C-0020 - Mount service principal

Prerequisites

Integrate with cloud provider (see here)

Framework

AllControls, MITRE

Severity

Medium

Description of the the issue

When the cluster is deployed in the cloud, in some cases attackers can leverage their access to a container in the cluster to gain cloud credentials. For example, in AKS each node contains service principal credential.

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test

Check which workloads have volumes with potential access to known cloud credentials folders or files in node, like “/etc/kubernetes/azure.json” for Azure.

Remediation

Refrain from using path mount to known cloud credentials folders or files .

Example

apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /test-pd
      name: test-volume
  volumes:
  - name: test-volume
    hostPath: # This field triggers failure!
      path: /data
      type: Directory