C-0045 - Writable hostPath mount

Framework

AllControls, MITRE, WorkloadScan, security

Severity

High

Description of the the issue

hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. For example, the latter can be achieved by creating a cron job on the host.

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test

Checking in Pod spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn’t exist) we raise an alert.

Remediation

Refrain from using the hostPath mount or use the exception mechanism to remove unnecessary notifications.

Example

apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /test-pd
      name: test-volume
  volumes:
  - name: test-volume
    hostPath: #we look for this attribute 
      path: /data
      type: Directory