C-0006 - Allowed hostPath
Framework
ArmoBest, NSA, YAML-scanning, AllControls
Severity
Medium
Description of the issue
A hostPath volume mounts a file or directory from the node's own filesystem directly into the container. An attacker who controls a pod with such a mount can read or modify files on the node (for example the container runtime socket, kubelet credentials or systemd units) and thereby escape from the container to the host. (See "3: Writable hostPath mount" for details.)
Related resources
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
What does this control test
Checks the PodSpec of each related resource for volumes of type hostPath. For Pods this is spec.volumes; for Deployments, ReplicaSets, DaemonSets, StatefulSets and Jobs it is the pod template under spec.template.spec.volumes; for CronJobs it is spec.jobTemplate.spec.template.spec.volumes.
Remediation
Avoid hostPath volumes; use emptyDir, ConfigMap, Secret or a PersistentVolumeClaim instead. If a hostPath mount is genuinely required (for example by a node-level agent running as a DaemonSet), mount it with readOnly: true, set the hostPath type to the narrowest value that fits (Directory, File, Socket, etc.), and enforce the restriction cluster-wide with an admission policy such as the Pod Security Standards baseline or restricted profile, both of which forbid hostPath volumes.
Example
apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /test-pd
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:        # we are looking for this parameter
      path: /data
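The following Python checker is an added illustration of what this control tests and of the remediation above; it is not Kubescape's own Rego rule. It walks the PodSpec of each related kind at the paths listed under "What does this control test", reports every hostPath volume together with the containers that mount it and whether any mount is writable, and treats an emptyDir replacement as clean. The input is the parsed form of a manifest or of `kubectl get ... -o json`; the three sample objects below are constructed for the example (the first one is the Pod from this page), and the helper names are the author's own.

```python
"""Find hostPath volumes in the workload kinds covered by C-0006.

Added example, not Kubescape's implementation. Objects are plain dicts as
produced by json.load() on `kubectl get <kind> -o json` or yaml.safe_load()
on a manifest.
"""

# Where each supported kind keeps its PodSpec (a `List` wrapper is unrolled by scan()).
POD_SPEC_PATH = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def pod_spec(obj):
    """Return the PodSpec dict for a supported kind, or None."""
    path = POD_SPEC_PATH.get(obj.get("kind"))
    cur = obj
    for key in path or ():
        cur = cur.get(key) if isinstance(cur, dict) else None
        if cur is None:
            return None
    return cur if path else None


def host_path_findings(obj):
    """One finding per hostPath volume. A declared-but-unmounted hostPath
    volume is still reported, since the control keys on the volume itself."""
    spec = pod_spec(obj)
    if spec is None:
        return []
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    findings = []
    for vol in spec.get("volumes") or []:
        if "hostPath" not in vol:
            continue
        mounts = [
            {"container": c["name"], "mountPath": m.get("mountPath"),
             "readOnly": bool(m.get("readOnly", False))}
            for c in containers
            for m in c.get("volumeMounts") or []
            if m.get("name") == vol["name"]
        ]
        findings.append({
            "kind": obj["kind"],
            "name": obj["metadata"]["name"],
            "volume": vol["name"],
            "hostPath": vol["hostPath"].get("path"),
            "type": vol["hostPath"].get("type", ""),
            "mounts": mounts,
            # writable if any mount omits readOnly; an unmounted volume is not writable from the pod
            "writable": any(not m["readOnly"] for m in mounts),
        })
    return findings


def scan(objects):
    """Scan a sequence of API objects, unrolling kind: List from kubectl."""
    out = []
    for obj in objects:
        items = obj.get("items", []) if obj.get("kind") == "List" else [obj]
        for item in items:
            out.extend(host_path_findings(item))
    return out


# --- constructed sample input (the first object is the Pod from this page) ---
PAGE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "test-pd"},
    "spec": {
        "containers": [{"image": "k8s.gcr.io/test-webserver", "name": "test-container",
                        "volumeMounts": [{"mountPath": "/test-pd", "name": "test-volume"}]}],
        "volumes": [{"name": "test-volume", "hostPath": {"path": "/data"}}],
    },
}
# hypothetical CronJob: hostPath is still flagged even though it is mounted read-only
LOG_SHIPPER = {
    "apiVersion": "batch/v1", "kind": "CronJob", "metadata": {"name": "log-shipper"},
    "spec": {"jobTemplate": {"spec": {"template": {"spec": {
        "containers": [{"name": "ship", "image": "example/shipper",
                        "volumeMounts": [{"name": "logs", "mountPath": "/host/log", "readOnly": True}]}],
        "volumes": [{"name": "logs", "hostPath": {"path": "/var/log", "type": "Directory"}}],
    }}}}},
}
# the page's Pod remediated as a Deployment: same mount, backed by emptyDir instead
FIXED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "test-pd"},
    "spec": {"template": {"spec": {
        "containers": [{"image": "k8s.gcr.io/test-webserver", "name": "test-container",
                        "volumeMounts": [{"mountPath": "/test-pd", "name": "test-volume"}]}],
        "volumes": [{"name": "test-volume", "emptyDir": {}}],
    }}},
}

if __name__ == "__main__":
    for f in scan([PAGE_POD, LOG_SHIPPER, FIXED_DEPLOYMENT]):
        print(f"{f['kind']}/{f['name']}: volume {f['volume']} -> {f['hostPath']} "
              f"({'writable' if f['writable'] else 'read-only'})")
```

Against the three samples the Pod from this page is reported as writable, the CronJob is reported but marked read-only, and the emptyDir Deployment produces no finding. To run it against a live cluster, feed `json.load()` of `kubectl get pods,deploy,rs,ds,sts,jobs,cronjobs -A -o json` to scan(); the read-only flag is informational only, since C-0006 fails on the presence of the volume, not on how it is mounted.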