C-0020 - Mount service principal
Framework
MITRE, YAML-scanning, AllControls
Severity
Low
Description of the issue
When the cluster is deployed in the cloud, in some cases attackers can leverage their access to a container in the cluster to gain cloud credentials. For example, in AKS each node contains a service principal credential.
Related resources
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
What does this control test
Checks which workloads have hostPath volumes pointing at known cloud credential files on the node, such as "/etc/kubernetes/azure.json" for Azure.
Remediation
Refrain from using hostPath mounts.
Example
apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /test-pd
      name: test-volume
  volumes:
  - name: test-volume
    hostPath: # This field triggers failure!
      path: /data
      type: Directory
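The check described under "What does this control test", written out as an added example (this is not Kubescape's own rule implementation): it locates the PodSpec in each covered workload kind and flags hostPath volumes whose path is a known credential file or an ancestor directory of one. The credential-file list, the helper names and the sample manifests are constructed for illustration; only the Azure path comes from this page.

```python
"""Detection logic in the spirit of control C-0020 (added example, not Kubescape's rule):
flag workloads whose hostPath volumes expose known cloud credential files on the node."""
from pathlib import PurePosixPath

# Only the Azure path is named on the page; extend this list for other clouds.
KNOWN_CREDENTIAL_FILES = ["/etc/kubernetes/azure.json"]

# Kinds the control covers; all of them embed a PodSpec somewhere under .spec.
WORKLOAD_KINDS = {"Pod", "CronJob", "DaemonSet", "Deployment", "Job", "ReplicaSet", "StatefulSet"}


def pod_spec(manifest):
    """Locate the PodSpec inside any covered workload kind (None for other kinds)."""
    kind, spec = manifest.get("kind"), manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":  # CronJob -> JobTemplate -> PodTemplate
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {}) if kind in WORKLOAD_KINDS else None


def exposes(host_path, cred_file):
    """True if mounting host_path exposes cred_file: the file itself or any ancestor directory
    ('/' and '/etc/kubernetes' count; a similar-looking '/etc/kubernetes-backup' does not)."""
    hp, cf = PurePosixPath(host_path), PurePosixPath(cred_file)
    return hp == cf or hp in cf.parents


def check_mount_service_principal(manifest):
    """Return (volume name, hostPath, credential file) findings; an empty list means compliant."""
    spec = pod_spec(manifest)
    findings = []
    for vol in (spec or {}).get("volumes") or []:
        path = (vol.get("hostPath") or {}).get("path")
        for cred in KNOWN_CREDENTIAL_FILES:
            if path and exposes(path, cred):
                findings.append((vol.get("name"), path, cred))
    return findings


# Constructed sample manifests, already parsed (the shape yaml.safe_load would return).
DAEMONSET_PARENT_DIR = {"kind": "DaemonSet", "spec": {"template": {"spec": {"volumes": [
    {"name": "k8s-conf", "hostPath": {"path": "/etc/kubernetes/"}}]}}}}
CRONJOB_EXACT_FILE = {"kind": "CronJob", "spec": {"jobTemplate": {"spec": {"template": {"spec": {
    "volumes": [{"name": "creds", "hostPath": {"path": "/etc/kubernetes/azure.json"}}]}}}}}}
POD_SIMILAR_PREFIX = {"kind": "Pod", "spec": {"volumes": [
    {"name": "backup", "hostPath": {"path": "/etc/kubernetes-backup"}},
    {"name": "scratch", "emptyDir": {}}]}}

if __name__ == "__main__":
    for m in (DAEMONSET_PARENT_DIR, CRONJOB_EXACT_FILE, POD_SIMILAR_PREFIX):
        print(m["kind"], check_mount_service_principal(m) or "compliant")
```

The ancestor-directory test matters in practice: a mount of "/" or "/etc/kubernetes" hands the container the same file as mounting azure.json directly, while a naive string-prefix comparison would also misfire on sibling paths.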