C-0020 - Mount service principal
Mount service principal
Note: this control relevant for cloud managed Kubernetes cluster
Description of the the issue
When the cluster is deployed in the cloud, in some cases attackers can leverage their access to a container in the cluster to gain cloud credentials. For example, in AKS each node contains service principal credential.
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
What does this control test
Check which workloads have volumes with potential access to known cloud credentials folders or files in node, like “/etc/kubernetes/azure.json” for Azure.
Refrain from using path mount to known cloud credentials folders or files .
apiVersion: v1 kind: Pod metadata: name: test-pd spec: containers: - image: k8s.gcr.io/test-webserver name: test-container volumeMounts: - mountPath: /test-pd name: test-volume volumes: - name: test-volume hostPath: # This field triggers failure! path: /data type: Directory
Updated 2 days ago