C-0020 - Mount service principal

Mount service principal

Framework

MITRE, AllControls, YAML-scanning

Severity

Medium

Description of the the issue

When the cluster is deployed in the cloud, in some cases attackers can leverage their access to a container in the cluster to gain cloud credentials. For example, in AKS each node contains service principal credential.

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test

Check which workloads have hostPath volumes to known cloud credentials files in node, like “/etc/kubernetes/azure.json” for Azure.

Remediation

Refrain from using host path mount.

Example

apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /test-pd
      name: test-volume
  volumes:
  - name: test-volume
    hostPath: # This field triggers failure!
      path: /data
      type: Directory