C-0045 - Writable hostPath mount
Framework
WorkloadScan, security, MITRE, AllControls
Severity
High
Description of the the issue
hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. For example, the latter can be achieved by creating a cron job on the host.
Related resources
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
What does this control test
Checking in Pod spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn’t exist) we raise an alert.
Remediation
Refrain from using the hostPath mount or use the exception mechanism to remove unnecessary notifications.
Example
apiVersion: v1
kind: Pod
metadata:
name: test-pd
spec:
containers:
- image: k8s.gcr.io/test-webserver
name: test-container
volumeMounts:
- mountPath: /test-pd
name: test-volume
volumes:
- name: test-volume
hostPath: #we look for this attribute
path: /data
type: Directory
Updated 9 days ago