MITRE, AllControls, YAML-scanning
hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. For example, the latter can be achieved by creating a cron job on the host.
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
Checking in POD spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn’t exist) we raise an alert.
Refrain from using the hostPath mount or use the exception mechanism to remove unnecessary notifications.
apiVersion: v1 kind: Pod metadata: name: test-pd spec: containers: - image: k8s.gcr.io/test-webserver name: test-container volumeMounts: - mountPath: /test-pd name: test-volume volumes: - name: test-volume hostPath: #we look for this attribute path: /data type: Directory
Updated 11 days ago