C-0048 - HostPath mount
Framework
WorkloadScan, ClusterScan, security, MITRE, AllControls
Severity
High
Description of the issue
Mounting a host directory into a container can be used by attackers to get access to the underlying host. This control identifies all the pods using a hostPath mount.
Related resources
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
What does this control test
Mounting a host directory into a container can be used by attackers to get access to the underlying host. This control identifies all the pods using a hostPath mount.
Remediation
Remove hostPath mounts unless they are absolutely necessary, and use the exception mechanism to suppress notifications for the ones that must remain.
Example
apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /test-pd
      name: test-volume
  volumes:
  - name: test-volume
    hostPath: # This field triggers failure!
      path: /data
      type: Directory
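The check this control performs can be reproduced offline against exported manifests. The following is an added example, not Kubescape's own code: it walks the workload kinds listed above (resolving the pod spec for Pod, Deployment-style templates and CronJob job templates), reports every hostPath volume together with the containers that mount it, and applies a simple "namespace/name" exception list that stands in for the exception mechanism mentioned in the remediation. The sample manifests, the `scan`/`find_hostpath_mounts` function names and the exception format are constructed for this example and are not part of the page.

```python
import json

# Workload kinds the control covers (the page's "Related resources" list).
WORKLOAD_KINDS = {"CronJob", "DaemonSet", "Deployment", "Job", "Pod", "ReplicaSet", "StatefulSet"}


def pod_spec_of(obj):
    """Return the PodSpec embedded in a workload object, or None for kinds not covered."""
    kind = obj.get("kind")
    if kind not in WORKLOAD_KINDS:
        return None
    spec = obj.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        # CronJob nests a Job template, which in turn nests the pod template.
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})


def find_hostpath_mounts(obj):
    """Return one finding per hostPath volume, listing the containers that mount it.

    A readOnly mount is still reported: the control flags any hostPath volume.
    """
    pod_spec = pod_spec_of(obj)
    if pod_spec is None:
        return []
    host_volumes = {v["name"]: v["hostPath"] for v in pod_spec.get("volumes", []) if "hostPath" in v}
    if not host_volumes:
        return []
    mounts = {name: [] for name in host_volumes}
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            if m.get("name") in mounts:
                mounts[m["name"]].append({
                    "container": c.get("name"),
                    "mountPath": m.get("mountPath"),
                    "readOnly": bool(m.get("readOnly", False)),
                })
    meta = obj.get("metadata", {})
    return [{
        "kind": obj.get("kind"),
        "name": meta.get("name"),
        "namespace": meta.get("namespace", "default"),
        "volume": name,
        "hostPath": hp.get("path"),
        "type": hp.get("type", ""),
        "mounts": mounts[name],
    } for name, hp in host_volumes.items()]


def scan(objects, exceptions=()):
    """Scan a list of Kubernetes objects; 'namespace/name' entries in exceptions are suppressed."""
    failed = []
    for obj in objects:
        findings = find_hostpath_mounts(obj)
        if not findings:
            continue
        key = f"{findings[0]['namespace']}/{findings[0]['name']}"
        if key in exceptions:
            continue  # Accepted via the (hypothetical) exception list, as the remediation suggests.
        failed.extend(findings)
    return failed


# Constructed sample manifests: the page's test-pd Pod, a clean Deployment, and a CronJob
# whose job template mounts the host root read-only.
SAMPLE_MANIFESTS = json.loads("""[
  {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "test-pd"},
   "spec": {"containers": [{"image": "k8s.gcr.io/test-webserver", "name": "test-container",
                            "volumeMounts": [{"mountPath": "/test-pd", "name": "test-volume"}]}],
            "volumes": [{"name": "test-volume", "hostPath": {"path": "/data", "type": "Directory"}}]}},
  {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web", "namespace": "apps"},
   "spec": {"template": {"spec": {"containers": [{"name": "web", "image": "nginx",
                                                  "volumeMounts": [{"mountPath": "/cache", "name": "cache"}]}],
                                  "volumes": [{"name": "cache", "emptyDir": {}}]}}}},
  {"apiVersion": "batch/v1", "kind": "CronJob", "metadata": {"name": "node-backup", "namespace": "ops"},
   "spec": {"jobTemplate": {"spec": {"template": {"spec": {
       "containers": [{"name": "backup", "image": "busybox",
                       "volumeMounts": [{"mountPath": "/host", "name": "root", "readOnly": true}]}],
       "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}}}}}}
]""")

if __name__ == "__main__":
    for f in scan(SAMPLE_MANIFESTS):
        print(f"{f['kind']} {f['namespace']}/{f['name']}: volume {f['volume']} -> {f['hostPath']} {f['mounts']}")
```

Running the block reports the Pod and the CronJob but not the Deployment, and passing `exceptions={"default/test-pd"}` to `scan` leaves only the CronJob finding; the read-only flag on the CronJob mount is recorded in the finding but does not exempt it, matching the control's behaviour.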