C-0048 - HostPath mount

HostPath mount

Framework

MITRE, YAML-scanning, AllControls

Severity

Medium

Description of the the issue

Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the PODs using hostPath mount.

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test

Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the PODs using hostPath mount.

Remediation

Remove hostPath mounts unless they are absolutely necessary and use exception mechanism to remove notifications.

Example

apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /test-pd
      name: test-volume
  volumes:
  - name: test-volume
    hostPath: # This field triggers failure!
      path: /data
      type: Directory


Did this page help you?