C-0048 - HostPath mount

Framework

WorkloadScan, ClusterScan, security, MITRE, AllControls

Severity

High

Description of the the issue

Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the pods using hostPath mount.

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test

Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the pods using hostPath mount.

Remediation

Remove hostPath mounts unless they are absolutely necessary and use exception mechanism to remove notifications.

Example

apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /test-pd
      name: test-volume
  volumes:
  - name: test-volume
    hostPath: # This field triggers failure!
      path: /data
      type: Directory