DevOpsBest, YAML-scanning, AllControls
Mounting the Docker socket (a Unix domain socket) lets a container reach Docker internals, retrieve sensitive information and execute Docker commands, provided the Docker runtime is available on the node. This control identifies Pods that attempt to mount the Docker socket in order to access the Docker runtime.
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
Checks each hostPath volume. If the path is set to /var/run/docker.sock or /var/lib/docker, the container has access to Docker internals and the control fails.
Remove the Docker socket mount request or define an exception.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-with-hostpath-mounting
spec:
  containers:
  - name: test-webserver
    image: k8s.gcr.io/test-webserver:latest
    volumeMounts:
    - mountPath: /var/local/aaa
      name: mydir
    - mountPath: /var/local/aaa/1.txt
      name: myfile
  volumes:
  - name: mydir
    hostPath:
      # Ensure the file directory is created.
      path: /var/run/docker
      type: DirectoryOrCreate
  - name: myfile
    hostPath:
      path: /var/run/docker.sock
      type: FileOrCreate
```
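The check described above, written out as an added example (this is illustrative code, not Kubescape's own rule implementation). It walks the hostPath volumes of a Pod or of any listed workload kind that embeds a pod template, and goes slightly beyond the page's two paths: it also treats /run/docker.sock as a match, since /var/run is commonly a symlink to /run, and it flags any path beneath /var/lib/docker. The manifests at the bottom are constructed for the demonstration.

```python
# Flag workloads whose hostPath volumes reach the Docker socket or Docker state.
# Constructed illustration, not Kubescape's own rule code.
import posixpath

# Paths the control treats as Docker internals. /run/docker.sock is included
# because /var/run is commonly a symlink to /run and reaches the same socket.
DOCKER_PATHS = ("/var/run/docker.sock", "/run/docker.sock", "/var/lib/docker")


def pod_spec(manifest):
    """Return the pod spec of a Pod or of a workload that embeds a pod template."""
    kind, spec = manifest.get("kind"), manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":  # the pod template sits one level deeper
        spec = spec.get("jobTemplate", {}).get("spec", {})
    # Deployment, DaemonSet, StatefulSet, ReplicaSet, Job
    return spec.get("template", {}).get("spec", {})


def is_docker_path(path):
    """True if the normalised path is a Docker path or lies beneath one."""
    norm = posixpath.normpath(path)
    return any(norm == p or norm.startswith(p + "/") for p in DOCKER_PATHS)


def docker_socket_mounts(manifest):
    """Return (volume name, host path) for each offending hostPath volume."""
    findings = []
    for vol in pod_spec(manifest).get("volumes") or []:
        path = (vol.get("hostPath") or {}).get("path")
        if path and is_docker_path(path):
            findings.append((vol.get("name"), path))
    return findings


# Constructed manifests: the page's example Pod, a Deployment mounting the
# Docker state directory, and a Pod whose hostPath is unrelated to Docker.
POD_FROM_PAGE = {"kind": "Pod", "spec": {"volumes": [
    {"name": "mydir", "hostPath": {"path": "/var/run/docker"}},
    {"name": "myfile", "hostPath": {"path": "/var/run/docker.sock"}}]}}
DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {"spec": {"volumes": [
    {"name": "state", "hostPath": {"path": "/var/lib/docker/containers/"}}]}}}}
CLEAN_POD = {"kind": "Pod", "spec": {"volumes": [
    {"name": "logs", "hostPath": {"path": "/var/log"}},
    {"name": "scratch", "emptyDir": {}}]}}

if __name__ == "__main__":
    for m in (POD_FROM_PAGE, DEPLOYMENT, CLEAN_POD):
        print(m["kind"], docker_socket_mounts(m) or "pass")
```

Note that /var/run/docker (a directory, as in the page's example) is not flagged; only the socket itself and the /var/lib/docker tree are.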