C-0074 - Containers mounting Docker socket
Containers mounting Docker socket
Framework
DevOpsBest, AllControls
Severity
Medium
Description of the the issue
Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies PODs that attempt to mount Docker socket for accessing Docker runtime.
Related resources
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
What does this control test
Check hostpath. If the path is set to /var/run/docker.sock or /var/lib/docker , the container has access to Docker internals - fail.
Remediation
Remove docker socket mount request or define an exception.
Example
apiVersion: v1
kind: Pod
metadata:
name: pod-with-hostpath-mounting
spec:
containers:
- name: test-webserver
image: k8s.gcr.io/test-webserver:latest
volumeMounts:
- mountPath: /var/local/aaa
name: mydir
- mountPath: /var/local/aaa/1.txt
name: myfile
volumes:
- name: mydir
hostPath:
# Ensure the file directory is created.
path: /var/run/docker
type: DirectoryOrCreate
- name: myfile
hostPath:
path: /var/run/docker.sock
type: FileOrCreate
Updated 2 days ago