C-0074 - Containers mounting Docker socket
Description of the issue
Mounting the Docker socket (a Unix domain socket) lets a container reach Docker internals, retrieve sensitive information and execute Docker commands if the Docker runtime is available on the node. This control identifies pods that attempt to mount the Docker socket in order to access the Docker runtime.
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
What does this control test
Check each hostPath volume. If the path is set to /var/run/docker.sock or /var/lib/docker, the container has access to Docker internals and the control fails.
Remove the Docker socket mount request or define an exception.
apiVersion: v1
kind: Pod
metadata:
  name: pod-with-hostpath-mounting
spec:
  containers:
  - name: test-webserver
    image: k8s.gcr.io/test-webserver:latest
    volumeMounts:
    - mountPath: /var/local/aaa
      name: mydir
    - mountPath: /var/local/aaa/1.txt
      name: myfile
  volumes:
  - name: mydir
    hostPath:
      # Ensure the file directory is created.
      path: /var/run/docker
      type: DirectoryOrCreate
  - name: myfile
    hostPath:
      path: /var/run/docker.sock
      type: FileOrCreate
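The check described above, implemented as a stand-alone script. This is an added example, not Kubescape's own rule code: it walks the pod spec of a workload object (a Pod, or a controller carrying spec.template, with CronJob's extra jobTemplate level handled), reports every hostPath volume whose path is the Docker socket or the Docker data directory, and returns fail/pass. The manifests inside it are constructed for the example; the first mirrors the failing pod shown on this page. As an assumption beyond the page's wording, subdirectories of /var/lib/docker are also flagged.

```python
# Added example (not Kubescape's own code): a minimal implementation of the
# C-0074 check over Kubernetes objects represented as plain Python dicts.
import os

# Host paths the control treats as giving access to Docker internals.
DOCKER_HOST_PATHS = ("/var/run/docker.sock", "/var/lib/docker")

# Kinds the control applies to (from the page's related-resources list).
WORKLOAD_KINDS = {"CronJob", "DaemonSet", "Deployment", "Job", "Pod",
                  "ReplicaSet", "StatefulSet"}


def pod_spec_of(obj):
    """Return the pod spec embedded in a workload object, or None."""
    kind = obj.get("kind")
    spec = obj.get("spec", {}) or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return (spec.get("jobTemplate", {}).get("spec", {})
                    .get("template", {}).get("spec"))
    if kind in WORKLOAD_KINDS:
        return spec.get("template", {}).get("spec")
    return None


def is_docker_path(path):
    """True if path is one of the Docker host paths or sits below /var/lib/docker
    (the subdirectory case is an assumption of this example, not the page)."""
    norm = os.path.normpath(path)
    return any(norm == p or norm.startswith(p + "/") for p in DOCKER_HOST_PATHS)


def docker_socket_mounts(obj):
    """Return (volume name, host path) pairs that violate the control."""
    spec = pod_spec_of(obj)
    if spec is None:
        return []
    failing = []
    for vol in spec.get("volumes") or []:
        host_path = vol.get("hostPath") or {}
        path = host_path.get("path")
        if path and is_docker_path(path):
            failing.append((vol.get("name"), path))
    return failing


def check(obj):
    """'fail' if the workload mounts Docker internals, otherwise 'pass'."""
    return "fail" if docker_socket_mounts(obj) else "pass"


# Constructed sample manifests so the example runs offline.
# FAILING_POD reproduces the pod shown on this page.
FAILING_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "pod-with-hostpath-mounting"},
    "spec": {
        "containers": [{
            "name": "test-webserver",
            "image": "k8s.gcr.io/test-webserver:latest",
            "volumeMounts": [
                {"mountPath": "/var/local/aaa", "name": "mydir"},
                {"mountPath": "/var/local/aaa/1.txt", "name": "myfile"},
            ],
        }],
        "volumes": [
            {"name": "mydir",
             "hostPath": {"path": "/var/run/docker", "type": "DirectoryOrCreate"}},
            {"name": "myfile",
             "hostPath": {"path": "/var/run/docker.sock", "type": "FileOrCreate"}},
        ],
    },
}

# The remediated form: the socket mount request is removed and a scratch
# emptyDir volume is used instead (constructed, wrapped in a Deployment).
REMEDIATED_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "webserver"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "test-webserver",
                        "image": "k8s.gcr.io/test-webserver:latest",
                        "volumeMounts": [{"mountPath": "/var/local/aaa",
                                          "name": "scratch"}]}],
        "volumes": [{"name": "scratch", "emptyDir": {}}],
    }}},
}

if __name__ == "__main__":
    for obj in (FAILING_POD, REMEDIATED_DEPLOYMENT):
        print(obj["kind"], obj["metadata"]["name"], check(obj),
              docker_socket_mounts(obj))
```

Feeding the page's pod through the script flags only the myfile volume (/var/run/docker.sock); the mydir volume points at /var/run/docker, which is not one of the two listed paths, so the pod fails on the socket mount alone. To scan live objects, pass the parsed output of kubectl get ... -o json into check().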