Docker Daemon Socket is Exposed to Containers
- Query id: a6f34658-fdfb-4154-9536-56d516f65828
- Query name: Docker Daemon Socket is Exposed to Containers
- Platform: Kubernetes
- Severity: Low
- Category: Access Control
- URL: Github
Description¶
Sees if Docker Daemon Socket is not exposed to Containers
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
name: test-pd
spec:
containers:
- image: k8s.gcr.io/test-webserver
name: test-container
volumeMounts:
- mountPath: /test-pd
name: test-volume
volumes:
- name: test-volume
hostPath:
path: /var/run/docker.sock
type: Directory
---
apiVersion: v1
kind: ReplicationController
metadata:
name: node-manager
labels:
name: node-manager
spec:
selector:
name: node-manager
template:
metadata:
labels:
name: node-manager
spec:
containers:
- image: k8s.gcr.io/test-webserver
name: test-container
volumeMounts:
- mountPath: /test-pd
name: test-volume
volumes:
- name: test-volume
hostPath:
path: /var/run/docker.sock
type: Directory
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: hello
spec:
schedule: "*/1 * * * *"
jobTemplate:
spec:
template:
spec:
containers:
- image: k8s.gcr.io/test-webserver
name: test-container
volumeMounts:
- mountPath: /test-pd
name: test-volume
volumes:
- name: test-volume
hostPath:
path: /var/run/docker.sock
type: Directory