Volume Mount With OS Directory Write Permissions
- Query id: b7652612-de4e-4466-a0bf-1cd81f0c6063
- Query name: Volume Mount With OS Directory Write Permissions
- Platform: Kubernetes
- Severity: Medium
- Category: Resource Management
- URL: Github
Description
Containers can mount sensitive folders from the host, giving them potentially dangerous access to critical host configurations and binaries.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: pod-0
      volumeMounts:
        - mountPath: /bin        # sensitive OS directory, readOnly omitted (defaults to false)
          name: vol-0
        - mountPath: /var/run    # sensitive OS directory mounted explicitly writable
          name: vol-1
          readOnly: false
  volumes:
    - name: vol-0
      scaleIO:
        gateway: https://localhost:443/api
        system: scaleio
        protectionDomain: sd0
        storagePool: sp1
        volumeName: vol-0
        secretRef:
          name: sio-secret
        fsType: xfs
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: pod-1
      volumeMounts:
        - mountPath: /var/run    # sensitive OS directory, readOnly omitted (defaults to false)
          name: vol-0
        - mountPath: /bin        # sensitive OS directory mounted explicitly writable
          name: vol-1
          readOnly: false
  volumes:
    - name: vol-0
      scaleIO:
        gateway: https://localhost:443/api
        system: scaleio
        protectionDomain: sd0
        storagePool: sp1
        volumeName: vol-0
        secretRef:
          name: sio-secret
        fsType: xfs
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: pod-0
      volumeMounts:
        - mountPath: /bin        # sensitive OS directory, but mounted read-only
          name: vol-0
          readOnly: true
  volumes:
    - name: vol-0
      scaleIO:
        gateway: https://localhost:443/api
        system: scaleio
        protectionDomain: sd0
        storagePool: sp1
        volumeName: vol-0
        secretRef:
          name: sio-secret
        fsType: xfs
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: pod-0
      volumeMounts:
        - mountPath: /project-mount   # not an OS directory, so writable is acceptable
          name: vol-0
  volumes:
    - name: vol-0
      scaleIO:
        gateway: https://localhost:443/api
        system: scaleio
        protectionDomain: sd0
        storagePool: sp1
        volumeName: vol-0
        secretRef:
          name: sio-secret
        fsType: xfs
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-2
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: pod-0
      volumeMounts:
        - mountPath: /var/run    # sensitive OS directory, but mounted read-only
          name: vol-0
          readOnly: true
  volumes:
    - name: vol-0
      scaleIO:
        gateway: https://localhost:443/api
        system: scaleio
        protectionDomain: sd0
        storagePool: sp1
        volumeName: vol-0
        secretRef:
          name: sio-secret
        fsType: xfs
```
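The rule the samples above illustrate, written out as an added Python example (this is not the KICS query's own Rego, and its list of sensitive directories beyond the page's `/bin` and `/var/run` is an assumption): a mount is reported when its `mountPath` is a sensitive OS directory or lies inside one and `readOnly` is not `true`, which includes the case where `readOnly` is omitted. It also descends into `spec.template.spec` so workload kinds such as Deployment are covered, a generalization beyond the Pod samples.

```python
"""Added example, not the KICS query itself: flag writable mounts of sensitive OS directories."""
import posixpath

# /bin and /var/run come from the page's samples; the remaining entries are an
# assumption chosen for this example and are not KICS's exact list.
SENSITIVE_DIRS = ("/bin", "/sbin", "/usr", "/etc", "/boot", "/var/run")


def _under(path: str, root: str) -> bool:
    """True if path equals root or is inside it; compares whole components so /binary != /bin."""
    p, r = posixpath.normpath(path), posixpath.normpath(root)
    return p == r or p.startswith(r.rstrip("/") + "/")


def _pod_spec(manifest: dict) -> dict:
    """Return the Pod spec, descending into a workload's pod template when present."""
    spec = manifest.get("spec", {})
    return spec.get("template", {}).get("spec", spec)


def writable_os_mounts(manifest: dict) -> list:
    """Return (workload name, container name, mountPath) for every sensitive mount
    that is not readOnly. Kubernetes defaults readOnly to false, so an omitted key counts."""
    findings = []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    spec = _pod_spec(manifest)
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            path = m.get("mountPath", "")
            if any(_under(path, d) for d in SENSITIVE_DIRS) and m.get("readOnly") is not True:
                findings.append((name, c.get("name", "<unnamed>"), path))
    return findings


# Constructed manifests mirroring the positive and negative samples, already parsed
# (on a real file, feed the documents from yaml.safe_load_all to writable_os_mounts).
POSITIVE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "pod-0"},
    "spec": {"containers": [{"image": "k8s.gcr.io/test-webserver", "name": "pod-0",
        "volumeMounts": [{"mountPath": "/bin", "name": "vol-0"},
                         {"mountPath": "/var/run", "name": "vol-1", "readOnly": False}]}]}}
NEGATIVE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "pod-1"},
    "spec": {"containers": [{"image": "k8s.gcr.io/test-webserver", "name": "pod-0",
        "volumeMounts": [{"mountPath": "/bin", "name": "vol-0", "readOnly": True},
                         {"mountPath": "/project-mount", "name": "vol-1"}]}]}}

if __name__ == "__main__":
    for pod, ctr, path in writable_os_mounts(POSITIVE_POD):
        print(f"[Medium] {pod}/{ctr}: sensitive OS path {path} mounted writable")
    print("negative sample findings:", writable_os_mounts(NEGATIVE_POD))
```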