Docker Daemon Socket is Exposed to Containers

  • Query id: a6f34658-fdfb-4154-9536-56d516f65828
  • Query name: Docker Daemon Socket is Exposed to Containers
  • Platform: Kubernetes
  • Severity: Medium
  • Category: Access Control
  • CWE: 668
  • URL: Github

Description

Sees if Docker Daemon Socket is not exposed to Containers
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /test-pd
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:
      path: /var/run/docker.sock
      type: Directory

---

apiVersion: v1
kind: ReplicationController
metadata:
  name: node-manager
  labels:
    name: node-manager
spec:
    selector:
      name: node-manager
    template:
      metadata:
        labels:
          name: node-manager
      spec:
          containers:
          - image: k8s.gcr.io/test-webserver
            name: test-container
            volumeMounts:
            - mountPath: /test-pd
              name: test-volume
          volumes:
          - name: test-volume
            hostPath:
              path: /var/run/docker.sock
              type: Directory

---

apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: hello
spec:
  schedule: "*/1 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - image: k8s.gcr.io/test-webserver
            name: test-container
            volumeMounts:
            - mountPath: /test-pd
              name: test-volume
          volumes:
          - name: test-volume
            hostPath:
              path: /var/run/docker.sock
              type: Directory

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /test-pd
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:
      path: /data
      type: Directory