PSP With Unrestricted Access to Host Path
- Query id: de4421f1-4e35-43b4-9783-737dd4e4a47e
- Query name: PSP With Unrestricted Access to Host Path
- Platform: Kubernetes
- Severity: High
- Category: Resource Management
- CWE: 250
- URL: Github
## Description

A PodSecurityPolicy should set 'readOnly: true' on every entry listed under 'allowedHostPaths', so that no allowed host path can be mounted writable.

Documentation
## Code samples

### Code samples with security vulnerabilities

#### Positive test num. 1 - yaml file

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  hostIPC: false
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
```
#### Positive test num. 2 - yaml file

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  hostIPC: false
  allowedHostPaths:
    - pathPrefix: /dev
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
```
#### Positive test num. 3 - yaml file

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  hostIPC: false
  allowedHostPaths:
    - pathPrefix: /dev
      readOnly: false
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
```
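As an added example, not part of the KICS query or this page, the check below applies the rule to Python-dict equivalents of the three positive samples above plus one compliant policy; the `host_path_findings` helper, the `_psp` builder and the dict form of the manifests are constructed here and are not the project's code.

```python
# Added example: flag PodSecurityPolicy host paths that are not read-only.
# Manifests are embedded as dicts (constructed to mirror the page's YAML samples).

def host_path_findings(psp):
    """Return a list of finding strings for one PodSecurityPolicy dict.

    An empty list means the policy passes. Two conditions are flagged:
      * no 'allowedHostPaths' at all: PSP treats an empty list as no
        restriction, so any host path may be mounted, writable;
      * an entry whose 'readOnly' is missing or not true.
    """
    if psp.get("kind") != "PodSecurityPolicy":
        return []  # other kinds are out of scope for this rule
    name = psp.get("metadata", {}).get("name", "<unnamed>")
    paths = (psp.get("spec") or {}).get("allowedHostPaths")
    if not paths:
        return [f"{name}: spec.allowedHostPaths missing or empty "
                "(every host path allowed, writable)"]
    findings = []
    for i, entry in enumerate(paths):
        if entry.get("readOnly") is not True:
            findings.append(f"{name}: spec.allowedHostPaths[{i}] "
                            f"({entry.get('pathPrefix')}) is not readOnly")
    return findings


BASE = {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
        "metadata": {"name": "example"}}


def _psp(**spec):
    # Constructed helper: build a PSP dict with hostIPC: false plus extra spec keys.
    return {**BASE, "spec": {"hostIPC": False, **spec}}


SAMPLES = {
    "positive1": _psp(),                                              # no allowedHostPaths
    "positive2": _psp(allowedHostPaths=[{"pathPrefix": "/dev"}]),     # readOnly omitted
    "positive3": _psp(allowedHostPaths=[{"pathPrefix": "/dev", "readOnly": False}]),
    "negative":  _psp(allowedHostPaths=[{"pathPrefix": "/dev", "readOnly": True}]),
}


def scan(manifests):
    """Map each manifest name to its list of findings."""
    return {name: host_path_findings(m) for name, m in manifests.items()}


if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(name, "PASS" if not findings else "; ".join(findings))
```

PodSecurityPolicy was removed in Kubernetes v1.25, so this check is relevant to clusters still serving the policy/v1beta1 API.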