# Volume Mount With OS Directory Write Permissions

- Query id: b7652612-de4e-4466-a0bf-1cd81f0c6063
- Query name: Volume Mount With OS Directory Write Permissions
- Platform: Kubernetes
- Severity: High
- Category: Resource Management
- CWE: 284
- URL: Github

## Description

Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.

Documentation
## Code samples

### Code samples with security vulnerabilities

#### Positive test num. 1 - yaml file

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: pod-0
      volumeMounts:
        - mountPath: /bin
          name: vol-0
        - mountPath: /var
          name: vol-1
          recursiveReadOnly: Disabled
  volumes:
    - name: vol-0
      scaleIO:
        gateway: https://localhost:443/api
        system: scaleio
        protectionDomain: sd0
        storagePool: sp1
        volumeName: vol-0
        secretRef:
          name: sio-secret
        fsType: xfs
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: pod-1
      volumeMounts:
        - mountPath: /var
          name: vol-0
          recursiveReadOnly: Enabled
        - mountPath: /bin
          name: vol-1
          readOnly: false
  volumes:
    - name: vol-0
      scaleIO:
        gateway: https://localhost:443/api
        system: scaleio
        protectionDomain: sd0
        storagePool: sp1
        volumeName: vol-0
        secretRef:
          name: sio-secret
        fsType: xfs
```
#### Positive test num. 2 - yaml file

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
spec:
  containers:
    - name: pod-0
      image: k8s.gcr.io/test-webserver
      volumeMounts:
        - mountPath: /bin
          name: vol-0
          readOnly: false
          recursiveReadOnly: Disabled
        - mountPath: /var
          name: vol-1
          readOnly: false
          recursiveReadOnly: Enabled
  volumes:
    - name: vol-0
      emptyDir: {}
    - name: vol-1
      emptyDir: {}
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
spec:
  containers:
    - name: pod-1
      image: k8s.gcr.io/test-webserver
      volumeMounts:
        - mountPath: /var
          name: vol-0
          readOnly: true
        - mountPath: /bin
          name: vol-1
          readOnly: true
          recursiveReadOnly: Disabled
  volumes:
    - name: vol-0
      emptyDir: {}
    - name: vol-1
      emptyDir: {}
```
### Code samples without security vulnerabilities

#### Negative test num. 1 - yaml file

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: pod-0
      volumeMounts:
        - mountPath: /bin
          name: vol-0
          readOnly: true
          recursiveReadOnly: Enabled
  volumes:
    - name: vol-0
      scaleIO:
        gateway: https://localhost:443/api
        system: scaleio
        protectionDomain: sd0
        storagePool: sp1
        volumeName: vol-0
        secretRef:
          name: sio-secret
        fsType: xfs
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: pod-0
      volumeMounts:
        - mountPath: /project-mount
          name: vol-0
  volumes:
    - name: vol-0
      scaleIO:
        gateway: https://localhost:443/api
        system: scaleio
        protectionDomain: sd0
        storagePool: sp1
        volumeName: vol-0
        secretRef:
          name: sio-secret
        fsType: xfs
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-2
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: pod-0
      volumeMounts:
        - mountPath: /var/run
          name: vol-0
          readOnly: true
          recursiveReadOnly: Enabled
  volumes:
    - name: vol-0
      scaleIO:
        gateway: https://localhost:443/api
        system: scaleio
        protectionDomain: sd0
        storagePool: sp1
        volumeName: vol-0
        secretRef:
          name: sio-secret
        fsType: xfs
```
#### Negative test num. 2 - yaml file

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: log-config
data:
  log_level: "INFO"
---
apiVersion: v1
kind: Pod
metadata:
  name: configmap-pod
spec:
  volumes:
    - name: config-vol
      configMap:
        name: log-config
        items:
          - key: log_level
            path: log_level.conf
  containers:
    - name: test
      image: busybox:1.28
      volumeMounts:
        - name: config-vol
          mountPath: /etc/config
```
#### Negative test num. 3 - yaml file

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  password: cGFzc3dvcmQxMjM= # base64 for "password123"
---
apiVersion: v1
kind: Pod
metadata:
  name: secret-pod
spec:
  containers:
    - name: test
      image: busybox:1.28
      command: ['sh', '-c', 'echo "Secret volume mounted" && tail -f /dev/null']
      volumeMounts:
        - name: secret-vol
          mountPath: /etc/secret
  volumes:
    - name: secret-vol
      secret:
        secretName: my-secret
```
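As an added example (not the KICS query or its Rego), a simplified Python version of this check run over pod specs constructed to mirror the samples above. The directory list, the exact-match rule on the normalized mountPath (so /etc/config does not match /etc) and treating readOnly: true as sufficient regardless of recursiveReadOnly are assumptions; with them it flags the writable /bin and /var mounts of the positive samples but not pod-1 of positive test 2, whose mounts are both readOnly: true.

```python
# Added example: a simplified check for writable mounts of OS directories.
# Not the KICS Rego query; the directory list and matching rule are assumptions.

# Assumption: directories treated as OS directories. Matching is on the
# normalized mountPath only, so /etc/config does not match /etc.
OS_DIRECTORIES = {"/bin", "/sbin", "/boot", "/dev", "/etc", "/lib", "/lib64",
                  "/proc", "/sys", "/usr", "/var"}


def normalize(path):
    """Strip trailing slashes so '/bin/' and '/bin' compare equal; keep '/'."""
    return path.rstrip("/") or "/"


def writable_os_mounts(pod):
    """Return (container name, mountPath) for each mount of an OS directory
    that is not explicitly readOnly: true. A missing readOnly defaults to
    writable, and recursiveReadOnly alone does not make a mount read-only."""
    findings = []
    for container in pod.get("spec", {}).get("containers", []):
        for mount in container.get("volumeMounts", []):
            if (normalize(mount.get("mountPath", "")) in OS_DIRECTORIES
                    and mount.get("readOnly") is not True):
                findings.append((container["name"], mount["mountPath"]))
    return findings


# Constructed pod specs mirroring the page's samples; volume definitions are
# omitted because the check depends only on the volumeMounts entries.
POSITIVE_POD = {"kind": "Pod", "metadata": {"name": "pod-0"}, "spec": {
    "containers": [{"name": "pod-0", "volumeMounts": [
        {"mountPath": "/bin", "name": "vol-0", "readOnly": False,
         "recursiveReadOnly": "Disabled"},
        {"mountPath": "/var", "name": "vol-1", "readOnly": False,
         "recursiveReadOnly": "Enabled"}]}]}}

NEGATIVE_POD = {"kind": "Pod", "metadata": {"name": "pod-2"}, "spec": {
    "containers": [{"name": "pod-0", "volumeMounts": [
        {"mountPath": "/var/run", "name": "vol-0", "readOnly": True,
         "recursiveReadOnly": "Enabled"},
        {"mountPath": "/etc/config", "name": "config-vol"},
        {"mountPath": "/project-mount", "name": "vol-1"}]}]}}

if __name__ == "__main__":
    for pod in (POSITIVE_POD, NEGATIVE_POD):
        print(pod["metadata"]["name"], writable_os_mounts(pod) or "no findings")
```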