Volume Mount With OS Directory Write Permissions

  • Query id: b7652612-de4e-4466-a0bf-1cd81f0c6063
  • Query name: Volume Mount With OS Directory Write Permissions
  • Platform: Kubernetes
  • Severity: Medium
  • Category: Resource Management
  • URL: Github

Description

Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: pod-0
    volumeMounts:
    - mountPath: /bin
      name: vol-0
    - mountPath: /var/run
      name: vol-1
      readOnly: false
  volumes:
  - name: vol-0
    scaleIO:
      gateway: https://localhost:443/api
      system: scaleio
      protectionDomain: sd0
      storagePool: sp1
      volumeName: vol-0
      secretRef:
        name: sio-secret
      fsType: xfs
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: pod-1
    volumeMounts:
    - mountPath: /var/run
      name: vol-0
    - mountPath: /bin
      name: vol-1
      readOnly: false
  volumes:
  - name: vol-0
    scaleIO:
      gateway: https://localhost:443/api
      system: scaleio
      protectionDomain: sd0
      storagePool: sp1
      volumeName: vol-0
      secretRef:
        name: sio-secret
      fsType: xfs

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: pod-0
    volumeMounts:
    - mountPath: /bin
      name: vol-0
      readOnly: true
  volumes:
  - name: vol-0
    scaleIO:
      gateway: https://localhost:443/api
      system: scaleio
      protectionDomain: sd0
      storagePool: sp1
      volumeName: vol-0
      secretRef:
        name: sio-secret
      fsType: xfs

---
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: pod-0
    volumeMounts:
    - mountPath: /project-mount
      name: vol-0
  volumes:
  - name: vol-0
    scaleIO:
      gateway: https://localhost:443/api
      system: scaleio
      protectionDomain: sd0
      storagePool: sp1
      volumeName: vol-0
      secretRef:
        name: sio-secret
      fsType: xfs

---
apiVersion: v1
kind: Pod
metadata:
  name: pod-2
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: pod-0
    volumeMounts:
    - mountPath: /var/run
      name: vol-0
      readOnly: true
  volumes:
  - name: vol-0
    scaleIO:
      gateway: https://localhost:443/api
      system: scaleio
      protectionDomain: sd0
      storagePool: sp1
      volumeName: vol-0
      secretRef:
        name: sio-secret
      fsType: xfs