PSP With Unrestricted Access to Host Path

Query id: de4421f1-4e35-43b4-9783-737dd4e4a47e
Query name: PSP With Unrestricted Access to Host Path
Platform: Kubernetes
Severity: High
Category: Resource Management
URL: Github

Description¶

PodSecurityPolicy should set 'readOnly' to true in every host path allowed
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - yaml file

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  hostIPC: false
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'

Positive test num. 2 - yaml file

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  hostIPC: false
  allowedHostPaths:
  - pathPrefix: /dev
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'

Positive test num. 3 - yaml file

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  hostIPC: false
  allowedHostPaths:
  - pathPrefix: /dev
    readOnly: false
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'

Code samples without security vulnerabilities¶

Negative test num. 1 - yaml file

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  hostIPC: false
  allowedHostPaths:
    - pathPrefix: "/foo"
      readOnly: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'