Do not admit containers with docker socket bind mount
Bind-mounting the Docker socket into a pod gives the containers inside it control of the host's Docker daemon, which can be used to leak information, escalate privileges, and manage containers outside of Kubernetes.
Risk Level: Critical
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.AC.07
Covered by Spectral: No
Category: Compute
GSL LOGIC
KubernetesPod should not have spec.volumes contain [ hostPath.path='/var/run/docker.sock' ]
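The GSL rule above expressed as an admission-style check over a Pod manifest, as an added example (not CloudGuard's own code). The optional `strict` mode is an assumption that goes beyond the page's rule: it also flags a hostPath that covers a parent directory of the socket (such as `/var/run`, `/run` or `/`) or the `/run/docker.sock` alias, because those expose the same socket. The manifests are constructed samples.

```python
from typing import Any, Dict, List, Tuple

DOCKER_SOCK = "/var/run/docker.sock"
# Assumption: on systemd hosts /var/run is a symlink to /run, so this is the same socket.
SOCK_ALIASES = {DOCKER_SOCK, "/run/docker.sock"}


def docker_socket_mounts(pod: Dict[str, Any], strict: bool = False) -> List[str]:
    """Return names of volumes that bind-mount the Docker socket via hostPath.

    Default mode mirrors the GSL logic: hostPath.path == '/var/run/docker.sock'.
    strict=True (assumption, stricter than the page's rule) also flags aliases
    and any hostPath that is a parent directory of the socket.
    """
    offending: List[str] = []
    for vol in pod.get("spec", {}).get("volumes") or []:
        host_path = vol.get("hostPath") or {}
        raw = host_path.get("path")
        if raw is None:
            continue
        path = raw.rstrip("/")  # '/var/run/' and '/var/run' are the same mount; '/' becomes ''
        exact = path == DOCKER_SOCK
        covers_parent = path == "" or any(s.startswith(path + "/") for s in SOCK_ALIASES)
        if exact or (strict and (path in SOCK_ALIASES or covers_parent)):
            offending.append(vol.get("name", "<unnamed>"))
    return offending


def admit(pod: Dict[str, Any], strict: bool = False) -> Tuple[bool, str]:
    """Admission decision: (allowed, reason). Denies pods that violate the rule."""
    hits = docker_socket_mounts(pod, strict)
    if hits:
        return False, f"volumes {hits} bind-mount the Docker socket (rule D9.K8S.AC.07)"
    return True, ""


def _pod(volumes: List[Dict[str, Any]]) -> Dict[str, Any]:
    # Constructed sample Pod manifest; only spec.volumes matters for this rule.
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "sample"},
            "spec": {"containers": [{"name": "app", "image": "example/app:1.0"}],
                     "volumes": volumes}}


VIOLATING_POD = _pod([{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}])
COMPLIANT_POD = _pod([{"name": "data", "emptyDir": {}},
                      {"name": "cfg", "configMap": {"name": "app-config"}}])
PARENT_DIR_POD = _pod([{"name": "run", "hostPath": {"path": "/var/run/"}}])

if __name__ == "__main__":
    for name, pod in [("violating", VIOLATING_POD), ("compliant", COMPLIANT_POD), ("parent", PARENT_DIR_POD)]:
        print(name, admit(pod), admit(pod, strict=True))
```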
REMEDIATION
Pods
Pods are the smallest deployable units of computing that can be created and managed in Kubernetes. A Pod is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers.
Compliance Frameworks
- Container Admission Control
- Container Admission Control 1.0
Updated over 1 year ago