Minimize the admission of HostPath volumes

Do not generally admit containers which make use of hostPath volumes. A container which mounts a hostPath volume as part of its specification has access to the filesystem of the underlying cluster node, and the use of hostPath volumes may therefore give containers access to privileged areas of the node filesystem.

Risk Level: High
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.IAM.79
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

KubernetesPod should have spec.volumes contain [ hostPath isEmpty() ] or spec.volumes isEmpty()

REMEDIATION

Add policies to each namespace in the cluster which has user workloads to restrict the
admission of containers which use hostPath volumes.
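The GSL logic above, as an added example (not CloudGuard code) implemented in Python: a Pod passes when spec.volumes is empty or no volume sets hostPath, and the same check is applied to workload templates (spec.template.spec), since Pods created by a Deployment or DaemonSet inherit the template's volumes. The manifests are constructed samples, not from a real cluster.

```python
"""Audit Kubernetes manifests for hostPath volumes (rule D9.K8S.IAM.79).

Added example, not CloudGuard code. Mirrors the GSL logic on this page:
compliant when spec.volumes is empty or no volume carries a hostPath key.
"""

def pod_spec_of(obj: dict) -> dict:
    """Return the PodSpec of a Pod, or of a template-based workload."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})

def hostpath_volumes(obj: dict) -> list:
    """Names of volumes that use hostPath; an empty list means compliant."""
    volumes = pod_spec_of(obj).get("volumes") or []  # None and [] both mean "no volumes"
    return [v.get("name", "<unnamed>") for v in volumes if v.get("hostPath") is not None]

def is_compliant(obj: dict) -> bool:
    """True when spec.volumes is empty or contains no hostPath entry."""
    return not hostpath_volumes(obj)

def audit(objects: list) -> dict:
    """Map each non-compliant object's name to its offending volume names."""
    report = {}
    for obj in objects:
        offending = hostpath_volumes(obj)
        if offending:
            report[obj["metadata"]["name"]] = offending
    return report

# Constructed sample manifests (dict form of the YAML a cluster would receive)
SAMPLES = [
    {"kind": "Pod", "metadata": {"name": "no-volumes"},
     "spec": {"containers": [{"name": "app", "image": "nginx"}]}},
    {"kind": "Pod", "metadata": {"name": "scratch-only"},
     "spec": {"volumes": [{"name": "tmp", "emptyDir": {}}]}},
    {"kind": "Pod", "metadata": {"name": "node-logs"},
     "spec": {"volumes": [{"name": "tmp", "emptyDir": {}},
                          {"name": "logs", "hostPath": {"path": "/var/log", "type": "Directory"}}]}},
    {"kind": "DaemonSet", "metadata": {"name": "agent"},
     "spec": {"template": {"spec": {"volumes": [{"name": "root", "hostPath": {"path": "/"}}]}}}},
]

if __name__ == "__main__":
    for name, vols in audit(SAMPLES).items():
        print(f"{name}: hostPath volume(s) {vols} violate D9.K8S.IAM.79")
```

Under Pod Security Standards, the baseline profile already forbids spec.volumes[*].hostPath, so labelling a namespace with pod-security.kubernetes.io/enforce=baseline is one way to apply the remediation above at admission time.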

References

  1. https://kubernetes.io/docs/concepts/security/pod-security-standards/

Pods

Pods are the smallest deployable units of computing that can be created and managed in Kubernetes. A Pod is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers.

Compliance Frameworks

  • CIS Kubernetes Benchmark v1.23