Ensure pods outside of kube-system do not have access to node volume
A hostPath volume mounts a file or directory from the host node's filesystem into your Pod. This is not something that most Pods will need, but it offers a powerful escape hatch for some applications. It is important to be careful when using this type of volume: a Pod that can mount node paths (for example the node's root filesystem or the container runtime socket) can read or modify data belonging to the node and to every other Pod scheduled on it, which defeats the isolation between workloads. In addition, when Kubernetes adds resource-aware scheduling, as is planned, it will not be able to account for the resources used by a hostPath.
Risk Level: High
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.NET.22
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
KubernetesPod where namespace != 'kube-system' should have spec.volumes contain-all [ hostPath isEmpty()]
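The GSL rule above flags any Pod outside kube-system whose spec.volumes contains a non-empty hostPath entry. The following Python script is an added example (not CloudGuard's engine or the Kubernetes project's code) that applies the same logic to Pod objects in the shape returned by `kubectl get pods -A -o json`. The sample Pods, their names, namespaces and paths are constructed for illustration; the rule's only exemption, kube-system, is kept as written.

```python
"""Check Pods outside kube-system for hostPath volumes.

Added example mirroring the GSL rule
  KubernetesPod where namespace != 'kube-system'
    should have spec.volumes contain-all [ hostPath isEmpty() ]
Reads a PodList (or a single Pod) as JSON on stdin; with no stdin it
evaluates the constructed SAMPLE_PODS below.
"""
import json
import sys

EXEMPT_NAMESPACES = {"kube-system"}  # the rule exempts only kube-system


def hostpath_volumes(pod):
    """Return (volume name, host path) for every hostPath volume in a Pod.

    A volume counts as hostPath when its `hostPath` key is present and
    non-empty, mirroring the GSL `hostPath isEmpty()` test. `spec.volumes`
    may be absent entirely, which is compliant.
    """
    volumes = pod.get("spec", {}).get("volumes") or []
    found = []
    for vol in volumes:
        hp = vol.get("hostPath")
        if hp:
            found.append((vol.get("name", "<unnamed>"), hp.get("path", "")))
    return found


def is_compliant(pod):
    """True when the Pod is in an exempt namespace or mounts no hostPath."""
    # A Pod object without a namespace lives in 'default'
    ns = pod.get("metadata", {}).get("namespace", "default")
    if ns in EXEMPT_NAMESPACES:
        return True
    return not hostpath_volumes(pod)


def find_violations(pods):
    """Return [(namespace, pod name, [(volume, path), ...])] for non-compliant Pods."""
    out = []
    for pod in pods:
        if not is_compliant(pod):
            meta = pod.get("metadata", {})
            out.append((meta.get("namespace", "default"),
                        meta.get("name", "<unnamed>"),
                        hostpath_volumes(pod)))
    return out


def _pod(name, namespace, volumes=None):
    """Build a minimal Pod object (constructed sample data, not from a cluster)."""
    obj = {"apiVersion": "v1", "kind": "Pod",
           "metadata": {"name": name, "namespace": namespace},
           "spec": {"containers": [{"name": "app", "image": "example/app:1.0"}]}}
    if volumes is not None:
        obj["spec"]["volumes"] = volumes
    return obj


SAMPLE_PODS = [
    # Flagged: mounts the node's root filesystem from an application namespace
    _pod("debug-shell", "default",
         [{"name": "root", "hostPath": {"path": "/", "type": "Directory"}}]),
    # Flagged: the container runtime socket grants node-level control
    _pod("ci-runner", "build",
         [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}]),
    # Allowed by the rule: kube-system is exempt
    _pod("kube-proxy-abc12", "kube-system",
         [{"name": "lib-modules", "hostPath": {"path": "/lib/modules"}}]),
    # Compliant: ephemeral scratch space instead of a host directory
    _pod("web", "default", [{"name": "cache", "emptyDir": {}}]),
    # Compliant: no volumes at all
    _pod("worker", "default"),
]


def main():
    if sys.stdin.isatty():
        pods = SAMPLE_PODS
    else:
        doc = json.load(sys.stdin)
        pods = doc.get("items", [doc])  # PodList from kubectl, or a single Pod
    violations = find_violations(pods)
    for ns, name, vols in violations:
        mounts = ", ".join(f"{v}->{p}" for v, p in vols)
        print(f"NONCOMPLIANT {ns}/{name}: hostPath volumes: {mounts}")
    sys.exit(1 if violations else 0)


if __name__ == "__main__":
    main()
```

Run it against a live cluster with `kubectl get pods -A -o json | python3 check_hostpath.py`; a non-zero exit indicates at least one flagged Pod. This is a point-in-time audit of existing Pods; to stop new hostPath Pods from being admitted, the Pod Security Standards baseline profile (which forbids hostPath volumes) applied via the Pod Security admission labels on each application namespace is the built-in enforcement path.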
REMEDIATION
Remove hostPath volumes from Pods outside kube-system, replacing them with emptyDir, ConfigMap, Secret or PersistentVolumeClaim volumes where the workload needs storage. Refer to the Kubernetes documentation on how to configure hostPath:
References
Pods
Pods are the smallest deployable units of computing that can be created and managed in Kubernetes. A Pod is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers.
Compliance Frameworks
- CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1
- CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0
- Kubernetes NIST.SP.800-190
- Kubernetes v.1.13 CloudGuard Best Practices
- Kubernetes v.1.14 CloudGuard Best Practices