Ensure pods outside of kube-system do not have access to node volume

A hostPath volume mounts a file or directory from the host node's filesystem into your Pod. This is not something that most Pods will need, but it offers a powerful escape hatch for some applications. It is important to watch out when using this type of volume, because when Kubernetes adds resource-aware scheduling, as is planned, it will not be able to account for resources used by a hostPath.

Risk Level: High
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.NET.22
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

KubernetesPod where namespace != 'kube-system' should have spec.volumes contain-all [ hostPath isEmpty()]
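The same rule evaluated outside CloudGuard, as an added example that is not CloudGuard's or the Kubernetes project's code: it walks parsed Pod manifests, exempts kube-system, and flags any volume whose hostPath is set. The function names and the sample manifests are my own constructions.

```python
# Added example (not CloudGuard's or Kubernetes' own code): evaluates the
# "pods outside kube-system must not mount hostPath" rule over Pod manifests
# already parsed into dicts (e.g. by json.load or yaml.safe_load).

def host_path_violations(pod: dict) -> list:
    """Names of volumes in one Pod that violate the rule.

    Mirrors the GSL logic on this page: kube-system Pods are exempt; every
    other Pod must have no volume whose hostPath is set and non-empty.
    """
    namespace = (pod.get("metadata") or {}).get("namespace") or "default"
    if namespace == "kube-system":
        return []
    volumes = (pod.get("spec") or {}).get("volumes") or []
    # hostPath absent, None or {} counts as empty and is allowed.
    return [v.get("name", "<unnamed>") for v in volumes if v.get("hostPath")]

def audit(pods: list) -> dict:
    """Map 'namespace/name' -> offending volume names for each non-compliant Pod."""
    findings = {}
    for pod in pods:
        bad = host_path_violations(pod)
        if bad:
            md = pod.get("metadata") or {}
            findings[f"{md.get('namespace') or 'default'}/{md.get('name', '<unnamed>')}"] = bad
    return findings

# Constructed sample manifests (not from any real cluster).
SAMPLE_PODS = [
    {   # violates: a non-system namespace mounts a node directory
        "kind": "Pod",
        "metadata": {"name": "log-shipper", "namespace": "monitoring"},
        "spec": {"volumes": [
            {"name": "varlog", "hostPath": {"path": "/var/log"}},
            {"name": "scratch", "emptyDir": {}},
        ]},
    },
    {   # exempt: kube-system may use hostPath
        "kind": "Pod",
        "metadata": {"name": "kube-proxy", "namespace": "kube-system"},
        "spec": {"volumes": [{"name": "xtables", "hostPath": {"path": "/run/xtables.lock"}}]},
    },
    {   # compliant: no namespace given (lands in default), only emptyDir
        "kind": "Pod",
        "metadata": {"name": "web"},
        "spec": {"volumes": [{"name": "cache", "emptyDir": {}}]},
    },
]
```

Feed it the output of `kubectl get pods -A -o json` (the `items` list) to audit a live cluster; only the first sample Pod is reported.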

REMEDIATION

Please refer to the Kubernetes documentation (see References) on how to configure hostPath volumes, and replace hostPath in Pods outside kube-system with a volume type that does not expose the node filesystem.

References

  1. https://kubernetes.io/docs/concepts/storage/volumes/#hostpath

Pods

Pods are the smallest deployable units of computing that can be created and managed in Kubernetes. A Pod is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers.

Compliance Frameworks

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0
  • Kubernetes NIST.SP.800-190
  • Kubernetes v.1.13 CloudGuard Best Practices
  • Kubernetes v.1.14 CloudGuard Best Practices