
Metadata

Id: b7652612-de4e-4466-a0bf-1cd81f0c6063

Cloud Provider: Kubernetes

Platform: Kubernetes

Severity: High

Category: Resource Management

Description

Containers can mount sensitive directories from the host, granting potentially dangerous access to critical host configurations and binaries. This rule flags container volume mounts where the mountPath is a host-sensitive directory (for example /bin, /etc, /proc, or /) and the readOnly attribute is missing or set to false. Such mounts are expected to be set to read-only to avoid modification of host files and reduce the risk of privilege escalation or system compromise.
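The check the description spells out, as an added example (not Datadog's rule implementation) run over parsed Pod manifests: the sensitive-directory list beyond the four paths named above and the two sample manifests are this example's own assumptions.

```python
# Added example (not Datadog's rule implementation): applies the rule's logic to
# parsed Pod manifests. The directory list and the sample manifests are constructed.
import posixpath

# The page names /bin, /etc, /proc and / "for example"; the other entries are
# this example's assumption about what counts as a host-sensitive directory.
SENSITIVE_DIRS = ("/bin", "/sbin", "/boot", "/dev", "/etc", "/lib", "/proc",
                  "/sys", "/usr", "/var/run")


def is_sensitive_path(mount_path):
    """True for the host root, a sensitive directory, or any path beneath one."""
    norm = posixpath.normpath(mount_path or "")  # "/bin/" -> "/bin", "/etc/.." -> "/"
    if norm == "/":
        return True
    return any(norm == d or norm.startswith(d + "/") for d in SENSITIVE_DIRS)


def find_writable_sensitive_mounts(pod):
    """Return (container name, mountPath) pairs where a sensitive path is mounted
    without readOnly: true. A missing readOnly and readOnly: false both count."""
    spec = pod.get("spec", {})
    findings = []
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        for mount in container.get("volumeMounts") or []:
            path = mount.get("mountPath", "")
            if is_sensitive_path(path) and mount.get("readOnly") is not True:
                findings.append((container.get("name"), path))
    return findings


# Constructed manifests mirroring the page's examples (volumes omitted, since
# the rule only inspects volumeMounts).
NON_COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "pod-0"},
    "spec": {"containers": [{"name": "pod-0", "image": "k8s.gcr.io/test-webserver",
        "volumeMounts": [{"mountPath": "/bin", "name": "vol-0"},
                         {"mountPath": "/var/run", "name": "vol-1", "readOnly": False}]}]},
}
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "pod-1"},
    "spec": {"containers": [{"name": "pod-0", "image": "k8s.gcr.io/test-webserver",
        "volumeMounts": [{"mountPath": "/bin", "name": "vol-0", "readOnly": True},
                         {"mountPath": "/project-mount", "name": "vol-1"}]}]},
}

if __name__ == "__main__":
    for pod in (NON_COMPLIANT_POD, COMPLIANT_POD):
        print(pod["metadata"]["name"], find_writable_sensitive_mounts(pod))
```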

Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: pod-0
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: pod-0
    volumeMounts:
    - mountPath: /bin
      name: vol-0
      readOnly: true
  volumes:
  - name: vol-0
    scaleIO:
      gateway: https://localhost:443/api
      system: scaleio
      protectionDomain: sd0
      storagePool: sp1
      volumeName: vol-0
      secretRef:
        name: sio-secret
      fsType: xfs

---
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: pod-0
    volumeMounts:
    - mountPath: /project-mount
      name: vol-0
  volumes:
  - name: vol-0
    scaleIO:
      gateway: https://localhost:443/api
      system: scaleio
      protectionDomain: sd0
      storagePool: sp1
      volumeName: vol-0
      secretRef:
        name: sio-secret
      fsType: xfs

---
apiVersion: v1
kind: Pod
metadata:
  name: pod-2
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: pod-0
    volumeMounts:
    - mountPath: /var/run
      name: vol-0
      readOnly: true
  volumes:
  - name: vol-0
    scaleIO:
      gateway: https://localhost:443/api
      system: scaleio
      protectionDomain: sd0
      storagePool: sp1
      volumeName: vol-0
      secretRef:
        name: sio-secret
      fsType: xfs

Non-Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: pod-0
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: pod-0
    volumeMounts:
    - mountPath: /bin
      name: vol-0
    - mountPath: /var/run
      name: vol-1
      readOnly: false
  volumes:
  - name: vol-0
    scaleIO:
      gateway: https://localhost:443/api
      system: scaleio
      protectionDomain: sd0
      storagePool: sp1
      volumeName: vol-0
      secretRef:
        name: sio-secret
      fsType: xfs
  # vol-1 is referenced by the second mount above, so it needs a definition too
  - name: vol-1
    scaleIO:
      gateway: https://localhost:443/api
      system: scaleio
      protectionDomain: sd0
      storagePool: sp1
      volumeName: vol-1
      secretRef:
        name: sio-secret
      fsType: xfs

---
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: pod-1
    volumeMounts:
    - mountPath: /var/run
      name: vol-0
    - mountPath: /bin
      name: vol-1
      readOnly: false
  volumes:
  - name: vol-0
    scaleIO:
      gateway: https://localhost:443/api
      system: scaleio
      protectionDomain: sd0
      storagePool: sp1
      volumeName: vol-0
      secretRef:
        name: sio-secret
      fsType: xfs
  # vol-1 is referenced by the second mount above, so it needs a definition too
  - name: vol-1
    scaleIO:
      gateway: https://localhost:443/api
      system: scaleio
      protectionDomain: sd0
      storagePool: sp1
      volumeName: vol-1
      secretRef:
        name: sio-secret
      fsType: xfs