PSP with unrestricted access to host path

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > PSP with unrestricted access to host path

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Metadata

Id: de4421f1-4e35-43b4-9783-737dd4e4a47e

Cloud Provider: Kubernetes

Platform: Kubernetes

Severity: High

Category: Resource Management

Learn More

Provider Reference

Description

PodSecurityPolicy should set readOnly to true for every entry in spec.allowedHostPaths. The spec.allowedHostPaths attribute must be defined and not null, and each allowed host path must include readOnly: true. Entries with readOnly undefined or set to false, or a missing spec.allowedHostPaths, are reported.

Compliant Code Examples

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  hostIPC: false
  allowedHostPaths:
    - pathPrefix: "/foo"
      readOnly: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'

Non-Compliant Code Examples

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  hostIPC: false
  allowedHostPaths:
  - pathPrefix: /dev
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  hostIPC: false
  allowedHostPaths:
  - pathPrefix: /dev
    readOnly: false
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  hostIPC: false
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'