For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/kubernetes-volume-mount-with-os-directory-write-permissions.md. A documentation index is available at /llms.txt.

Volume mount with OS directory write permissions

This product is not supported for your selected Datadog site. ().

Metadata

Id: kubernetes-volume-mount-with-os-directory-write-permissions

Platform: Kubernetes

Severity: High

Category: Resource Management

Learn More

Description

Containers can mount sensitive directories from the host, granting potentially dangerous access to critical host configurations and binaries. This rule flags container volume mounts where the mountPath is a host-sensitive directory (for example /bin, /etc, /proc, or /) and the readOnly attribute is missing or set to false. Such mounts are expected to be set to read-only to avoid modification of host files and reduce the risk of privilege escalation or system compromise.

Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: pod-0
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: pod-0
    volumeMounts:
    - mountPath: /bin
      name: vol-0
      readOnly: true
  volumes:
  - name: vol-0
    scaleIO:
      gateway: https://localhost:443/api
      system: scaleio
      protectionDomain: sd0
      storagePool: sp1
      volumeName: vol-0
      secretRef:
        name: sio-secret
      fsType: xfs

---
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: pod-0
    volumeMounts:
    - mountPath: /project-mount
      name: vol-0
  volumes:
  - name: vol-0
    scaleIO:
      gateway: https://localhost:443/api
      system: scaleio
      protectionDomain: sd0
      storagePool: sp1
      volumeName: vol-0
      secretRef:
        name: sio-secret
      fsType: xfs

---
apiVersion: v1
kind: Pod
metadata:
  name: pod-2
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: pod-0
    volumeMounts:
    - mountPath: /var/run
      name: vol-0
      readOnly: true
  volumes:
  - name: vol-0
    scaleIO:
      gateway: https://localhost:443/api
      system: scaleio
      protectionDomain: sd0
      storagePool: sp1
      volumeName: vol-0
      secretRef:
        name: sio-secret
      fsType: xfs

Non-Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: pod-0
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: pod-0
    volumeMounts:
    - mountPath: /bin
      name: vol-0
    - mountPath: /var/run
      name: vol-1
      readOnly: false
  volumes:
  - name: vol-0
    scaleIO:
      gateway: https://localhost:443/api
      system: scaleio
      protectionDomain: sd0
      storagePool: sp1
      volumeName: vol-0
      secretRef:
        name: sio-secret
      fsType: xfs
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: pod-1
    volumeMounts:
    - mountPath: /var/run
      name: vol-0
    - mountPath: /bin
      name: vol-1
      readOnly: false
  volumes:
  - name: vol-0
    scaleIO:
      gateway: https://localhost:443/api
      system: scaleio
      protectionDomain: sd0
      storagePool: sp1
      volumeName: vol-0
      secretRef:
        name: sio-secret
      fsType: xfs