Control: Pod Security Policy should prohibit hostPaths volumes
Description
The Pod Security Policy `allowedHostPaths` specifies a list of host paths that are allowed to be used by hostPath volumes. An empty list means there is no restriction on host paths used. This is defined as a list of objects with a single pathPrefix field, which allows hostPath volumes to mount a path that begins with an allowed prefix, and a readOnly field indicating it must be mounted read-only.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.pod_security_policy_allowed_host_pathSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run kubernetes_compliance.control.pod_security_policy_allowed_host_path --shareSQL
This control uses a named query:
select coalesce(uid, concat(path, ':', start_line)) as resource, case when allowed_host_paths is null then 'alarm' else 'ok' end as status, case when allowed_host_paths is null then 'Pod security policy ' || name || ' containers can use all host paths.' else 'Pod security policy ' || name || ' containers using specified host path.' end as reason , coalesce(context_name, '') as context_name, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as pathfrom kubernetes_pod_security_policy;