Control: Pod containers should not allow privilege escalation
Description
Containers in a Pod should not be able to access any specific paths of the host file system. There are many ways a container with unrestricted access to the host filesystem can escalate privileges, including reading data from other containers, and abusing the credentials of system services, such as Kubelet.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.pod_volume_host_path
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run kubernetes_compliance.control.pod_volume_host_path --share
SQL
This control uses a named query:
select
  distinct(coalesce(uid, concat(path, ':', start_line))) as resource,
  case
    when v -> 'hostPath' -> 'path' is null then 'ok'
    else 'alarm'
  end as status,
  case
    when v -> 'hostPath' -> 'path' is null then 'No host path volume mounted.'
    else 'Host path volume mounted for ' || (v ->> 'name') || '.'
  end as reason,
  name as pod_name,
  coalesce(context_name, '') as context_name,
  namespace,
  source_type,
  coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
  kubernetes_pod,
  jsonb_array_elements(volumes) as v;
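The query above evaluates each entry of a pod's volumes array and raises an alarm only when that volume carries a hostPath.path. The following Python is an added example, not part of the Powerpipe mod, that applies the same per-volume test to a pod manifest offline (for example in a pre-deploy check); the sample manifest and the "manifest.yaml:1-20" source string are constructed placeholders standing in for the uid or path:start_line-end_line values the query reads from the kubernetes_pod table.

```python
import json

# Constructed sample manifest (not from the page): one emptyDir volume and
# one hostPath volume, so both branches of the control's check are exercised.
SAMPLE_POD_JSON = """
{
  "metadata": {"name": "log-shipper", "namespace": "monitoring"},
  "spec": {
    "volumes": [
      {"name": "cache", "emptyDir": {}},
      {"name": "host-logs", "hostPath": {"path": "/var/log"}}
    ]
  }
}
"""

def load_sample_pod():
    """Parse the constructed sample manifest into a dict."""
    return json.loads(SAMPLE_POD_JSON)

def evaluate_pod_volumes(pod, source="manifest.yaml:1-20"):
    """Apply the control's per-volume test to one pod manifest.

    Mirrors the query: a volume is 'alarm' only when hostPath.path is set,
    otherwise 'ok'. `source` stands in for the path:start_line fallback the
    query uses as the resource id when a file-sourced pod has no uid.
    """
    meta = pod.get("metadata", {})
    resource = meta.get("uid") or source
    rows = []
    for v in pod.get("spec", {}).get("volumes") or []:
        host_path = (v.get("hostPath") or {}).get("path")
        if host_path is None:
            status, reason = "ok", "No host path volume mounted."
        else:
            status, reason = "alarm", f"Host path volume mounted for {v.get('name')}."
        rows.append({"resource": resource, "status": status, "reason": reason,
                     "pod_name": meta.get("name"), "namespace": meta.get("namespace"),
                     "host_path": host_path})
    return rows

def pod_status(rows):
    """Roll the per-volume rows up to a single verdict for the pod."""
    return "alarm" if any(r["status"] == "alarm" for r in rows) else "ok"

if __name__ == "__main__":
    rows = evaluate_pod_volumes(load_sample_pod())
    for r in rows:
        print(r["status"], r["pod_name"], r["reason"])
    print("pod verdict:", pod_status(rows))
```

A pod with no volumes at all yields no rows, exactly as the query produces none for it, so a deploy-time gate should treat an empty result as a pass rather than an error.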