Benchmark: Containers should not use hostPath mounts
Description
Containers should not be able to access any specific paths of the host file system. There are many ways a container with unrestricted access to the host filesystem can escalate privileges, including reading data from other containers and abusing the credentials of system services, such as Kubelet.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-kubernetes-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Containers should not use hostPath mounts.
Run this benchmark in your terminal:
powerpipe benchmark run kubernetes_compliance.benchmark.nsa_cisa_v1_pod_security_container_disallow_host_path
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run kubernetes_compliance.benchmark.nsa_cisa_v1_pod_security_container_disallow_host_path --share
Controls
- Pod Security Policy should prohibit hostPaths volumes
- Pod containers should not allow privilege escalation
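To show what the two controls above look for in a pod spec, here is an added example (not the mod's own queries) that audits a pod list in the shape of `kubectl get pods -A -o json`. The function name `audit_pods`, the sample pods, and the choice to flag any `allowPrivilegeEscalation` value other than an explicit `false` are assumptions of this example.

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json` output.
SAMPLE_POD_LIST = json.loads("""
{"items": [
  {"metadata": {"namespace": "monitoring", "name": "node-agent"},
   "spec": {
     "volumes": [{"name": "kubelet-dir", "hostPath": {"path": "/var/lib/kubelet"}}],
     "initContainers": [{"name": "setup",
                         "volumeMounts": [{"name": "kubelet-dir", "mountPath": "/host"}]}],
     "containers": [{"name": "agent",
                     "securityContext": {"allowPrivilegeEscalation": false}}]}},
  {"metadata": {"namespace": "shop", "name": "web"},
   "spec": {"containers": [{"name": "nginx",
                            "securityContext": {"allowPrivilegeEscalation": false}}]}}
]}
""")

def audit_pods(pod_list):
    """Return (namespace, pod, container, issue) tuples for each finding."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        ns, name = meta.get("namespace", "default"), meta["name"]
        # Map volume name -> host path for every hostPath-backed volume.
        host_vols = {v["name"]: v["hostPath"].get("path", "")
                     for v in spec.get("volumes") or [] if v.get("hostPath")}
        mounted = set()
        containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
        for c in containers:
            for m in c.get("volumeMounts") or []:
                if m["name"] in host_vols:
                    mounted.add(m["name"])
                    mode = "ro" if m.get("readOnly") else "rw"
                    findings.append((ns, name, c["name"],
                                     f"hostPath {host_vols[m['name']]} at {m['mountPath']} ({mode})"))
            # Assumption of this example: anything but an explicit false is flagged.
            sc = c.get("securityContext") or {}
            if sc.get("allowPrivilegeEscalation") is not False:
                findings.append((ns, name, c["name"], "allowPrivilegeEscalation not false"))
        # A hostPath volume that no container mounts is reported at pod level.
        for vol in sorted(set(host_vols) - mounted):
            findings.append((ns, name, "-", f"hostPath {host_vols[vol]} declared, not mounted"))
    return findings

if __name__ == "__main__":
    for finding in audit_pods(SAMPLE_POD_LIST):
        print(*finding, sep="\t")
```

Init containers are checked along with regular containers because they can mount the same hostPath volumes.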