C 0045
AllControls, WorkloadScan, MITRE, security
Severity
High
Description of the the issue
hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. For example, the latter can be achieved by creating a cron job on the host.
Related resources
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
What does this control test
Checking in Pod spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn’t exist) we raise an alert.
Remediation
Refrain from using the hostPath mount or use the exception mechanism to remove unnecessary notifications.