Profile Applicability

  • Level 1

Description:
 HostPath volumes allow containers to mount files or directories from the host node's filesystem into a pod. While useful for certain use cases, they can pose security risks by granting containers access to host files and directories. This check ensures that the use of HostPath volumes is minimized and only allowed for specific, trusted workloads.

Rationale:
 HostPath volumes can introduce significant security risks, as containers can access sensitive parts of the host filesystem, leading to potential privilege escalation, data leakage, or modification of host resources. Minimizing their use and enforcing stricter policies around their deployment helps ensure that containers are isolated from the host filesystem, reducing the attack surface.

Impact:

  • Pros:

    • Reduces security risks by limiting the exposure of sensitive host resources to containers.

    • Enhances the isolation between containers and the underlying host.

  • Cons:

    • Some workloads, like logging or monitoring agents, may require HostPath volumes for accessing host files.

    • Requires configuration effort to ensure that only trusted workloads use HostPath volumes.

Default Value:
 By default, Kubernetes allows the use of HostPath volumes in pod specifications unless restricted via PodSecurityPolicies or other admission controllers.

Pre-requisites:
 Ensure that PodSecurityPolicies (PSP) or a similar admission control mechanism is configured to restrict the use of HostPath volumes. Note that PodSecurityPolicy was removed in Kubernetes 1.25; on clusters at that version or later, the same restriction is enforced with Pod Security Admission (the baseline profile forbids HostPath volumes) or an equivalent admission controller.

Test Plan:

Using Azure Console:

  1. Navigate to the Azure portal and access the Azure Kubernetes Service (AKS) cluster.

  2. Review the Pod specifications and verify that HostPath volumes are not being used unless explicitly required.

  3. Check the PodSecurityPolicies and admission control settings to ensure that HostPath volumes are restricted or denied for untrusted workloads.

Using Azure CLI:

  1. List all pods and check for the use of HostPath volumes:

     kubectl get pods --all-namespaces -o=jsonpath='{.items[*].spec.volumes[*].hostPath.path}'


  2. Ensure that no untrusted containers are using HostPath volumes unless necessary for the application.

  3. Verify that PodSecurityPolicy or admission control is applied to block the use of HostPath unless explicitly allowed by policy.
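The audit in steps 1 and 2 is easier to review when each HostPath volume is checked against an explicit allow-list of trusted paths rather than read off as a bare list of paths. The script below is an added example, not part of the benchmark; it consumes the JSON that `kubectl get pods --all-namespaces -o json` produces and applies the same prefix semantics as a PodSecurityPolicy `allowedHostPaths` entry (component-wise prefix match, plus an optional read-only requirement). The pod list and the allow-list are constructed sample data; the namespaces, pod names and paths are invented.

```python
import json
import sys
from typing import Dict, List

# Constructed sample standing in for `kubectl get pods --all-namespaces -o json`.
# Namespaces, pod names and paths are invented for this example.
SAMPLE_POD_LIST = json.dumps({"items": [
    {"metadata": {"namespace": "monitoring", "name": "node-exporter-abc12"},
     "spec": {"volumes": [{"name": "proc", "hostPath": {"path": "/proc"}},
                          {"name": "sys", "hostPath": {"path": "/sys"}}],
              "containers": [{"name": "exporter", "volumeMounts": [
                  {"name": "proc", "mountPath": "/host/proc", "readOnly": True},
                  {"name": "sys", "mountPath": "/host/sys", "readOnly": True}]}]}},
    {"metadata": {"namespace": "default", "name": "debug-shell"},
     "spec": {"volumes": [{"name": "root", "hostPath": {"path": "/"}},
                          {"name": "scratch", "emptyDir": {}}],
              "containers": [{"name": "shell", "volumeMounts": [
                  {"name": "root", "mountPath": "/host"}]}]}},
    {"metadata": {"namespace": "logging", "name": "fluent-bit-xyz"},
     "spec": {"volumes": [{"name": "logs", "hostPath": {"path": "/var/log/pods"}}],
              "containers": [{"name": "fluent-bit", "volumeMounts": [
                  {"name": "logs", "mountPath": "/var/log/pods"}]}]}},
]})

# Constructed allow-list of trusted host paths, written like PodSecurityPolicy
# allowedHostPaths entries: a hostPath is permitted when its path equals the prefix
# or sits beneath it as a whole path component; readOnly: true additionally requires
# every mount of that volume to be read-only.
ALLOWED_HOST_PATHS = [
    {"pathPrefix": "/proc", "readOnly": True},
    {"pathPrefix": "/sys", "readOnly": True},
    {"pathPrefix": "/var/log", "readOnly": True},
]


def path_has_prefix(path: str, prefix: str) -> bool:
    """Component-wise prefix match: "/var/log" covers "/var/log/pods" but not "/var/logs"."""
    if not path.startswith(prefix):
        return False
    if len(path) == len(prefix) or prefix.endswith("/"):
        return True
    return path[len(prefix)] == "/"


def audit_hostpath_volumes(pod_list_json: str, allowed: List[Dict]) -> List[Dict]:
    """Return one finding per hostPath volume that the allow-list does not permit."""
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta, spec = pod["metadata"], pod.get("spec", {})
        # Collect the readOnly flag of every mount of each volume, across all containers.
        mounts: Dict[str, List[bool]] = {}
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            for m in c.get("volumeMounts", []):
                mounts.setdefault(m["name"], []).append(bool(m.get("readOnly", False)))
        for vol in spec.get("volumes", []):
            hp = vol.get("hostPath")
            if hp is None:
                continue  # not a hostPath volume
            path = hp["path"]
            ro_flags = mounts.get(vol["name"], [])
            # A volume counts as read-only only when it is mounted and every mount says so.
            read_only = bool(ro_flags) and all(ro_flags)
            rule = next((r for r in allowed if path_has_prefix(path, r["pathPrefix"])), None)
            if rule is None:
                reason = "path is not under any allowed prefix"
            elif rule.get("readOnly") and not read_only:
                reason = f"allowed prefix {rule['pathPrefix']} requires readOnly mounts"
            else:
                continue
            findings.append({"namespace": meta["namespace"], "pod": meta["name"],
                             "volume": vol["name"], "hostPath": path, "reason": reason})
    return findings


if __name__ == "__main__":
    # Audit a live cluster with: kubectl get pods -A -o json | python3 audit_hostpath.py -
    data = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_POD_LIST
    for f in audit_hostpath_volumes(data, ALLOWED_HOST_PATHS):
        print(f"{f['namespace']}/{f['pod']} volume={f['volume']} hostPath={f['hostPath']}: {f['reason']}")
```

Run against the sample, the monitoring agent passes (both of its host paths are allowed and mounted read-only), while the pod mounting `/` and the logging agent that mounts `/var/log/pods` read-write are reported. Each finding names the namespace, pod, volume and host path, which is what the reviewer needs in order to decide whether the workload is one of the trusted exceptions or a policy violation.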

Implementation Plan:

Using Azure Console:

  1. In the Azure portal, go to your AKS cluster and navigate to PodSecurityPolicies (or configure equivalent policies).

  2. Apply a PodSecurityPolicy that restricts the use of HostPath volumes. You can define a policy that only allows HostPath volumes from trusted paths and blocks all others:

     apiVersion: policy/v1beta1
     kind: PodSecurityPolicy
     metadata:
       name: restrict-hostpath
     spec:
       # Permitted volume types; hostPath is further constrained below.
       volumes:
         - configMap
         - secret
         - emptyDir
         - persistentVolumeClaim
         - hostPath
       # hostPath volumes must lie under this prefix and be mounted read-only.
       allowedHostPaths:
         - pathPrefix: "/allowed/path"
           readOnly: true
       # Required fields, left unconstrained by this policy.
       seLinux: {rule: RunAsAny}
       runAsUser: {rule: RunAsAny}
       supplementalGroups: {rule: RunAsAny}
       fsGroup: {rule: RunAsAny}

  3. Ensure that the PodSecurityPolicy is enforced and that only the necessary workloads are allowed to use HostPath volumes from approved paths.

Using Azure CLI:

  1. To apply a PodSecurityPolicy that restricts HostPath volumes, create the YAML definition and save it as pod-security-policy.yaml:

     apiVersion: policy/v1beta1
     kind: PodSecurityPolicy
     metadata:
       name: restrict-hostpath
     spec:
       # Permitted volume types; hostPath is further constrained below.
       volumes:
         - configMap
         - secret
         - emptyDir
         - persistentVolumeClaim
         - hostPath
       # hostPath volumes must lie under this prefix and be mounted read-only.
       allowedHostPaths:
         - pathPrefix: "/allowed/path"
           readOnly: true
       # Required fields, left unconstrained by this policy.
       seLinux: {rule: RunAsAny}
       runAsUser: {rule: RunAsAny}
       supplementalGroups: {rule: RunAsAny}
       fsGroup: {rule: RunAsAny}

  2. Apply the policy using the following command:

     kubectl apply -f pod-security-policy.yaml


  3. Ensure that the PodSecurityPolicy is enforced for the cluster by granting the "use" verb on the policy to the identities that create the trusted workloads, and binding it only in their namespace:

     kubectl create clusterrole psp-restrict-hostpath --verb=use --resource=podsecuritypolicies --resource-name=restrict-hostpath
     kubectl create rolebinding psp-binding --clusterrole=psp-restrict-hostpath --user=<user-name> --namespace=<namespace-name>
     # Pods created by controllers run under a service account; bind that identity instead
     # with --serviceaccount=<namespace-name>:<service-account-name> rather than --user.

Backout Plan:

Using Azure Console:

  1. If restricting HostPath volumes causes issues with legitimate workloads, revert the changes in the Azure portal by modifying or removing the PodSecurityPolicy.

Using Azure CLI:

  1. If the PodSecurityPolicy causes issues with valid workloads, remove or modify the policy:

     kubectl delete podsecuritypolicy restrict-hostpath



  2. Revert any role bindings if necessary to restore previous configurations.

References:

  1. Azure Kubernetes Service (AKS) Best Practices