forked from kubescape/regolibrary
-
Notifications
You must be signed in to change notification settings - Fork 0
/
hostPathmount.json
18 lines (18 loc) · 968 Bytes
/
hostPathmount.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
{
"name": "HostPath mount",
"attributes": {
"armoBuiltin": true,
"microsoftMitreColumns": [
"Privilege escalation"
]
},
"description": "Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the PODs using hostPath mount.",
"example": "apiVersion: v1\nkind: Pod\nmetadata:\n name: test-pd\nspec:\n containers:\n - image: k8s.gcr.io/test-webserver\n name: test-container\n volumeMounts:\n - mountPath: /test-pd\n name: test-volume\n volumes:\n - name: test-volume\n hostPath: # This field triggers failure!\n path: /data\n type: Directory\n",
"remediation": "Remove hostPath mounts unless they are absolutely necessary and use exception mechanism to remove notifications.",
"rulesNames": [
"alert-any-hostpath"
],
"id": "C-0048",
"controlID": "C-0048",
"baseScore": 6.0
}