Finds containers that have sensitive host paths mounted.
kubeaudit mounts [flags]
Short | Long | Description | Default |
---|---|---|---|
-s | --paths | List of sensitive paths that shouldn't be mounted. | default sensitive host paths list |
Also see Global Flags
Host path | Description |
---|---|
/proc | Pseudo-filesystem which provides an interface to kernel data structures |
/var/run/docker.sock | Unix socket used to communicate with Docker daemon |
/ | Filesystem's root |
/etc | Directory that usually contains all system-related configuration files |
/root | Home directory of the root user |
/var/run/crio/crio.sock | Unix socket used to communicate with the CRI-O Container Engine |
/home/admin | Home directory of the admin user |
/var/lib/kubelet | Directory for kubelet-related configuration and state |
/var/lib/kubelet/pki | Directory containing the certificate and private key of the kubelet |
/etc/kubernetes | Directory containing Kubernetes related configuration |
/etc/kubernetes/manifests | Directory containing manifest of Kubernetes components |
$ kubeaudit mounts -f auditors/mounts/fixtures/proc-mounted.yml
---------------- Results for ---------------
apiVersion: v1
kind: Pod
metadata:
name: pod
namespace: proc-mounted
--------------------------------------------
-- [error] SensitivePathsMounted
Message: Sensitive path mounted as volume: proc-volume (/proc -> /host/proc, readOnly: false). It should be removed from the container's mounts list.
Metadata:
Container: container
Mount: proc-volume
A custom list of paths can be provided in the config file (see the docs for details). These are the host paths kubeaudit should raise an error for when they are mounted in a container. The list you supply replaces the default list rather than extending it, so include any default paths you still want enforced.
config.yaml
```yaml
---
auditors:
  mounts:
    paths: ["/etc", "/var/run/docker.sock"]
```
manifest.yaml
```yaml
apiVersion: apps/v1beta2
kind: Deployment
metadata:
  name: deployment
  namespace: example-namespace
spec:
  template:
    spec:
      containers:
        - name: container
          image: scratch
          volumeMounts:
            - mountPath: /host/etc
              name: etc-volume
            - mountPath: /var/run/docker.sock
              name: docker-socket-volume
      volumes:
        - name: etc-volume
          hostPath:
            path: /etc
        - name: docker-socket-volume
          hostPath:
            path: /var/run/docker.sock
```
$ kubeaudit all --kconfig "config.yaml" -f "manifest.yaml"
---------------- Results for ---------------
apiVersion: apps/v1beta2
kind: Deployment
metadata:
name: deployment
namespace: example-namespace
--------------------------------------------
-- [error] SensitivePathsMounted
Message: Sensitive path mounted as volume: etc-volume (/etc -> /host/etc, readOnly: false). It should be removed from the container's mounts list.
Metadata:
Container: container
Mount: etc-volume
-- [error] SensitivePathsMounted
Message: Sensitive path mounted as volume: docker-socket-volume (/var/run/docker.sock -> /var/run/docker.sock, readOnly: false). It should be removed from the container's mounts list.
Metadata:
Container: container
Mount: docker-socket-volume
A custom list of paths can also be provided as a comma-separated list using the --paths flag. These are the host paths kubeaudit should raise an error for when they are mounted in a container. As with the config file, the list given on the command line replaces the default list.
manifest.yaml
(example manifest)
```yaml
      volumes:
        - name: etc-volume
          hostPath:
            path: /etc
        - name: docker-socket-volume
          hostPath:
            path: /var/run/docker.sock
```
$ kubeaudit mounts --paths "/etc,/var/run/docker.sock" -f "manifest.yaml"
---------------- Results for ---------------
apiVersion: apps/v1beta2
kind: Deployment
metadata:
name: deployment
namespace: example-namespace
--------------------------------------------
-- [error] SensitivePathsMounted
Message: Sensitive path mounted as volume: etc-volume (/etc -> /host/etc, readOnly: false). It should be removed from the container's mounts list.
Metadata:
Container: container
Mount: etc-volume
-- [error] SensitivePathsMounted
Message: Sensitive path mounted as volume: docker-socket-volume (/var/run/docker.sock -> /var/run/docker.sock, readOnly: false). It should be removed from the container's mounts list.
Metadata:
Container: container
Mount: docker-socket-volume
Mounting some sensitive host paths (like /etc, /proc, or /var/run/docker.sock) may allow a container to access sensitive information from the host, such as credentials, or to spy on other workloads' activity. Mounting the Docker socket in particular is equivalent to root on the node: anything that can talk to the Docker daemon can start a privileged container with the host filesystem mounted. These sensitive paths should not be mounted.
Example of a resource which fails the mounts audit:
```yaml
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: container
          image: scratch
          volumeMounts:
            - mountPath: /host/proc
              name: proc-volume
      volumes:
        - name: proc-volume
          hostPath:
            path: /proc
```
First, see the Introduction to Override Errors.
The override identifier has the format allow-host-path-mount-[mount name], which allows each mount to be overridden individually. The [mount name] is the volume name referenced in volumeMounts (proc-volume below), not the host path.
Example of resource with mounts overridden for a specific container:
```yaml
apiVersion: apps/v1
kind: Deployment
spec:
  template: #PodTemplateSpec
    metadata:
      labels:
        container.audit.kubernetes.io/container2.allow-host-path-mount-proc-volume: "SomeReason"
    spec: #PodSpec
      containers:
        - name: container1
          image: scratch
        - name: container2
          image: scratch
          volumeMounts:
            - mountPath: /host/proc
              name: proc-volume
      volumes:
        - name: proc-volume
          hostPath:
            path: /proc
```
Example of resource with mounts overridden for a whole pod:
```yaml
apiVersion: apps/v1
kind: Deployment
spec:
  template: #PodTemplateSpec
    metadata:
      labels:
        audit.kubernetes.io/pod.allow-host-path-mount-proc-volume: "SomeReason"
    spec: #PodSpec
      containers:
        - name: container1
          image: scratch
          volumeMounts:
            - mountPath: /host/proc
              name: proc-volume
        - name: container2
          image: scratch
          volumeMounts:
            - mountPath: /host/proc
              name: proc-volume
      volumes:
        - name: proc-volume
          hostPath:
            path: /proc
```
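The following is an added example, not kubeaudit's own code, that re-implements the logic described on this page so the custom-paths behaviour and the override labels can be tried stand-alone: it walks a PodTemplateSpec-shaped dict (the `template` of a Deployment, as `yaml.safe_load` would produce it), resolves each `volumeMounts` entry to its `hostPath`, flags mounts whose host path is on the sensitive list, and downgrades a finding to a warning when a matching container-level or pod-level `allow-host-path-mount-<mount name>` label is present. Assumptions: a host path is sensitive when it equals a listed path exactly after normalisation (kubeaudit's own matching rule is not stated on this page), and the sample manifest and its `tmp` emptyDir volume are constructed for the example.

```python
"""Stand-alone re-implementation of the "mounts" check described above.
Added example, not kubeaudit's code. Assumption: a hostPath is sensitive
when it equals a listed path exactly after normalisation."""
from posixpath import normpath

# Default sensitive host paths, as listed in the table on this page.
DEFAULT_SENSITIVE_PATHS = [
    "/proc", "/var/run/docker.sock", "/", "/etc", "/root",
    "/var/run/crio/crio.sock", "/home/admin", "/var/lib/kubelet",
    "/var/lib/kubelet/pki", "/etc/kubernetes", "/etc/kubernetes/manifests",
]

POD_LABEL_PREFIX = "audit.kubernetes.io/pod."
CONTAINER_LABEL_PREFIX = "container.audit.kubernetes.io/"
OVERRIDE = "allow-host-path-mount-"


def is_sensitive(host_path, sensitive_paths):
    """Exact match after normalising, so '/etc/' and '/etc/../etc' hit '/etc'."""
    target = normpath(host_path)
    return any(normpath(p) == target for p in sensitive_paths)


def override_reason(labels, container_name, mount_name):
    """Return the override reason if the mount is allowed for this container
    (container-level label) or for the whole pod (pod-level label), else None."""
    container_key = f"{CONTAINER_LABEL_PREFIX}{container_name}.{OVERRIDE}{mount_name}"
    pod_key = f"{POD_LABEL_PREFIX}{OVERRIDE}{mount_name}"
    return labels.get(container_key, labels.get(pod_key))


def audit_mounts(pod_template, sensitive_paths=None):
    """Audit one PodTemplateSpec-shaped dict. A custom list replaces the
    default list. Returns one finding per (container, sensitive mount)."""
    paths = DEFAULT_SENSITIVE_PATHS if sensitive_paths is None else sensitive_paths
    labels = pod_template.get("metadata", {}).get("labels") or {}
    spec = pod_template["spec"]
    # Map volume name -> host path; non-hostPath volumes are never flagged.
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for container in spec.get("containers", []):
        for mount in container.get("volumeMounts", []):
            host_path = host_paths.get(mount["name"])
            if host_path is None or not is_sensitive(host_path, paths):
                continue
            reason = override_reason(labels, container["name"], mount["name"])
            findings.append({
                "level": "warning" if reason is not None else "error",
                "container": container["name"],
                "mount": mount["name"],
                "hostPath": host_path,
                "mountPath": mount["mountPath"],
                "readOnly": bool(mount.get("readOnly", False)),
                "reason": reason,
            })
    return findings


def format_finding(f):
    """Render a finding in the same shape as the kubeaudit messages above."""
    line = (f"[{f['level']}] SensitivePathsMounted: {f['mount']} "
            f"({f['hostPath']} -> {f['mountPath']}, readOnly: "
            f"{str(f['readOnly']).lower()}) in container {f['container']}")
    return line + (f" (overridden: {f['reason']})" if f["reason"] else "")


# Constructed sample: the per-container override example from this page, plus
# a read-only /etc/ mount on container1 and a harmless emptyDir volume.
SAMPLE_TEMPLATE = {
    "metadata": {"labels": {
        "container.audit.kubernetes.io/container2.allow-host-path-mount-proc-volume": "SomeReason",
    }},
    "spec": {
        "containers": [
            {"name": "container1", "image": "scratch",
             "volumeMounts": [{"mountPath": "/host/etc", "name": "etc-volume", "readOnly": True},
                              {"mountPath": "/scratch", "name": "tmp"}]},
            {"name": "container2", "image": "scratch",
             "volumeMounts": [{"mountPath": "/host/proc", "name": "proc-volume"}]},
        ],
        "volumes": [
            {"name": "proc-volume", "hostPath": {"path": "/proc"}},
            {"name": "etc-volume", "hostPath": {"path": "/etc/"}},
            {"name": "tmp", "emptyDir": {}},
        ],
    },
}

if __name__ == "__main__":
    for finding in audit_mounts(SAMPLE_TEMPLATE):
        print(format_finding(finding))
```

Running it on the constructed sample reports the /etc/ mount on container1 as an error (the readOnly flag is reported but, as in kubeaudit's output, does not suppress the finding) and the /proc mount on container2 as a warning carrying "SomeReason"; passing `["/var/run/docker.sock"]` as a custom list yields no findings at all, which is the practical consequence of a custom list replacing the defaults.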