Finds containers that have sensitive host paths mounted.

```
kubeaudit mounts [flags]
```

| Short | Long | Description | Default |
|---|---|---|---|
| -d | --denyPathsList | List of sensitive paths that shouldn't be mounted. | default sensitive host paths list |

Also see Global Flags
| Host path | Description |
|---|---|
| /proc | Pseudo-filesystem which provides an interface to kernel data structures |
| / | Filesystem's root |
| /etc | Directory that usually contains all system-related configuration files |
| /root | Home directory of the root user |
| /var/run/docker.sock | Unix socket used to communicate with the Docker daemon |
| /var/run/crio/crio.sock | Unix socket used to communicate with the CRI-O container engine |
| /run/containerd/containerd.sock | Unix socket used to communicate with the containerd container runtime |
| /home/admin | Home directory of the admin user |
| /var/lib/kubelet | Directory for kubelet-related configuration |
| /var/lib/kubelet/pki | Directory containing the certificate and private key of the kubelet |
| /etc/kubernetes | Directory containing Kubernetes-related configuration |
| /etc/kubernetes/manifests | Directory containing the manifests of Kubernetes components |
```
$ kubeaudit mounts -f auditors/mounts/fixtures/proc-mounted.yml

---------------- Results for ---------------

  apiVersion: v1
  kind: Pod
  metadata:
    name: pod
    namespace: proc-mounted

--------------------------------------------

-- [error] SensitivePathsMounted
   Message: Sensitive path mounted as volume: proc-volume (/proc -> /host/proc, readOnly: false). It should be removed from the container's mounts list.
   Metadata:
      Container: container
      MountName: proc-volume
      MountPath: /host/proc
      MountReadOnly: false
      MountVolume: proc-volume
      MountVolumeHostPath: /proc
```
If you don't want kubeaudit to raise errors for all the paths in the default list (DefaultSensitivePaths), you can provide a custom paths list in the config file. See docs for more information. That way kubeaudit will only raise errors for those specific paths listed in the config file.
`config.yaml`

```yaml
---
enabledAuditors:
  mounts: true
auditors:
  mounts:
    denyPathsList: ["/etc", "/var/run/docker.sock"]
```
`manifest.yaml`

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment
  namespace: example-namespace
spec:
  template:
    spec:
      containers:
        - name: container
          image: scratch
          volumeMounts:
            - mountPath: /host/etc
              name: etc-volume
            - mountPath: /var/run/docker.sock
              name: docker-socket-volume
      volumes:
        - name: etc-volume
          hostPath:
            path: /etc
        - name: docker-socket-volume
          hostPath:
            path: /var/run/docker.sock
```
```
$ kubeaudit all --kconfig "config.yaml" -f "manifest.yaml"

---------------- Results for ---------------

  apiVersion: apps/v1beta2
  kind: Deployment
  metadata:
    name: deployment
    namespace: example-namespace

--------------------------------------------

-- [error] SensitivePathsMounted
   Message: Sensitive path mounted as volume: etc-volume (hostPath: /etc). It should be removed from the container's mounts list.
   Metadata:
      Container: container
      MountName: etc-volume
      MountPath: /host/etc
      MountReadOnly: false
      MountVolume: etc-volume
      MountVolumeHostPath: /etc

-- [error] SensitivePathsMounted
   Message: Sensitive path mounted as volume: docker-socket-volume (hostPath: /var/run/docker.sock). It should be removed from the container's mounts list.
   Metadata:
      MountReadOnly: false
      MountVolume: docker-socket-volume
      MountVolumeHostPath: /var/run/docker.sock
      Container: container
      MountName: docker-socket-volume
      MountPath: /var/run/docker.sock
```
A custom paths list can also be provided as a comma-separated list of paths using the `--denyPathsList` flag. These are the host paths for which you'd like kubeaudit to raise an error when they are mounted in a container.
`manifest.yaml` (example manifest)

```yaml
volumes:
  - name: etc-volume
    hostPath:
      path: /etc
  - name: docker-socket-volume
    hostPath:
      path: /var/run/docker.sock
```
```
$ kubeaudit mounts --denyPathsList "/etc,/var/run/docker.sock" -f "manifest.yaml"

---------------- Results for ---------------

  apiVersion: apps/v1beta2
  kind: Deployment
  metadata:
    name: deployment
    namespace: example-namespace

--------------------------------------------

-- [error] SensitivePathsMounted
   Message: Sensitive path mounted as volume: etc-volume (hostPath: /etc). It should be removed from the container's mounts list.
   Metadata:
      Container: container
      MountName: etc-volume
      MountPath: /host/etc
      MountReadOnly: false
      MountVolume: etc-volume
      MountVolumeHostPath: /etc

-- [error] SensitivePathsMounted
   Message: Sensitive path mounted as volume: docker-socket-volume (hostPath: /var/run/docker.sock). It should be removed from the container's mounts list.
   Metadata:
      Container: container
      MountName: docker-socket-volume
      MountPath: /var/run/docker.sock
      MountReadOnly: false
      MountVolume: docker-socket-volume
      MountVolumeHostPath: /var/run/docker.sock
```
Mounting some sensitive host paths (like `/etc`, `/proc`, or `/var/run/docker.sock`) may allow a container to access sensitive information from the host, like credentials, or to spy on other workloads' activity. These sensitive paths should not be mounted.
Example of a resource which fails the `mounts` audit:

```yaml
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: container
          image: scratch
          volumeMounts:
            - mountPath: /host/proc
              name: proc-volume
      volumes:
        - name: proc-volume
          hostPath:
            path: /proc
```
First, see the Introduction to Override Errors.

The override identifier has the format `allow-host-path-mount-[mount name]`, which allows each mount to be overridden individually.
Example of a resource with `mounts` overridden for a specific container:

```yaml
apiVersion: apps/v1
kind: Deployment
spec:
  template: # PodTemplateSpec
    metadata:
      labels:
        container.kubeaudit.io/container2.allow-host-path-mount-proc-volume: "SomeReason"
    spec: # PodSpec
      containers:
        - name: container1
          image: scratch
        - name: container2
          image: scratch
          volumeMounts:
            - mountPath: /host/proc
              name: proc-volume
      volumes:
        - name: proc-volume
          hostPath:
            path: /proc
```
Example of a resource with `mounts` overridden for a whole pod:

```yaml
apiVersion: apps/v1
kind: Deployment
spec:
  template: # PodTemplateSpec
    metadata:
      labels:
        kubeaudit.io/allow-host-path-mount-proc-volume: "SomeReason"
    spec: # PodSpec
      containers:
        - name: container1
          image: scratch
          volumeMounts:
            - mountPath: /host/proc
              name: proc-volume
        - name: container2
          image: scratch
          volumeMounts:
            - mountPath: /host/proc
              name: proc-volume
      volumes:
        - name: proc-volume
          hostPath:
            path: /proc
```
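The following is an added example, not kubeaudit's own code, that reproduces the behaviour documented on this page end to end: the deny-list check from the examples above (default list or a custom `denyPathsList`) and both override label forms from this section. The manifest is passed in already decoded into Python dicts (the shape `yaml.safe_load` produces), so it runs without a YAML library; the two-volume Deployment from the examples is embedded as constructed sample input. Assumptions that go beyond what the page states: a deny-list entry matches the volume's `hostPath.path` exactly; a present override label suppresses the error for that mount whatever its reason string; `initContainers` are audited the same way as `containers`; `with_labels` is a constructed helper.

```python
"""Re-implementation of the mounts audit, written as an added example (not kubeaudit's code)."""
import copy

# The default sensitive host paths table from this page.
DEFAULT_SENSITIVE_PATHS = frozenset({
    "/proc", "/", "/etc", "/root", "/var/run/docker.sock",
    "/var/run/crio/crio.sock", "/run/containerd/containerd.sock", "/home/admin",
    "/var/lib/kubelet", "/var/lib/kubelet/pki", "/etc/kubernetes",
    "/etc/kubernetes/manifests",
})


def _pod_template(manifest):
    """Return (labels, pod spec) for a bare Pod or for a workload with a pod template."""
    if manifest.get("kind") == "Pod":
        meta, spec = manifest.get("metadata") or {}, manifest.get("spec") or {}
    else:
        tpl = (manifest.get("spec") or {}).get("template") or {}
        meta, spec = tpl.get("metadata") or {}, tpl.get("spec") or {}
    return meta.get("labels") or {}, spec


def _overridden(labels, container, volume):
    """True when the pod-level or the container-level override label is present.

    Assumption: presence of the label is enough; its value is only the reason string.
    """
    pod_key = f"kubeaudit.io/allow-host-path-mount-{volume}"
    ctr_key = f"container.kubeaudit.io/{container}.allow-host-path-mount-{volume}"
    return pod_key in labels or ctr_key in labels


def audit_mounts(manifest, deny_paths=None):
    """Return one finding dict per sensitive hostPath mount, shaped like kubeaudit's Metadata."""
    deny = set(deny_paths) if deny_paths is not None else DEFAULT_SENSITIVE_PATHS
    labels, pod_spec = _pod_template(manifest)
    # Map each hostPath volume name to the host path it exposes (exact-match assumption).
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in pod_spec.get("volumes") or [] if "hostPath" in v}
    findings = []
    all_containers = (pod_spec.get("containers") or []) + (pod_spec.get("initContainers") or [])
    for ctr in all_containers:
        for mount in ctr.get("volumeMounts") or []:
            host_path = host_paths.get(mount["name"])  # None for non-hostPath volumes
            if host_path not in deny or _overridden(labels, ctr["name"], mount["name"]):
                continue
            findings.append({
                "Container": ctr["name"],
                "MountName": mount["name"],
                "MountPath": mount["mountPath"],
                "MountReadOnly": bool(mount.get("readOnly", False)),
                "MountVolume": mount["name"],
                "MountVolumeHostPath": host_path,
            })
    return findings


# Constructed sample input: the two-volume Deployment from the examples above, as dicts.
DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "deployment", "namespace": "example-namespace"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "container", "image": "scratch", "volumeMounts": [
            {"mountPath": "/host/etc", "name": "etc-volume"},
            {"mountPath": "/var/run/docker.sock", "name": "docker-socket-volume"},
        ]}],
        "volumes": [
            {"name": "etc-volume", "hostPath": {"path": "/etc"}},
            {"name": "docker-socket-volume", "hostPath": {"path": "/var/run/docker.sock"}},
        ],
    }}},
}


def with_labels(manifest, labels):
    """Constructed helper: copy of a workload manifest with the given pod-template labels."""
    out = copy.deepcopy(manifest)
    out["spec"]["template"].setdefault("metadata", {})["labels"] = dict(labels)
    return out


if __name__ == "__main__":
    for f in audit_mounts(DEPLOYMENT):
        print(f"[error] SensitivePathsMounted: {f['MountName']} "
              f"({f['MountVolumeHostPath']} -> {f['MountPath']}, readOnly: {f['MountReadOnly']})")
```

Run stand-alone it reports the same two mounts the page's `kubeaudit all --kconfig` run reports. Passing `deny_paths=["/etc"]` mirrors a custom `denyPathsList` and leaves only the `/etc` finding; adding the pod-level label `kubeaudit.io/allow-host-path-mount-etc-volume` or the container-level label `container.kubeaudit.io/container.allow-host-path-mount-etc-volume` to the template metadata suppresses that finding, while a container-level label naming a different container does not.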