Enforce Trusted Volume Types 1.2.5

Enforces that only the following predefined set of trusted volume types can be used in a Pod's volumes list:

  • configMap
  • downwardAPI
  • emptyDir
  • persistentVolumeClaim
  • secret
  • projected

The volume type of most concern is hostPath: it gives a container direct access to the node's filesystem. This policy prevents containers from mounting node paths such as /etc/passwd or /var/run/docker.sock, which would expose node credentials or the container runtime socket.

Note that this policy is part of the following security standards:

  • k8s/baseline: Minimally restrictive policy while preventing known privilege escalations.
  • k8s/restricted: Heavily restricted policy, following current Pod hardening best practices.
  • nist/SP.800-190: NIST Special Publication 800-190 - Application Container Security Guide: Section 3.5.5
  • bsi/containerization: BSI IT-Grundschutz "Containerisierung": Section: SYS.1.6.A16, SYS.1.6.A19, SYS.1.6.A21
  • bsi/kubernetes: BSI IT-Grundschutz "Kubernetes": Section: APP.4.4.A4

Categories

  • Host Access
  • Security

Applies to

  • Pod
  • ReplicaSet
  • ReplicationController
  • Deployment
  • StatefulSet
  • DaemonSet
  • Job
  • CronJob

Example

The lines marked with - are the ones this policy rejects: a hostPath volume in the Pod template. Removing them leaves a compliant Deployment.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.14.2
-     volumes:
-       - name: volumename
-         hostPath:
-           path: /data
-           type: Directory

Risk acceptance

Use the annotation securitytower.io/policy.exclusion.enforcetrustedvolumetypes as in the example below. Its value should state why the non-trusted volume is required.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: your-deployment
  annotations:
    securitytower.io/policy.exclusion.enforcetrustedvolumetypes: |-
      This container relies on a non-trusted volume.
...
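The following is an added example and not Security Tower's own code: a small Python checker modelled on this policy. It locates the Pod template for each kind listed under "Applies to" (a CronJob nests a Job template, so its Pod spec sits one level deeper), compares every volume's type against the trusted list above, and treats the exclusion annotation from "Risk acceptance" as an accepted risk. The sample manifests are constructed for the example, and the rule that any non-blank annotation value counts as an accepted risk is an assumption of this example, not documented product behaviour.

```python
# Added example, not Security Tower code: a checker that mirrors the
# "Enforce Trusted Volume Types" policy for the workload kinds it applies to.

TRUSTED_VOLUME_TYPES = {
    "configMap", "downwardAPI", "emptyDir",
    "persistentVolumeClaim", "secret", "projected",
}

EXCLUSION_ANNOTATION = (
    "securitytower.io/policy.exclusion.enforcetrustedvolumetypes"
)

# Path to the Pod spec inside each supported kind. A CronJob wraps a Job
# template, so its Pod template is one level deeper than the others.
_TEMPLATE = ("spec", "template", "spec")
POD_SPEC_PATHS = {"Pod": ("spec",),
                  "CronJob": ("spec", "jobTemplate") + _TEMPLATE}
POD_SPEC_PATHS.update({k: _TEMPLATE for k in (
    "ReplicaSet", "ReplicationController", "Deployment",
    "StatefulSet", "DaemonSet", "Job")})


def _dig(obj, path):
    """Follow a sequence of keys through nested dicts; None if any is missing."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def volume_type(volume):
    """A Pod volume is {'name': ..., <type>: {...}} with exactly one type key.
    Return that key, or None for a malformed entry (also treated as untrusted)."""
    keys = [k for k in volume if k != "name"]
    return keys[0] if len(keys) == 1 else None


def untrusted_volumes(manifest):
    """[(volume name, volume type)] for each volume outside the trusted set.
    Kinds the policy does not apply to yield no findings."""
    path = POD_SPEC_PATHS.get(manifest.get("kind"))
    if path is None:
        return []
    pod_spec = _dig(manifest, path) or {}
    return [
        (vol.get("name"), volume_type(vol))
        for vol in (pod_spec.get("volumes") or [])
        if volume_type(vol) not in TRUSTED_VOLUME_TYPES
    ]


def is_excluded(manifest):
    """Assumption for this example: any non-blank justification in the
    exclusion annotation counts as an accepted risk."""
    annotations = _dig(manifest, ("metadata", "annotations")) or {}
    return bool(str(annotations.get(EXCLUSION_ANNOTATION, "")).strip())


def evaluate(manifest):
    """'pass' (no untrusted volume), 'fail', or 'excluded' (risk accepted)."""
    if not untrusted_volumes(manifest):
        return "pass"
    return "excluded" if is_excluded(manifest) else "fail"


# Constructed sample manifests for this example (not from a real cluster).
HOSTPATH_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "nginx-deployment"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "nginx", "image": "nginx:1.14.2"}],
        "volumes": [{"name": "data", "hostPath": {"path": "/data"}}],
    }}},
}

EXCLUDED_CRONJOB = {
    "apiVersion": "batch/v1", "kind": "CronJob",
    "metadata": {"name": "node-backup", "annotations": {
        EXCLUSION_ANNOTATION: "Backup agent needs the docker socket.",
    }},
    "spec": {"jobTemplate": {"spec": {"template": {"spec": {
        "containers": [{"name": "backup", "image": "backup:1.0"}],
        "volumes": [{"name": "sock",
                     "hostPath": {"path": "/var/run/docker.sock"}}],
    }}}}},
}

COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "containers": [{"name": "web", "image": "nginx:1.14.2"}],
        "volumes": [{"name": "tmp", "emptyDir": {}},
                    {"name": "tls", "secret": {"secretName": "web-tls"}}],
    },
}

if __name__ == "__main__":
    for m in (HOSTPATH_DEPLOYMENT, EXCLUDED_CRONJOB, COMPLIANT_POD):
        print(m["kind"], m["metadata"]["name"], evaluate(m),
              untrusted_volumes(m))
```

The checker only inspects manifest structure; it is a pre-deployment or audit aid and does not replace admission-time enforcement in the cluster. Note that a malformed volume entry with no type key is reported as untrusted rather than silently passed, so a truncated or mis-indented manifest fails closed.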