Workload Mounting With Sensitive OS Directory

YAML Configuration

rule.yaml YAML

apiVersion: rules.spotter.dev/v1alpha1
kind: SpotterRule
metadata:
  name: spotter-workload-013
  labels:
    severity: "critical"
    category: "workload"
  annotations:
    rules.spotter.dev/title: "Workload Mounting With Sensitive OS Directory"
    rules.spotter.dev/version: "1.0.0"
    rules.spotter.dev/cwe: "CWE-269" 
    rules.spotter.dev/description: "Workloads should not mount sensitive host directories (e.g., `/etc`, `/var`, `/usr`) with write permissions, as this can lead to privilege escalation or system compromise."
spec:
  match:
    resources:
      kubernetes:
        apiGroups:
          - ""
          - "apps"
          - "serving.knative.dev"
        versions:
          - "v1"
        kinds:
          - Pod
          - Deployment
          - StatefulSet
          - DaemonSet
          - PersistentVolume
          - Configuration
        namespaces:
          include: ["*"]
          exclude: ["kube-system", "kube-public"]
        labels:
          exclude:
            rules.spotter.dev/ignore: ["true"]
  cel: |
    (object.kind == 'PersistentVolume' && has(object.spec.hostPath) && (
      object.spec.hostPath.path == '/' ||
      object.spec.hostPath.path.startsWith('/etc') ||
      object.spec.hostPath.path.startsWith('/var') ||
      object.spec.hostPath.path.startsWith('/usr') ||
      object.spec.hostPath.path.startsWith('/proc') ||
      object.spec.hostPath.path.startsWith('/sys') ||
      object.spec.hostPath.path.startsWith('/root') ||
      object.spec.hostPath.path.startsWith('/dev') ||
      object.spec.hostPath.path.startsWith('/boot')
    )) ||
    (object.kind == 'Pod' && has(object.spec.volumes) && object.spec.volumes.exists(v, has(v.hostPath) && (
      v.hostPath.path == '/' ||
      v.hostPath.path.startsWith('/etc') ||
      v.hostPath.path.startsWith('/var') ||
      v.hostPath.path.startsWith('/usr') ||
      v.hostPath.path.startsWith('/proc') ||
      v.hostPath.path.startsWith('/sys') ||
      v.hostPath.path.startsWith('/root') ||
      v.hostPath.path.startsWith('/dev') ||
      v.hostPath.path.startsWith('/boot')
    ))) ||
    (object.kind != 'Pod' && object.kind != 'PersistentVolume' && has(object.spec.template.spec.volumes) && object.spec.template.spec.volumes.exists(v, has(v.hostPath) && (
      v.hostPath.path == '/' ||
      v.hostPath.path.startsWith('/etc') ||
      v.hostPath.path.startsWith('/var') ||
      v.hostPath.path.startsWith('/usr') ||
      v.hostPath.path.startsWith('/proc') ||
      v.hostPath.path.startsWith('/sys') ||
      v.hostPath.path.startsWith('/root') ||
      v.hostPath.path.startsWith('/dev') ||
      v.hostPath.path.startsWith('/boot')
    )))
  remediation:
    manual: "Avoid mounting sensitive host directories. If necessary, ensure they are mounted as read-only by setting `readOnly: true` in the volume mount."
  references:
    - title: "Kubernetes Volumes"
      url: "https://kubernetes.io/docs/concepts/storage/volumes/#hostpath"

Test Cases

test-cases.yaml YAML

- name: insecure sample 1 should fail
  pass: false
  input: |-
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      labels:
        app: prometheus
        chart: prometheus-11.1.2
        component: node-exporter
        heritage: Helm
        release: exporter
      name: exporter-prometheus-node-exporter
      namespace: monitoring
    spec:
      selector:
        matchLabels:
          app: prometheus
          component: node-exporter
          release: exporter
      template:
        metadata:
          labels:
            app: prometheus
            chart: prometheus-11.1.2
            component: node-exporter
            heritage: Helm
            release: exporter
        spec:
          containers:
            - args:
                - --path.procfs=/host/proc
                - --path.sysfs=/host/sys
              image: prom/node-exporter:v0.18.1
              imagePullPolicy: IfNotPresent
              name: prometheus-node-exporter
              ports:
                - containerPort: 9100
                  hostPort: 9100
                  name: metrics
                  protocol: TCP
              resources:
                limits:
                  cpu: 500m
                  memory: 200Mi
                requests:
                  cpu: 100m
                  memory: 200Mi
              terminationMessagePath: /dev/termination-log
              terminationMessagePolicy: File
              volumeMounts:
                - mountPath: /host/proc
                  name: proc
                  readOnly: true
                - mountPath: /host/sys
                  name: sys
                  readOnly: true
          dnsPolicy: ClusterFirst
          hostNetwork: true
          hostPID: true
          restartPolicy: Always
          schedulerName: default-scheduler
          serviceAccount: exporter-prometheus-node-exporter
          serviceAccountName: exporter-prometheus-node-exporter
          terminationGracePeriodSeconds: 30
          volumes:
            - name: proc
              hostPath:
                path: /proc
                type: ""
            - name: sys
              hostPath:
                path: /sys
                type: ""
- name: insecure sample 2 should fail
  pass: false
  input: |-
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: fluentd-elasticsearch
      namespace: logs
      labels:
        k8s-app: fluentd-logging
    spec:
      selector:
        matchLabels:
          name: fluentd-elasticsearch
      template:
        metadata:
          labels:
            name: fluentd-elasticsearch
        spec:
          tolerations:
            - key: node-role.kubernetes.io/master
              effect: NoSchedule
          containers:
            - name: fluentd-elasticsearch
              image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2
              resources:
                limits:
                  cpu: 500m
                  memory: 200Mi
                requests:
                  cpu: 100m
                  memory: 200Mi
              volumeMounts:
                - name: varlog
                  mountPath: /var/log
                - name: varlibdockercontainers
                  mountPath: /var/lib/docker/containers
                  readOnly: true
          terminationGracePeriodSeconds: 30
          volumes:
            - name: varlog
              hostPath:
                path: /var/log
            - name: varlibdockercontainers
              hostPath:
                path: /var/lib/docker/containers
- name: insecure sample 3 should fail
  pass: false
  input: |-
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx-deployment
      namespace: default
      labels:
        app: nginx
    spec:
      replicas: 3
      selector:
        matchLabels:
          app: nginx
      template:
        metadata:
          labels:
            app: nginx
        spec:
          containers:
            - name: nginx
              image: nginx:1.14.2
              ports:
                - containerPort: 80
              volumeMounts:
                - name: static-page-dir
                  mountPath: /var/www/app/static
          volumes:
            - name: static-page-dir
              hostPath:
                path: /var/local/static
                type: DirectoryOrCreate
- name: insecure sample 4 should fail
  pass: false
  input: |-
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx-deployment-undefined-ns
      labels:
        app: nginx
    spec:
      replicas: 3
      selector:
        matchLabels:
          app: nginx
      template:
        metadata:
          labels:
            app: nginx
        spec:
          containers:
            - name: nginx
              image: nginx:1.14.2
              ports:
                - containerPort: 80
              volumeMounts:
                - name: static-page-dir
                  mountPath: /var/www/app/static
          volumes:
            - name: static-page-dir
              hostPath:
                path: /root/local/static
                type: DirectoryOrCreate
- name: insecure sample 5 should fail
  pass: false
  input: |-
    apiVersion: v1
    kind: Pod
    metadata:
      name: redis-memcache
      namespace: memcache
    spec:
      containers:
        - name: redis
          image: redis
          volumeMounts:
            - name: redis-storage
              mountPath: /data/redis
      volumes:
        - name: redis-storage
          hostPath:
            path: /var/redis/data
- name: insecure sample 6 should fail
  pass: false
  input: |-
    kind: Pod
    apiVersion: v1
    metadata:
      name: web-server-pod
    spec:
      volumes:
        - name: nginx-host-config
          hostPath:
            path: "/etc/nginx"
      containers:
        - name: nginx-container
          image: nginx
          ports:
            - containerPort: 80
              name: "http-server"
          volumeMounts:
            - mountPath: "/etc/nginx"
              name: nginx-host-config
- name: insecure sample 7 should fail
  pass: false
  input: |-
    apiVersion: v1
    kind: Pod
    metadata:
      name: malicious-pod
      namespace: default
    spec:
      containers:
        - name: evil-container
          image: alpine
          volumeMounts:
            - name: rootdir
              mountPath: /
      volumes:
        - name: rootdir
          hostPath:
            path: /
- name: insecure sample 8 should fail
  pass: false
  input: |-
    apiVersion: v1
    kind: Pod
    metadata:
      name: dood
    spec:
      containers:
        - name: docker-cmds
          image: docker:1.12.6
          command: ["docker", "run", "-p", "80:80", "httpd:latest"]
          resources:
            requests:
              cpu: 10m
              memory: 256Mi
          volumeMounts:
            - mountPath: /var/run
              name: docker-sock
      volumes:
        - name: docker-sock
          hostPath:
            path: /var/run
- name: insecure sample 9 should fail
  pass: false
  input: |-
    kind: PersistentVolume
    apiVersion: v1
    metadata:
      name: pv-001
      labels:
        type: local
    spec:
      storageClassName: manual
      capacity:
        storage: 10Gi
      accessModes:
        - ReadWriteOnce
      hostPath:
        path: "/dev/tty1"
- name: insecure sample 10 should fail
  pass: false
  input: |-
    kind: PersistentVolume
    apiVersion: v1
    metadata:
      name: pv-002
      labels:
        type: local
    spec:
      storageClassName: manual
      capacity:
        storage: 10Gi
      accessModes:
        - ReadWriteOnce
      hostPath:
        path: "/boot"
- name: insecure sample 11 should fail
  pass: false
  input: |-
    apiVersion: serving.knative.dev/v1
    kind: Configuration
    metadata:
      name: dummy-config
      namespace: default
    spec:
      template:
        spec:
          containers:
            - name: evil-container
              image: alpine
              volumeMounts:
                - name: rootdir
                  mountPath: /
          volumes:
            - name: rootdir
              hostPath:
                path: /
- name: secure sample 1 should pass
  pass: true
  input: |-
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: fluentd-elasticsearch
      namespace: kube-system
      labels:
        k8s-app: fluentd-logging
    spec:
      selector:
        matchLabels:
          name: fluentd-elasticsearch
      template:
        metadata:
          labels:
            name: fluentd-elasticsearch
        spec:
          tolerations:
            - key: node-role.kubernetes.io/master
              effect: NoSchedule
          containers:
            - name: fluentd-elasticsearch
              image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2
              resources:
                limits:
                  cpu: 500m
                  memory: 200Mi
                requests:
                  cpu: 100m
                  memory: 200Mi
              volumeMounts:
                - name: optmount
                  mountPath: /opt
          terminationGracePeriodSeconds: 30
          volumes:
            - name: optmount
              hostPath:
                path: /opt
- name: secure sample 2 should pass
  pass: true
  input: |-
    apiVersion: v1
    kind: Pod
    metadata:
      name: redis-empty-dir
      namespace: kube-system
    spec:
      containers:
        - name: redis
          image: redis
          volumeMounts:
            - name: redis-storage
              mountPath: /data/redis
      volumes:
        - name: redis-storage
          emptyDir: {}
- name: secure sample 3 should pass
  pass: true
  input: |-
    apiVersion: v1
    kind: Pod
    metadata:
      name: redis-tmp-dir
    spec:
      containers:
        - name: redis
          image: redis
          volumeMounts:
            - name: redis-storage-tmp
              mountPath: /data/redis
      volumes:
        - name: redis-storage-tmp
          hostPath:
            path: /tmp/redis-storage
            type: DirectoryOrCreate
- name: secure sample 4 should pass
  pass: true
  input: |-
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx-deployment
      labels:
        app: nginx
    spec:
      replicas: 3
      selector:
        matchLabels:
          app: nginx
      template:
        metadata:
          labels:
            app: nginx
        spec:
          containers:
            - name: nginx
              image: nginx:1.14.2
              ports:
                - containerPort: 80
              volumeMounts:
                - name: static-page-dir
                  mountPath: /var/www/app/static
          volumes:
            - name: static-page-dir
              hostPath:
                path: /tmp/static
                type: DirectoryOrCreate

Validating Admission Policy

validating-admission-policy.yaml YAML

# VAP export for spotter-workload-013
# Generated from Spotter rule
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: spotter-workload-013
spec:
  # Add your VAP configuration here

Rule Metadata

Workload Mounting With Sensitive OS Directory

YAML Configuration

Test Cases

Validating Admission Policy

Rule Metadata

Rule Information

Tags & Compliance

Compliance Standards

General Tags

Spotter Hub