HostPath Volume enabled on Containers

YAML Configuration

rule.yaml YAML

apiVersion: rules.spotter.dev/v1alpha1
kind: SpotterRule
metadata:
  name: spotter-workload-014
  labels:
    severity: "critical"
    category: "workload"
  annotations:
    rules.spotter.dev/title: "HostPath Volume enabled on Containers"
    rules.spotter.dev/version: "1.0.0"
    rules.spotter.dev/cwe: "CWE-732"
    rules.spotter.dev/description: "HostPath volumes mounting should not be used."
spec:
  match:
    resources:
      kubernetes:
        apiGroups:
          - ""
          - "apps"
        versions:
          - "v1"
        kinds:
          - Pod
          - Deployment
          - StatefulSet
          - DaemonSet
        namespaces:
          include: ["*"]
          exclude: ["kube-system", "kube-public"]
        labels:
          exclude:
            rules.spotter.dev/ignore: ["true"]
  cel: |
    (object.kind == 'Pod' && 
      has(object.spec.volumes) && object.spec.volumes.exists(v, has(v.hostPath))
    ) ||
    (object.kind != 'Pod' && 
      has(object.spec.template.spec.volumes) && object.spec.template.spec.volumes.exists(v, has(v.hostPath))
    )
  remediation:
    manual: "Never use hostPath volume mounts. Instead, use a read-only persistent volume claim (PVC) or a config map or secret."
  references:
    - title: "Volumes - hostPath"
      url: "https://kubernetes.io/docs/concepts/storage/volumes/#hostpath"

Test Cases

test-cases.yaml YAML

- name: insecure sample 1 should fail
  pass: false
  input: |-
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-0
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: pod-0
        volumeMounts:
        - mountPath: /bin
          name: vol-0
        - mountPath: /var
          name: vol-1
      volumes:
      - name: vol-0
        hostPath:
          path: /bin
          type: Directory
      - name: vol-1
        hostPath:
          path: /var
          type: Directory
- name: secure sample 1 should pass
  pass: true
  input: |-
    apiVersion: v1
    kind: Pod
    metadata:
      name: configmap-pod
    spec:
      volumes:
        - name: config-vol
          configMap:
            name: log-config
            items:
              - key: log_level
                path: log_level.conf
      containers:
        - name: test
          image: busybox:1.28
          volumeMounts:
            - name: config-vol
              mountPath: /etc/config
- name: secure sample 2 should pass
  pass: true
  input: |-
    apiVersion: v1
    kind: Pod
    metadata:
      name: secret-pod
    spec:
      containers:
        - name: test
          image: busybox:1.28
          command: ['sh', '-c', 'echo "Secret volume mounted" && tail -f /dev/null']
          volumeMounts:
            - name: secret-vol
              mountPath: /etc/secret
      volumes:
        - name: secret-vol
          secret:
            secretName: my-secret

Validating Admission Policy

validating-admission-policy.yaml YAML

# VAP export for spotter-workload-014
# Generated from Spotter rule
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: spotter-workload-014
spec:
  # Add your VAP configuration here

Rule Metadata

HostPath Volume enabled on Containers

YAML Configuration

Test Cases

Validating Admission Policy

Rule Metadata

Rule Information

Tags & Compliance

Compliance Standards

General Tags

Spotter Hub