☑️ Prevent container security vulnerability (CVE-2021-25741)
A vulnerability has been discovered in Kubernetes that allows users to create a container with subpath volume mounts to access files and directories outside of the volume, including the host filesystem (NVD severity of this issue: High).
Users who are able to exploit it can gain access to the host filesystem and compromise the Kubernetes node along with all the other running containers.
Targeted objects by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job
Complexity: hard
Policy as code identifier: CONTAINER_CVE2021_25741_INCORRECT_SUBPATH_KEY
This rule will fail
If the VolumeSubpath feature is used in your pods, i.e. the `subPath` property appears on a volume mount in your configuration files:

```yaml
spec:
  containers:
    - volumeMounts:
        - mountPath: /var/lib/mysql
          name: site-data
          subPath: mysql
```
Rule output in the CLI
```
$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent container security vulnerability (CVE-2021-25741) [1 occurrence]
💡 Forbidden property object `subPath` - malicious users can gain access to files & directories outside of the volume
```
How to fix this failure
CVE-2021-25741 was fixed in the following Kubernetes versions:
- v1.22.2
- v1.21.5
- v1.20.11
- v1.19.15
To mitigate this vulnerability without upgrading kubelet, you can disable the VolumeSubpath feature gate on kubelet and kube-apiserver, and remove any existing pods making use of the feature. The mount above, with the `subPath` key removed:

```yaml
spec:
  containers:
    - volumeMounts:
        - mountPath: /var/lib/mysql
          name: site-data
```
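The check this rule performs, and the inventory step the mitigation calls for ("remove any existing pods making use of the feature"), can both be done with one small script. The following is an added example, not Datree's own implementation: it walks the kinds listed on this page down to their PodSpec (CronJob nests one level deeper than the others), reports every volumeMount carrying a `subPath` key in containers and initContainers, and accepts a `kind: List` document so the same function works on manifests and on the JSON that `kubectl get pods -A -o json` returns. The sample objects, names and namespaces are constructed for the example; the functions `pod_spec`, `subpath_mounts` and `check_documents` are this example's own.

```python
"""Find volumeMounts that set subPath (the condition this rule flags) in
Kubernetes objects given as parsed JSON dicts."""
import json
import sys

# Where each targeted kind keeps its PodSpec. Kinds are the ones listed on
# this page; CronJob wraps a Job template and so nests one level deeper.
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def pod_spec(obj):
    """Return the PodSpec of a targeted object ({} if absent), None for other kinds."""
    path = POD_SPEC_PATHS.get(obj.get("kind"))
    if path is None:
        return None
    node = obj
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return {}
    return node if isinstance(node, dict) else {}


def subpath_mounts(obj):
    """List 'container:mountPath' for every volumeMount carrying a subPath key.
    initContainers are checked too: they are part of the same PodSpec."""
    spec = pod_spec(obj)
    if spec is None:
        return []
    hits = []
    for field in ("initContainers", "containers"):
        for container in spec.get(field) or []:
            for mount in container.get("volumeMounts") or []:
                if "subPath" in mount:
                    hits.append(f"{container.get('name', '?')}:{mount.get('mountPath', '?')}")
    return hits


def check_documents(docs):
    """Map 'Kind/namespace/name' -> findings for every offending object.
    A kind: List document (what `kubectl get ... -o json` returns) is unwrapped."""
    results = {}
    for doc in docs:
        items = (doc.get("items") or []) if doc.get("kind") == "List" else [doc]
        for obj in items:
            meta = obj.get("metadata") or {}
            ident = f"{obj.get('kind')}/{meta.get('namespace', 'default')}/{meta.get('name')}"
            hits = subpath_mounts(obj)
            if hits:
                results[ident] = hits
    return results


# Constructed samples (not the page's failExample.yaml): the first mirrors the
# failing snippet above, the second the corrected one, the third shows the
# CronJob nesting with the subPath sitting in an initContainer.
FAIL_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "site", "namespace": "web"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "mysql",
        "volumeMounts": [{"mountPath": "/var/lib/mysql",
                          "name": "site-data", "subPath": "mysql"}],
    }]}}},
}
PASS_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "site", "namespace": "web"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "mysql",
        "volumeMounts": [{"mountPath": "/var/lib/mysql", "name": "site-data"}],
    }]}}},
}
FAIL_CRONJOB = {
    "apiVersion": "batch/v1", "kind": "CronJob",
    "metadata": {"name": "backup", "namespace": "web"},
    "spec": {"jobTemplate": {"spec": {"template": {"spec": {
        "initContainers": [{"name": "prep", "volumeMounts": [
            {"mountPath": "/work", "name": "scratch", "subPath": "stage"}]}],
        "containers": [{"name": "dump"}],
    }}}}},
}

if __name__ == "__main__":
    # With file arguments, check JSON documents (e.g. `kubectl get pods -A -o json`
    # saved to a file); without, run on the constructed samples.
    if len(sys.argv) > 1:
        docs = []
        for path in sys.argv[1:]:
            with open(path) as fh:
                docs.append(json.load(fh))
    else:
        docs = [FAIL_DEPLOYMENT, PASS_DEPLOYMENT, FAIL_CRONJOB]
    findings = check_documents(docs)
    for ident, hits in findings.items():
        print(f"{ident}: subPath in {', '.join(hits)}")
    sys.exit(1 if findings else 0)
```

The script exits non-zero when anything is flagged, so it can sit in the same CI step as `datree test`; pointed at a saved `kubectl get pods -A -o json` dump it lists the running pods that still need to be removed or redeployed before the feature gate is switched off.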