☑️ Ensure hostPath volume mounts are read-only

A hostPath volume mounts a file or directory from the host node's filesystem into a Pod.

By default pods that run as root will have write access to the file system exposed by hostPath. This could allow an attacker to modify the kubelet settings, create symbolic links to directories or files not directly exposed by the hostPath, install ssh keys, read secrets mounted to the host, and other malicious things.

Targeted objects by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Complexity: easy (What does this mean?)

Policy as code identifier: EKS_INVALID_HOSTPATH_MOUNT_READONLY_VALUE

This rule will fail

If a hostPath volume is mounted without being set as read-only:

spec:
  volumes:
    - name: mount-this
      hostPath: 
        path: /cache
        type: Directory
  containers:
  - volumeMounts:
    - mountPath: /cache
      name: mount-this

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Ensure hostPath volume mounts are read-only [1 occurrence]
💡 Invalid key `readOnly` - set to 'true' to prevent potential attacks on the host filesystem

How to fix this failure

spec:
  volumes:
    - name: mount-this
      hostPath: 
        path: /cache
        type: Directory
  containers:
  - volumeMounts:
    - mountPath: /cache
      name: mount-this
      readOnly: true

This rule will fail​

Rule output in the CLI​

How to fix this failure​

Read more​

This rule will fail

Rule output in the CLI

How to fix this failure

Read more