
☑️ Prevent containers from accessing the underlying host

Kubernetes pods can mount files and directories from the node's own filesystem into their containers with a hostPath volume (a bind mount from the container host). A container that can read or write node paths through such a mount has a way to escape the container and compromise the underlying host, for example by reading credentials kept on the node, tampering with host binaries, or reaching the container runtime's socket. hostPath volumes should therefore not be used for application pods.

Targeted objects (by kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Complexity: easy

Policy as code identifier: CONTAINERS_INCORRECT_KEY_HOSTPATH


This rule will fail

If the key hostPath is used anywhere under the pod's volumes:

spec:
  volumes:
  - name: myVolume
    hostPath:
      path: /data

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent containers from accessing the underlying host [1 occurrence]
💡 Invalid key `hostPath` - refrain from using this mount to prevent an attack on the underlying host
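The check described above, written out as an added example (this is not Datree's own code): it walks to the pod spec of each targeted kind, including the CronJob whose pod template sits inside a jobTemplate, and reports every volume that carries a hostPath key, regardless of the path mounted. The manifests are embedded as constructed Python dicts in the shape the API server sees after YAML parsing, so the block runs offline without a YAML library; the object names (fail-example, log-shipper, pass-example, notes) are made up for the sample.

```python
"""Find hostPath volumes in Kubernetes workload manifests (added example)."""
from typing import Any, Dict, List, Optional, Tuple

# Where each targeted kind keeps its pod spec. CronJob nests a Job
# template, so its pod spec is two templates deep.
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def pod_spec(manifest: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the pod spec of a targeted kind, or None for other kinds."""
    path = POD_SPEC_PATHS.get(manifest.get("kind", ""))
    if path is None:
        return None
    node: Any = manifest
    for key in path:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node if isinstance(node, dict) else None


def host_path_volumes(manifest: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (volume name, host path) for every hostPath volume in the manifest."""
    spec = pod_spec(manifest)
    if spec is None:
        return []
    found = []
    for vol in spec.get("volumes") or []:
        host_path = vol.get("hostPath")
        # The rule keys on the presence of hostPath, not on which path it mounts.
        if isinstance(host_path, dict):
            found.append((vol.get("name", "<unnamed>"), host_path.get("path", "")))
    return found


def check(manifests: List[Dict[str, Any]]) -> List[str]:
    """One finding line per offending volume, in the spirit of the CLI message."""
    findings = []
    for m in manifests:
        for name, path in host_path_volumes(m):
            findings.append(
                f"{m['kind']}/{m['metadata']['name']}: volume {name!r} "
                f"uses hostPath {path!r} - refrain from using this mount"
            )
    return findings


# Constructed sample manifests (not taken from any real cluster).
SAMPLE_MANIFESTS: List[Dict[str, Any]] = [
    {   # the page's failing example as a Pod
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "fail-example"},
        "spec": {
            "containers": [{"name": "app", "image": "nginx",
                            "volumeMounts": [{"name": "myVolume", "mountPath": "/data"}]}],
            "volumes": [{"name": "myVolume", "hostPath": {"path": "/data"}}],
        },
    },
    {   # a CronJob: the pod spec sits under spec.jobTemplate.spec.template.spec
        "apiVersion": "batch/v1", "kind": "CronJob",
        "metadata": {"name": "log-shipper"},
        "spec": {"schedule": "*/5 * * * *",
                 "jobTemplate": {"spec": {"template": {"spec": {
                     "containers": [{"name": "ship", "image": "busybox"}],
                     "volumes": [{"name": "logs",
                                  "hostPath": {"path": "/var/log", "type": "Directory"}}],
                 }}}}},
    },
    {   # a Deployment that passes: emptyDir instead of hostPath
        "apiVersion": "apps/v1", "kind": "Deployment",
        "metadata": {"name": "pass-example"},
        "spec": {"replicas": 1,
                 "selector": {"matchLabels": {"app": "web"}},
                 "template": {"metadata": {"labels": {"app": "web"}},
                              "spec": {"containers": [{"name": "web", "image": "nginx"}],
                                       "volumes": [{"name": "myVolume", "emptyDir": {}}]}}},
    },
    {   # not a targeted kind: ignored even though the string "hostPath" appears
        "apiVersion": "v1", "kind": "ConfigMap",
        "metadata": {"name": "notes"},
        "data": {"hostPath": "/etc"},
    },
]

if __name__ == "__main__":
    for line in check(SAMPLE_MANIFESTS):
        print("❌", line)
```

Two caveats a practitioner should keep in mind when relying on a key check like this one: it only sees hostPath declared on the workload itself, so a PersistentVolume whose source is hostPath and is consumed through a PersistentVolumeClaim is not caught, and node-level agents shipped as DaemonSets often need a hostPath legitimately, so such exceptions should be reviewed individually rather than by switching the rule off.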

How to fix this failure

Remove the hostPath volume and back the volume with a source that does not touch the node's filesystem, for example an emptyDir (a volume must declare some source; a bare name is rejected by the API server with "must specify a volume type"):

spec:
  volumes:
  - name: myVolume
    emptyDir: {}
