
☑️ Prevent containers from mounting Docker socket

It is recommended to disallow Docker socket access to all pods running on a cluster. When a container has access to the Docker socket, it can effectively manage other containers on the host.

Targeted objects by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Complexity: medium

Policy as code identifier: CONTAINERS_INCORRECT_PATH_VALUE_DOCKERSOCKET


This rule will fail

If one of the volumes is targeting the /var/run/docker.sock path

spec:
  volumes:
  - name: docker-sock-volume
    hostPath:
      path: /var/run/docker.sock
  containers:
  - name: app
    image: nginx:1.19.8
    volumeMounts:
    - name: docker-sock-volume
      mountPath: /var/run/docker.sock
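The check this rule performs, written out as an added example (not Datree's own implementation): it locates the pod spec for each targeted kind, including the extra nesting of a CronJob, and reports hostPath volumes that point at the Docker socket. It goes slightly beyond the page by also matching /run/docker.sock, an assumption based on /var/run being a symlink to /run on most hosts; the sample manifests are constructed.

```python
import posixpath
from typing import Dict, List

# The page's rule flags hostPath volumes whose path is /var/run/docker.sock.
# /run/docker.sock is added as an assumption: on most systemd hosts /var/run is a
# symlink to /run, so the same socket is reachable under both names.
DOCKER_SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}

# Where the pod spec lives inside each kind the rule targets.
POD_SPEC_PATH = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}

def pod_spec(manifest: Dict) -> Dict:
    """Walk down to the pod spec for a supported kind; {} for anything else."""
    path = POD_SPEC_PATH.get(manifest.get("kind"))
    if not path:
        return {}
    node = manifest
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
    return node if isinstance(node, dict) else {}

def find_docker_socket_volumes(manifest: Dict) -> List[str]:
    """Names of hostPath volumes pointing at the Docker socket (trailing slashes ignored)."""
    findings = []
    for vol in pod_spec(manifest).get("volumes") or []:
        host_path = (vol.get("hostPath") or {}).get("path")
        if host_path and posixpath.normpath(host_path) in DOCKER_SOCKET_PATHS:
            findings.append(vol.get("name", "<unnamed>"))
    return findings

# Constructed sample manifests (already parsed, e.g. via yaml.safe_load).
FAIL_DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {"spec": {
    "volumes": [{"name": "docker-sock-volume", "hostPath": {"path": "/var/run/docker.sock/"}}],
    "containers": [{"name": "app", "image": "nginx:1.19.8"}]}}}}
FAIL_CRONJOB = {"kind": "CronJob", "spec": {"jobTemplate": {"spec": {"template": {"spec": {
    "volumes": [{"name": "sock", "hostPath": {"path": "/run/docker.sock"}}]}}}}}}
PASS_POD = {"kind": "Pod", "spec": {
    "volumes": [{"name": "scratch", "emptyDir": {}}],
    "containers": [{"name": "app", "image": "nginx:1.19.8"}]}}
```

Running `find_docker_socket_volumes` over each sample returns `["docker-sock-volume"]`, `["sock"]` and `[]` respectively; kinds outside the targeted list are ignored.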

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent containers from mounting Docker socket [1 occurrence]
💡 Incorrect value for key `path` - avoid mounting the docker.socket becasue it can allow container breakout

How to fix this failure

Avoid mounting the Docker socket

spec:
  containers:
  - name: app
    image: nginx:1.19.8
