rspec/rules/S6429/kubernetes/rule.adoc

Exposing Docker sockets can lead to compromise of the host systems.

The Docker daemon provides an API to access its functionality, for example through a UNIX domain socket.
Mounting the Docker socket into a container allows the container to control the Docker daemon of the host system, resulting in full access over the whole system.
A compromised or rogue container with access to the Docker socket could endanger the integrity of the whole Kubernetes cluster.


== Ask Yourself Whether

* The Pod is untrusted or might contain vulnerabilities.

There is a risk if you answered yes to any of those questions.


== Recommended Secure Coding Practices

It is recommended to never add a Docker socket as a volume to a Pod.


== Sensitive Code Example
[source,yaml]
----
apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /var/run/docker.sock
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:
      path: /var/run/docker.sock # Sensitive
      type: Socket
----

== Compliant Solution
[source,yaml]
----
apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
----

== See

* https://kubernetes.io/docs/concepts/storage/volumes/#hostpath[Kubernetes Documentation] - Volumes
* https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option[Docker Documention] - Daemon socket option
* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure exposing the Docker socket is safe here.


=== Highlighting

* Highlight the whole path if not empty.


endif::env-github,rspecator-view[]
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`Exposing Docker sockets can lead to compromise of the host systems.`
Create rule S6429: Exposing Docker sockets is security-sensitive (#1019) 2022-07-13 15:46:28 +02:00
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`The Docker daemon provides an API to access its functionality, for example through a UNIX domain socket.`
			`Mounting the Docker socket into a container allows the container to control the Docker daemon of the host system, resulting in full access over the whole system.`
			`A compromised or rogue container with access to the Docker socket could endanger the integrity of the whole Kubernetes cluster.`


			`== Ask Yourself Whether`

			`* The Pod is untrusted or might contain vulnerabilities.`

			`There is a risk if you answered yes to any of those questions.`


			`== Recommended Secure Coding Practices`

			`It is recommended to never add a Docker socket as a volume to a Pod.`
Create rule S6429: Exposing Docker sockets is security-sensitive (#1019) 2022-07-13 15:46:28 +02:00

			`== Sensitive Code Example`
			`[source,yaml]`
			`----`
			`apiVersion: v1`
			`kind: Pod`
			`metadata:`
			`name: test`
			`spec:`
			`containers:`
			`- image: k8s.gcr.io/test-webserver`
			`name: test-container`
			`volumeMounts:`
			`- mountPath: /var/run/docker.sock`
			`name: test-volume`
			`volumes:`
			`- name: test-volume`
			`hostPath:`
			`path: /var/run/docker.sock # Sensitive`
			`type: Socket`
			`----`

			`== Compliant Solution`
			`[source,yaml]`
			`----`
			`apiVersion: v1`
			`kind: Pod`
			`metadata:`
			`name: test`
			`spec:`
			`containers:`
			`- image: k8s.gcr.io/test-webserver`
			`name: test-container`
			`----`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`== See`

			`* https://kubernetes.io/docs/concepts/storage/volumes/#hostpath[Kubernetes Documentation] - Volumes`
			`* https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option[Docker Documention] - Daemon socket option`
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) * Fix all CWE references * Fix all OWASP references * Fix missing CWE prefixes 2024-01-15 17:15:56 +01:00			`* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]`
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00
Create rule S6429: Exposing Docker sockets is security-sensitive (#1019) 2022-07-13 15:46:28 +02:00
			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Make sure exposing the Docker socket is safe here.`


			`=== Highlighting`

			`* Highlight the whole path if not empty.`
Create rule S6429: Exposing Docker sockets is security-sensitive (#1019) 2022-07-13 15:46:28 +02:00

			`endif::env-github,rspecator-view[]`