rspec/rules/S6433/kubernetes/rule.adoc

Mounting sensitive file system paths can lead to information disclosure and compromise of the host systems.

System paths can contain sensitive information like configuration files or cache files.
Those might be used by attackers to expand permissions or to collect information for further attacks.
System paths can also contain binaries and scripts that might be executed by the host system periodically.
A compromised or rogue container with access to sensitive files could endanger the integrity of the whole Kubernetes cluster.


== Ask Yourself Whether

* The mounted file path contains sensitive information.
* The mounted file path contains configuration files or executables that are writable.
* The Pod is untrusted or might contain vulnerabilities.

There is a risk if you answered yes to any of those questions.


== Recommended Secure Coding Practices

It is recommended to avoid mounting sensitive system file paths into containers.
If it is necessary to mount such a path due to the architecture, the least privileges should be given, for instance by making the mount read-only to prevent unwanted modifications.


== Sensitive Code Example
[source,yaml]
----
apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /data
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:
      path: /etc # Sensitive
----

== Compliant Solution
[source,yaml]
----
apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /data
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:
      path: /mnt/nfs
----

== See

* https://kubernetes.io/docs/concepts/storage/volumes/#hostpath[Kubernetes Documentation] - Volumes
* CWE - https://cwe.mitre.org/data/definitions/284[CWE-668 - Exposure of Resource to Wrong Sphere]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure mounting the file system path is safe here.


=== Highlighting

* Highlight the whole path if not empty.


endif::env-github,rspecator-view[]
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`Mounting sensitive file system paths can lead to information disclosure and compromise of the host systems.`
Create rule S6433: Mounting sensitive file system paths is security-sensitive (#1031) 2022-07-19 10:46:41 +02:00
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`System paths can contain sensitive information like configuration files or cache files.`
			`Those might be used by attackers to expand permissions or to collect information for further attacks.`
			`System paths can also contain binaries and scripts that might be executed by the host system periodically.`
			`A compromised or rogue container with access to sensitive files could endanger the integrity of the whole Kubernetes cluster.`


			`== Ask Yourself Whether`

			`* The mounted file path contains sensitive information.`
			`* The mounted file path contains configuration files or executables that are writable.`
			`* The Pod is untrusted or might contain vulnerabilities.`

			`There is a risk if you answered yes to any of those questions.`


			`== Recommended Secure Coding Practices`

			`It is recommended to avoid mounting sensitive system file paths into containers.`
			`If it is necessary to mount such a path due to the architecture, the least privileges should be given, for instance by making the mount read-only to prevent unwanted modifications.`
Create rule S6433: Mounting sensitive file system paths is security-sensitive (#1031) 2022-07-19 10:46:41 +02:00

			`== Sensitive Code Example`
			`[source,yaml]`
			`----`
			`apiVersion: v1`
			`kind: Pod`
			`metadata:`
			`name: test`
			`spec:`
			`containers:`
			`- image: k8s.gcr.io/test-webserver`
			`name: test-container`
			`volumeMounts:`
			`- mountPath: /data`
			`name: test-volume`
			`volumes:`
			`- name: test-volume`
			`hostPath:`
			`path: /etc # Sensitive`
			`----`

			`== Compliant Solution`
			`[source,yaml]`
			`----`
			`apiVersion: v1`
			`kind: Pod`
			`metadata:`
			`name: test`
			`spec:`
			`containers:`
			`- image: k8s.gcr.io/test-webserver`
			`name: test-container`
			`volumeMounts:`
			`- mountPath: /data`
			`name: test-volume`
			`volumes:`
			`- name: test-volume`
			`hostPath:`
			`path: /mnt/nfs`
			`----`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`== See`

			`* https://kubernetes.io/docs/concepts/storage/volumes/#hostpath[Kubernetes Documentation] - Volumes`
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) * Fix all CWE references * Fix all OWASP references * Fix missing CWE prefixes 2024-01-15 17:15:56 +01:00			`* CWE - https://cwe.mitre.org/data/definitions/284[CWE-668 - Exposure of Resource to Wrong Sphere]`
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00
Create rule S6433: Mounting sensitive file system paths is security-sensitive (#1031) 2022-07-19 10:46:41 +02:00
			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Make sure mounting the file system path is safe here.`


			`=== Highlighting`

			`* Highlight the whole path if not empty.`
Create rule S6433: Mounting sensitive file system paths is security-sensitive (#1031) 2022-07-19 10:46:41 +02:00

			`endif::env-github,rspecator-view[]`