rspec/rules/S6429/kubernetes/rule.adoc

Exposing Docker sockets can lead to compromise of the host systems.

The Docker daemon provides an API to access its functionality, for example through a UNIX domain socket.
Mounting the Docker socket into a container allows the container to control the Docker daemon of the host system, resulting in full access over the whole system.
A compromised or rogue container with access to the Docker socket could endanger the integrity of the whole Kubernetes cluster.


== Ask Yourself Whether

* The Pod is untrusted or might contain vulnerabilities.

There is a risk if you answered yes to any of those questions.


== Recommended Secure Coding Practices

It is recommended to never add a Docker socket as a volume to a Pod.


== Sensitive Code Example
[source,yaml]
----
apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /var/run/docker.sock
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:
      path: /var/run/docker.sock # Sensitive
      type: Socket
----

== Compliant Solution
[source,yaml]
----
apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
----

== See

* https://kubernetes.io/docs/concepts/storage/volumes/#hostpath[Kubernetes Documentation] - Volumes
* https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option[Docker Documention] - Daemon socket option
* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure exposing the Docker socket is safe here.


=== Highlighting

* Highlight the whole path if not empty.


endif::env-github,rspecator-view[]