yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath

Author: semgrep
Download count: 418

Exposing host's Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove 'docker.sock' from hostpath to prevent this.

Definition

rules:
  - id: exposing-docker-socket-hostpath
    patterns:
      - pattern-inside: |
          volumes:
            ...
      - pattern: |
          hostPath:
            ...
            path: /var/run/docker.sock
    message: Exposing host's Docker socket to containers via a volume. The owner of
      this socket is root. Giving someone access to it is equivalent to giving
      unrestricted root access to your host. Remove 'docker.sock' from hostpath
      to prevent this.
    metadata:
      cwe:
        - "CWE-250: Execution with Unnecessary Privileges"
      references:
        - https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
        - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
        - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
        - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers
      category: security
      technology:
        - kubernetes
      subcategory:
        - vuln
      likelihood: LOW
      impact: HIGH
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - yaml
    severity: WARNING

Examples

exposing-docker-socket-hostpath.test.yaml

apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
    - image: gcr.io/google_containers/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /var/run/docker.sock
          name: docker-sock-volume
  volumes:
    - name: docker-sock-volume
      # ruleid: exposing-docker-socket-hostpath
      hostPath:
        type: File
        path: /var/run/docker.sock
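The Semgrep pattern above matches the literal `path: /var/run/docker.sock`. A defender reviewing manifests usually also wants to catch the same exposure by other spellings (`/run/docker.sock`, since `/var/run` is a symlink to `/run` on many distributions) and by parent-directory mounts (`/var/run`, `/run`, or `/`), which the rule does not flag. The following Python script is an added example, not code from the Semgrep registry or the rule itself; it walks a manifest as the nested dict/list structure `yaml.safe_load` would return (embedded inline so it runs without PyYAML), reports every hostPath volume that reaches the socket, and lists which containers mount it. The sample manifests, including the page's test pod reproduced as a dict, are constructed for the example.

```python
"""Added example: find hostPath volumes that expose the Docker daemon socket
in Kubernetes manifests (Pods and the pod templates of workload kinds)."""
import posixpath
from typing import Iterator

# Locations of the Docker daemon socket on the host. The Semgrep rule matches only
# the first spelling; /var/run is commonly a symlink to /run, so both are checked.
DOCKER_SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}


def _covers_socket(host_path: str) -> bool:
    """True if host_path is the socket itself or a directory that contains it."""
    normalized = posixpath.normpath(host_path)
    prefix = normalized.rstrip("/") + "/"        # "/" stays "/", "/var/run/" -> "/var/run/"
    return any(normalized == sock or sock.startswith(prefix) for sock in DOCKER_SOCKET_PATHS)


def _pod_specs(obj: dict) -> Iterator[dict]:
    """Yield each pod spec in a manifest object: a bare Pod, the template of a
    Deployment/DaemonSet/StatefulSet/Job, or the nested template of a CronJob."""
    spec = obj.get("spec") or {}
    if obj.get("kind") == "Pod":
        yield spec
    if "template" in spec:
        yield spec["template"].get("spec") or {}
    if "jobTemplate" in spec:
        yield ((spec["jobTemplate"].get("spec") or {}).get("template") or {}).get("spec") or {}


def find_docker_socket_volumes(manifest: dict) -> list:
    """Return (volume name, hostPath, names of containers mounting it) for every
    hostPath volume that exposes the Docker socket. An unmounted but declared
    volume is still reported, matching the Semgrep rule's behaviour."""
    findings = []
    for pod in _pod_specs(manifest):
        containers = (pod.get("containers") or []) + (pod.get("initContainers") or [])
        for vol in pod.get("volumes") or []:
            host_path = (vol.get("hostPath") or {}).get("path")
            if not host_path or not _covers_socket(host_path):
                continue
            mounted_by = [c.get("name") for c in containers
                          if any(m.get("name") == vol.get("name")
                                 for m in c.get("volumeMounts") or [])]
            findings.append((vol.get("name"), host_path, mounted_by))
    return findings


# Constructed sample manifests, in the shape yaml.safe_load produces.
TEST_POD = {                                     # the page's test pod, as a dict
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "test-pd"},
    "spec": {
        "containers": [{"image": "gcr.io/google_containers/test-webserver",
                        "name": "test-container",
                        "volumeMounts": [{"mountPath": "/var/run/docker.sock",
                                          "name": "docker-sock-volume"}]}],
        "volumes": [{"name": "docker-sock-volume",
                     "hostPath": {"type": "File", "path": "/var/run/docker.sock"}}],
    },
}
RUN_DIR_DEPLOYMENT = {                           # parent-directory mount the rule misses
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "agent"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "agent", "image": "example.invalid/agent",
                        "volumeMounts": [{"mountPath": "/host/run", "name": "host-run"}]}],
        "volumes": [{"name": "host-run", "hostPath": {"path": "/var/run"}}],
    }}},
}
SAFE_POD = {                                     # no hostPath at all
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "safe"},
    "spec": {"containers": [{"name": "app", "image": "example.invalid/app",
                             "volumeMounts": [{"mountPath": "/scratch", "name": "scratch"}]}],
             "volumes": [{"name": "scratch", "emptyDir": {}}]},
}


def scan_all(manifests: list) -> dict:
    """Map each manifest's metadata.name to its findings."""
    return {m["metadata"]["name"]: find_docker_socket_volumes(m) for m in manifests}


if __name__ == "__main__":
    for name, findings in scan_all([TEST_POD, RUN_DIR_DEPLOYMENT, SAFE_POD]).items():
        for vol, path, mounted_by in findings:
            print(f"{name}: volume {vol!r} exposes Docker socket via hostPath {path}, "
                  f"mounted by {mounted_by or 'no container'}")
```

The parent-directory check is deliberately strict: mounting `/` or `/var/run` from the host gives a container the socket just as surely as mounting the file itself, so treat those findings with the same severity as the rule's own.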