5.1.9 Minimize access to create persistent volumes

Information

The ability to create persistent volumes in a cluster can provide an opportunity for privilege escalation, via the creation of hostPath volumes. As persistent volumes are not covered by Pod Security Admission, a user with access to create persistent volumes may be able to get access to sensitive files from the underlying host even where restrictive Pod Security Admission policies are in place.

The ability to create persistent volumes in a cluster opens up possibilities for privilege escalation and should be restricted, where possible.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Where possible, remove create access to PersistentVolume objects in the cluster.

See Also

https://workbench.cisecurity.org/benchmarks/17568

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

References: 800-53|AC-2, 800-53|AC-3, 800-53|AC-6, 800-53|AC-6(1), 800-53|AC-6(7), 800-53|AU-9(4)

Plugin: Unix

Control ID: e4d0dcd8a578f1872cf0d5db997089a7702531e7ee5ffaf0b98cc555311e6325