Information
Do not generally admit containers which make use of hostPath volumes.
Rationale:
A container which mounts a hostPath volume as part of its specification will have access to the filesystem of the underlying cluster node. The use of hostPath volumes may allow containers access to privileged areas of the node filesystem.
There should be at least one admission control policy defined which does not permit containers to mount hostPath volumes.
If you need to run containers which require hostPath volumes, this should be defined in a separate policy and you should carefully check to ensure that only limited service accounts and users are given permission to use that policy.
Impact:
Pods defined which make use of hostPath volumes will not be permitted unless they are run under a spefific policy.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers which use hostPath volumes.
Default Value:
By default, there are no restrictions on the creation of hostPath volumes.