Restrict file and directory permissions
Info
ID: MS-M9016
MITRE mitigation: M1022
When using hostPath volumes, mount them in "read-only" mode if possible. This prevents the container from writing to files on the underlying node and makes an escape from the container to the node harder.
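The following is an added audit script, not part of the Threat Matrix page or any Microsoft tooling. It reads the JSON that `kubectl get pods -A -o json` produces and reports every hostPath volume that a container or initContainer mounts without `readOnly: true` on the volumeMount. The embedded `SAMPLE_POD_LIST`, its pod names and paths are constructed for the demo: `log-shipper` shows the hardened read-only form, `node-tool` the writable form the mitigation warns about.

```python
"""Flag hostPath volumes that a pod mounts without readOnly: true.

Reads the JSON that `kubectl get pods -A -o json` produces (a PodList) or a
single Pod object, and reports every writable hostPath mount.
"""
import json
import sys

# Constructed sample shaped like `kubectl get pods -A -o json` output; not real cluster data.
SAMPLE_POD_LIST = {
    "kind": "PodList",
    "items": [
        {
            "metadata": {"name": "log-shipper", "namespace": "kube-system"},
            "spec": {
                "volumes": [
                    {"name": "varlog", "hostPath": {"path": "/var/log"}},
                    {"name": "scratch", "emptyDir": {}},
                ],
                "containers": [
                    {
                        "name": "shipper",
                        "volumeMounts": [
                            # hardened form: node files are visible but not writable
                            {"name": "varlog", "mountPath": "/host/log", "readOnly": True},
                            {"name": "scratch", "mountPath": "/tmp/scratch"},
                        ],
                    }
                ],
            },
        },
        {
            "metadata": {"name": "node-tool", "namespace": "default"},
            "spec": {
                "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
                "containers": [
                    {
                        "name": "tool",
                        # weak form: readOnly omitted, so the node root filesystem is writable
                        "volumeMounts": [{"name": "root", "mountPath": "/host"}],
                    }
                ],
            },
        },
    ],
}


def writable_hostpath_mounts(obj):
    """Return (namespace, pod, container, host_path, mount_path) tuples for every
    hostPath volume mounted without readOnly: true, in containers and initContainers."""
    pods = obj["items"] if "items" in obj else [obj]
    findings = []
    for pod in pods:
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        # volume name -> node path, for hostPath volumes only
        host_paths = {
            v["name"]: v["hostPath"].get("path", "")
            for v in spec.get("volumes", [])
            if "hostPath" in v
        }
        if not host_paths:
            continue
        for ctr in spec.get("containers", []) + spec.get("initContainers", []):
            for m in ctr.get("volumeMounts", []):
                if m.get("name") in host_paths and not m.get("readOnly", False):
                    findings.append((
                        meta.get("namespace", ""),
                        meta.get("name", ""),
                        ctr.get("name", ""),
                        host_paths[m["name"]],
                        m.get("mountPath", ""),
                    ))
    return findings


if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json | python3 hostpath_audit.py -
    #        python3 hostpath_audit.py pods.json
    # With no argument the constructed sample is audited instead.
    if len(sys.argv) > 1:
        with (sys.stdin if sys.argv[1] == "-" else open(sys.argv[1])) as fh:
            source = json.load(fh)
    else:
        source = SAMPLE_POD_LIST
    for ns, pod, ctr, hp, mp in writable_hostpath_mounts(source):
        print(f"{ns}/{pod} container={ctr}: hostPath {hp} mounted writable at {mp}")
```

Note that a read-only mount still lets the container read node files, so the check above only measures the write side of the mitigation; whether a workload should get a hostPath at all is a separate admission decision.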
Kubelet monitors a specific folder on the node that contains static pod manifests. By default, static pod manifests are located at /etc/kubernetes/manifests. Restrict user access to this folder to prevent deployment of unwanted static pods.
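The script below is an added example, not from the Threat Matrix page, that checks whether the static pod manifest folder is locked down: the directory must be owned by the expected uid (root by default) and not writable by group or others, and every entry must be a regular file owned by that uid with mode 0600 or tighter. The thresholds are assumptions modelled on the CIS Kubernetes Benchmark control-plane file checks, and `build_demo_dir` constructs a throwaway directory with placeholder manifest names purely for demonstration.

```python
"""Check that a kubelet static-pod manifest directory is locked down.

Assumed thresholds (modelled on the CIS Kubernetes Benchmark control-plane
file checks): directory and files owned by root, directory not writable by
group/other, each manifest 0600 or more restrictive.
"""
import os
import stat
import tempfile

# Default kubelet --pod-manifest-path on kubeadm-built nodes
DEFAULT_MANIFEST_DIR = "/etc/kubernetes/manifests"


def manifest_dir_findings(path=DEFAULT_MANIFEST_DIR, expected_uid=0):
    """Return human-readable findings; an empty list means the directory passes."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: not found (check the kubelet's --pod-manifest-path / staticPodPath)"]
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected uid {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group/other (mode {stat.S_IMODE(st.st_mode):04o})")
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        fst = os.lstat(full)  # lstat: a symlink pointing elsewhere is itself a finding
        if not stat.S_ISREG(fst.st_mode):
            findings.append(f"{full}: not a regular file")
            continue
        if fst.st_uid != expected_uid:
            findings.append(f"{full}: owned by uid {fst.st_uid}, expected uid {expected_uid}")
        mode = stat.S_IMODE(fst.st_mode)
        if mode & ~0o600:
            findings.append(f"{full}: mode {mode:04o} looser than 0600")
    return findings


def build_demo_dir():
    """Constructed demo layout (not a real node): one correctly locked-down manifest
    and one that is group/world readable. Returns the directory path."""
    d = tempfile.mkdtemp(prefix="manifests-demo-")
    os.chmod(d, 0o700)
    for name, mode in (("kube-apiserver.yaml", 0o600), ("etcd.yaml", 0o644)):
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("# constructed placeholder static pod manifest\n")
        os.chmod(p, mode)
    return d


def demo_findings():
    """Run the check against the demo directory, using the current uid as the expected owner."""
    return manifest_dir_findings(build_demo_dir(), expected_uid=os.getuid())


if __name__ == "__main__":
    # On a node: sudo python3 manifest_perms.py  (add a call with DEFAULT_MANIFEST_DIR)
    for line in demo_findings():
        print(line)
```

On a real node the check is run as root against /etc/kubernetes/manifests; a finding is fixed with `chown root:root` plus `chmod 700` on the directory and `chmod 600` on each manifest. Because kubelet acts on any file that appears in this folder, a file-integrity or audit rule on writes to it is a useful companion detection.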