Writable hostPath mount
Info
ID: MS-TA9013
Tactic: Persistence, Privilege Escalation, Lateral Movement
MITRE technique: T1611
A hostPath volume mounts a directory or a file from the host into the container. Attackers who have permission to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. For example, persistence can be achieved by creating a cron job on the host through the mounted directory.
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| MS-M9013 | Restrict over permissive containers | Block sensitive volume mounts using an admission controller. |
| MS-M9016 | Restrict File and Directory Permissions | Use read-only volumes. |
| MS-M9011 | Restrict Container Runtime using LSM | Use AppArmor to restrict file writing. |
| MS-M9017 | Ensure that pods meet defined Pod Security Standards | Use the Baseline or Restricted pod security standard to prevent exploitation of a writable hostPath mount. |
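The check below is an added example, not code from the Microsoft threat matrix page; it shows the decision logic an admission controller would apply for the technique described above and for mitigations MS-M9013, MS-M9016 and MS-M9017. Two constructed Pod manifests are embedded: one that mounts a host directory read-write, and the same Pod with the mount set to `readOnly: true`. The `readonly` profile implements the read-only-volume mitigation; the `baseline` profile rejects every hostPath volume, which is what the Baseline Pod Security Standard does. Names such as `hostpath_findings` and the sample paths are this example's own choices.

```python
"""Admission-style check for writable hostPath mounts in a Pod manifest.

Models the decision a validating admission controller makes: reject Pods
that mount a hostPath volume read-write (MS-M9013 / MS-M9016), or reject any
hostPath volume at all, as the Baseline Pod Security Standard does (MS-M9017).
"""
import copy
from typing import Dict, Iterator, List

# Constructed sample: a Pod that mounts a host directory read-write.
# A volumeMount that omits readOnly is read-write by default.
WRITABLE_POD: Dict = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example-writable", "namespace": "default"},
    "spec": {
        "containers": [{
            "name": "app",
            "image": "example.invalid/app:1.0",  # placeholder image reference
            "volumeMounts": [{"name": "host-dir", "mountPath": "/host-dir"}],
        }],
        "volumes": [{
            "name": "host-dir",
            "hostPath": {"path": "/etc/cron.d", "type": "Directory"},
        }],
    },
}

# Same Pod with the mount made read-only (mitigation MS-M9016).
READONLY_POD: Dict = copy.deepcopy(WRITABLE_POD)
READONLY_POD["metadata"]["name"] = "example-readonly"
READONLY_POD["spec"]["containers"][0]["volumeMounts"][0]["readOnly"] = True


def _all_containers(spec: Dict) -> Iterator[Dict]:
    """Yield every container that can carry a volumeMount, not just spec.containers."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(key, []):
            yield container


def hostpath_findings(pod: Dict, profile: str = "readonly") -> List[str]:
    """Return policy violations for the Pod; an empty list means it is admitted.

    profile="readonly": hostPath volumes are allowed only if every mount of them
    sets readOnly: true. The hostPath volume itself has no readOnly field, so the
    check has to look at each volumeMount that references the volume.
    profile="baseline": any hostPath volume is rejected outright.
    """
    if profile not in ("readonly", "baseline"):
        raise ValueError(f"unknown profile {profile!r}")

    spec = pod.get("spec", {})
    hostpath_volumes = {
        v["name"]: v["hostPath"] for v in spec.get("volumes", []) if "hostPath" in v
    }
    findings: List[str] = []

    if profile == "baseline":
        for name, hp in hostpath_volumes.items():
            findings.append(
                f"volume {name!r}: hostPath {hp.get('path')!r} is forbidden by the Baseline profile"
            )
        return findings

    for container in _all_containers(spec):
        for mount in container.get("volumeMounts", []):
            name = mount.get("name")
            if name in hostpath_volumes and not mount.get("readOnly", False):
                findings.append(
                    f"container {container['name']!r}: writable hostPath mount of "
                    f"{hostpath_volumes[name].get('path')!r} at {mount.get('mountPath')!r}"
                )
    return findings


def admission_response(pod: Dict, profile: str = "readonly") -> Dict:
    """Shape the verdict like the 'response' part of an AdmissionReview body."""
    findings = hostpath_findings(pod, profile)
    return {"allowed": not findings, "status": {"message": "; ".join(findings)}}


if __name__ == "__main__":
    for candidate in (WRITABLE_POD, READONLY_POD):
        for profile in ("readonly", "baseline"):
            verdict = admission_response(candidate, profile)
            print(candidate["metadata"]["name"], profile, verdict)
```

The built-in way to get the `baseline` behaviour is to label the namespace with `pod-security.kubernetes.io/enforce: baseline`; the code above is the kind of rule a custom validating webhook would carry when the cluster needs a finer policy, such as permitting read-only hostPath mounts for specific log collectors. Note that a read-only mount still exposes host file contents to the container, so the Baseline profile is the stronger choice when no workload needs hostPath at all.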