Limit mounting Docker socket daemon in a container

Error: Mounting Docker socket daemon in a container is not limited

Bridgecrew Policy ID: BC_K8S_26
Checkov Check ID: CKV_K8S_27
Severity: MEDIUM

Mounting Docker socket daemon in a container is not limited

Description

Docker runs through a non-networked UNIX socket. In daemon mode it only allows connections from clients authenticated by a certificate signed by that CA. This socket can be mounted by other containers unless correct permissions are in place. Once mounted, the socket can be used to spin up any container, create new images, or shut down existing containers.

To protect the docker socket daemon running in a container, set appropriate SELinux/AppArmor profiles to limit containers mounting this socket.

Fix - Buildtime

Kubernetes

Resource: Pod / Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job / CronJob
Argument: volumes:hostPath (Optional)
Mounts a file or directory from the host node’s filesystem into your Pod. If the path is set to /var/lib/docker, the container has access to Docker internals.

apiVersion: v1
kind: Pod
metadata:
  name: <name>
spec:
    volumes:
        -name: <volume name>
        hostPath:
-           path: /var/run/docker.sock
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: <name>
spec:
  schedule: <>
  jobTemplate:
    spec:
      template:
        spec:
          volumes:
            -name: <volume name>
              hostPath:
 -                      path: /var/run/docker.sock
apiVersion: <>
kind: <kind>
metadata:
  name: <name>
spec:
  template:
    spec:
      volumes:
        -name: <volume name>
          hostPath:
 -                  path: /var/run/docker.sock

Did this page help you?