kube-hunter/docs/_kb/KHV047.md
2019-10-30 20:38:16 +02:00

---
vid: KHV047
title: Pod With Mount To /var/log
categories: [Privilege Escalation]
---

# {{ page.vid }} - {{ page.title }}

## Issue description

Kubernetes uses `/var/log/pods` on each node to store pod log files. When a user runs `kubectl logs`, the kubelet fetches the pod's logs from that directory. If a container has write access to the host's `/var/log` (for example through a writable `hostPath` volume), it can create arbitrary files under `/var/log/pods`, or place a symlink there that points to any other file on the host. Because the kubelet runs as root on the node, it follows the symlink when a user executes `kubectl logs` and returns the target file's contents, so a container that should only see its own logs can read host files it has no permission to open directly.

## Remediation

Consider disallowing running as root: use Kubernetes Pod Security Policies with the `MustRunAsNonRoot` rule for `runAsUser`.
Aqua users can use a Runtime Policy with `Blacklisted OS Users and Groups`.

Consider disallowing writable host mounts of `/var/log`: use Kubernetes Pod Security Policies with `allowedHostPaths` (for example `pathPrefix: /var/log` together with `readOnly: true`, which admits a pod only if every `volumeMount` of that host path is read-only; a mount of a parent directory such as `/var` or `/` exposes `/var/log` just the same, so do not list those prefixes).
Aqua users can use a Runtime Policy with `Volume Blacklist`.

Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25. On current clusters, enforce the same constraints with Pod Security Admission (the `baseline` profile rejects `hostPath` volumes altogether and the `restricted` profile additionally requires `runAsNonRoot: true`) or with an admission controller such as OPA Gatekeeper or Kyverno.
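The condition the issue description describes (a read-write host mount that reaches `/var/log`) and the two remediation rules above, as an added Python check that is not part of kube-hunter or of any Kubernetes component. It evaluates plain dicts shaped like Pod manifests the way a PSP with `MustRunAsNonRoot` and `allowedHostPaths: [{pathPrefix: /var/log, readOnly: true}]` would; the two sample manifests are constructed for the example, and a real `allowedHostPaths` rule would also reject hostPath volumes outside the listed prefixes, which this check deliberately does not model.

```python
"""Audit Pod manifests for the KHV047 condition: a writable hostPath mount that
reaches /var/log, and containers that are not forced to run as non-root.

Added example (not kube-hunter code). Pods are plain dicts in the shape of
`kubectl get pod -o json`; the two sample manifests below are constructed.
"""
import os
from typing import List


def _under(path: str, prefix: str) -> bool:
    """True if `path` equals `prefix` or lies below it. normpath drops trailing
    slashes so '/var/log/' and '/var/log' compare equal; '/' contains everything."""
    path, prefix = os.path.normpath(path), os.path.normpath(prefix)
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/")


def writable_hostpath_mounts(pod: dict, host_dir: str = "/var/log") -> List[str]:
    """Return '<container>:<hostPath>' for every read-write mount of `host_dir`.

    A hostPath below /var/log (e.g. /var/log/pods) or above it (/var, /) gives the
    same write access to the kubelet's log directory, so both directions count.
    """
    spec = pod.get("spec", {})
    hostpaths = {v["name"]: v["hostPath"]["path"]
                 for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            hp = hostpaths.get(m["name"])
            if hp is None:
                continue  # emptyDir, configMap, PVC ...: not a host path
            reaches = _under(hp, host_dir) or _under(host_dir, hp)
            if reaches and not m.get("readOnly", False):
                findings.append(f"{c['name']}:{hp}")
    return findings


def may_run_as_root(pod: dict) -> List[str]:
    """Containers the MustRunAsNonRoot rule would reject: neither the pod-level nor
    the container-level securityContext sets runAsNonRoot: true or a non-zero
    runAsUser (container-level fields override pod-level ones)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    offenders = []
    for c in spec.get("containers", []):
        sc = {**pod_sc, **c.get("securityContext", {})}
        non_root = sc.get("runAsNonRoot") is True or sc.get("runAsUser") not in (None, 0)
        if not non_root:
            offenders.append(c["name"])
    return offenders


def psp_violations(pod: dict) -> List[str]:
    """Reasons admission would reject the pod under the two rules from the page.
    An empty list means the pod would be admitted."""
    reasons = [f"writable hostPath mount reaching /var/log: {f}"
               for f in writable_hostpath_mounts(pod)]
    reasons += [f"container {n} may run as root (MustRunAsNonRoot)"
                for n in may_run_as_root(pod)]
    return reasons


# Constructed sample manifests (hypothetical log-shipper DaemonSet pod).
VULNERABLE_POD = {
    "metadata": {"name": "log-shipper-vulnerable"},
    "spec": {
        "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}}],
        "containers": [{
            "name": "shipper",
            "image": "busybox",
            "volumeMounts": [{"name": "varlog", "mountPath": "/host/var/log"}],
        }],
    },
}

HARDENED_POD = {
    "metadata": {"name": "log-shipper-hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}}],
        "containers": [{
            "name": "shipper",
            "image": "busybox",
            "volumeMounts": [{"name": "varlog", "mountPath": "/host/var/log",
                              "readOnly": True}],
        }],
    },
}

if __name__ == "__main__":
    for pod in (VULNERABLE_POD, HARDENED_POD):
        print(pod["metadata"]["name"], psp_violations(pod) or "admitted")
```

A log shipper genuinely needs to read `/var/log`, which is why the hardened manifest keeps the hostPath but mounts it `readOnly: true` and drops root; with the mount read-only the container cannot create the files or symlinks the kubelet would later follow.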

## References