Docker daemon socket exposed to containers

ID

docker_socket_volume

Severity

low

Vendor

Kubernetes

Resource

General Security

Tags

reachable

Description

Mounting the Docker Unix socket (/var/run/docker.sock) into a container grants that container root-equivalent access to the host, since anything that can talk to the daemon controls every container on the node.

Examples

apiVersion: v1
kind: Pod
metadata:
  name: weak
spec:
  containers:
    - image: k8s.gcr.io/test-pod
      name: test-pod
      volumeMounts:
        - mountPath: /test-pod
          name: docker-volume
  volumes:
    - name: docker-volume
      hostPath:
        path: /var/run/docker.sock (1)
1 Read/write access to the socket at /var/run/docker.sock lets an attacker reach the host and the other containers.

Mitigation / Fix

apiVersion: v1
kind: Pod
metadata:
  name: good
spec:
  containers:
    - image: k8s.gcr.io/test-pod
      name: test-pod
      volumeMounts:
        - mountPath: /test-pod
          name: app-volume
  volumes:
    - name: app-volume
      hostPath:
        path: /opt/app/vol (1)
1 Point the hostPath volume at an application directory rather than the Docker socket.
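The following is an added detection example for this rule, not part of the original page or of any scanner's code: it walks the volumes of a Pod (or of the pod template inside a Deployment, DaemonSet, StatefulSet, Job or CronJob), flags every hostPath that reaches the Docker socket, and lists which containers actually mount it. It also covers the case the two examples above do not show: a hostPath of a parent directory such as /var/run, /run or / exposes the socket just as much as naming the file directly. The three sample manifests are constructed; the first two mirror the weak and fixed Pods on this page, and the image name in the third is a placeholder.

```python
"""Flag Kubernetes hostPath volumes that expose the Docker daemon socket.
Manifests are plain dicts, as returned by json.load on `kubectl get ... -o json`
output or by any YAML loader. Added example, not the page's own code."""
import posixpath

# Host paths of the Docker daemon socket. The /run form covers hosts where
# /var/run is a symlink to /run. Read/write access to either is root on the node.
RUNTIME_SOCKETS = ("/var/run/docker.sock", "/run/docker.sock")


def _pod_spec(obj):
    """Return the pod spec of a Pod, or of the pod template wrapped by a
    workload (Deployment, DaemonSet, StatefulSet, Job, CronJob)."""
    spec = obj.get("spec", {})
    kind = obj.get("kind")
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})


def host_path_exposes_socket(path):
    """True if mounting `path` from the host reaches the socket, either directly
    or because `path` is one of its parent directories (/var/run, /run, /)."""
    norm = posixpath.normpath(path)
    if norm == "/":
        return True
    return any(norm == sock or sock.startswith(norm + "/") for sock in RUNTIME_SOCKETS)


def find_socket_exposures(manifest):
    """One finding per hostPath volume that exposes the socket: volume name, host
    path, and the containers that mount it. A volume no container mounts is still
    reported, because it is one edit away from being used."""
    spec = _pod_spec(manifest)
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    findings = []
    for vol in spec.get("volumes", []):
        path = (vol.get("hostPath") or {}).get("path")
        if not path or not host_path_exposes_socket(path):
            continue
        mounted_by = [
            c["name"] for c in containers
            if any(m.get("name") == vol.get("name") for m in c.get("volumeMounts", []))
        ]
        findings.append({"volume": vol.get("name"), "hostPath": path, "mounted_by": mounted_by})
    return findings


# Constructed sample manifests (not real workloads). WEAK_POD and GOOD_POD mirror the
# two examples on this page; PARENT_DIR_DAEMONSET shows the parent-directory case.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "weak"},
    "spec": {
        "containers": [{"image": "k8s.gcr.io/test-pod", "name": "test-pod",
                        "volumeMounts": [{"mountPath": "/test-pod", "name": "docker-volume"}]}],
        "volumes": [{"name": "docker-volume", "hostPath": {"path": "/var/run/docker.sock"}}],
    },
}
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "good"},
    "spec": {
        "containers": [{"image": "k8s.gcr.io/test-pod", "name": "test-pod",
                        "volumeMounts": [{"mountPath": "/test-pod", "name": "app-volume"}]}],
        "volumes": [{"name": "app-volume", "hostPath": {"path": "/opt/app/vol"}}],
    },
}
PARENT_DIR_DAEMONSET = {
    "apiVersion": "apps/v1", "kind": "DaemonSet", "metadata": {"name": "agent"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "agent", "image": "example.invalid/agent",  # placeholder image
                        "volumeMounts": [{"name": "run", "mountPath": "/host/run"}]}],
        "volumes": [{"name": "run", "hostPath": {"path": "/var/run/"}}],
    }}},
}

if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_POD), ("good", GOOD_POD),
                            ("daemonset", PARENT_DIR_DAEMONSET)):
        print(label, find_socket_exposures(manifest) or "clean")
```

To run it against a live cluster, feed each element of the `.items` list from `kubectl get pods -A -o json` (or the equivalent for Deployments and DaemonSets) to `find_socket_exposures`; a non-empty result is a hit for this rule, and the `mounted_by` list tells you whether the socket is merely declared or actually reachable from a container.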