Exposing the Docker socket to a Pod can lead to compromise of the host system.
The Docker daemon exposes its API over a UNIX domain socket (by default /var/run/docker.sock). Anything that can write to that socket can ask the daemon to create and start containers, including a privileged container with the node's root filesystem bind-mounted, which is equivalent to root on the node. Mounting the socket into a
container therefore hands that container control of the host's Docker daemon and, through it, full control of the host. A compromised or rogue
container with access to the Docker socket can take over the node it runs on and, from there, endanger the integrity of the whole Kubernetes cluster.
Ask Yourself Whether
- The Pod is untrusted or might contain vulnerabilities.
There is a risk if you answered yes to this question.
Recommended Secure Coding Practices
Never add the Docker socket, or any other container-runtime socket (for example containerd's /run/containerd/containerd.sock or CRI-O's /run/crio/crio.sock), as a hostPath volume to a Pod. Mounting a parent directory such as /var/run, /run or / as a hostPath exposes the socket just as effectively and should be treated the same way.
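A practical way to enforce this rule before a playbook is applied is to walk the parsed manifest and flag every hostPath volume that exposes a runtime socket, either by naming the socket itself or by mounting one of its parent directories. The checker below is an added example written for this page, not code from SonarSource or from the kubernetes.core collection. It operates on the already-parsed structure (a Python dict, as PyYAML or json.loads would produce) rather than on YAML text, and the sample inputs are constructed here: the first mirrors the Sensitive Code Example above, the second is a hypothetical DaemonSet that mounts the /var/run directory, and the third is the compliant Pod.

```python
import posixpath
from typing import Any, Dict, Iterator, List, Optional

# Container-runtime control sockets whose exposure hands a Pod control of the
# node's runtime. /var/run is normalised to /run (a symlink on most distributions)
# so both spellings compare equal.
RUNTIME_SOCKETS = (
    "/run/docker.sock",                 # Docker daemon
    "/run/containerd/containerd.sock",  # containerd (CRI)
    "/run/crio/crio.sock",              # CRI-O
)


def _normalise(path: str) -> str:
    """Collapse '..', duplicate slashes and the /var/run -> /run symlink."""
    p = posixpath.normpath(path)
    if p == "/var/run" or p.startswith("/var/run/"):
        p = "/run" + p[len("/var/run"):]
    return p


def exposed_socket(host_path: str) -> Optional[str]:
    """Return the runtime socket a hostPath exposes, or None.

    A hostPath exposes a socket when it is the socket itself or any ancestor
    directory: mounting /run, /var/run or / is just as dangerous as the file.
    """
    p = _normalise(host_path)
    for sock in RUNTIME_SOCKETS:
        if p == sock or sock.startswith(p.rstrip("/") + "/"):
            return sock
    return None


def _pod_specs(doc: Any) -> Iterator[Dict[str, Any]]:
    """Yield every PodSpec in a parsed manifest, List, or Ansible task list.

    Handles bare Pods, workloads with spec.template (Deployment, DaemonSet,
    Job, ...), CronJobs, and the `definition` of a kubernetes.core.k8s task.
    """
    if isinstance(doc, list):
        for item in doc:
            yield from _pod_specs(item)
        return
    if not isinstance(doc, dict):
        return
    if "kubernetes.core.k8s" in doc:  # Ansible task wrapping a manifest
        yield from _pod_specs(doc["kubernetes.core.k8s"].get("definition"))
        return
    if doc.get("kind") == "List":
        yield from _pod_specs(doc.get("items", []))
        return
    spec = doc.get("spec") or {}
    if doc.get("kind") == "Pod":
        yield spec
    elif doc.get("kind") == "CronJob":
        job = (spec.get("jobTemplate") or {}).get("spec") or {}
        yield (job.get("template") or {}).get("spec") or {}
    elif "template" in spec:
        yield (spec["template"] or {}).get("spec") or {}


def find_runtime_socket_mounts(doc: Any) -> List[str]:
    """Return one finding per hostPath volume that exposes a runtime socket."""
    findings: List[str] = []
    for spec in _pod_specs(doc):
        containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
        for vol in spec.get("volumes") or []:
            host_path = (vol.get("hostPath") or {}).get("path")
            if not host_path:
                continue
            sock = exposed_socket(host_path)
            if sock is None:
                continue
            mounted_by = [c.get("name", "?") for c in containers
                          for m in c.get("volumeMounts") or [] if m.get("name") == vol.get("name")]
            findings.append(f"volume {vol.get('name')!r} hostPath {host_path!r} exposes {sock}; "
                            f"mounted by {', '.join(mounted_by) or 'no container'}")
    return findings


# Constructed sample 1: the parsed form of the Sensitive Code Example above.
SENSITIVE_TASK = [{"name": "Create Pod", "kubernetes.core.k8s": {"definition": {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "test"},
    "spec": {"containers": [{"image": "k8s.gcr.io/test-webserver", "name": "test-container",
                             "volumeMounts": [{"mountPath": "/var/run/docker.sock", "name": "test-volume"}]}],
             "volumes": [{"name": "test-volume",
                          "hostPath": {"path": "/var/run/docker.sock", "type": "Socket"}}]}}}}]

# Constructed sample 2: a hypothetical DaemonSet that mounts the whole /var/run
# directory; the socket is reachable inside the container all the same.
DIRECTORY_MOUNT = {"apiVersion": "apps/v1", "kind": "DaemonSet", "metadata": {"name": "agent"},
                   "spec": {"template": {"spec": {
                       "containers": [{"name": "agent", "image": "example/agent",
                                       "volumeMounts": [{"mountPath": "/host/run", "name": "run"}]}],
                       "volumes": [{"name": "run", "hostPath": {"path": "/var/run/", "type": "Directory"}}]}}}}

# Constructed sample 3: the parsed form of the Compliant Solution below.
COMPLIANT_TASK = [{"name": "Create Pod", "kubernetes.core.k8s": {"definition": {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "test"},
    "spec": {"containers": [{"image": "k8s.gcr.io/test-webserver", "name": "test-container"}]}}}}]

if __name__ == "__main__":
    for label, doc in (("sensitive", SENSITIVE_TASK), ("directory", DIRECTORY_MOUNT), ("compliant", COMPLIANT_TASK)):
        print(label, find_runtime_socket_mounts(doc) or "OK")
```

Because the check normalises paths and matches ancestors, `/var/run/../run/docker.sock` and `/` are caught as well as the literal socket path; a hostPath such as `/data` or a Socket-typed hostPath for an unrelated daemon is not reported.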
Sensitive Code Example
- name: Create Pod
  kubernetes.core.k8s:
    definition:
      apiVersion: v1
      kind: Pod
      metadata:
        name: test
      spec:
        containers:
          - image: k8s.gcr.io/test-webserver
            name: test-container
            volumeMounts:
              - mountPath: /var/run/docker.sock
                name: test-volume
        volumes:
          - name: test-volume
            hostPath:
              path: /var/run/docker.sock # Sensitive
              type: Socket
Compliant Solution
- name: Create Pod
  kubernetes.core.k8s:
    definition:
      apiVersion: v1
      kind: Pod
      metadata:
        name: test
      spec:
        containers:
          - image: k8s.gcr.io/test-webserver
            name: test-container
See