TF 0063 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Kubernetes resource with disallowed volumes mounted
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Vulnerability Type | misconfiguration |
Description
Kubernetes resources are configured to mount critical host system directories (such as '/', '/etc', or '/var/lib/docker') into containers using hostPath volumes, which exposes sensitive parts of the host filesystem to pods. This setup bypasses standard container isolation and is considered insecure.
Impact
Exposing critical host directories to containers can allow attackers or compromised applications to modify or access sensitive system files, potentially leading to full host takeover, data exfiltration, or disruption of other workloads running on the same node.
Resolution
Do not set 'spec.volumes[*].hostPath.path' to any of the disallowed host directories (such as '/', '/etc', or '/var/lib/docker').
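As an added example (not part of the Symbiotic database entry or any scanner's own code), a Python check that walks a workload manifest and reports hostPath volumes whose path is, or lies beneath, a disallowed host directory. The disallowed list and the two sample manifests are constructed for this example, and the check is generalized beyond a plain Pod to template-based workloads (Deployment, StatefulSet, DaemonSet, Job), whose volumes sit under spec.template.spec.

```python
"""Flag Kubernetes workloads whose hostPath volumes expose disallowed host dirs."""
import posixpath

# Disallowed host directories: the three named on the page. The exact list a
# scanner enforces is an assumption of this example.
DISALLOWED_HOST_PATHS = ("/", "/etc", "/var/lib/docker")

def is_disallowed(path: str) -> bool:
    """True if the hostPath is, or lies beneath, a disallowed directory."""
    norm = posixpath.normpath("/" + path.lstrip("/"))  # so '/etc/../etc/' is caught
    for bad in DISALLOWED_HOST_PATHS:
        if norm == bad:
            return True
        if bad != "/" and norm.startswith(bad + "/"):  # sub-path; all paths are under "/"
            return True
    return False

def pod_spec(manifest: dict) -> dict:
    """PodSpec: 'spec' for a Pod, 'spec.template.spec' for template-based kinds."""
    spec = manifest.get("spec") or {}
    if "template" in spec:
        return (spec["template"] or {}).get("spec") or {}
    return spec

def find_disallowed_mounts(manifest: dict) -> list:
    """Return (volume name, host path) for every hostPath volume that violates the rule."""
    findings = []
    for vol in pod_spec(manifest).get("volumes") or []:
        host = vol.get("hostPath")
        if host and is_disallowed(host.get("path", "")):
            findings.append((vol.get("name"), host.get("path", "")))
    return findings

# Constructed sample Deployment (not a real workload): two disallowed mounts
# plus one application path that should pass.
VULNERABLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "spec": {"template": {"spec": {"volumes": [
        {"name": "host-root", "hostPath": {"path": "/"}},
        {"name": "docker", "hostPath": {"path": "/var/lib/docker/"}},
        {"name": "logs", "hostPath": {"path": "/data/app-logs"}},
    ]}}},
}

# Hardened form: scratch data lives in a pod-scoped emptyDir, not on the host.
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "spec": {"template": {"spec": {"volumes": [{"name": "scratch", "emptyDir": {}}]}}},
}
```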