I’ve read in the pod-security-policy page:
Writeable hostPath directory volumes allow containers to write to the filesystem in ways that let them traverse the host filesystem outside the pathPrefix. readOnly: true, available in Kubernetes 1.11+, must be used on all allowedHostPaths to effectively limit access to the specified pathPrefix.
We’re not using PSPs currently, but does this mean that even if I run containers as non-root, if I mount a writable hostPath volume to it (for a specific path), it can access the entire host filesystem?
Something like this:
volumes:
- hostPath:
    path: /somediskonhost/mydata/rne3ig0np8s
    type: DirectoryOrCreate
  name: hostpath-volume
Which is mounted like this:
volumeMounts:
- mountPath: /app/mydata/
  name: hostpath-volume
Would the container with this mount be able to access things outside of /somediskonhost/mydata/rne3ig0np8s on the host, even if it’s running as non-root?
We have a privileged daemonset that changes the permissions on /somediskonhost/ to be owned by a non-root user before things can be scheduled to the node.
Thanks!
Cluster information:
Kubernetes version: 1.18.10
Cloud being used: AKS
Installation method: ARM template
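Added example (not part of the question above or of Kubernetes itself): a small defender-side scan that flags exactly the situation described, a hostPath volume mounted without readOnly: true, and ignores runAsNonRoot on purpose because the quoted guidance hinges on the mount being read-only, not on the container's user; it also produces the read-only variant. The manifest, container name and image are constructed to mirror the question.

```python
import copy

# Constructed manifest mirroring the question (container name and image are assumptions).
SAMPLE_POD = {
    "kind": "Pod",
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "containers": [{
            "name": "app",
            "image": "example/app",
            "volumeMounts": [{"mountPath": "/app/mydata/", "name": "hostpath-volume"}],
        }],
        "volumes": [{
            "name": "hostpath-volume",
            "hostPath": {"path": "/somediskonhost/mydata/rne3ig0np8s",
                         "type": "DirectoryOrCreate"},
        }],
    },
}


def writable_hostpath_mounts(pod):
    """Return (container, mountPath, host path) for each hostPath volume that a
    container mounts without readOnly: true. runAsNonRoot is deliberately not
    consulted: it does not make the mount read-only on the host."""
    spec = pod.get("spec", {})
    hostpaths = {v["name"]: v["hostPath"]["path"]
                 for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] in hostpaths and not m.get("readOnly", False):
                findings.append((c["name"], m["mountPath"], hostpaths[m["name"]]))
    return findings


def with_readonly_hostpaths(pod):
    """Copy of the pod with readOnly: true on every hostPath mount, the setting
    the quoted PSP guidance requires on allowedHostPaths."""
    fixed = copy.deepcopy(pod)
    spec = fixed.get("spec", {})
    names = {v["name"] for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] in names:
                m["readOnly"] = True
    return fixed
```

Running writable_hostpath_mounts on the sample reports the single writable mount; running it on the output of with_readonly_hostpaths reports nothing.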