I’ve read in the pod-security-policy page:
> Writeable hostPath directory volumes allow containers to write to the filesystem in ways that let them traverse the host filesystem outside the
> readOnly: true, available in Kubernetes 1.11+, must be used on all
> allowedHostPaths to effectively limit access to the specified
We’re not using PSPs currently, but does this mean that even if I run containers as non-root, if I mount a writable hostPath volume to it (for a specific path), it can access the entire host filesystem?
Something like this:
```yaml
volumes:
  - hostPath:
      path: /somediskonhost/mydata/rne3ig0np8s
      type: DirectoryOrCreate
    name: hostpath-volume
```
Which is mounted like this:
```yaml
volumeMounts:
  - mountPath: /app/mydata/
    name: hostpath-volume
```
Would the container with this mount be able to access things outside of `/somediskonhost/mydata/rne3ig0np8s` on the host, even if it’s running as non-root?
We have a privileged daemonset that changes the permissions on `/somediskonhost/` to be owned by a non-root user before things can be scheduled to the node.
Kubernetes version: 1.18.10
Cloud being used: AKS
Installation method: ARM template
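The traversal the quoted PSP text warns about is not the container walking out of its own bind mount (a bind mount of `/somediskonhost/mydata/rne3ig0np8s` only exposes that subtree). It is that a process with write access to the mounted directory, root or not, can create a symlink inside it pointing anywhere on the host; the `allowedHostPaths` check is a string prefix match on the declared `hostPath.path`, while the kubelet mounts whatever that path resolves to on the node. The following is an added illustration, not code from the original post or from Kubernetes: it mimics the prefix check in plain Python, builds a constructed host layout under a temp directory, and shows the declared path passing the check while resolving outside the prefix. All paths and the helper names `allowed_by_prefix`, `resolves_inside` and `demo` are hypothetical.

```python
import os
import tempfile

# Constructed example: a pathPrefix-style check on the declared path, versus
# where that path actually lands once the host resolves symlinks. This is an
# illustration of the mechanism, not the real PSP admission code.


def allowed_by_prefix(declared_path: str, path_prefix: str) -> bool:
    """Mimic allowedHostPaths: accept if the declared string sits under pathPrefix."""
    declared = os.path.normpath(declared_path)
    prefix = os.path.normpath(path_prefix)
    return declared == prefix or declared.startswith(prefix + os.sep)


def resolves_inside(declared_path: str, path_prefix: str) -> bool:
    """What a bind mount actually exposes: resolve symlinks on the host first."""
    real = os.path.realpath(declared_path)
    prefix = os.path.realpath(path_prefix)
    return real == prefix or real.startswith(prefix + os.sep)


def demo() -> dict:
    """Build a constructed host tree, plant a symlink as a non-root writer could, and compare the checks."""
    host = tempfile.mkdtemp(prefix="host-")  # stands in for the node's root filesystem
    allowed_prefix = os.path.join(host, "somediskonhost", "mydata")  # hypothetical pathPrefix
    outside = os.path.join(host, "etc")  # a directory the prefix is meant to exclude

    os.makedirs(os.path.join(allowed_prefix, "rne3ig0np8s"))
    os.makedirs(outside)
    with open(os.path.join(outside, "marker"), "w") as fh:
        fh.write("constructed sample file, not real data\n")

    # Creating a symlink needs only write permission on the directory, not root.
    escape_link = os.path.join(allowed_prefix, "rne3ig0np8s", "escape")
    os.symlink(outside, escape_link)

    # A later pod declaring hostPath.path = escape_link passes the prefix check,
    # but the mount would expose the target outside the prefix.
    return {
        "declared": escape_link,
        "prefix_check_passes": allowed_by_prefix(escape_link, allowed_prefix),
        "resolves_inside_prefix": resolves_inside(escape_link, allowed_prefix),
        "resolved_to": os.path.realpath(escape_link),
        "outside_dir": os.path.realpath(outside),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The example deliberately checks both directions: the declared path is accepted by the prefix match, and `os.path.realpath` shows it resolving to the excluded directory. This is why the docs pair `allowedHostPaths` with `readOnly: true`; a read-only mount removes the ability to plant the symlink in the first place, independent of which user the container runs as.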