Writable hostPath volume as non-root

I’ve read in the pod-security-policy page:

Writeable hostPath directory volumes allow containers to write to the filesystem in ways that let them traverse the host filesystem outside the pathPrefix.

readOnly: true, available in Kubernetes 1.11+, must be used on all allowedHostPaths to effectively limit access to the specified pathPrefix.

We’re not using PSPs currently, but does this mean that even if I run containers as non-root, if I mount a writable hostPath volume to it (for a specific path), it can access the entire host filesystem?

Something like this:

  - hostPath:
      path: /somediskonhost/mydata/rne3ig0np8s
      type: DirectoryOrCreate
    name: hostpath-volume

Which is mounted like this:

- mountPath: /app/mydata/
  name: hostpath-volume

Would the container with this mount be able to access things outside of /somediskonhost/mydata/rne3ig0np8s on the host, even if it’s running as non-root?

We have a privileged daemonset that changes the permissions on /somediskonhost/ to be owned by a non-root user before things can be scheduled to the node.

Cluster information:

Kubernetes version: 1.18.10
Cloud being used: AKS
Installation method: ARM template