github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/general/mounts_docker_socket.rego (about)

     1  # METADATA
     2  # title: "hostPath volume mounted with docker.sock"
     3  # description: "Mounting docker.sock from the host can give the container full root access to the host."
     4  # scope: package
     5  # schemas:
     6  # - input: schema["kubernetes"]
     7  # related_resources:
     8  # - https://kubesec.io/basics/spec-volumes-hostpath-path-var-run-docker-sock/
     9  # custom:
    10  #   id: KSV006
    11  #   avd_id: AVD-KSV-0006
    12  #   severity: HIGH
    13  #   short_code: no-docker-sock-mount
    14  #   recommended_action: "Do not specify /var/run/docker.sock in 'spec.template.volumes.hostPath.path'."
    15  #   input:
    16  #     selector:
    17  #     - type: kubernetes
    18  package builtin.kubernetes.KSV006
    19  
    20  import data.lib.kubernetes
    21  
    22  name = input.metadata.name
    23  
    24  default checkDockerSocket = false
    25  
    26  # checkDockerSocket is true if volumes.hostPath.path is set to /var/run/docker.sock
    27  # and is false if volumes.hostPath is set to some other path or not set.
    28  checkDockerSocket {
    29  	volumes := kubernetes.volumes
    30  	volumes[_].hostPath.path == "/var/run/docker.sock"
    31  }
    32  
    33  deny[res] {
    34  	checkDockerSocket
    35  	msg := kubernetes.format(sprintf("%s '%s' should not specify '/var/run/docker.socker' in 'spec.template.volumes.hostPath.path'", [kubernetes.kind, kubernetes.name]))
    36  	res := result.new(msg, input.spec)
    37  }