Kube-hunter hunts for security weaknesses in Kubernetes clusters
View the Project on GitHub aquasecurity/kube-hunter
KHV047 - Pod With Mount To /var/log
Issue description
Kubernetes uses /var/log/pods on nodes to store Pods log files. When running kubectl logs the kubelet is fetching the pod logs from that directory. If a container has write access to /var/log it can create arbitrary files, or symlink to other files on the host. Those would be read by the kubelet when a user executes kubectl logs.
Remediation
Consider disallowing running as root:
Using Kubernetes Pod Security Policies with MustRunAsNonRoot policy.
Aqua users can use a Runtime Policy with Volume Blacklist.
Consider disallowing writable host mounts to /var/log:
Using Kubernetes Pod Security Policies with AllowedHostPaths policy.
Aqua users can use a Runtime Policy with Blacklisted OS Users and Groups.