
Mounting Docker socket daemon in a container is not limited

Description

By default the Docker daemon listens on a non-networked UNIX socket, /var/run/docker.sock. (If the daemon is additionally exposed over TCP, it should accept only clients that present a certificate signed by a CA the daemon trusts.) The socket file can be bind-mounted into a container through a hostPath volume, and nothing stops that unless the host enforces access controls on it. A container that holds the socket has unauthenticated, root-equivalent control of the daemon: it can start any container (including a privileged one that mounts the host's root filesystem), pull or build images, and stop existing containers, so the mount is effectively a host escape. Do not mount the socket into workloads; where a container genuinely needs Docker API access, confine it with SELinux/AppArmor profiles and limit which containers may mount the socket.

Code Example

yaml
apiVersion: v1
kind: Pod
metadata:
  name: <name>
spec:
  containers:
    - name: <container name>
      image: <image>
      volumeMounts:
        - name: <volume name>
          mountPath: /var/run/docker.sock
  volumes:
    # hostPath volume that hands the container the Docker daemon socket (flagged by CKV_K8S_27)
    - name: <volume name>
      hostPath:
        path: /var/run/docker.sock

Remediation

Kubernetes

  • Resource: Pod / Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job / CronJob
  • Argument: volumes:hostPath (Optional)

hostPath mounts a file or directory from the host node's filesystem into your Pod.

Remove any hostPath volume whose path is /var/run/docker.sock: a container that can reach the socket controls the Docker daemon. A hostPath of /var/lib/docker (the daemon's data root) is just as dangerous, because the container can read and modify Docker internals such as image layers and other containers' filesystems, and mounting a parent directory such as /var/run or / exposes the socket all the same. If no workload in the cluster needs hostPath volumes, enforce the baseline Pod Security Standard, which forbids them outright.
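The following check implements the condition described in the Description and Remediation sections above: it walks the pod template of each workload kind listed under Resource and reports hostPath volumes that expose the Docker daemon. This is an added example, not the page's or Checkov's own code. It goes slightly beyond CKV_K8S_27 by also treating /run/docker.sock, /var/lib/docker, paths inside it, and parent directories of the socket (such as /var/run or /) as findings; the list of host paths is an assumption about common default locations. Manifests are read as JSON (which Kubernetes accepts) so the script has no dependency beyond the standard library, and the sample manifests are constructed for this example.

```python
"""Flag Kubernetes workloads that mount the Docker daemon socket or data root
from the host (the condition behind Checkov check CKV_K8S_27).
Added example, not code from the original page; the sample manifests are constructed."""
import json
import os

# Host paths that hand a container control of the Docker daemon. The socket
# itself (and /run/docker.sock, which /var/run usually symlinks to) gives full
# API access; /var/lib/docker is the daemon's data root (image layers, container
# root filesystems). Assumption: these are the common default locations.
DOCKER_HOST_PATHS = ("/var/run/docker.sock", "/run/docker.sock", "/var/lib/docker")

# Workload kinds whose PodSpec lives at spec.template.spec
TEMPLATE_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "ReplicaSet",
                  "ReplicationController", "Job"}


def pod_spec(obj):
    """Return the PodSpec embedded in a workload object, or None for other kinds."""
    kind = obj.get("kind")
    spec = obj.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind in TEMPLATE_KINDS:
        return (spec.get("template") or {}).get("spec") or {}
    if kind == "CronJob":  # PodSpec sits one level deeper: spec.jobTemplate.spec.template.spec
        job = (spec.get("jobTemplate") or {}).get("spec") or {}
        return (job.get("template") or {}).get("spec") or {}
    return None


def exposes_docker(host_path):
    """True if host_path is a Docker path, something inside one (e.g. a directory
    under /var/lib/docker), or an ancestor directory that contains the socket
    (e.g. "/var/run" or "/"). Normalisation defeats "/var/run/../run/docker.sock"."""
    p = os.path.normpath(host_path)
    for target in DOCKER_HOST_PATHS:
        if p == target:
            return True
        if p.startswith(target + "/"):
            return True
        if target.startswith(p.rstrip("/") + "/"):
            return True
    return False


def scan(manifests):
    """Return one finding per hostPath volume that exposes the Docker daemon."""
    findings = []
    for obj in manifests:
        spec = pod_spec(obj)
        if spec is None:  # not a workload kind (ConfigMap, Service, ...)
            continue
        name = (obj.get("metadata") or {}).get("name", "<unnamed>")
        for vol in spec.get("volumes") or []:
            host = vol.get("hostPath")
            if not host:  # emptyDir, configMap, secret, pvc ... are fine here
                continue
            path = host.get("path", "")
            if exposes_docker(path):
                findings.append({"kind": obj["kind"], "name": name,
                                 "volume": vol.get("name"), "hostPath": path})
    return findings


# Constructed sample input: two workloads that mount Docker paths, one that mounts
# a parent directory of the socket, one harmless pod, and a non-workload object.
SAMPLE_MANIFESTS = json.loads("""[
 {"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"ci-runner"},
  "spec":{"template":{"spec":{"containers":[{"name":"runner","image":"runner:1",
   "volumeMounts":[{"name":"dockersock","mountPath":"/var/run/docker.sock"}]}],
   "volumes":[{"name":"dockersock","hostPath":{"path":"/var/run/docker.sock"}}]}}}},
 {"apiVersion":"batch/v1","kind":"CronJob","metadata":{"name":"layer-gc"},
  "spec":{"schedule":"0 * * * *","jobTemplate":{"spec":{"template":{"spec":{
   "containers":[{"name":"gc","image":"gc:1"}],
   "volumes":[{"name":"docker-root","hostPath":{"path":"/var/lib/docker/overlay2"}}]}}}}}},
 {"apiVersion":"v1","kind":"Pod","metadata":{"name":"node-agent"},
  "spec":{"containers":[{"name":"agent","image":"agent:1"}],
   "volumes":[{"name":"run","hostPath":{"path":"/var/run"}}]}},
 {"apiVersion":"v1","kind":"Pod","metadata":{"name":"log-reader"},
  "spec":{"containers":[{"name":"tail","image":"busybox"}],
   "volumes":[{"name":"logs","hostPath":{"path":"/var/log"}},{"name":"scratch","emptyDir":{}}]}},
 {"apiVersion":"v1","kind":"ConfigMap","metadata":{"name":"settings"},"data":{"k":"v"}}
]""")

if __name__ == "__main__":
    for f in scan(SAMPLE_MANIFESTS):
        print(f"{f['kind']}/{f['name']}: volume {f['volume']!r} mounts host path {f['hostPath']}")
```

Running the script reports ci-runner, layer-gc and node-agent; log-reader is clean because /var/log contains none of the Docker paths. To use it on real manifests, convert them with `kubectl get deploy,ds,sts,cronjob,job,pod -A -o json` and pass the `items` array to `scan()`.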

Rule Details

  Field        Value
  ID           IAC-1105
  Severity     MEDIUM
  IaC Type     Kubernetes
  Frameworks   Kubernetes
  Checkov ID   CKV_K8S_27

References