Container with sensitive mount

This finding indicates that a container was launched with a sensitive external host path mounted inside.

To simulate the finding we'll reuse the Privileged Container manifest and patch it with a hostPath volume mount. Let's apply the patched version of the privileged container from the earlier example, with the host path /etc mounted at the container path /test-pd.

~/environment/eks-workshop/modules/security/Guardduty/mount/privileged-pod-example.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ubuntu-privileged
spec:
  selector:
    matchLabels:
      app: ubuntu-privileged
  replicas: 1
  template:
    metadata:
      labels:
        app: ubuntu-privileged
    spec:
      containers:
        - name: ubuntu-privileged
          image: ubuntu
          ports:
            - containerPort: 22
          securityContext:
            privileged: true
          volumeMounts:
            - mountPath: /test-pd
              name: test-volume
      volumes:
        - name: test-volume
          hostPath:
            path: /etc

Run the command below to apply the patched deployment.

~$ kubectl apply -f ~/environment/eks-workshop/modules/security/Guardduty/mount/privileged-pod-example.yaml

Within a few minutes we'll see the finding Persistence:Kubernetes/ContainerWithSensitiveMount in the GuardDuty portal.
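GuardDuty raises this finding from the cluster's audit log after the fact. The same condition can be checked before or after deployment by walking the pod spec: any volumeMount whose backing volume is a hostPath pointing at a sensitive directory is what the finding describes. The script below is an added example, not part of the workshop or of GuardDuty; it reads `kubectl get pods -A -o json` from stdin (or a constructed sample when run interactively) and lists every container mount that exposes a sensitive host path, together with whether the container is also privileged. The set of paths it treats as sensitive is an assumption made for the example and is not the list GuardDuty evaluates.

```python
"""Flag workloads that mount sensitive host paths (hostPath volumes).

Usage: kubectl get pods -A -o json | python3 sensitive_mounts.py
"""
import json
import sys

# Host paths treated as sensitive for this check. This list is an assumption
# made for the example; it is not the list GuardDuty itself evaluates.
SENSITIVE_HOST_PATHS = (
    "/", "/etc", "/proc", "/sys", "/dev", "/boot", "/root",
    "/var/run/docker.sock", "/run/containerd", "/var/lib/kubelet",
)


def is_sensitive_path(path):
    """True if `path` is one of the sensitive paths or lives underneath one."""
    norm = "/" + path.strip("/")  # "/etc/" -> "/etc", "" or "/" -> "/"
    if norm == "/":
        return True
    for prefix in SENSITIVE_HOST_PATHS:
        if prefix != "/" and (norm == prefix or norm.startswith(prefix + "/")):
            return True
    return False


def pod_specs(obj):
    """Yield (namespace, name, podSpec) from a Pod, a workload, or a *List."""
    kind = obj.get("kind", "")
    if kind.endswith("List"):
        for item in obj.get("items", []):
            yield from pod_specs(item)
        return
    meta = obj.get("metadata", {})
    ns, name = meta.get("namespace", "default"), meta.get("name", "<unnamed>")
    if kind == "Pod":
        yield ns, name, obj.get("spec", {})
    elif kind in ("Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "Job"):
        yield ns, name, obj["spec"]["template"]["spec"]


def find_sensitive_mounts(obj):
    """Return one finding dict per container mount that exposes a sensitive host path."""
    findings = []
    for ns, name, spec in pod_specs(obj):
        # Map volume name -> host path for every hostPath volume in the pod.
        host_paths = {v["name"]: v["hostPath"]["path"]
                      for v in spec.get("volumes", []) if "hostPath" in v}
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            privileged = bool(c.get("securityContext", {}).get("privileged", False))
            for m in c.get("volumeMounts", []):
                host_path = host_paths.get(m["name"])
                if host_path is not None and is_sensitive_path(host_path):
                    findings.append({
                        "namespace": ns, "workload": name, "container": c["name"],
                        "hostPath": host_path, "mountPath": m["mountPath"],
                        "readOnly": bool(m.get("readOnly", False)),
                        "privileged": privileged,
                    })
    return findings


# Constructed sample input: a PodList holding the workshop's privileged pod and a
# benign log shipper whose hostPath (/var/log) is outside the sensitive set.
SAMPLE_PODLIST = json.loads("""
{ "kind": "List", "items": [
  { "kind": "Pod",
    "metadata": {"name": "ubuntu-privileged-7c9d", "namespace": "default"},
    "spec": {
      "containers": [{"name": "ubuntu-privileged", "image": "ubuntu",
        "securityContext": {"privileged": true},
        "volumeMounts": [{"mountPath": "/test-pd", "name": "test-volume"}]}],
      "volumes": [{"name": "test-volume", "hostPath": {"path": "/etc"}}]}},
  { "kind": "Pod",
    "metadata": {"name": "log-shipper-x1z2", "namespace": "logging"},
    "spec": {
      "containers": [{"name": "shipper", "image": "fluent-bit",
        "volumeMounts": [{"mountPath": "/var/log", "name": "varlog", "readOnly": true}]}],
      "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}}]}}
]}
""")


if __name__ == "__main__":
    # Read `kubectl get pods -A -o json` from stdin, or fall back to the sample.
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PODLIST
    for f in find_sensitive_mounts(doc):
        flag = " (privileged)" if f["privileged"] else ""
        print(f"{f['namespace']}/{f['workload']} container={f['container']} "
              f"hostPath={f['hostPath']} -> {f['mountPath']}{flag}")
```

Against the sample the only hit is the workshop's pod (hostPath /etc mounted at /test-pd, privileged), while the read-only /var/log mount passes. The same logic belongs in an admission policy so the mount is rejected rather than reported minutes later.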

Let's delete this pod before we move on:

~$ kubectl delete -f ~/environment/eks-workshop/modules/security/Guardduty/mount/privileged-pod-example.yaml