Skip to content

Commit

Permalink
PSP readOnly hostPath
Browse files Browse the repository at this point in the history
  • Loading branch information
liggitt committed Jun 4, 2018
1 parent 4b3430b commit 88e03f4
Showing 1 changed file with 10 additions and 1 deletion.
11 changes: 10 additions & 1 deletion content/en/docs/concepts/policy/pod-security-policy.md
Original file line number Diff line number Diff line change
Expand Up @@ -413,20 +413,29 @@ minimum value of the first range as the default. Validates against all ranges.
to be used by hostPath volumes. An empty list means there is no restriction on
host paths used. This is defined as a list of objects with a single `pathPrefix`
field, which allows hostPath volumes to mount a path that begins with an
allowed prefix. For example:
allowed prefix, and a `readOnly` field indicating it must be mounted read-only.
For example:

```yaml
allowedHostPaths:
# This allows "/foo", "/foo/", "/foo/bar" etc., but
# disallows "/fool", "/etc/foo" etc.
# "/foo/../" is never valid.
- pathPrefix: "/foo"
# This only allows read-only mounts
- readOnly: true
```

_Note: There are many ways a container with unrestricted access to the host
filesystem can escalate privileges, including reading data from other
containers, and abusing the credentials of system services, such as Kubelet._

{{< warning >}}**WARNING:** writeable hostPath directory volumes allow containers to write
to the filesystem in ways that let them traverse the host filesystem outside the `pathPrefix`.
`readOnly: true`, available in Kubernetes 1.11+, must be used to effectively limit access
to the specified `pathPrefix`.
{{< /warning >}}

**ReadOnlyRootFilesystem** - Requires that containers must run with a read-only
root filesystem (i.e. no writable layer).

Expand Down

0 comments on commit 88e03f4

Please sign in to comment.