Skip to content

Commit

Permalink
PSP readOnly hostPath
Browse files Browse the repository at this point in the history
  • Loading branch information
liggitt committed Jun 12, 2018
1 parent 2d05bab commit d8efeb0
Showing 1 changed file with 10 additions and 3 deletions.
13 changes: 10 additions & 3 deletions content/en/docs/concepts/policy/pod-security-policy.md
Original file line number Diff line number Diff line change
Expand Up @@ -413,19 +413,26 @@ minimum value of the first range as the default. Validates against all ranges.
to be used by hostPath volumes. An empty list means there is no restriction on
host paths used. This is defined as a list of objects with a single `pathPrefix`
field, which allows hostPath volumes to mount a path that begins with an
allowed prefix. For example:
allowed prefix, and a `readOnly` field indicating it must be mounted read-only.
For example:

```yaml
allowedHostPaths:
# This allows "/foo", "/foo/", "/foo/bar" etc., but
# disallows "/fool", "/etc/foo" etc.
# "/foo/../" is never valid.
- pathPrefix: "/foo"
readOnly: true # only allow read-only mounts
```

_Note: There are many ways a container with unrestricted access to the host
{{< warning >}}**Warning:** There are many ways a container with unrestricted access to the host
filesystem can escalate privileges, including reading data from other
containers, and abusing the credentials of system services, such as Kubelet._
containers, and abusing the credentials of system services, such as Kubelet.
Writeable hostPath directory volumes allow containers to write
to the filesystem in ways that let them traverse the host filesystem outside the `pathPrefix`.
`readOnly: true`, available in Kubernetes 1.11+, must be used on **all** `allowedHostPaths`
to effectively limit access to the specified `pathPrefix`.
{{< /warning >}}

**ReadOnlyRootFilesystem** - Requires that containers must run with a read-only
root filesystem (i.e. no writable layer).
Expand Down

0 comments on commit d8efeb0

Please sign in to comment.