Skip to content

PodSecurityPolicy allowedHostPaths does not effectively restrict to a subpath #61043

New issue
New issue
Closed
Closed
PodSecurityPolicy allowedHostPaths does not effectively restrict to a subpath#61043
Assignees
liggitt
Labels
area/securitykind/featureCategorizes issue or PR as related to a new feature.priority/important-soonMust be staffed and worked on either currently, or very soon, ideally in time for the next release.sig/authCategorizes an issue or PR as relevant to SIG Auth.sig/storageCategorizes an issue or PR as relevant to SIG Storage.
@liggitt

Description

@liggitt
liggitt
opened on Mar 12, 2018

the allowedHostPaths feature limits what paths can be specified in a hostPath volume, but does not restrict symlink creation and traversal within that subpath

To prevent this, either of the following are required:

Until those changes are made, PodSecurityPolicy objects designed to limit container permissions must completely disable hostPath volumes

Metadata

Metadata

Assignees

Labels

area/securitykind/featureCategorizes issue or PR as related to a new feature.priority/important-soonMust be staffed and worked on either currently, or very soon, ideally in time for the next release.sig/authCategorizes an issue or PR as relevant to SIG Auth.sig/storageCategorizes an issue or PR as relevant to SIG Storage.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions