Terraform Host Path Volume Prohibited
Description
Detects the use of hostPath volumes in Kubernetes configurations, which allow pods to mount paths from the host node's filesystem. This is a security risk because it can let a container read or modify sensitive files on the host system or escape container isolation.
Detection Strategy
• Scans Kubernetes resource definition files (such as Pod, Deployment and StatefulSet specs)
• Examines the 'spec' section of each workload resource to identify its volume configuration
• Reports a vulnerability when a volume of type hostPath is found in the configuration
• Walks the entire spec hierarchy, so hostPath volumes are caught at any nesting level (for example under a Deployment's pod template)
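The strategy above, as an added example (not Fluid Attacks' scanner): a small line-based brace walker that flags host_path blocks at any depth under spec inside kubernetes_* Terraform resources. It assumes one block opener or closer per line, as terraform fmt writes them, and uses a constructed sample modelled on the page's two examples.

```python
# Added example (not Fluid Attacks' scanner): a line-based brace walker that
# flags host_path blocks at any depth under spec in kubernetes_* resources.
# Assumes one block opener or closer per line, as terraform fmt writes them.
import re

BLOCK_RE = re.compile(r'^\s*([A-Za-z_][\w-]*)((?:\s+"[^"]*")*)\s*\{\s*$')
MAP_RE = re.compile(r'^\s*[\w-]+\s*=\s*\{\s*$')   # attribute = { ... } maps
def find_host_path_volumes(hcl: str):
    """Return [(resource address, line number)] for each host_path block."""
    findings, stack, resource = [], [], None
    for lineno, raw in enumerate(hcl.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()        # drop trailing comments
        block = BLOCK_RE.match(line)
        if block:
            name = block.group(1)
            if name == "resource":                   # resource "type" "name" {
                resource = ".".join(re.findall(r'"([^"]*)"', block.group(2)))
            stack.append(name)
            if (name == "host_path" and "spec" in stack
                    and resource and resource.startswith("kubernetes_")):
                findings.append((resource, lineno))
        elif MAP_RE.match(line):                     # map literals also nest
            stack.append("{map}")
        elif line.strip() == "}":
            if stack:
                stack.pop()
            if not stack:                            # left the resource body
                resource = None
    return findings
# Constructed sample modelled on the page's two examples.
SAMPLE_TF = """
resource "kubernetes_pod" "vulnerable_pod" {
  spec {
    container { image = "nginx" }
    volume {
      name = "host"
      host_path {
        path = "/"
      }
    }
  }
}
resource "kubernetes_pod" "secure_pod" {
  spec {
    automount_service_account_token = false
    container { image = "nginx" }
  }
}
"""
```

Running `find_host_path_volumes(SAMPLE_TF)` reports only the vulnerable pod, with the line of its host_path block.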
Vulnerable code example
  resource "kubernetes_pod" "vulnerable_pod" {
    metadata {
      name = "vulnerable-pod"
    }
    spec {
      container {
        name  = "container"
        image = "nginx"
        ...
✅ Secure code example
  resource "kubernetes_pod" "secure_pod" {
    metadata {
      name = "secure-pod"
    }
    spec {
      automount_service_account_token = false # Prevent access to service account tokens
      container {
        name = "container"
        ...