Mounting sensitive file system paths can lead to information disclosure and compromise of the host systems.

System paths can contain sensitive information like configuration files or cache files. Those might be used by attackers to expand permissions or to collect information for further attacks. System paths can also contain binaries and scripts that might be executed by the host system periodically. A compromised or rogue container with access to sensitive files could endanger the integrity of the whole Kubernetes cluster.

Ask Yourself Whether

• The mounted file path contains sensitive information.
• The mounted file path contains configuration files or executables that are writable.
• The Pod is untrusted or might contain vulnerabilities.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It is recommended to avoid mounting sensitive system file paths into containers. If it is necessary to mount such a path due to the architecture, the least privileges should be given, for instance by making the mount read-only to prevent unwanted modifications.

Sensitive Code Example

---
- name: Deploy a Container
  hosts: all
  tasks:
    - name: Create and Start Container
      community.docker.docker_container:
        name: container
        image: ubuntu:22.04
        volumes:
          - "/etc:/host_etc" # Sensitive

Compliant Solution

---
- name: Deploy a Container
  hosts: all
  tasks:
    - name: Create and Start Container
      community.docker.docker_container:
        name: container
        image: ubuntu:22.04
        volumes:
          - "/data:/data"

See

• Ansible Community Documentation - community.docker.docker_container module
• Ansible Community Documentation - containers.podman.podman_container module
• Ansible Community Documentation - kubernetes.core.k8s module
• CWE - CWE-668 - Exposure of Resource to Wrong Sphere