This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Finding description
Someone created a workload that contains a hostPath volume mount to a
sensitive path on the host node's file system. Access to these paths on the host
file system can be used to access privileged or sensitive information on the
node and for container escapes. If possible, don't allow any hostPath volumes
in your cluster. For more details, see the log message for this alert.
- Review the workload to determine if this
hostPathvolume is necessary for the intended functionality. If yes, ensure that the path is to the most specific directory possible. For example,/etc/myapp/myfilesinstead of/or/etc. - Determine whether there are other signs of malicious activity related to this workload in the audit logs in Cloud Logging.
To block hostPath volume mounts in the cluster, see guidance for enforcing Pod Security Standards.
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.