Restrict mounting host filesystems - Security Practices for Multi-Tenant SaaS Applications using Amazon EKS

Restrict mounting host filesystems

A pod can mount directories or files from the node's filesystem into its containers (in Kubernetes, a hostPath volume). This is useful in a few circumstances, such as node-level agents, but it poses significant risks in a shared cluster.

First, a container with a host mount might be able to read Secrets that belong to the node or to other containers. For example, if /var/lib is mounted from the host into the container, the kubelet's pod directories under it become visible, including the volumes into which other pods' Secrets are projected.

Second, a container that runs as root has unrestricted write access to any host path mounted writable, because root inside the container is root on the node's filesystem unless user namespaces are in use. An attacker who controls such a container could modify kubelet settings, create symbolic links that redirect writes to sensitive files elsewhere on the node (such as /etc/shadow), install Secure Shell (SSH) keys, corrupt essential files, or perform other malicious activities.

AWS recommends that containers not mount host filesystems unless strictly necessary. It is rare for a container in a Software as a Service (SaaS) environment to need access to the node. Where it is required, mount only the specific path that is needed and mark it read-only (readOnly: true on the volumeMount) so that the container cannot write to the host.
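The following audit script is an added example to accompany this recommendation; it is not code from the whitepaper or from AWS. It takes pods in the dict form that kubectl get pods -A -o json returns (the items list) and, for every hostPath volume, reports whether the mount is read-only and whether the mounting container can run as root, so that writable host mounts reachable by root surface first. The SENSITIVE_PREFIXES list and the severity scale are assumptions chosen for the example, and the two sample pods are constructed rather than captured from a cluster.

```python
"""Audit parsed Kubernetes pod objects for hostPath volumes.

Added example, not part of the AWS whitepaper. Input is the dict form of
`kubectl get pods -A -o json` (each element of "items"). SENSITIVE_PREFIXES
and the severity scale are assumptions made for this example.
"""
import posixpath

# Host directories treated as sensitive: node state and projected pod volumes
# (/var/lib/kubelet), container runtime sockets (/run, /var/run), and system
# or user configuration. Assumed list, not an AWS-defined set.
SENSITIVE_PREFIXES = ("/etc", "/var/lib", "/var/run", "/run", "/root",
                      "/home", "/boot", "/dev", "/proc", "/sys")


def is_sensitive(path):
    """True if `path` is the host root or lies under a sensitive prefix."""
    path = posixpath.normpath(path)  # collapses "/etc/../var/lib" to "/var/lib"
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PREFIXES)


def runs_as_root(container, pod_spec):
    """Conservative check: a container is assumed to run as root unless the spec
    pins a non-zero runAsUser or sets runAsNonRoot, which the kubelet enforces.
    Container-level securityContext overrides the pod-level one."""
    pod_sc = pod_spec.get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    uid = ctr_sc.get("runAsUser", pod_sc.get("runAsUser"))
    if uid is not None:
        return uid == 0
    return ctr_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True


def severity(read_only, sensitive, root):
    """Assumed ranking: writable host paths reachable by root, or writable
    sensitive paths, are critical; other writable paths and readable sensitive
    paths are high; read-only mounts of other paths are medium."""
    if not read_only and (sensitive or root):
        return "critical"
    if not read_only or sensitive:
        return "high"
    return "medium"


def audit_pod(pod):
    """Return one finding per container mount of a hostPath volume."""
    spec = pod.get("spec") or {}
    meta = pod.get("metadata") or {}
    host_volumes = {v["name"]: v["hostPath"]["path"]
                    for v in spec.get("volumes") or [] if "hostPath" in v}
    findings = []
    for container in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        for mount in container.get("volumeMounts") or []:
            path = host_volumes.get(mount["name"])
            if path is None:
                continue  # not a hostPath volume
            read_only = bool(mount.get("readOnly", False))
            root = runs_as_root(container, spec)
            findings.append({
                "namespace": meta.get("namespace", "default"),
                "pod": meta.get("name", "<unnamed>"),
                "container": container["name"],
                "host_path": path,
                "mount_path": mount.get("mountPath"),
                "read_only": read_only,
                "runs_as_root": root,
                "severity": severity(read_only, is_sensitive(path), root),
            })
    return findings


def audit(pods):
    """Flatten findings across pods, highest severity first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted((f for p in pods for f in audit_pod(p)), key=lambda f: order[f["severity"]])


# Constructed sample pods, not captured from a real cluster.
SAMPLE_PODS = [
    {   # Tenant workload mounting the node's /var/lib writable with no securityContext:
        # it runs as root and can read other pods' Secret volumes and alter kubelet state.
        "metadata": {"name": "tenant-api", "namespace": "tenant-a"},
        "spec": {
            "volumes": [{"name": "host-lib", "hostPath": {"path": "/var/lib"}}],
            "containers": [{"name": "api",
                            "volumeMounts": [{"name": "host-lib", "mountPath": "/host/var/lib"}]}],
        },
    },
    {   # Node log shipper: the host mount is read-only and the container cannot run as root.
        "metadata": {"name": "log-agent-x1", "namespace": "logging"},
        "spec": {
            "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
            "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log", "type": "Directory"}}],
            "containers": [{"name": "agent",
                            "volumeMounts": [{"name": "varlog", "mountPath": "/var/log",
                                              "readOnly": True}]}],
        },
    },
]

if __name__ == "__main__":
    for f in audit(SAMPLE_PODS):
        print(f"{f['severity']:8} {f['namespace']}/{f['pod']} [{f['container']}] "
              f"hostPath={f['host_path']} readOnly={f['read_only']} root={f['runs_as_root']}")
```

Run against a live cluster by loading the JSON from kubectl get pods -A -o json and passing its items list to audit(). Note that readOnly on the volumeMount only stops writes through that mount; it does not stop a root container from reading files that host permissions restrict, which is why a read-only mount of a sensitive path is still reported.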

Admission controllers, discussed in Use admission controllers to enforce security policies, can enforce these restrictions cluster-wide, for example by rejecting any pod that declares a hostPath volume outside an allow-listed set of namespaces, or that mounts one without readOnly: true.