Kubernetes uses /var/log/pods on nodes to store Pod log files. When running kubectl logs, the kubelet fetches the pod logs from that directory. If a container has write access to /var/log, it can create arbitrary files there, or symlinks to other files on the host; those would be read by the kubelet when a user executes kubectl logs.
Consider disallowing running as root:
- Using Kubernetes Pod Security Policies with the MustRunAsNonRoot policy.
- Aqua users can use a Runtime Policy with Volume Blacklist.
Consider disallowing writable host mounts to /var/log:
- Using Kubernetes Pod Security Policies with the AllowedHostPaths policy.
- Aqua users can use a Runtime Policy with Blacklisted OS Users and Groups.
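The two guards above can be checked on a pod manifest before it is admitted. The following audit script is an added example, not code from the original page or from Aqua: it flags a container that may run as root (mirroring the MustRunAsNonRoot rule, which requires runAsNonRoot: true or a non-zero runAsUser) and any writable hostPath mount whose host path is at, below or above /var/log, since a mount of / or /var exposes /var/log just as directly. The pod manifests, the image name and the function names are constructed for the example.

```python
import os.path

# Directory the kubelet reads when serving `kubectl logs` (per the text above);
# a writable hostPath at, below or above it lets a container plant files or
# symlinks the kubelet will follow.
LOG_ROOT = "/var/log"


def touches_log_root(host_path: str) -> bool:
    """True if a hostPath mount at `host_path` exposes /var/log for writing."""
    norm = os.path.normpath(host_path)
    if norm == LOG_ROOT or norm.startswith(LOG_ROOT + "/"):
        return True  # mount at or below /var/log (e.g. /var/log/pods)
    # an ancestor such as / or /var contains /var/log as well
    return LOG_ROOT.startswith(norm.rstrip("/") + "/")


def _non_root(ctx: dict, inherited: dict) -> bool:
    """Mirror the MustRunAsNonRoot rule: runAsNonRoot true, or a non-zero runAsUser.
    Container-level securityContext settings override pod-level ones."""
    run_as_non_root = ctx.get("runAsNonRoot", inherited.get("runAsNonRoot"))
    run_as_user = ctx.get("runAsUser", inherited.get("runAsUser"))
    return run_as_non_root is True or (isinstance(run_as_user, int) and run_as_user > 0)


def audit_pod(pod: dict) -> list:
    """Return one finding per container that violates either guard from the text."""
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext", {})
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        ctx = c.get("securityContext", {})
        if not _non_root(ctx, pod_ctx):
            findings.append(f"{c['name']}: may run as root (MustRunAsNonRoot would reject it)")
        for m in c.get("volumeMounts", []):
            hp = host_paths.get(m["name"])
            if hp is not None and not m.get("readOnly", False) and touches_log_root(hp):
                findings.append(f"{c['name']}: writable hostPath {hp} at {m['mountPath']} reaches {LOG_ROOT}")
    return findings


# Constructed sample manifests (hypothetical, not from the page): one risky, one hardened.
RISKY_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "log-shipper-risky"},
    "spec": {
        "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
        "containers": [{
            "name": "shipper", "image": "example/shipper:1",  # hypothetical image
            "volumeMounts": [{"name": "logs", "mountPath": "/host-logs"}],
        }],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "log-shipper-hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
        "containers": [{
            "name": "shipper", "image": "example/shipper:1",  # hypothetical image
            "volumeMounts": [{"name": "logs", "mountPath": "/host-logs", "readOnly": True}],
        }],
    },
}

if __name__ == "__main__":
    for pod in (RISKY_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```

The hardened manifest passes because the mount is readOnly and the pod-level securityContext satisfies the non-root rule; in a Pod Security Policy the same constraints are expressed with runAsUser.rule: MustRunAsNonRoot and an allowedHostPaths entry for /var/log marked readOnly: true.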