HIGH
Source
Kube Hunter
ID
KHV047

Pod With Mount To /var/log

Kubernetes uses /var/log/pods on nodes to store Pods log files. When running kubectl logs the kubelet is fetching the pod logs from that directory. If a container has write access to /var/log it can create arbitrary files, or symlink to other files on the host. Those would be read by the kubelet when a user executes kubectl logs.

Consider disallowing running as root: Using Kubernetes Pod Security Policies with MustRunAsNonRoot policy.
Aqua users can use a Runtime Policy with Volume Blacklist.

Consider disallowing writable host mounts to /var/log: Using Kubernetes Pod Security Policies with AllowedHostPaths policy.
Aqua users can use a Runtime Policy with Blacklisted OS Users and Groups.