Volume types restricted
Description
The Pod Security Standards (PSS) Restricted level allows only these volume types: configMap, downwardAPI, emptyDir, projected, secret, csi, persistentVolumeClaim, ephemeral.
⚠️ Risk Impact
hostPath volumes mount node directories into containers, which gives a compromised container a path to escape onto the host. Other unauthorized volume types may likewise expose host data.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Remove hostPath from PodSpecs. Use PVC for persistent storage. Enforce via PSS Restricted.
💀 Real-World Attack Scenario
A debug pod mounted /var/log via hostPath. After the pod was compromised, the attacker read host log files, including container runtime logs that contained credentials.
💰 Cost of Non-Compliance
hostPath-related breach: variable; up to $4M+.
📋 Audit Questions
1. hostPath volumes in use?
2. Justified?
3. PSS Restricted enforced?
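The remediation and audit questions above come down to one check: does any Pod declare a volume whose type is outside the PSS Restricted allow-list? The following script is an added example, not EchelonGraph's scanner or code from this page; it runs that check offline over two constructed Pod manifests (a debug pod with a hostPath mount of /var/log, and an application pod using only a PVC, emptyDir and configMap). Pod, namespace and claim names are made up for the example.

```python
"""Audit Kubernetes Pod manifests for volume types outside the PSS Restricted allow-list."""
from typing import Dict, List, Tuple

# Volume types permitted by Pod Security Standards "Restricted" (per the control text above)
PSS_RESTRICTED_VOLUME_TYPES = frozenset({
    "configMap", "downwardAPI", "emptyDir", "projected",
    "secret", "csi", "persistentVolumeClaim", "ephemeral",
})


def volume_type(volume: Dict) -> str:
    """Return the volume source key of a Pod volume entry (e.g. 'hostPath').

    A volume is {'name': ..., '<type>': {...}}; 'name' is the only non-type key.
    A malformed entry (zero or several source keys) is reported as 'unknown' so it
    is flagged rather than silently passed.
    """
    sources = [key for key in volume if key != "name"]
    if len(sources) != 1:
        return "unknown"
    return sources[0]


def find_disallowed_volumes(pod: Dict) -> List[Tuple[str, str]]:
    """List (volume name, volume type) pairs that PSS Restricted would reject."""
    volumes = pod.get("spec", {}).get("volumes") or []
    return [
        (vol.get("name", "<unnamed>"), volume_type(vol))
        for vol in volumes
        if volume_type(vol) not in PSS_RESTRICTED_VOLUME_TYPES
    ]


def audit(pods: List[Dict]) -> Dict[str, List[Tuple[str, str]]]:
    """Map 'namespace/name' to its violations, for every pod that has any."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for pod in pods:
        meta = pod.get("metadata", {})
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
        violations = find_disallowed_volumes(pod)
        if violations:
            report[ref] = violations
    return report


# Constructed sample manifests (hypothetical, not taken from the page)
DEBUG_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug", "namespace": "kube-system"},
    "spec": {
        "containers": [{
            "name": "shell", "image": "busybox",
            "volumeMounts": [{"name": "host-logs", "mountPath": "/host/var/log"}],
        }],
        # hostPath mount of the node's /var/log: rejected by PSS Restricted
        "volumes": [{"name": "host-logs", "hostPath": {"path": "/var/log", "type": "Directory"}}],
    },
}

APP_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api", "namespace": "prod"},
    "spec": {
        "containers": [{"name": "api", "image": "example/api:1.0"}],
        # PVC for persistent data plus emptyDir/configMap: all allowed
        "volumes": [
            {"name": "data", "persistentVolumeClaim": {"claimName": "api-data"}},
            {"name": "tmp", "emptyDir": {}},
            {"name": "cfg", "configMap": {"name": "api-config"}},
        ],
    },
}

if __name__ == "__main__":
    for pod_ref, violations in audit([DEBUG_POD, APP_POD]).items():
        for name, vtype in violations:
            print(f"{pod_ref}: volume '{name}' uses disallowed type '{vtype}'")
```

In a live cluster the same manifests can be fed in from `kubectl get pods -A -o json` (the `items` list), and the remediation step "enforce via PSS Restricted" is the namespace label `pod-security.kubernetes.io/enforce=restricted`, which makes the API server reject such pods at admission rather than relying on an after-the-fact audit.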
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ hostPath used 'for performance'
- ⛔ Logging agents using hostPath
- ⛔ Migration breaks legacy patterns
📈 Business Value
Volume restrictions prevent host-data exposure.
⏱️ Effort Estimate
Per-workload migration
EchelonGraph enforces via PSS
🔗 Cross-Framework References
Automate Pod Security Standards PSS-VolumeTypes compliance
EchelonGraph continuously monitors this control across all your cloud accounts.