Usage of pod HostPath volume mounts should be restricted

HIGH

Restricts the use of hostPath volume mounts in pods, preventing containers from accessing the host filesystem.

What does this mean?

HostPath volumes mount directories from the underlying node into a pod. This gives the container direct access to the host filesystem, which can be exploited for container escapes, data theft, or privilege escalation.

Benefits of implementation

  • Prevents containers from reading sensitive host data
  • Blocks a common container escape technique
  • Required by CIS Kubernetes Benchmark

Drawbacks and considerations

  • Some monitoring or logging agents require hostPath mounts
  • May require alternative volume solutions for legitimate use cases
  • DaemonSets for node-level operations may need exceptions
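As an added example (not part of this recommendation page), the built-in Pod Security Admission controller can enforce this restriction cluster-wide while carving out the DaemonSet exception noted above; the kube-system exemption, the `app-team` namespace, the pod name, image and path are assumed or constructed values.

```yaml
# Added example, not part of this page: enforce Pod Security Admission "baseline"
# cluster-wide, which rejects any pod that sets spec.volumes[*].hostPath, while
# exempting kube-system so node-level DaemonSets keep their mounts. Passed to
# kube-apiserver with --admission-control-config-file.
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
  - name: PodSecurity
    configuration:
      apiVersion: pod-security.admission.config.k8s.io/v1
      kind: PodSecurityConfiguration
      defaults:
        enforce: "baseline"       # hostPath volumes are forbidden at baseline and above
        enforce-version: "latest"
        audit: "restricted"       # record (not block) violations of the stricter level
        audit-version: "latest"
      exemptions:
        namespaces:
          - kube-system           # assumed home of the agents that legitimately need hostPath
---
# Same control per namespace for managed clusters where the API server config
# cannot be edited. "app-team" is an assumed namespace name.
apiVersion: v1
kind: Namespace
metadata:
  name: app-team
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
---
# A pod the policy rejects: it mounts a node directory into the container.
# "bad-pod", the image and the path are constructed values.
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: app-team
spec:
  containers:
    - name: shell
      image: busybox:1.36
      volumeMounts:
        - name: host-logs
          mountPath: /host-logs
  volumes:
    - name: host-logs
      hostPath:
        path: /var/log
```

Applying the last document is refused at admission with a message of the form `violates PodSecurity "baseline:latest": hostPath volumes (volume "host-logs")`, which is also the string to alert on in API server audit logs when running in audit mode before enforcing.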

Implementation

Implementation guidance coming soon.

Related recommendations will be linked here.

Details

  • Risk Level: HIGH
  • Category: General
  • Azure Resource: not specified
  • Frameworks: 3 frameworks
  • Last updated: 2026-02-12