Privilege Escalation: Workload Created with a Sensitive Host Path Mount
Stay organized with collections
Save and categorize content based on your preferences.
This document describes a threat finding type in Security Command Center. Threat findings are generated by
threat detectors when they detect
a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
Someone created a workload that contains a hostPath volume mount to a
sensitive path on the host node's file system. Access to these paths on the host
file system can be used to access privileged or sensitive information on the
node and for container escapes. If possible, don't allow any hostPath volumes
in your cluster. For more details, see the log message for this alert.
How to respond
The following response plan might be appropriate for this finding, but might also impact operations.
Carefully evaluate the information you gather in your investigation to determine the best way to
resolve findings.
To respond to this finding, do the following:
Review the workload to determine if this hostPath volume is necessary for
the intended functionality. If yes, ensure that the path is to the most
specific directory possible. For example, /etc/myapp/myfiles instead of /
or /etc.
Determine whether there are other signs of malicious activity related to this
workload in the audit logs in Cloud Logging.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-03 UTC."],[],[],null,["| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)\n\nThis document describes a threat finding type in Security Command Center. Threat findings are generated by\n[threat detectors](/security-command-center/docs/concepts-security-sources#threats) when they detect\na potential threat in your cloud resources. For a full list of available threat findings, see [Threat findings index](/security-command-center/docs/threat-findings-index).\n\nOverview\n| **Preview**\n|\n|\n| This feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nSomeone created a workload that contains a `hostPath` volume mount to a\nsensitive path on the host node's file system. Access to these paths on the host\nfile system can be used to access privileged or sensitive information on the\nnode and for container escapes. If possible, don't allow any `hostPath` volumes\nin your cluster. For more details, see the log message for this alert.\n\nHow to respond\n\n\nThe following response plan might be appropriate for this finding, but might also impact operations.\nCarefully evaluate the information you gather in your investigation to determine the best way to\nresolve findings.\n\nTo respond to this finding, do the following:\n\n1. Review the workload to determine if this `hostPath` volume is necessary for the intended functionality. If yes, ensure that the path is to the most specific directory possible. For example, `/etc/myapp/myfiles` instead of `/` or `/etc`.\n2. Determine whether there are other signs of malicious activity related to this workload in the audit logs in Cloud Logging.\n\nTo block `hostPath` volume mounts in the cluster, see [guidance for enforcing Pod Security Standards](/kubernetes-engine/docs/how-to/hardening-your-cluster#admission_controllers).\n\nWhat's next\n\n- Learn [how to work with threat\n findings in Security Command Center](/security-command-center/docs/how-to-investigate-threats).\n- Refer to the [Threat findings index](/security-command-center/docs/threat-findings-index).\n- Learn how to [review a\n finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.\n- Learn about the [services that\n generate threat findings](/security-command-center/docs/concepts-security-sources#threats)."]]
