Containers · Term

What is a host-path mount?

A host-path mount maps a directory from the host into a container. Mount the wrong path and the container can read host secrets or write its way to root on the node. Here is the risk and the safer alternatives.

TL;DR

A host-path mount maps a directory or file from the host into a container (Docker -v /host/path:/in/container, Kubernetes hostPath volume). It is useful for sharing data, but mounting a sensitive path lets a compromised container read host secrets or write to host-controlled locations and escape to the node. Mounting /, /etc, /var/run/docker.sock, or a writable system directory effectively breaks isolation. Prefer named volumes and, in Kubernetes, block hostPath with policy.

By John Dill, Red Team Lead, SecureLayer7

What a host-path mount is

A host-path mount makes a path on the host appear inside the container. In Docker that is `-v /host/dir:/container/dir`; in Kubernetes it is a `hostPath` volume.

The mount is as powerful as the path it exposes and the permissions it grants. A read-only mount of a harmless data directory is fine. A mount of a sensitive or writable host location gives the container a foothold on the host itself.

The abuse and payload

A dangerous mount turns a container compromise into a host compromise:

  • Mounting host root or /etc: read /etc/shadow, SSH keys, or cloud credentials; with write access, add a root user or a cron job on the host.
  • Mounting a writable system path (for example a host bin or a kubelet directory): drop a binary the host will execute.
  • Mounting /var/run/docker.sock: full daemon control (see the Docker socket).
  • Writing to /host/etc/cron.d/ to get root code execution on the node.

These are documented techniques, listed so defenders know what to look for.

How to defend

  • Avoid hostPath for application workloads. Use named volumes, CSI drivers, or cloud storage instead.
  • Never mount sensitive host paths (/, /etc, /var/run, system binaries) into containers.
  • Mount read-only when a mount is unavoidable, and scope it to the narrowest possible directory.
  • In Kubernetes, block hostPath with Pod Security Standards and admission control (or allow-list specific safe paths).
  • Scan manifests for hostPath volumes and risky -v mounts.
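As an added example (not part of the original page), a small Python checker for the last two bullets: it walks a parsed Kubernetes manifest, reports every `hostPath` volume, and marks a finding high when the host path is sensitive or any container mounts it writable. The sensitive-path list and the finding format are assumptions of this example, and the sample Deployment is constructed.

```python
# Added example (not from the original page): report hostPath volumes in a
# parsed Kubernetes manifest. The sensitive-path list and finding format are assumptions.

# Host locations the page calls out as dangerous (assumed list; "/" is handled
# separately because every path starts with it).
SENSITIVE_PREFIXES = ("/etc", "/var/run", "/bin", "/sbin", "/usr/bin",
                      "/usr/sbin", "/var/lib/kubelet", "/root", "/home")

def _pod_spec(manifest):
    """Pod spec of a Pod, or of a workload (Deployment, DaemonSet, Job...) with a template."""
    spec = manifest.get("spec", {})
    return spec if manifest.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})

def is_sensitive_host_path(path):
    """True for "/" and for anything at or below a sensitive prefix."""
    norm = path.rstrip("/") or "/"
    return norm == "/" or any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_PREFIXES)

def find_risky_host_paths(manifest):
    """One finding per hostPath volume: its path, whether any container mounts it
    writable, and whether the path is sensitive. Every hostPath is reported, since
    policy should block them by default; severity is high if sensitive or writable."""
    pod = _pod_spec(manifest)
    host_paths = {v["name"]: v["hostPath"].get("path", "")
                  for v in pod.get("volumes", []) if "hostPath" in v}
    findings = []
    for name, path in host_paths.items():
        writable = any(m.get("name") == name and not m.get("readOnly", False)
                       for c in pod.get("containers", []) + pod.get("initContainers", [])
                       for m in c.get("volumeMounts", []))
        sensitive = is_sensitive_host_path(path)
        findings.append({"volume": name, "hostPath": path, "writable": writable,
                         "sensitive": sensitive,
                         "severity": "high" if sensitive or writable else "medium"})
    return findings

# Constructed sample: a Deployment that mounts the Docker socket writable and a
# harmless data directory read-only.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "spec": {"template": {"spec": {
        "containers": [{"name": "app", "image": "example/app", "volumeMounts": [
            {"name": "dockersock", "mountPath": "/var/run/docker.sock"},
            {"name": "data", "mountPath": "/data", "readOnly": True}]}],
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}},
                    {"name": "data", "hostPath": {"path": "/srv/app-data"}}]}}}}

if __name__ == "__main__":
    for finding in find_risky_host_paths(SAMPLE_DEPLOYMENT):
        print(finding)  # dockersock -> high (sensitive, writable); data -> medium
```

Run it in CI over the output of `yaml.safe_load` (PyYAML, assumed available) for each manifest; the Pod Security Standards `baseline` level already forbids hostPath volumes, so this is a pre-commit check rather than the enforcement point.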
