2.0.8

- [Disallowed volume type](https://protsenko.dev/infrastructure-security/disallowed-volume-type/) inspection (Pod Security Standards - Restricted)

Author: NordCoderd

CHANGELOG.md

@@ -2,6 +2,11 @@
 
 # Cloud (IaC) Security Changelog
 
+## [2.0.8] 09-08-2025
+
+### Added
+- Kubernetes Security Standards: [Disallowed volume type](https://protsenko.dev/infrastructure-security/disallowed-volume-type/)
+ 
 ## [2.0.7] 03-08-2025
 
 ### Changed

gradle.properties

@@ -1,7 +1,7 @@
 pluginGroup = dev.protsenko.securityLinter
 pluginName = Cloud (IaC) Security
 pluginRepositoryUrl = https://github.com/NordCoderd/cloud-security-plugin
-pluginVersion = 2.0.7
+pluginVersion = 2.0.8
 
 # Supported build number ranges and IntelliJ Platform versions -> https://plugins.jetbrains.com/docs/intellij/build-number-ranges.html
 pluginSinceBuild = 231

src/main/kotlin/dev/protsenko/securityLinter/kubernetes/DisallowedVolumeType.kt

@@ -0,0 +1,60 @@
+package dev.protsenko.securityLinter.kubernetes
+
+import com.intellij.codeInspection.LocalInspectionTool
+import com.intellij.codeInspection.ProblemHighlightType
+import com.intellij.codeInspection.ProblemsHolder
+import com.intellij.psi.PsiElementVisitor
+import dev.protsenko.securityLinter.core.HtmlProblemDescriptor
+import dev.protsenko.securityLinter.core.SecurityPluginBundle
+import dev.protsenko.securityLinter.utils.YamlPath
+import org.jetbrains.yaml.psi.YAMLDocument
+import org.jetbrains.yaml.psi.YAMLMapping
+import org.jetbrains.yaml.psi.YAMLSequence
+
+class DisallowedVolumeType : LocalInspectionTool() {
+    override fun buildVisitor(
+        holder: ProblemsHolder,
+        isOnTheFly: Boolean,
+    ): PsiElementVisitor {
+        return object : BaseKubernetesVisitor() {
+            override fun analyze(
+                specPrefix: String,
+                document: YAMLDocument,
+            ) {
+                val specVolumes =
+                    YamlPath.findByYamlPath("${specPrefix}spec.volumes", document) as? YAMLSequence ?: return
+
+                for (volume in specVolumes.items) {
+                    val volumeValue = volume.value as? YAMLMapping ?: continue
+                    val prohibitedValues =
+                        volumeValue
+                            .keyValues
+                            .filter {
+                                if (it.value !is YAMLMapping) return@filter false
+                                if (it.keyText !in allowedVolumeTypes) {
+                                    return@filter true
+                                }
+                                return@filter false
+                            }
+
+                    if (prohibitedValues.isNotEmpty()) {
+                        prohibitedValues.forEach {
+                            val descriptor =
+                                HtmlProblemDescriptor(
+                                    it,
+                                    SecurityPluginBundle.message("kube012.documentation"),
+                                    SecurityPluginBundle.message("kube012.problem-text"),
+                                    ProblemHighlightType.ERROR,
+                                    emptyArray(),
+                                )
+                            holder.registerProblem(descriptor)
+                        }
+                    }
+                }
+            }
+        }
+    }
+}
+
+private val allowedVolumeTypes =
+    setOf("configMap", "csi", "downwardAPI", "emptyDir", "ephemeral", "persistentVolumeClaim", "projected", "secret")

src/main/resources/META-INF/dev.protsenko.security-linter-yaml.xml

@@ -70,5 +70,10 @@
                 displayName="Insecure systctls"
                 groupPathKey="common.group-key" groupKey="common.kubernetes-group-key"
                 enabledByDefault="true" language="yaml"/>
+        <localInspection
+                implementationClass="dev.protsenko.securityLinter.kubernetes.DisallowedVolumeType"
+                displayName="Disallowed volume types"
+                groupPathKey="common.group-key" groupKey="common.kubernetes-group-key"
+                enabledByDefault="true" language="yaml"/>
     </extensions>
 </idea-plugin>

src/main/resources/inspectionDescriptions/DisallowedVolumeType.html

@@ -0,0 +1,8 @@
+<html>
+<body>
+<p>Detects disallowed volume types in Pods (violates Pod Security Restricted).</p>
+<p>Certain volume types (e.g., <code>hostPath</code> and legacy in-tree plugins) can expose the node filesystem or bypass pod isolation, leading to privilege escalation and node compromise.</p>
+<p><b>Allowed under Restricted:</b> <code>configMap</code>, <code>csi</code>, <code>downwardAPI</code>, <code>emptyDir</code>, <code>ephemeral</code>, <code>persistentVolumeClaim</code>, <code>projected</code>, <code>secret</code>.</p>
+<p><b>How to fix:</b> Replace with Kubernetes data volumes (ConfigMap/Secret/DownwardAPI/Projected) or storage via PVC/CSI. Prefer read-only mounts where possible and avoid mounting host paths or runtime sockets.</p>
+</body>
+</html>

src/main/resources/messages/SecurityPluginBundle.properties

@@ -165,6 +165,10 @@ kube010.qf.fix-value=Set the type to 'RuntimeDefault'
 kube011.documentation=insecure-sysctls
 kube011.problem-text=Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed "safe" subset.
 
+## kube012
+kube012.documentation=disallowed-volume-type
+kube012.problem-text=This volume type may expose the node or bypass pod isolation. Use Kubernetes data volumes (ConfigMap/Secret/DownwardAPI/Projected) or storage via PVC/CSI instead.
+
 # Not implemented
 ds029.missing-healthcheck=Missing HEALTHCHECK instruction
 ds023.multiple-exposed-port=Port {0} exposed more than one time.

src/test/kotlin/dev/protsenko/securityLinter/kubernetes/KUBE012DisallowedVolumeType.kt

@@ -0,0 +1,14 @@
+package dev.protsenko.securityLinter.kubernetes
+
+import com.intellij.codeInspection.LocalInspectionTool
+import dev.protsenko.securityLinter.core.KubernetesHighlightingBaseTest
+
+class KUBE012DisallowedVolumeType(
+    override val ruleFolderName: String = "KUBE012",
+    override val targetFileName: String = "pod.yaml",
+    override val targetInspection: LocalInspectionTool = DisallowedVolumeType(),
+    override val customFiles: Set<String> =
+        setOf(
+            "cronjob.yaml.denied",
+        ),
+) : KubernetesHighlightingBaseTest()

src/test/testData/kubernetes/KUBE012/cronjob.yaml.denied

@@ -0,0 +1,38 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: hostlog-audit
+  labels:
+    app: hostlog-audit
+spec:
+  schedule: "*/5 * * * *"          # every 5 minutes
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            app: hostlog-audit
+        spec:
+          restartPolicy: OnFailure
+          volumes:
+          - name: host-logs
+            <error descr="This volume type may expose the node or bypass pod isolation. Use Kubernetes data volumes (ConfigMap/Secret/DownwardAPI/Projected) or storage via PVC/CSI instead.">hostPath:
+              path: /var/log
+              type: Directory</error>
+          containers:
+          - name: log-dumper
+            image: busybox:1.36.1
+            command: ["/bin/sh", "-c"]
+            args:
+              - tail -n 20 /host/var/log/dmesg
+            securityContext:
+              allowPrivilegeEscalation: false
+              privileged: false
+              readOnlyRootFilesystem: true
+              runAsNonRoot: true
+            volumeMounts:
+            - name: host-logs
+              mountPath: /host/var/log
+              readOnly: true

src/test/testData/kubernetes/KUBE012/pod.yaml.allowed

@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: safe-deployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: safe
+  template:
+    metadata:
+      labels:
+        app: safe
+    spec:
+      containers:
+        - name: app
+          image: alpine
+          command: ["sh", "-c", "sleep 3600"]
+          volumeMounts:
+            - name: app-config
+              mountPath: /etc/app/config
+              readOnly: true
+            - name: db-creds
+              mountPath: /var/run/secrets/db
+              readOnly: true
+            - name: cache
+              mountPath: /var/cache/app
+            - name: data
+              mountPath: /var/lib/app
+      volumes:
+        - name: app-config
+          configMap:
+            name: app-config
+        - name: db-creds
+          secret:
+            secretName: db-creds
+        - name: cache
+          emptyDir:
+            sizeLimit: 256Mi
+        - name: data
+          persistentVolumeClaim:
+            claimName: app-data # Backed by an approved StorageClass/CSI driver

src/test/testData/kubernetes/KUBE012/pod.yaml.denied

@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: risky-deployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: risky
+  template:
+    metadata:
+      labels:
+        app: risky
+    spec:
+      containers:
+        - name: app
+          image: alpine
+          command: ["sh", "-c", "sleep 3600"]
+          volumeMounts:
+            - name: docker-sock
+              mountPath: /var/run/docker.sock
+            - name: host-etc
+              mountPath: /host/etc
+              readOnly: true
+      volumes:
+        - name: docker-sock
+          <error descr="This volume type may expose the node or bypass pod isolation. Use Kubernetes data volumes (ConfigMap/Secret/DownwardAPI/Projected) or storage via PVC/CSI instead.">hostPath:
+            path: /var/run/docker.sock   # Direct access to runtime socket
+            type: Socket</error>
+        - name: host-etc
+          <error descr="This volume type may expose the node or bypass pod isolation. Use Kubernetes data volumes (ConfigMap/Secret/DownwardAPI/Projected) or storage via PVC/CSI instead.">hostPath:
+            path: /etc                   # Arbitrary host filesystem access
+            type: Directory</error>