Mount docker sock check feature (#217)

* Add new check "mountds"

- Checks if any container mounts /var/run/docker.sock
- Also added a label to override the check
- Command added to "all"
- Errors created for each case

* add unit tests to cover the new mountds check

- Tested base case
- Tested override labels for single container
- Tested overrride labels for entire pod
- Tested override via config

* update documentation to reflect the new check

* formatting changes

* remove labels to emulate limits check

* remove extra newline

* small documentation fixes

README.md

@@ -123,6 +123,7 @@ The manifest might end up a little too secure for the work it is supposed to do.
 - [Audit Service Accounts](#sat)
 - [Audit network policies](#netpol)
 - [Audit resources](#resources)
+- [Audit mounting Docker Socket](#dockersock)
 - [Audit AppArmor](#apparmor)
 - [Audit Seccomp](#seccomp)
 - [Audit namespaces](#namespaces)
@@ -317,6 +318,33 @@ WARN[0000] CPU limit exceeded, it is set to 1 but it must not exceed 500m. Pleas
 WARN[0000] Memory limit exceeded, it is set to 512Mi but it must not exceed 125Mi. Please adjust it!
 ```
 
+<a name="dockersock" />
+
+## Audit Mounting Docker Socket
+
+It checks that no container in the pod mounts `/var/run/docker.sock`, as this can be a [very dangerous practice](https://dev.to/petermbenjamin/docker-security-best-practices-45ih). 
+If a container does this, it will be indicated as such:
+
+```
+containers:
+      - image: <image name>
+        name: <container name>
+        volumeMounts:
+        - mountPath: /var/run/docker.sock
+          name: <volume name>
+volumes:
+      - name: <volume name>
+        hostPath:
+          path: /var/run/docker.sock
+```
+
+If `/var/run/docker.sock` is being mounted by a container:
+
+```sh
+kubeaudit mountds
+WARN[0000] /var/run/docker.sock is being mounted, please avoid this practice. Container=myContainer KubeType=pod Name=myPod Namespace=myNamespace
+```
+
 <a name="apparmor" />
 
 ## Audit AppArmor

cmd/all.go

@@ -7,7 +7,7 @@ import (
 var allAuditFunctions = []interface{}{
 	auditAllowPrivilegeEscalation, auditReadOnlyRootFS, auditRunAsNonRoot,
 	auditAutomountServiceAccountToken, auditPrivileged, auditCapabilities,
-	auditLimits, auditImages, auditAppArmor, auditSeccomp, auditNetworkPolicies, auditNamespaces,
+	auditLimits, auditImages, auditMountDockerSock, auditAppArmor, auditSeccomp, auditNetworkPolicies, auditNamespaces,
 }
 
 var auditAllCmd = &cobra.Command{

cmd/errors.go

@@ -27,6 +27,8 @@ const (
 	ErrorCapabilityAllowed
 	// ErrorCapabilityNotDropped occurs when a capability should be dropped but it isn't
 	ErrorCapabilityNotDropped
+	// ErrorDockerSockMounted occurs when a container is mounting /var/run/docker.sock
+	ErrorDockerSockMounted
 	// ErrorImageTagIncorrect occurs when an incorrect image tag is provided.
 	ErrorImageTagIncorrect
 	// ErrorImageTagMissing occurs when there is no image tag provided.

cmd/mountDockerSock.go

@@ -0,0 +1,64 @@
+package cmd
+
+import (
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+// DockerSockPath is the mount path of the Docker socket
+const DockerSockPath = "/var/run/docker.sock"
+
+func checkMountDockerSock(container ContainerV1, result *Result) {
+	if container.VolumeMounts != nil {
+		for _, mount := range container.VolumeMounts {
+			if mount.MountPath == DockerSockPath {		
+				occ := Occurrence{
+					container: container.Name,
+					id:        ErrorDockerSockMounted,
+					kind:      Warn,
+					message:   "/var/run/docker.sock is being mounted, please avoid mounting docker socket on your containers.",
+				}
+				result.Occurrences = append(result.Occurrences, occ)
+			}
+		}
+	} 
+	return
+}
+
+func auditMountDockerSock(resource Resource) (results []Result) {
+	for _, container := range getContainers(resource) {
+		result, err, warn := newResultFromResource(resource)
+		if warn != nil {
+			log.Warn(warn)
+			return
+		}
+		if err != nil {
+			log.Error(err)
+			return
+		}
+
+		checkMountDockerSock(container, result)
+		if len(result.Occurrences) > 0 {
+			results = append(results, *result)
+		}
+	}
+	return
+}
+
+var mountdsCmd = &cobra.Command{
+	Use:   "mountds",
+	Short: "Audit containers that mount /var/run/docker.sock",
+	Long: `This command determines which containers in a kubernetes cluster
+mount /var/run/docker.sock. 
+
+A PASS is given when a container does not mount /var/run/docker.sock
+A FAIL is generated when a container mounts /var/run/docker.sock
+
+Example usage:
+kubeaudit mountds`,
+	Run: runAudit(auditMountDockerSock),
+}
+
+func init() {
+	RootCmd.AddCommand(mountdsCmd)
+}

cmd/mountDockerSock_test.go

@@ -0,0 +1,7 @@
+package cmd
+
+import "testing"
+
+func TestDockerSockMounted(t *testing.T) {
+	runAuditTest(t, "docker_sock_mounted.yml", auditMountDockerSock, []int{ErrorDockerSockMounted})
+}

fixtures/docker_sock_mounted.yml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+    name: Pod
+spec:
+    containers:
+    - name: container
+      volumeMounts:
+        - mountPath: /var/run/docker.sock
+          name: docker-sock-volume
+    - name: container2
+      volumeMounts:
+        - mountPath: /var/run/docker.sock
+          name: docker-sock-volume      
+    volumes:
+      - name: docker-sock-volume
+        hostPath:
+          path: /var/run/docker.sock