Scenario #287
Security
Kubernetes v1.24, CSI Plugin (AWS Secrets Store)

CSI Driver Exposing Node Secrets

Misconfigured CSI driver exposed secrets on hostPath mount accessible to privileged pods.

What Happened

Secrets mounted via the CSI driver were not isolated properly, allowing another pod with hostPath access to read them.

Diagnosis Steps
  1. Reviewed CSI driver logs and configurations.
  2. Found secrets mounted in a shared path (/var/lib/...).
  3. Identified a privilege escalation path via hostPath.
Root Cause

CSI driver exposed secrets globally on node filesystem.

Fix/Workaround
• Scoped CSI mounts with per-pod directories.
• Disabled hostPath access for workloads.
Lessons Learned

CSI drivers must be hardened like apps.

How to Avoid
  1. Test CSI secrets exposure under threat models.
  2. Restrict node-level file access via policies.
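Before enforcing a no-hostPath policy, it helps to audit which workloads already mount node paths that could cover the CSI driver's per-pod secret volumes. The following is an added example, not code from the scenario or from the Secrets Store CSI project; it assumes the driver keeps its volumes under the kubelet pods directory (`/var/lib/kubelet/pods`) and uses constructed sample manifests.

```python
"""Audit pod specs for hostPath volumes that could reach CSI-mounted secrets.

Added example (not from the scenario page). The kubelet pods directory below
is an assumption about where the CSI driver materialises per-pod volumes.
"""
from typing import Dict, List

# Assumed location of CSI volume mounts on the node (kubelet default layout).
KUBELET_PODS_DIR = "/var/lib/kubelet/pods"


def _covers(host_path: str, target: str) -> bool:
    """True if a hostPath mount of host_path would expose target on the node."""
    hp = host_path.rstrip("/") or "/"
    return hp == "/" or target == hp or target.startswith(hp + "/")


def audit_pod(pod: Dict) -> List[str]:
    """Return findings for one pod manifest given as a dict (parsed YAML/JSON)."""
    findings: List[str] = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    for vol in spec.get("volumes", []):
        hp = vol.get("hostPath")
        if not hp:
            continue  # csi:, emptyDir:, secret: etc. stay inside the pod sandbox
        path = hp.get("path", "")
        # A hostPath that contains the kubelet pods dir can read other pods' CSI secrets.
        sev = "HIGH" if _covers(path, KUBELET_PODS_DIR) else "MEDIUM"
        findings.append(f"{sev}: pod {name} volume {vol['name']} hostPath {path}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"HIGH: pod {name} container {c['name']} is privileged")
    return findings


def audit_all(pods: List[Dict]) -> List[str]:
    return [f for p in pods for f in audit_pod(p)]


# Constructed sample manifests (not real cluster data).
SAMPLE_PODS = [
    {"metadata": {"name": "log-collector"},
     "spec": {"containers": [{"name": "fluent", "securityContext": {"privileged": True}}],
              "volumes": [{"name": "varlib", "hostPath": {"path": "/var/lib"}}]}},
    {"metadata": {"name": "web"},
     "spec": {"containers": [{"name": "app"}],
              "volumes": [{"name": "secrets", "csi": {"driver": "secrets-store.csi.k8s.io"}}]}},
    {"metadata": {"name": "tz"},
     "spec": {"containers": [{"name": "app"}],
              "volumes": [{"name": "tz", "hostPath": {"path": "/etc/localtime"}}]}},
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_PODS):
        print(finding)
```

Pods that only consume the CSI volume (like `web`) produce no finding; the broad `/var/lib` hostPath is ranked above a narrow file mount because it contains the driver's per-pod directories.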