Vulnerability details

This is a volume security issue related to permission access. A user can access files and directories outside the volume mounting directory, including the host’s file system, through the volume mounting method of subpath in the created container.


This vulnerability affects related behaviors of kubelet, and the issue is particularly serious for cluster administrators who may strictly restrict the creation of hostPath.

CVSS scores

This vulnerability is rated as medium-risk with a CVSS score of 5.5.


For users who do not want to upgrade kubelet, they can use two preventative measures:

  • Disable VolumeSubpath for kubelet and kube-apiserver and remove all pods that are using this feature.
  • Use admission control to prevent users with low trust levels from running the container with the root permission.

Fixed by official

  • v1.22.2
  • v1.21.5
  • v1.20.11
  • v1.19.15

Fixed by KLTS

Last modified March 8, 2022 : mv en to kuberentes/ (95aa90d4)