Exploring Container Security: A Storage Vulnerability Deep Dive

We discussed this vulnerability during Episode 105 on 06 December 2021

Kubernetes has a feature called “volume subpaths”, which is intended to enable sharing of a volume between multiple containers in a particular pod. Critically, these subpaths are controlled by the user, and there have been attacks in the past that abused this. One earlier attack highlighted in the write-up had a malicious workload abuse an InitContainer to create a symbolic link from /mnt/attack to /etc, so that when another container later mounted that volume and the symlink was followed, it ended up with the host’s /etc instead of the containerized /etc. The fix for this involved resolving the subpaths and validating that they point inside the volume, and ensuring the host path isn’t changeable by the user between validation and the moment the container runtime uses it (in an effort to prevent Time-of-Check Time-of-Use, or TOCTOU, issues).

However, the Google team found another route to exploit this issue, using a second TOCTOU race to bypass the validation of the path against the host directory. They still did a symlink attack like the previous one, but they continuously swapped the symlink with a directory using the RENAME_EXCHANGE option. If the race succeeds, the kubelet sees the path as a directory and thinks it’s safe to access, but the mount utility sees the path as a symlink and follows it.
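The underlying problem is that the kubelet validated a path and then a separate tool looked the same path up again, leaving a window in which a component could be swapped. An added example (not code from the page or from Kubernetes) of the defensive pattern that closes that window: open the subpath one component at a time with O_NOFOLLOW, relative to the previous descriptor, and hand the resulting file descriptor (not the path string) to whatever mounts it; a component swapped for a symlink after the open cannot redirect the descriptor, and one swapped before it makes the kernel refuse the open. The `escape` link and the temporary directories are constructed for the demo.

```python
import errno
import os
import shutil
import tempfile


def open_subpath_noescape(volume_root: str, subpath: str) -> int:
    """Open volume_root/subpath one component at a time, never following symlinks.

    Each component is opened relative to the descriptor of the previous one with
    O_NOFOLLOW, so a symlink anywhere in the chain makes the kernel fail the open
    with ELOOP instead of resolving it. The caller keeps using the returned
    descriptor rather than looking the path up again, so there is no second
    lookup for a RENAME_EXCHANGE-style swap to race against.
    """
    parts = [p for p in subpath.split("/") if p and p != "."]
    if os.path.isabs(subpath) or ".." in parts:
        raise ValueError("subpath must be relative and must not contain '..'")
    fd = os.open(volume_root, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        for part in parts:
            # Relative open: 'part' is resolved inside the directory fd only.
            # If fd is not a directory (a file in the middle), this is ENOTDIR.
            nxt = os.open(part, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nxt
    except BaseException:
        os.close(fd)
        raise
    return fd


def demo() -> dict:
    """Constructed scenario: a volume holding a real subdirectory, a file in it,
    and a symlink to a directory outside the volume (standing in for the host)."""
    root = tempfile.mkdtemp(prefix="volume-")
    outside = tempfile.mkdtemp(prefix="host-")
    results = {}
    try:
        os.mkdir(os.path.join(root, "data"))
        with open(os.path.join(root, "data", "config.txt"), "w") as f:
            f.write("inside the volume\n")
        os.symlink(outside, os.path.join(root, "escape"))
        for sub in ("data", "data/config.txt", "escape", "escape/passwd", "../host"):
            try:
                os.close(open_subpath_noescape(root, sub))
                results[sub] = "ok"
            except ValueError:
                results[sub] = "rejected"          # '..' or absolute subpath
            except OSError as exc:                 # ELOOP: a symlink was hit
                results[sub] = "refused" if exc.errno == errno.ELOOP else "error"
    finally:
        shutil.rmtree(root)
        shutil.rmtree(outside)
    return results
```

Kernels with openat2(2) can express the same policy in a single call via RESOLVE_BENEATH | RESOLVE_NO_SYMLINKS; the component loop above is the portable equivalent.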