K8s 1.33+ does not allow procMount: "Unmasked"
From k8s 1.33+, having procMount: "Unmasked" requires hostUsers: false, which is incompatible with hostPID: true. That means that all recommended configurations of the agent DaemonSet are no longer valid in k8s 1.33+.
Why is it required to have procMount: "Unmasked"? According to documentation, avoiding this option prevents writing in parts of /proc but not reading from there. And we do need to use hostPID: true so we can inspect the other processes in the node.
Can we get a definitive and officially documented set of required values that is compatible with k8s 1.33+?
Hello @miguelbernadi, it's likely that this is no longer needed as we have not revisited this setting recently. Can you test and validate if that is the case?
I'm in the process of validating with:
hostPID: true
hostNetwork: true
#hostUsers: false
containers:
  - name: opentelemetry-collector
    securityContext:
      #procMount: "Unmasked"
      privileged: true
      capabilities:
        add:
          - BPF
          - PERFMON
          - SYS_RESOURCE
          - SYS_PTRACE
It seems to be working, but I have unrelated permission issues to resolve before I can complete the validation. I was trying a different set of changes when I found the control plane upgrade to 1.33 had broken my deployment.
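Since the thread turns on which combinations the 1.33 rules reject (procMount: Unmasked needs hostUsers: false, and hostUsers: false cannot coexist with hostPID: true), a pre-upgrade check over the existing DaemonSet manifests is the practical step. The script below is an added example and is not code from this issue thread or from the agent project. It is deliberately line-oriented rather than a YAML parser: it strips `#` comments and then matches one `key: value` per line, so a commented-out `#procMount: "Unmasked"` like the one in the validation snippet above is ignored. The three manifests it writes are constructed samples; the `agent` container name, the `check_manifest`/`has_setting` function names and the temp-file layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from this issue thread or the agent project.
# Line-oriented pre-upgrade lint for the 1.33 rules discussed above:
#   procMount: Unmasked  -> requires hostUsers: false
#   hostUsers: false     -> cannot be combined with hostPID: true
# Not a YAML parser: '#' comments are stripped, then one "key: value" per
# line is matched, so a commented-out #procMount: "Unmasked" is ignored.
# Run it with one Pod/DaemonSet object per file.

# strip_comments FILE -> manifest text with '#' comments removed
strip_comments() {
    sed 's/#.*$//' "$1"
}

# has_setting FILE KEY VALUE -> 0 if an uncommented "KEY: VALUE" line exists
# (value may be bare, single-quoted or double-quoted)
has_setting() {
    strip_comments "$1" | grep -Eq "^[[:space:]]*-?[[:space:]]*$2:[[:space:]]*[\"']?$3[\"']?[[:space:]]*$"
}

# check_manifest FILE
#   0 -> no conflicting combination found
#   1 -> procMount: Unmasked without hostUsers: false
#   2 -> hostUsers: false together with hostPID: true
check_manifest() {
    if has_setting "$1" procMount Unmasked && ! has_setting "$1" hostUsers false; then
        echo "$1: procMount: Unmasked needs hostUsers: false on k8s 1.33+" >&2
        return 1
    fi
    if has_setting "$1" hostUsers false && has_setting "$1" hostPID true; then
        echo "$1: hostUsers: false cannot be combined with hostPID: true" >&2
        return 2
    fi
    return 0
}

# --- constructed sample manifests (not real cluster objects) ---
LINT_TMP=$(mktemp -d)

# The pre-1.33 recommended shape: Unmasked procMount next to hostPID.
OLD_MANIFEST="$LINT_TMP/old.yaml"
cat > "$OLD_MANIFEST" <<'EOF'
apiVersion: v1
kind: Pod
spec:
  hostPID: true
  hostNetwork: true
  containers:
    - name: agent
      securityContext:
        procMount: "Unmasked"
        privileged: true
EOF

# The shape validated in the thread: procMount left at its default.
NEW_MANIFEST="$LINT_TMP/new.yaml"
cat > "$NEW_MANIFEST" <<'EOF'
apiVersion: v1
kind: Pod
spec:
  hostPID: true
  hostNetwork: true
  #hostUsers: false
  containers:
    - name: agent
      securityContext:
        #procMount: "Unmasked"
        privileged: true
        capabilities:
          add:
            - BPF
            - PERFMON
            - SYS_RESOURCE
            - SYS_PTRACE
EOF

# Satisfies the procMount rule but trips the hostPID/user-namespace rule.
USERNS_MANIFEST="$LINT_TMP/userns.yaml"
cat > "$USERNS_MANIFEST" <<'EOF'
apiVersion: v1
kind: Pod
spec:
  hostPID: true
  hostUsers: false
  containers:
    - name: agent
      securityContext:
        procMount: Unmasked
EOF

for f in "$OLD_MANIFEST" "$NEW_MANIFEST" "$USERNS_MANIFEST"; do
    if check_manifest "$f"; then
        echo "$f: compatible with 1.33 rules"
    fi
done
```

To run it against a live cluster before upgrading the control plane, export each DaemonSet separately (for example `kubectl get daemonset NAME -n NAMESPACE -o yaml > NAME.yaml`) and pass each file to `check_manifest`; feeding a single `kubectl get ... -A -o yaml` list would mix settings from different objects and give false results.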
Not a k8s expert, just following documentation. Did you try something like the following?
securityContext:
  procMount: Default
  readOnlyRootFilesystem: true
  privileged: true
  capabilities:
    add:
      - BPF
      - PERFMON
      - SYS_RESOURCE
      - SYS_PTRACE
I have not, but I'd guess the procMount: Default is the same as not specifying it, as in my example. Or do you refer to also removing the hostPID and hostNetwork options?
I'm unsure about the effect of setting readOnlyRootFilesystem.