
Need to set hostPID and hostIPC to false in Kured

Open kavinkvb opened this issue 2 years ago • 5 comments

As per the security recommendation to avoid containers sharing sensitive host namespaces, I need to set the hostPID and hostIPC to false on the pod spec in Kured.

We are using the Helm chart to deploy Kured, and when I deploy with the value set to false, it is not reflected in the pod values.yaml.

Please let me know if any input is required.

Please assist me to solve this.

kavinkvb avatar Jun 01 '23 13:06 kavinkvb

Hi @kavinkvb, the Helm chart does not allow hostPID and hostIPC to be set through the values.yaml file. The hostPID variable is hardcoded to true in the chart, because kured needs this setting right now to work properly. We know that this is not ideal from a security POV, but there would be huge architectural changes needed to achieve this.

ckotzbauer avatar Jun 03 '23 07:06 ckotzbauer

Hi @ckotzbauer, thanks for your input. I manually edited hostPID to false in the DaemonSet after deploying the Helm chart, and this resolves the security recommendation. Can you please suggest whether this is the correct approach?

Also, in this case we need to change this value manually whenever we redeploy the Helm chart to avoid security recommendations.

kavinkvb avatar Jun 04 '23 17:06 kavinkvb

Did you test that kured can successfully reboot nodes with this config? When kured is just idle, hostPID is not needed, so maybe it does not work now.

ckotzbauer avatar Jun 05 '23 04:06 ckotzbauer

I'll have a look and let you know if I face any challenges.

Thanks

kavinkvb avatar Jun 05 '23 07:06 kavinkvb

@kavinkvb Do you have any feedback for us here?

ckotzbauer avatar Aug 02 '23 09:08 ckotzbauer
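
A check of this kind can confirm whether the manual DaemonSet edit described in this thread is still in place after the chart is redeployed, and which other workloads share host namespaces. It is an added example, not code from the kured project or from the participants in this thread; the sample objects, their names and namespaces are constructed, and the function names are hypothetical.

```python
import json

HOST_NS_FIELDS = ("hostPID", "hostIPC")
# Where the pod spec lives, by kind; other workload kinds use spec.template.spec.
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}
TEMPLATE_PATH = ("spec", "template", "spec")


def pod_spec(obj):
    """Return the pod spec embedded in a Pod or workload object, or {}."""
    node = obj
    for key in POD_SPEC_PATHS.get(obj.get("kind"), TEMPLATE_PATH):
        node = node.get(key) if isinstance(node, dict) else None
    return node if isinstance(node, dict) else {}


def host_namespace_findings(doc):
    """Return (kind, namespace/name, field) for each host namespace shared."""
    is_list = str(doc.get("kind", "")).endswith("List")
    items = (doc.get("items") or []) if is_list else [doc]
    findings = []
    for obj in items:
        meta = obj.get("metadata") or {}
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        for field in HOST_NS_FIELDS:
            # An omitted field defaults to false, so only an explicit true counts.
            if pod_spec(obj).get(field) is True:
                findings.append((obj.get("kind"), ref, field))
    return findings


# Constructed sample in the shape of `kubectl get ds,deploy,cronjob -A -o json`.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "DaemonSet", "metadata": {"name": "kured", "namespace": "kube-system"},
   "spec": {"template": {"spec": {"hostPID": true, "containers": []}}}},
  {"kind": "Deployment", "metadata": {"name": "web", "namespace": "shop"},
   "spec": {"template": {"spec": {"hostPID": false, "containers": []}}}},
  {"kind": "CronJob", "metadata": {"name": "dump", "namespace": "ops"},
   "spec": {"jobTemplate": {"spec": {"template": {"spec": {"hostIPC": true}}}}}}
]}
""")

if __name__ == "__main__":
    for kind, ref, field in host_namespace_findings(SAMPLE):
        print(f"{kind} {ref}: {field}=true")
```

Run against live output, a finding for the kured DaemonSet after a redeploy means the chart's hardcoded value has replaced the manual edit.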