Need to set hostPID and hostIPC to false in Kured

[kavinkvb]

As per the security recommendation to avoid containers sharing sensitive host namespaces, I need to set the hostPID and hostIPC to false on the pod spec in Kured.

We are using helm chart to deploy the Kured and when i deploy by assigning the value to false it is not reflecting in pod values.yaml.

Please let me know if any input is required.

Please assist me to solve this.

[ckotzbauer]

Hi @kavinkvb,
the helm-chart does not offer the hostPID and hostIPC to be set through the values.yaml file. The hostPID variable is hardcoded to true in the chart, because kured needs this setting right now to work properly. We know, that this is not ideal from a security pov, but there would be huge architectural changes needed to achieve this.

[kavinkvb]

Hi @ckotzbauer
Thanks for your inputs.
I manually edited the hostPID to false in the daemonset after deploying the helm chart and this resolves the security recommendation.
Can you please suggest if this is the correct way of approach?

Also, in this case we need to change this value manually whenever we are redeploying the helm chart to avoid security recommendations.

[ckotzbauer]

Did you test, that kured successfully can reboot nodes with this config? When kured is just idle, the hostpid is not needed, so maybe it does not work now.

[kavinkvb]

I'll have a look and let you know if face any challenges.

Thanks

[ckotzbauer]

@kavinkvb Do you have any feedback for us here?