HostPath volumes present many security risks, and it is a best practice to avoid the use of HostPaths when possible. When a HostPath volume must be used, it should be scoped to only the required file or directory, and mounted as ReadOnly.
If restricting HostPath access to specific directories through AdmissionPolicy, volumeMounts MUST be required to use readOnly mounts for the policy to be effective.
This one may be an oversight but there are places where hostPaths are mounted without being in read-only mode:
https://github.com/grafana/agent/blob/main/production/kubernetes/agent-loki.yaml#L79-L86
Per https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
It would be good to evaluate/fix these where and if possible.
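One way to audit a manifest for the condition this issue describes, as an added example that is not part of the original issue or the Grafana Agent repository: it reports every container mount of a hostPath volume that does not set `readOnly: true`. The sample manifest, its names and paths, and the function names are constructed for illustration; input is assumed to be a single object in `kubectl get -o json` form.

```python
import json
import sys

# Constructed sample workload (illustrative names and paths, not the linked manifest).
SAMPLE = {
    "kind": "DaemonSet",
    "metadata": {"name": "log-agent"},
    "spec": {"template": {"spec": {
        "volumes": [
            {"name": "varlog", "hostPath": {"path": "/var/log"}},
            {"name": "containers", "hostPath": {"path": "/var/lib/docker/containers"}},
            {"name": "config", "configMap": {"name": "agent-config"}},
        ],
        "containers": [{
            "name": "agent",
            "volumeMounts": [
                {"name": "varlog", "mountPath": "/var/log"},
                {"name": "containers", "mountPath": "/var/lib/docker/containers",
                 "readOnly": True},
                {"name": "config", "mountPath": "/etc/agent"},
            ],
        }],
    }}},
}


def pod_spec(obj):
    """Return the pod spec of a Pod, or of a workload that embeds a pod template."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})


def writable_hostpath_mounts(obj):
    """List (container, volume, hostPath, mountPath) for hostPath mounts lacking readOnly: true."""
    spec = pod_spec(obj)
    host_paths = {v["name"]: v["hostPath"].get("path", "")
                  for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            # readOnly defaults to false, so an absent key is a writable mount.
            if m["name"] in host_paths and m.get("readOnly") is not True:
                findings.append((c["name"], m["name"], host_paths[m["name"]], m["mountPath"]))
    return findings


if __name__ == "__main__":
    manifest = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for container, volume, host_path, mount_path in writable_hostpath_mounts(manifest):
        print(f"{container}: volume {volume!r} ({host_path}) mounted writable at {mount_path}")
```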