Kubernetes security: hostPath mounts should be read only #553

Open
eamonryan opened this issue Sep 28, 2021 · 0 comments
Labels
enhancement New feature or request

@eamonryan
Member

This one may be an oversight but there are places where hostPaths are mounted without being in read-only mode:

https://github.com/grafana/agent/blob/main/production/kubernetes/agent-loki.yaml#L79-L86

Per https://kubernetes.io/docs/concepts/storage/volumes/#hostpath:

> HostPath volumes present many security risks, and it is a best practice to avoid the use of HostPaths when possible. When a HostPath volume must be used, it should be scoped to only the required file or directory, and mounted as ReadOnly.
>
> If restricting HostPath access to specific directories through AdmissionPolicy, volumeMounts MUST be required to use readOnly mounts for the policy to be effective.

It would be good to evaluate/fix these where and if possible.

@marctc marctc added the enhancement New feature or request label Oct 31, 2022
@rfratto rfratto transferred this issue from grafana/agent Apr 11, 2024
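
One way to carry out the evaluation the issue asks for, as an added example that is not part of the original issue or the project's code: a check that lists every hostPath volume mounted without `readOnly: true`. It goes beyond the single linked manifest by also handling Pods, controllers, CronJobs and `kubectl get ... -o json` lists. The sample manifest is constructed, and the function names are hypothetical.

```python
import json

# Constructed sample (not the project's manifest): a DaemonSet as printed by
# `kubectl get daemonset -o json`, with one writable and one read-only hostPath mount.
SAMPLE = json.loads("""
{"kind": "DaemonSet", "metadata": {"name": "log-agent"},
 "spec": {"template": {"spec": {
   "containers": [{"name": "agent", "volumeMounts": [
       {"name": "varlog", "mountPath": "/var/log"},
       {"name": "containers", "mountPath": "/var/lib/docker/containers", "readOnly": true},
       {"name": "scratch", "mountPath": "/tmp/agent"}]}],
   "volumes": [
       {"name": "varlog", "hostPath": {"path": "/var/log"}},
       {"name": "containers", "hostPath": {"path": "/var/lib/docker/containers"}},
       {"name": "scratch", "emptyDir": {}}]}}}}
""")


def pod_spec(obj):
    """Return the PodSpec of a Pod, a workload controller or a CronJob."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    if "template" in spec:
        spec = spec["template"].get("spec", {})
    return spec


def writable_hostpath_mounts(obj):
    """List (object, container, volume, hostPath, mountPath) for every
    hostPath volume mounted without readOnly: true."""
    if obj.get("kind", "").endswith("List"):
        return [f for item in obj.get("items", []) for f in writable_hostpath_mounts(item)]
    spec = pod_spec(obj)
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for ctr in spec.get("initContainers", []) + spec.get("containers", []):
        for m in ctr.get("volumeMounts", []):
            # readOnly defaults to false when the field is absent
            if m["name"] in host_paths and not m.get("readOnly", False):
                findings.append((obj["metadata"]["name"], ctr["name"], m["name"],
                                 host_paths[m["name"]], m["mountPath"]))
    return findings


if __name__ == "__main__":
    for f in writable_hostpath_mounts(SAMPLE):
        print("writable hostPath mount: %s/%s volume=%s host=%s mount=%s" % f)
```

The check reads `readOnly` from each container's `volumeMounts` entry, the field the quoted documentation says must be required, so the same volume is reported once per container that mounts it writable.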