
Allow disabling hostNetwork: true #274

Closed
dm3ch opened this issue Dec 1, 2023 · 8 comments

Comments

@dm3ch

dm3ch commented Dec 1, 2023

Describe the problem/challenge you have
Reduce the number of open ports on k8s nodes.
As far as I understood, the only port exposed is 9500, and it is used only for metrics.
So it seems it's possible to collect them using a pod or service scraper.

Describe the solution you'd like
A Helm value that would allow disabling hostNetwork (hostNetwork: false).

For such a case it would also be useful to allow modifying pod and service annotations through chart values.

Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]

Environment:

  • LVM Driver version
  • Kubernetes version (use kubectl version):
  • Kubernetes installer & version:
  • Cloud provider or hardware configuration:
  • OS (e.g. from /etc/os-release):
@Abhinandan-Purkait
Member

Abhinandan-Purkait commented Dec 7, 2023

@dm3ch IIUC you want a helm value to set hostNetwork: false here? Can you please explain the significance of this change?

@dm3ch
Author

dm3ch commented Dec 18, 2023

Yes. I want to make it possible to set hostNetwork: false via helm values.

It would allow decreasing the number of opened ports on the node IP. As far as I understood, the only use-case for the open ports is metrics collection, and the prometheus agent in k8s is able to collect the metrics using the pod IP.

So my point of view is that such a change would allow users to minimize the potential attack surface for clusters with public IPs on nodes, without affecting any features.

@rpieczon

@Abhinandan-Purkait Do you really need to connect this POD to host network? If so why?

@huornlmj

+1 on this request. This pod has a couple of configurations that, when put together, can lead to a risky container:

  1. network reachable (hostNetwork)
  2. no authentication or encryption on the endpoint
  3. privileged pod
  4. Host's /dev/ directory mounted inside.
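To make the combination listed above checkable rather than a matter of reading YAML by eye, here is an added audit script (not part of the project or of the thread) that scores a rendered pod spec for the same factors: hostNetwork, privileged containers, and a hostPath mount of the host's /dev. The rendered spec is constructed inline to mimic what a chart might emit for the node plugin with hostNetwork toggled; the container name `lvm-plugin`, the `prometheus.io/*` pod annotations and the volume names are assumptions for illustration, and the endpoint's lack of authentication or TLS is not something a spec alone can reveal, so the script does not claim to detect it.

```python
"""Audit a rendered Kubernetes pod spec for the risk factors named in the thread."""
from __future__ import annotations

import json


def render_node_plugin_spec(host_network: bool, metrics_port: int = 9500) -> dict:
    """Constructed stand-in for a chart-rendered node-plugin pod.

    Only hostNetwork is the value under discussion; everything else
    (names, paths, annotations) is an assumption made for this example.
    """
    return {
        "metadata": {
            "annotations": {
                # Pod-level scrape hints so a Prometheus pod scraper reaches
                # the metrics endpoint on the pod IP instead of the node IP.
                "prometheus.io/scrape": "true",
                "prometheus.io/port": str(metrics_port),
            }
        },
        "spec": {
            "hostNetwork": host_network,
            "volumes": [
                {"name": "device-dir", "hostPath": {"path": "/dev", "type": "Directory"}},
            ],
            "containers": [
                {
                    "name": "lvm-plugin",
                    "securityContext": {"privileged": True},
                    "ports": [{"name": "metrics", "containerPort": metrics_port}],
                    "volumeMounts": [{"name": "device-dir", "mountPath": "/dev"}],
                }
            ],
        },
    }


def node_exposed_ports(pod: dict) -> list[int]:
    """Container ports reachable on the node IP: non-empty only with hostNetwork."""
    spec = pod.get("spec", {})
    if not spec.get("hostNetwork"):
        return []
    return sorted(
        int(p["containerPort"])
        for c in spec.get("containers", [])
        for p in c.get("ports", [])
    )


def audit_pod_spec(pod: dict) -> list[str]:
    """Return one finding per risk factor present in the pod spec."""
    findings: list[str] = []
    spec = pod.get("spec", {})
    volumes = {v["name"]: v for v in spec.get("volumes", [])}

    if spec.get("hostNetwork"):
        ports = node_exposed_ports(pod) or "(none declared)"
        findings.append(f"hostNetwork: true exposes container ports {ports} on the node IP")

    for c in spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"container {c['name']} runs privileged")
        for m in c.get("volumeMounts", []):
            host_path = volumes.get(m["name"], {}).get("hostPath", {}).get("path")
            # Flag the host device tree specifically, as in the thread's list.
            if host_path and (host_path == "/dev" or host_path.startswith("/dev/")):
                findings.append(f"container {c['name']} mounts host {host_path} at {m['mountPath']}")
    return findings


def audit_pod_json(document: str) -> list[str]:
    """Same audit over a JSON-encoded manifest (e.g. `kubectl get pod -o json`)."""
    return audit_pod_spec(json.loads(document))


if __name__ == "__main__":
    for enabled in (True, False):
        pod = render_node_plugin_spec(host_network=enabled)
        print(f"hostNetwork={enabled}: node-exposed ports {node_exposed_ports(pod)}")
        for finding in audit_pod_spec(pod):
            print("  -", finding)
```

Running it shows that switching hostNetwork off removes the node-IP exposure finding while the privileged and /dev findings remain, which matches the maintainer's later point that the privilege is needed for node operations and only the network setting is negotiable.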

@huornlmj

huornlmj commented Jan 9, 2024

Ping?

@Abhinandan-Purkait
Member

@rpieczon @huornlmj It needs to be a privileged pod to perform the operations on the node.

Regarding hostNetwork, we would run our whole test suite with it disabled and then update it accordingly. Thanks

@abhilashshetty04
Contributor

Hi @dm3ch, a PR has been raised to make it configurable. By default it will be disabled.

#280

@abhilashshetty04
Contributor

Hi @dm3ch, closing this as we have allowed users to disable hostNetwork.
