Reason for Mounting mountPath: /var/lib/kubelet and Having hostPID: true #681
-
|
What are the exact reasons for "mountPath: /var/lib/kubelet" and having HostPID set to true? Both are not ideal from a security standpoint, but are required for the tool. So reasoning for this would be helpful. (This is for job-eks.yaml) |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 1 reply
-
|
Hi @ramesh-ramani, thanks for your question
|
Beta Was this translation helpful? Give feedback.
-
|
@lizrice thanks for that; however, in EKS, in that path (/var/lib/kubelet), there's also the kubeconfig file which has elevated rights to the cluster. So that's seems like a fairly risky mount. Is there an alternative or this is a "must-have"? |
Beta Was this translation helpful? Give feedback.
Hi @ramesh-ramani, thanks for your question
/var/lib/kubeletis mounted so that kube-bench can read the kubelet configuration files on the hostHostPID is needed so that kube-bench can run
pscommands to observe what's running on the host and check for parameters that might override the configuration settings