set hostPID:true in elastic-agent-managed-kubernetes.yaml

[m-sample]

Describe the enhancement:

Currently the Agent's managed Kubernetes YAML leaves "hostPID" unspecified so it defaults to false (https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#hosts-namespaces). Please change it to "hostPID:true" to grant sufficient access to in-Pod Agent integrations/containers so they may perform their expected tasks.

The hostPID attribute appears to be a Pod-wide setting that cannot be overridden at the container level in that Pod spec.

Describe a specific use case for the enhancement or feature:

Some integrations/containers in the same Pod need access to the host pid namespace, for example, to ensure the integration container's /proc has visibility of all processes on the host (including those in other Pods, e.g. for event enrichment) and to allow response actions such as killing any disallowed process (when combined with other privileges in that container's SecurityContext).

[norrietaylor]

/cc @qcorporation @lrishi @norrietaylor

[jlind23]

@blakerouse @michalpristas @ph @pierrehilbert this is a pretty simple change but I am kind of afraid that it is going to give too much permissions. Do we have any security recommandations on this?

[blakerouse]

I think it would be best to know what integrations need this and why it is needed, before we just got toggling it on.

[m-sample]

I think it would be best to know what integrations need this and why it is needed, before we just got toggling it on.

Endpoint monitors all process executions on the host by kprobes or BPF (these don't need hostPID to see all processes, CAP_SYS_ADMIN/privileged is enough). Endpoint needs hostPID:true in order to augment these process fork & exec events coming from BPF or kprobes with additional process information from a /proc that shows all processes on the host. hostPID:true ensures the /proc mounted in the container shows all the host's processes. Endpoint response actions to kill/signal processes will also require this.

[blakerouse]

@m-sample Now I understand, and why it needs to be at the Pod-level and cannot be at the container-level. I think we have no choice but to set this too true.

[m-sample]

@m-sample Now I understand, and why it needs to be at the Pod-level and cannot be at the container-level. I think we have no choice but to set this too true.

💯 Yes, unfortunately hostPID is only available at the pod level and applies to all containers in the Pod. The container-level SecurityContext config that can override the Pod level one does not offer hostPID.