Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support mounting hostPath volumes in ReadOnly Mode in node-agent daemonset #7833

Closed
ksudarsh00 opened this issue May 27, 2024 · 5 comments
Closed

Support mounting hostPath volumes in ReadOnly Mode in node-agent daemonset #7833

ksudarsh00 opened this issue May 27, 2024 · 5 comments
Labels
area/fs-backup staled work as design

Comments

@ksudarsh00
Copy link

Describe the problem/challenge you have

The CSOC team in our organisation has detected an Aquasec alert for the node-agent pod, which states that 'hostPath' volumes are mounted and have security risks in production environments.

I understand hostPath volumes are used to access data in PV when mounted to pod volumes while taking backups. Is there any way we can scope hostPath volume to a specific directory, or can we mount hostPath volumes as "ReadOnly"?

Describe the solution you'd like

Provide support in Helm Chart to mount hostPath volumes in ReadOnly mode.

Anything else you would like to add:

Environment:

  • Velero version (use velero version):
  • Kubernetes version (use kubectl version):
  • Kubernetes installer & version:
  • Cloud provider or hardware configuration:
  • OS (e.g. from /etc/os-release):

Vote on this issue!

This is an invitation to the Velero community to vote on issues, you can see the project's top voted issues listed here.
Use the "reaction smiley face" up to the right of this comment to vote.

  • 👍 for "The project would be better with this feature added"
  • 👎 for "This feature will not enhance the project in a meaningful way"
@Lyndon-Li
Copy link
Contributor

@ksudarsh00
Could you explain more why the ReadOnly mount could help you? As far as we know, the ReadOnly mount is still treated as a risk for the security system that concerns, so still need an exception claim to the security system.

@Lyndon-Li
Copy link
Contributor

#7198 could help in this case for data movement backup/restore; but for fs-backup, host-path is a must have

@draghuram
Copy link
Contributor

Even assuming that read-only mount is possible for backups, you do need write access for restore?

@github-actions GitHub Actions
Copy link

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days. If a Velero team member has requested log or more information, please provide the output of the shared commands.

@github-actions GitHub Actions
Copy link

This issue was closed because it has been stalled for 14 days with no activity.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Aug 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/fs-backup staled work as design
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@draghuram @ksudarsh00 @blackpiglet @Lyndon-Li