Closed patpicos closed 4 months ago
Mounting the above hostPath has implications when using PodSecurityPolicies. A policy specific to AGIC needs to be developed to allow access to the host file.
When enabling Azure Policy for AKS this also causes non-compliance with the 'Kubernetes cluster pod hostPath volumes should only use allowed host paths' policy definition.
Describe the solution you'd like
I was reviewing the helm chart and noticed that the hostPath `/etc/kubernetes/azure.json` was mounted into the AGIC. This file contains sensitive data such as the cluster identity and secret. See https://github.com/Azure/application-gateway-kubernetes-ingress/blob/ef4765e206de581d4b7b8b796cae1fc3cc0ed99e/helm/ingress-azure/templates/deployment.yaml#L79-L82

AGIC should not require this level of elevation or access. I dug into the code base and found this PR merge https://github.com/Azure/application-gateway-kubernetes-ingress/pull/585/files that added the mount. It sounds like this was done to retrieve some environment data. A preferred approach would be to ask for the data as a helm chart input.
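An added check, not part of this issue or of the AGIC project, that flags hostPath volumes outside an allow-list the way PodSecurityPolicy `allowedHostPaths` (pathPrefix matching) and the Azure Policy definition mentioned above would. The two Deployment fragments and the Secret name `agic-azure-config` are constructed for the example; the Secret variant is one assumed way the "helm chart input" could be delivered.

```python
"""Flag hostPath volumes in a Deployment that fall outside an allow-list.

Mirrors PodSecurityPolicy `allowedHostPaths` semantics: a host path is
allowed only if it equals an allowed prefix or lies under it, compared on
path components. The manifests below are constructed for this example.
"""
from __future__ import annotations
import posixpath


def path_allowed(path: str, allowed_prefixes: list[str]) -> bool:
    """True if `path` equals or lies under an allowed prefix.

    Paths are normalised first, so '/etc/kubernetes/../shadow' is judged as
    '/etc/shadow'; component matching means '/foo' permits '/foo/bar' but
    not '/foobar'.
    """
    norm = posixpath.normpath(path)
    for prefix in allowed_prefixes:
        p = posixpath.normpath(prefix)
        if norm == p or norm.startswith(p.rstrip("/") + "/"):
            return True
    return False


def find_disallowed_host_paths(deployment: dict, allowed_prefixes: list[str]) -> list[tuple[str, str]]:
    """Return (volume name, host path) for each hostPath volume not allowed."""
    pod_spec = deployment.get("spec", {}).get("template", {}).get("spec", {})
    findings = []
    for vol in pod_spec.get("volumes", []):
        host = vol.get("hostPath")
        if host is not None and not path_allowed(host.get("path", ""), allowed_prefixes):
            findings.append((vol["name"], host["path"]))
    return findings


# Constructed fragment modelled on the mount the issue describes.
AGIC_WITH_HOSTPATH = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "volumes": [{"name": "azure", "hostPath": {"path": "/etc/kubernetes/azure.json"}}],
    }}},
}

# Constructed alternative: the same data supplied through a Secret (assumed
# name `agic-azure-config`), which needs no host filesystem access.
AGIC_WITH_SECRET = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "volumes": [{"name": "azure", "secret": {"secretName": "agic-azure-config"}}],
    }}},
}

# Empty allow-list: the strict setting where no hostPath is permitted at all.
STRICT_ALLOW_LIST: list[str] = []
```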