Allow disabling hostNetwork: true

openebs / lvm-localpv

Dynamically provision Stateful Persistent Node-Local Volumes & Filesystems for Kubernetes that is integrated with a backend LVM2 data storage stack.

Apache License 2.0

262 stars 99 forks source link

Allow disabling hostNetwork: true #274

Closed dm3ch closed 6 months ago

dm3ch commented 12 months ago

Describe the problem/challenge you have Reduce amount of open ports on k8s nodes. As far as I understood the only port is exposed is 9500 and used only for metrics. So it seems it's possible to collect it using pod or service scrapper.

Describe the solution you'd like Helm value that would allow to disable hostNetwork: false

For such case it would also useful to allow modify pod and service annotations throw chart values

Anything else you would like to add: [Miscellaneous information that will assist in solving the issue.]

Environment:

LVM Driver version
Kubernetes version (use kubectl version):
Kubernetes installer & version:
Cloud provider or hardware configuration:
OS (e.g. from /etc/os-release):

Abhinandan-Purkait commented 11 months ago

@dm3ch IIUC you want a helm value to set hostNetwork: false here ? Can you please explain significance of this change?

dm3ch commented 11 months ago

Yes. I want to make it possible top set hostNetwork: false via helm values.

It would allow to decrease amount of opened ports on node IP. As far as I understood the only use-case for open ports is metrics collection and prometheus agent in k8s is able to collect the metrics using pod IP.

So my point of view, is that such change would allow users to minimize potential attack surface for clusters with public IPs on nodes, without affecting any features.

rpieczon commented 11 months ago

@Abhinandan-Purkait Do you really need to connect this POD to host network? If so why?

huornlmj commented 11 months ago

+1 on this request. This pod has a couple of configurations that when put together can lead to a risky container:

network reachable (hostNetwork)
no authentication or encryption on the endpoint
privileged pod
Host's /dev/ directory mounted inside.

huornlmj commented 10 months ago

Ping?

Abhinandan-Purkait commented 10 months ago

@rpieczon @huornlmj It needs to be a privileged pod to perform the operations on the node.

Regarding the hostNetwork we would run our whole test suite disabling it and then accordingly update it. Thanks

abhilashshetty04 commented 10 months ago

Hi @dm3ch , PR has been raised to make it configurable. by default it will be disabled.

https://github.com/openebs/lvm-localpv/pull/280

abhilashshetty04 commented 6 months ago

Hi @dm3ch , Closing this as we have allowed users to disable hotNetwork