Support mounting hostPath volumes in ReadOnly Mode in node-agent daemonset

[ksudarsh00]

Describe the problem/challenge you have

The CSOC team in our organisation has detected an Aquasec alert for the node-agent pod, which states that 'hostPath' volumes are mounted and have security risks in production environments.

I understand hostPath volumes are used to access data in PV when mounted to pod volumes while taking backups. Is there any way we can scope hostPath volume to a specific directory, or can we mount hostPath volumes as "ReadOnly"?

Describe the solution you'd like

Provide support in Helm Chart to mount hostPath volumes in ReadOnly mode.

Anything else you would like to add:

Environment:

• Velero version (use velero version):
• Kubernetes version (use kubectl version):
• Kubernetes installer & version:
• Cloud provider or hardware configuration:
• OS (e.g. from /etc/os-release):

Vote on this issue!

This is an invitation to the Velero community to vote on issues, you can see the project's top voted issues listed here.
Use the "reaction smiley face" up to the right of this comment to vote.

• :+1: for "The project would be better with this feature added"
• :-1: for "This feature will not enhance the project in a meaningful way"

[Lyndon-Li]

@ksudarsh00 Could you explain more why the ReadOnly mount could help you? As far as we know, the ReadOnly mount is still treated as a risk for the security system that concerns, so still need an exception claim to the security system.

[Lyndon-Li]

7198 could help in this case for data movement backup/restore; but for fs-backup, host-path is a must have

[draghuram]

Even assuming that read-only mount is possible for backups, you do need write access for restore?