OpenShift Bugs / OCPBUGS-55234

RW hostPath mount in kube-rbac-proxy-crio static pod violates best practices in RHOCP4


    • Quality / Stability / Reliability
    • False
    • 1
    • Low
    • None
    • In Progress
    • Release Note Not Required

      Description of problem:

      We have identified that the container kube-rbac-proxy-crio, deployed under the openshift-machine-config-operator namespace, is configured with hostPath volumes mounted with read-write (RW) access. The following mounts were observed:
      
      Mount Path: /etc/kubernetes → Host Path: /etc/kubernetes (Access Type: RW)
      Mount Path: /var/lib/kubelet → Host Path: /var/lib/kubelet (Access Type: RW)
      
      This is a violation of Kubernetes and industry-standard security best practices, as explicitly mentioned in the Kubernetes documentation:
      🔗 https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
      
      Use of hostPath with RW permissions introduces significant security risks, including potential unauthorized modification of critical system files or configurations.
        

      Version-Release number of selected component (if applicable):

          

      How reproducible:

          

      Steps to Reproduce:

      1. Check the pods in the openshift-machine-config-operator project
      2. Open the YAML of the kube-rbac-proxy-crio pod
      3. Check volumeMounts:
          - mountPath: /etc/kubernetes
            name: etc-kube
          - mountPath: /var/lib/kubelet
            name: var-lib-kubelet
      4. Check access mode

      Actual results:

      The pod is deployed as a static pod on all cluster nodes. RW hostPath mounts are present in the pod definition.
      RW hostPath appears to be required for metrics proxy access to CRI-O and kubelet directories.  
      There is no operator or supported mechanism to modify the pod spec to adjust mount access or enforce readOnly: true. 

      Expected results:

      We request one of the following actions from the OpenShift product team:
      -- Check if we can replace RW hostPath mounts with read-only equivalents wherever feasible.
      -- Refactor the pod to scope hostPath access only to specific files or subdirectories, with minimal privilege.
      -- Provide an officially supported method or operator to manage these mounts securely.
      -- Ensure alignment with Pod Security Standards in future releases.
      

      Additional info:

      Currently, we cannot safely modify this pod without risking supportability or upgrade issues, as it is managed by OpenShift itself.
      
      Security Concerns:
      -- RW hostPath access violates PodSecurity standards.
      -- Allows unnecessary privilege escalation if the container is compromised.
      -- Difficult to harden without unsupported changes to OpenShift-managed static pods.
      -- Fails compliance checks in security-focused environments.

              team-mco Team MCO
              rhn-support-sdharma Suruchi Dharma
              Prachiti Talgulkar
              None
              Sergio Regidor de la Rosa Sergio Regidor de la Rosa
              None
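A check for steps 3 and 4 of the reproduction, as an added example that is not part of the original report or of OpenShift's own code: it reads a pod manifest in the JSON shape of `oc get pod -o json` and lists every hostPath mount that is not marked `readOnly: true`. The pod name, the `host-certs` volume and the manifest as a whole are constructed; only the two mount paths and volume names come from the report.

```python
import json

# Constructed sample manifest. etc-kube and var-lib-kubelet mirror the report;
# the pod name and the read-only host-certs mount are assumptions for contrast.
SAMPLE_POD = json.loads("""
{
  "metadata": {"name": "kube-rbac-proxy-crio-node-1",
               "namespace": "openshift-machine-config-operator"},
  "spec": {
    "containers": [{
      "name": "kube-rbac-proxy-crio",
      "volumeMounts": [
        {"mountPath": "/etc/kubernetes", "name": "etc-kube"},
        {"mountPath": "/var/lib/kubelet", "name": "var-lib-kubelet"},
        {"mountPath": "/etc/ssl/certs", "name": "host-certs", "readOnly": true}
      ]
    }],
    "volumes": [
      {"name": "etc-kube", "hostPath": {"path": "/etc/kubernetes"}},
      {"name": "var-lib-kubelet", "hostPath": {"path": "/var/lib/kubelet"}},
      {"name": "host-certs", "hostPath": {"path": "/etc/ssl/certs"}}
    ]
  }
}
""")


def rw_hostpath_mounts(pod):
    """Return (container, mountPath, hostPath) for each writable hostPath mount."""
    spec = pod.get("spec", {})
    # Map volume name -> host path, for hostPath-backed volumes only.
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes") or [] if "hostPath" in v}
    findings = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(kind) or []:
            for mount in container.get("volumeMounts") or []:
                # An absent readOnly field means the mount is read-write.
                if mount["name"] in host_paths and not mount.get("readOnly", False):
                    findings.append((container["name"], mount["mountPath"],
                                     host_paths[mount["name"]]))
    return findings


if __name__ == "__main__":
    for name, mount_path, host_path in rw_hostpath_mounts(SAMPLE_POD):
        print(f"RW hostPath: container={name} mount={mount_path} host={host_path}")
```

Because `readOnly` defaults to false, a mount with no `readOnly` key, as in the `volumeMounts` excerpt in step 3, is reported as read-write.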