K8s 1.33+ does not allow procMount: "Unmasked"

[miguelbernadi]

From k8s 1.33+ having procMount: "Unmasked" requires hostUsers: false which is incompatible with hostPID: true. That means that all recommended configuration of the agent DaemonSet are no longer valid in k8s 1.33+.

Why is it required to have procMount: "Unmasked"? According to documentation, avoiding this option prevents writing in parts of /proc but not reading from there. And we do need to use hostPID: true so we can inspect the other processes in the node.

Can we get a definitive and officially documented set of required values that is compatible with k8s 1.33+?

[christos68k]

Hello @miguelbernadi, it's likely that this is no longer needed as we have not revisited this setting recently. Can you test and validate if that is the case?

[miguelbernadi]

I'm in the process of validating with:

      hostPID: true
      hostNetwork: true
      #hostUsers: false
      containers:
      - name: opentelemetry-collector
        securityContext:
          #procMount: "Unmasked"
          privileged: true
          capabilities:
            add:
            - BPF
            - PERFMON
            - SYS_RESOURCE
            - SYS_PTRACE

It seems to be working, but I have unrelated permission issues to resolve before I can complete the validation. I was trying a different set of changes when I found the control plane upgrade to 1.33 had broken my deployment.

[florianl]

Not an k8s expert, just following documentation. Did you try something like the following?

securityContext:
      procMount: Default
      readOnlyRootFilesystem: true
      privileged: true
      capabilities:
        add:
          - BPF
          - PERFMON
          - SYS_RESOURCE
          - SYS_PTRACE

[miguelbernadi]

Not an k8s expert, just following documentation. Did you try something like the following?

securityContext:
      procMount: Default
      readOnlyRootFilesystem: true
      privileged: true
      capabilities:
        add:
          - BPF
          - PERFMON
          - SYS_RESOURCE
          - SYS_PTRACE

I have not, but I'd guess the procMount: Default is the same as not specifying it, as in my example. Or do you refere to also removing the hostPID and hostNetwork options?

[florianl]

I'm unsure about the effect of setting readOnlyRootFilesystem.