APM UMA security warnings on hardened k8s cluster
Article ID: 414808

Products

DX Application Performance Management DX APM SaaS

Issue/Introduction

Installing UMA 25.9.1.12 on a hardened (CIS-based) Kubernetes cluster shows the Pod Security warnings below.

W0930 11:56:43.584761 1769016 warnings.go:70] would violate PodSecurity "restricted:v1.32": host namespaces (hostNetwork=true, hostPID=true, hostIPC=true), privileged (containers "containerinfo", "podmonitor" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers "containerinfo", "podmonitor" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "containerinfo" must set securityContext.capabilities.drop=["ALL"]; container "podmonitor" must not include "SYS_RESOURCE" in securityContext.capabilities.add), restricted volume types (volumes "sys-kernel-debug", "dockersock", "containerdsock", "containerdekssock", "dockeroverlay", "dockeroverlay2", "dev", "run", "sys", "boot", "home", "rootfs", "proc" use restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "init-clusterinfo", "containerinfo", "podmonitor" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "containerinfo" must not set runAsUser=0)
W0930 11:56:43.603726 1769016 warnings.go:70] would violate PodSecurity "restricted:v1.32": runAsNonRoot != true (pod or container "http-collector-agent" must set securityContext.runAsNonRoot=true)
W0930 11:56:43.608470 1769016 warnings.go:70] would violate PodSecurity "restricted:v1.32": runAsNonRoot != true (pod or containers "init-clusterinfo", "prometheus-exporter" must set securityContext.runAsNonRoot=true)
W0930 11:56:43.617098 1769016 warnings.go:70] would violate PodSecurity "restricted:v1.32": runAsNonRoot != true (pod or container "apm-probe-autoattach" must set securityContext.runAsNonRoot=true)
W0930 11:56:43.623591 1769016 warnings.go:70] would violate PodSecurity "restricted:v1.32": allowPrivilegeEscalation != false (containers "init-clusterinfo", "acc-controller" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "init-clusterinfo", "acc-controller" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "init-clusterinfo", "acc-controller" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "init-clusterinfo", "acc-controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0930 11:56:43.623614 1769016 warnings.go:70] would violate PodSecurity "restricted:v1.32": runAsNonRoot != true (pod or containers "init-clusterinfo", "kubernetesservice" must set securityContext.runAsNonRoot=true)
W0930 11:56:43.624243 1769016 warnings.go:70] would violate PodSecurity "restricted:v1.32": runAsNonRoot != true (pod or containers "init-clusterinfo", "uma" must set securityContext.runAsNonRoot=true)
W0930 11:56:43.624353 1769016 warnings.go:70] would violate PodSecurity "restricted:v1.32": runAsNonRoot != true (pod or container "clusterinfo" must set securityContext.runAsNonRoot=true)

Environment

DX O2 UMA Agent

Cause

As UMA is a monitoring agent, it needs some additional privileges to monitor the Kubernetes/OpenShift cluster.

Resolution

Relax the Pod Security restrictions for the UMA namespace only; the rest of the cluster keeps its hardened settings.

Some of the privileges needed and the reasons for them are given below:

1. Host Namespaces (Required for Container Monitoring):

Status: Required for container monitoring
Reason: Needed to access host network, processes, and IPC for comprehensive monitoring

2. Privileged Containers (Required for Socket Access):

Status: Required for container runtime socket access
Reason: containerinfo needs privileged access to communicate with Docker/containerd/CRI-O sockets

3. Unrestricted Capabilities (Required for System Monitoring):

Status: Required for system resource monitoring
Reason: podmonitor needs SYS_RESOURCE capability for memory and CPU monitoring

4. Restricted Volume Types (Required for Host Access):

Status: Required for container monitoring
Reason: Need access to host filesystems and container runtime sockets

5. Root User (Required for Socket Access):

Status: Required for socket communication
Reason: containerinfo needs root access to read container runtime sockets
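One way to carry out the resolution above is to set the Pod Security Admission labels on the UMA namespace. The manifest below is an added example, not part of the article or of the UMA product; the namespace name "uma" is an assumption and should be replaced with the namespace UMA was installed into. Host namespaces, privileged containers, hostPath volumes, added capabilities and root are only admitted at the "privileged" level, so that is the enforce level for this one namespace. The "would violate PodSecurity" lines above come from the warn mode, so warn is set to privileged to stop that noise, while audit stays at restricted so every setting the agent relies on is still recorded in the API server audit log.

```yaml
# Added example (not from the KB article or the UMA product): scope the
# Pod Security relaxation to the single namespace that holds UMA.
# The namespace name "uma" is an assumption; use your actual UMA namespace.
apiVersion: v1
kind: Namespace
metadata:
  name: uma
  labels:
    # Admit pods that need host namespaces, privileged containers,
    # hostPath volumes, added capabilities and runAsUser=0 (items 1-5
    # above). "privileged" is the only PSA level that allows all of them.
    pod-security.kubernetes.io/enforce: privileged
    # Pin the policy version so a later cluster upgrade does not silently
    # change what this namespace admits.
    pod-security.kubernetes.io/enforce-version: v1.32
    # The warnings shown in the Issue section are emitted by warn mode;
    # matching it to enforce stops them for this namespace only.
    pod-security.kubernetes.io/warn: privileged
    pod-security.kubernetes.io/warn-version: v1.32
    # Keep auditing against the restricted profile: each violating pod
    # creation is annotated in the audit log, so the extra privileges
    # remain visible to security operations without blocking the agent.
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: v1.32
```

Apply it with kubectl apply -f before installing UMA, or add the same labels to the existing namespace with kubectl label; either way, only pods in this namespace are affected and every other namespace keeps the restricted level. Audit-mode violations appear as pod-security.kubernetes.io/audit-violations annotations on the audit events, which is where to look when reviewing what the agent actually used. On OpenShift, pod admission is additionally governed by SecurityContextConstraints, so the labels alone are not sufficient there.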

Additional Information