The deployment files for installing the lacework agent on Kubernetes contain `hostPath` volume mounts. From the `lacework-k8s.yaml` file:

This leads to the problem that container tools deployed into the `lacework` container will not work properly because they expect that the cgroup root is at `/sys/fs/cgroup/`. For example, the container's memory limit should be available via `/sys/fs/cgroup/memory/memory.limit_in_bytes` (e.g. as documented for Docker in Specify hard limits on memory). But with the `sys` mount, the container has the node view instead. This means `/sys/fs/cgroup/memory/memory.limit_in_bytes` is the limit of the node, not the container.

Additionally, the Kubernetes documentation recommends not using `hostPath` volume types as they introduce a security risk:

> Warning:
> Using the hostPath volume type presents many security risks. If you can avoid using a hostPath volume, you should. For example, define a local PersistentVolume, and use that instead.
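A small diagnostic for the symptom described above, added here as an example and not taken from the issue author or from the Lacework agent: it reads the memory controller path from `/proc/self/cgroup` and checks whether that path exists below the mounted hierarchy, which is the case only when the node's cgroup tree (not the container's own cgroup) is what `/sys/fs/cgroup` shows. The hierarchy root, the cgroup path and the two constructed trees in `demo()` are assumptions for illustration.

```python
"""Detect whether /sys/fs/cgroup/memory shows the node's hierarchy (as with a
hostPath mount of /sys) or the container's own cgroup, and recover the real
container limit in the former case. Hypothetical helper, not Lacework code."""
import tempfile
from pathlib import Path

# cgroup v1 value for "no limit" on x86_64 (PAGE_COUNTER_MAX in bytes).
UNLIMITED = 9223372036854771712


def memory_cgroup_path(proc_self_cgroup: str) -> str:
    """Extract the memory controller path from /proc/self/cgroup text,
    e.g. '4:memory:/kubepods/burstable/podX/abc' -> '/kubepods/burstable/podX/abc'."""
    for line in proc_self_cgroup.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3 and "memory" in parts[1].split(","):
            return parts[2]
    raise ValueError("no memory controller entry in /proc/self/cgroup")


def locate_limit(cgroup_root: Path, cgroup_path: str) -> tuple[str, int]:
    """Return (view, limit_bytes) for the hierarchy mounted at cgroup_root.
    'container': the mount root is this container's own cgroup (normal case).
    'node': the node hierarchy is mounted, so our own cgroup directory exists
            below the root and the real limit must be read from there."""
    mem = cgroup_root / "memory"
    own = mem / cgroup_path.lstrip("/") / "memory.limit_in_bytes"
    if cgroup_path.strip("/") and own.is_file():
        return "node", int(own.read_text())
    return "container", int((mem / "memory.limit_in_bytes").read_text())


def _write(path: Path, value: int) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(f"{value}\n")


def demo() -> dict:
    """Build two constructed cgroup trees in a temp dir and classify both."""
    proc_cgroup = "4:memory:/kubepods/burstable/pod-demo/ctr-demo\n"  # constructed
    path = memory_cgroup_path(proc_cgroup)
    with tempfile.TemporaryDirectory() as tmp:
        # Node view: root reads "unlimited"; the container's 512 MiB limit sits deeper.
        node = Path(tmp, "node")
        _write(node / "memory" / "memory.limit_in_bytes", UNLIMITED)
        _write(node / "memory" / path.lstrip("/") / "memory.limit_in_bytes", 512 * 1024**2)
        # Container view: the mount root already is the container's cgroup.
        ctr = Path(tmp, "ctr")
        _write(ctr / "memory" / "memory.limit_in_bytes", 512 * 1024**2)
        return {"node_view": locate_limit(node, path), "container_view": locate_limit(ctr, path)}
```

On a real node, call `locate_limit(Path("/sys/fs/cgroup"), memory_cgroup_path(Path("/proc/self/cgroup").read_text()))`; a `'node'` result means tools reading the root file are seeing the node's limit.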