Action Item: Host PID Configuration

Learn how to make PID configurations with Fairwinds Insights.

Hello everyone. My name is Munib Ali. I'm the Engineering Manager here at Fairwinds and today I'm going to be talking about how to resolve the Insights action item Host PID or process ID should not be configured.

Insights scans your pods and checks if this Host PID is set to true. When it's set to true, there are a couple of things that can happen. When you run ps on the pod with this set to true, you can see all the processes running on the host, including processes running in each pod. You can also find credentials and use them to escalate privileges in the cluster, and you would also be able to kill processes. Therefore, Insights recommends that this should not be configured.

We are going to look into how we can remediate this action item. On the bottom of my screen, you are looking at the Insights user interface, and I already have this filtered to my cluster and a specific action item.

If I click on this action item, I'm given useful information on the right-hand side: you can see where exactly this action item is showing up. In our case, it's a DaemonSet in the fairwinds-prometheus namespace. It gives us a little description about this action item and why it should not be configured. The remediation for this is to set the host process ID to false.

I have my cluster and what I'm going to do is go into this namespace and pull this DaemonSet's YAML to see where exactly this is set to true. Okay. I am going to pull this YAML and we are going to look at where it says the host process ID is set to true. And here we are. So, this would need to be set to false in order to resolve this action item. Thanks for watching everyone.
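
The manual check shown in the video can be repeated across every workload at once. The following is an added example, not part of the video or of Fairwinds Insights: it walks JSON shaped like `kubectl get ... -o json` output and reports each workload whose pod spec sets hostPID to true. The workload names and the sample data are constructed for illustration.

```python
import json

# Where the pod spec lives inside each workload kind.
POD_SPEC_PATHS = {
    "Pod": ["spec"],
    "CronJob": ["spec", "jobTemplate", "spec", "template", "spec"],
}
DEFAULT_PATH = ["spec", "template", "spec"]  # DaemonSet, Deployment, StatefulSet, Job

def pod_spec(obj):
    """Follow the path for this kind; return None if any level is missing."""
    node = obj
    for key in POD_SPEC_PATHS.get(obj.get("kind"), DEFAULT_PATH):
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return None
    return node

def find_host_pid(doc):
    """Return (namespace, kind, name) for every workload with hostPID: true."""
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    hits = []
    for obj in items:
        spec = pod_spec(obj)
        # hostPID defaults to false when absent; only a literal true is a finding.
        if spec and spec.get("hostPID") is True:
            meta = obj.get("metadata", {})
            hits.append((meta.get("namespace", "default"), obj["kind"], meta.get("name")))
    return hits

# Constructed sample, shaped like `kubectl get daemonsets,deployments,cronjobs -A -o json`.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "DaemonSet",
   "metadata": {"name": "node-exporter", "namespace": "fairwinds-prometheus"},
   "spec": {"template": {"spec": {"hostPID": true, "containers": [{"name": "exporter"}]}}}},
  {"kind": "Deployment",
   "metadata": {"name": "web", "namespace": "default"},
   "spec": {"template": {"spec": {"hostPID": false, "containers": [{"name": "web"}]}}}},
  {"kind": "CronJob",
   "metadata": {"name": "backup", "namespace": "ops"},
   "spec": {"jobTemplate": {"spec": {"template": {"spec": {"containers": [{"name": "job"}]}}}}}}
]}
""")

if __name__ == "__main__":
    for ns, kind, name in find_host_pid(SAMPLE):
        print(f"{ns}/{kind}/{name}: hostPID is true; set it to false or remove the field")
```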