Skip to content

[kubernetes] Set hostUsers explicitly#997

Merged
opcm merged 1 commit into
intel:masterfrom
jcpunk:host-users
Dec 23, 2025
Merged

[kubernetes] Set hostUsers explicitly#997
opcm merged 1 commit into
intel:masterfrom
jcpunk:host-users

Conversation

@jcpunk
Copy link
Copy Markdown
Contributor

@jcpunk jcpunk commented Dec 22, 2025
edited
Loading

The daemons require host privileges. Setting this explicitly both documentes the incompatibility with user namespaces and ensures, if the default changes, the daemonset will continue to function as expected.

@opcm opcm requested a review from Copilot December 22, 2025 21:12
Copilot AI reviewed Dec 22, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds an explicit hostUsers: true setting to the PCM Kubernetes DaemonSet manifest to document the incompatibility with user namespaces and ensure the DaemonSet continues to function correctly if Kubernetes changes the default behavior for this field.

Key change:

  • Adds hostUsers: true field to explicitly require host user namespace access for the PCM daemon

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread pcm-kubernetes.yaml.experimental Outdated
@jcpunk
[kubernetes] Set hostUsers explicitly
19668b6 
The pcm daemons require host privileges. Setting this explicitly
both documentes the incompatibility with user namespaces and
ensures, if the default changes, the daemonset will continue
to function as expected.

Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
@opcm opcm requested a review from Copilot December 23, 2025 14:16
Copilot AI reviewed Dec 23, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread pcm-kubernetes.yaml.experimental
automountServiceAccountToken: false
hostUsers: true
containers:
- image: ghcr.io/intel/pcm:latest
Copy link

Copilot AI Dec 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The container image is referenced using the mutable :latest tag (image: ghcr.io/intel/pcm:latest), which creates a supply chain risk because new, potentially malicious image versions can be pulled without any change to this manifest. Since this DaemonSet has host-level access via SYS_ADMIN, SYS_RAWIO, and multiple hostPath mounts, a compromised or hijacked image tag here could lead to full node compromise across the cluster. Pin this dependency to an immutable, trusted identifier (for example a specific version tag or image digest) and update it deliberately through code review.

Copilot uses AI. Check for mistakes.
@opcm opcm merged commit 112ac90 into intel:master Dec 23, 2025
36 checks passed
@jcpunk jcpunk deleted the host-users branch December 23, 2025 20:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@opcm opcm opcm approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jcpunk @opcm