Our security team is doing a review of the Kubernetes agent and has questions about its need to mount the docker socket. What sort of information is collected using this channel? Have alternatives been considered? Our corporate policy is to minimize containers with highly privileged access to the host.
Hi @zsgasg7 ,
The New Relic infra pod is using the docker socket for gathering performance information about the containers and the node (underlying host).
We are considering alternate approaches for the environments that have higher security constraints. Would your security team rather have an agent running on the node than a pod using the docker socket?
I’ll get the detailed set of feedback and suggestions and post them here.
He was out of the office and has this to share for now:
Really it's just using the node exporter and cAdvisor exclusively to get the data it needs. That is what Prometheus does, and it has a lot more information than they are collecting, and the setup doesn't require an agent on every node or volume mounts on every node.
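For a team whose policy is to minimize containers with privileged host access, the practical follow-up to this thread is an audit: which pods in the cluster actually mount the Docker socket (or run privileged)? The script below is an added example written for this post, not code from New Relic or the Kubernetes project. It inspects pod manifests as plain dictionaries (the shape `kubectl get pods -o json` returns) and flags hostPath volumes that expose `/var/run/docker.sock` or its parent directory, plus containers with `securityContext.privileged: true`. The two manifests at the bottom are constructed for illustration; the pod and image names are made up.

```python
"""Audit Kubernetes pod specs for Docker-socket hostPath mounts and privileged containers.

Added example (not from the thread's author or New Relic). Works on pod
objects decoded from `kubectl get pods -A -o json` (the `items` list).
"""
import json

# hostPath values that hand the container the Docker daemon socket, either
# directly or by mounting the directory that contains it.
DOCKER_SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}
SOCKET_PARENT_DIRS = {"/var/run", "/run"}


def _host_path_volumes(spec):
    """Map volume name -> hostPath path for every hostPath volume in the pod spec."""
    result = {}
    for vol in spec.get("volumes") or []:
        host_path = vol.get("hostPath") or {}
        if host_path.get("path"):
            result[vol["name"]] = host_path["path"].rstrip("/") or "/"
    return result


def audit_pod(pod):
    """Return a list of findings for one pod object.

    Each finding is a dict with the pod name, container name, a `kind`
    ("docker-socket" or "privileged") and the offending host path (if any).
    """
    metadata = pod.get("metadata") or {}
    spec = pod.get("spec") or {}
    pod_name = f"{metadata.get('namespace', 'default')}/{metadata.get('name', '?')}"
    host_paths = _host_path_volumes(spec)
    findings = []

    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for container in containers:
        cname = container.get("name", "?")

        # Privileged containers get full host access regardless of mounts.
        if (container.get("securityContext") or {}).get("privileged") is True:
            findings.append({"pod": pod_name, "container": cname,
                             "kind": "privileged", "hostPath": None})

        for mount in container.get("volumeMounts") or []:
            path = host_paths.get(mount.get("name"))
            if path is None:
                continue  # not a hostPath volume
            if path in DOCKER_SOCKET_PATHS or path in SOCKET_PARENT_DIRS:
                findings.append({"pod": pod_name, "container": cname,
                                 "kind": "docker-socket", "hostPath": path})
    return findings


def audit_pod_list(pod_list_json):
    """Audit the JSON text of a `kubectl get pods -o json` response."""
    pods = json.loads(pod_list_json).get("items") or []
    findings = []
    for pod in pods:
        findings.extend(audit_pod(pod))
    return findings


# Constructed sample manifests (names and images are illustrative only).
AGENT_POD = {
    "metadata": {"name": "infra-agent-abc12", "namespace": "monitoring"},
    "spec": {
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "agent",
            "image": "example.invalid/infra-agent:1.0",
            "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
        }],
    },
}

SCRAPER_POD = {
    "metadata": {"name": "prom-scraper-xyz98", "namespace": "monitoring"},
    "spec": {
        "volumes": [{"name": "config", "configMap": {"name": "prom-config"}}],
        "containers": [{
            "name": "scraper",
            "image": "example.invalid/scraper:1.0",
            "volumeMounts": [{"name": "config", "mountPath": "/etc/prom"}],
        }],
    },
}

if __name__ == "__main__":
    sample = json.dumps({"items": [AGENT_POD, SCRAPER_POD]})
    for finding in audit_pod_list(sample):
        print(f"{finding['pod']} container={finding['container']} "
              f"{finding['kind']} {finding['hostPath'] or ''}")
```

Run it against live output with `kubectl get pods -A -o json | python3 audit.py` after changing the `__main__` block to read stdin; the scraper pod above produces no findings, which is the point of the node exporter / cAdvisor approach the reply describes: the metrics are collected without any container holding the daemon socket.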