helm: mount /sys/kernel/security/lsm for generic_lsm sensor #3404

Open
wants to merge 1 commit into
base: main

Conversation

anfedotoff (Contributor):
We need to mount /sys/kernel/security/lsm from the host to check if lsm bpf is enabled.

Fixes #3392

@anfedotoff anfedotoff requested a review from a team as a code owner February 15, 2025 12:40
@anfedotoff anfedotoff requested a review from mtardy February 15, 2025 12:40
This file is needed for the generic_lsm sensor to check if lsm bpf is enabled.

Signed-off-by: Andrei Fedotov <[email protected]>

@mtardy mtardy left a comment

Hey, thanks for the PR.

Comment on lines +117 to +119
- name: security-lsm
hostPath:
path: /sys/kernel/security/lsm
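Review bot: the hostPath volume at lines +117 to +119 declares no `type:`, so the kubelet will not check that /sys/kernel/security/lsm exists and is a regular file before mounting it. Consider adding `type: File` (or mounting the parent /sys/kernel/security directory with `type: Directory`), and make sure the matching volumeMount is `readOnly: true`, since the sensor only reads this file.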

Considering that using hostPath is a sensitive feature in k8s and that tetragon is a runtime security product, we should maybe do a few things here:

@anfedotoff anfedotoff (Contributor, Author) Feb 19, 2025


Can I ask some questions, just to make it clear, please?

  1. I think type: File might be OK, but if /sys/kernel/security/lsm does not exist (in other words, LSM is not enabled), then the Pod will not be loaded, right? I think that's not good.
  2. If we use an option, it might fix the problem above, but what happens if we have nodes with different configurations? Some of the nodes have LSM enabled, but some don't?
  3. Am I right that this config is a superset of this config? In other words, I can add some field to helm, but it is not necessary to add this field to tetragon.yaml?

@mtardy mtardy (Member)


For point 3, just worry about https://github.com/cilium/tetragon/blob/main/install/kubernetes/tetragon/values.yaml; the other one is just an example helm config, I don't exactly know what its use is.

For your points 1 and 2, I did some research, and in any case, if the file the volume points to does not exist, the pod creation will fail, even without a type.

Failed attempt 1

So ideally we would write something like this:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: lsm-pod
spec:
  containers:
    - name: nginx
      image: nginx
      volumeMounts:
        - name: lsm-volume
          mountPath: /sys/kernel/security/lsm
          readOnly: true
  volumes:
    - name: lsm-volume
      hostPath:
        path: /sys/kernel/security/lsm
        type: File
```

But for some reason I don't understand, containerd OCI runtime creation failed to create anything under /sys/kernel/security/lsm with

Error: failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/sys/kernel/security/lsm" to rootfs at "/sys/kernel/security/lsm": open /run/containerd/io.containerd.runtime.v2.task/k8s.io/nginx/rootfs/sys/kernel/security/lsm: no such file or directory: unknown

My hypothesis is that the fs under /sys is readonly in the container fs, and only /sys/kernel/security exists.

Failed attempt 2

So I tried something like

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: lsm-pod
spec:
  containers:
    - name: nginx
      image: nginx
      volumeMounts:
        - name: lsm-volume
          mountPath: /sys/kernel/security/lsm
          subPath: lsm
          readOnly: true
  volumes:
    - name: lsm-volume
      hostPath:
        path: /sys/kernel/security
        type: Directory
```

But it's the same issue. Note that you can basically use attempt 1 and attempt 2 if you want to mount the file anywhere else. It will work; the issue is with mounting under /sys/kernel/security/lsm.

Attempt 3

It seems the only way to mount under this exact path is to mount the entire security directory.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: lsm-pod
spec:
  containers:
    - name: nginx
      image: nginx
      volumeMounts:
        - name: lsm-volume
          mountPath: /sys/kernel/security
          readOnly: true
  volumes:
    - name: lsm-volume
      hostPath:
        path: /sys/kernel/security
        type: Directory
```

Conclusions

So, would the /sys/kernel/security folder at least exist (if empty) on most kernels, even those without most security modules enabled? That could be a first solution if exposing the entire directory is not a security issue.

If not, it's possible to only mount /sys/kernel/security/lsm, but you will bump into situations where it doesn't exist (and thus the deployment will fail), and it seems you cannot mount it at the exact same path in the container fs, so you'll need to mount it elsewhere and teach tetragon where to look (flag/hardcoding/etc).

Kind config

For you to retry this on a linux machine, you'll need to mount an extra volume on the kind cluster, you can use this config:

```yaml
apiVersion: kind.x-k8s.io/v1alpha4
kind: Cluster
nodes:
  - role: control-plane
    extraMounts:
      - hostPath: /sys/kernel/security
        containerPath: /sys/kernel/security
```

And then kind create cluster --config kind.yaml

@mtardy mtardy added the release-note/minor This PR introduces a minor user-visible change label Feb 17, 2025
Successfully merging this pull request may close these issues.

Problem with applying LSM policies in k8s cluster