Manage Host Shield Privileges

You can configure Host Shield to run in unprivileged mode to enhance the security of your Linux Kubernetes deployments. Host Shield can operate with host.privileged set to false, enhancing your deployment without interrupting essential monitoring and security functions.

You can modify Host Shield privileges to enhance the security of your Linux deployments. Host Shield can operate with the host.privileged parameter set to false, enhancing your deployment’s security posture without interrupting essential monitoring and security functions. We recommend configuring Host Shield with host.privileged: false to reduce the attack surface and align with container security best practices.

Benefits of Setting host.privileged: false

Enhanced Security: By setting host.privileged to false, you can limit Linux capabilities, minimizing the attack surface.

Prerequisites

  • Host Shield version 14.6.0 and later.

  • Kubernetes deployment managed with the shield Helm chart version >= 1.38.0.

  • Host Shield requires the Universal eBPF driver.

    Limitation

  • Host Shield does not support Google Kubernetes Engine (GKE) Autopilot.

  • Host Shield does not support AWS Bottlerocket on ARM architecture.

Configure Least Privileged Mode

To set host.privileged to false using the shield Helm chart, specify shield.host.privileged=false.

The Helm chart automatically detects whether OpenShift is in use and applies the appropriate set of permissions.