## Description

We are using OpenTelemetry (Collector / Operator) to collect telemetry data (traces, metrics, and logs) from our Kubernetes workloads.
This setup is mission critical and has been running reliably in production for several months.

## Security Scan Context

As part of CIS Kubernetes Benchmark compliance, we run runtime security scans using Prisma Cloud (Palo Alto Networks).
Prisma Cloud has reported multiple findings related to container hardening and securityContext configurations for OpenTelemetry components.

## Findings Reported

The following controls are being flagged:

- Mount container's root filesystem as read-only
- Do not disable default seccomp profile
- Restrict container from acquiring additional privileges

## Questions / Clarifications Requested

We would like guidance from the OpenTelemetry maintainers on the following:

### 1. Expected Behavior vs Vulnerability

Are these findings:

- Known and expected by design for OpenTelemetry components (for example, due to required privileges, host access, or runtime behavior), or
- Already fixed or planned to be fixed in any future OpenTelemetry releases?

### 2. Hardening via Configuration

Can any of these findings be remediated through:

- Configuration changes
- Helm chart values
- securityContext hardening options

If so, are there recommended configurations that are officially supported?

### 3. Functional Impact

Would applying the above hardening controls have any functional or stability impact on OpenTelemetry components, including:

- Data collection
- Receivers and exporters
- Host metrics
- Logs and traces pipeline reliability
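As an added illustration of the three flagged controls (Python; not code from the OpenTelemetry project or from the issue author), the following audits a pod spec for each control and shows a hardened spec that passes. It assumes a collector whose only writable path is a file_storage extension directory (path chosen for the example), which gets an emptyDir volume so the root filesystem can stay read-only; whether an unset seccompProfile counts as a finding depends on the kubelet's default, and the check treats it as one.

```python
# Constructed: a collector pod spec with no securityContext hardening,
# shaped like the Kubernetes JSON/YAML but reduced to the relevant fields.
DEFAULT_POD = {
    "securityContext": {},
    "containers": [{"name": "otc-container", "securityContext": {}}],
}

# Constructed: the same spec with the three controls applied. The one path the
# collector is assumed to write (file_storage directory, example path) is backed
# by an emptyDir so readOnlyRootFilesystem can remain true.
HARDENED_POD = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "otc-container",
        "securityContext": {
            "readOnlyRootFilesystem": True,
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
        "volumeMounts": [{"name": "queue", "mountPath": "/var/lib/otelcol/file_storage"}],
    }],
    "volumes": [{"name": "queue", "emptyDir": {}}],
}


def audit_pod(pod):
    """Return (container, finding) pairs for the three CIS controls in the issue."""
    findings = []
    pod_seccomp = pod.get("securityContext", {}).get("seccompProfile", {}).get("type")
    for c in pod.get("containers", []):
        sc = c.get("securityContext", {})
        # Control 1: readOnlyRootFilesystem defaults to false when unset.
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append((c["name"], "root filesystem is writable"))
        # Control 2: a container-level profile overrides the pod-level one; an
        # unset profile inherits the kubelet default and is treated as a finding.
        seccomp = sc.get("seccompProfile", {}).get("type", pod_seccomp)
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append((c["name"], "default seccomp profile not enforced"))
        # Control 3: allowPrivilegeEscalation defaults to true when unset.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((c["name"], "allowPrivilegeEscalation is not false"))
    return findings


if __name__ == "__main__":
    for name, pod in (("default", DEFAULT_POD), ("hardened", HARDENED_POD)):
        print(name, audit_pod(pod) or "no findings")
```

Host-level receivers such as hostmetrics read from mounted hostPath volumes, which are unaffected by readOnlyRootFilesystem; the setting only restricts writes to the container's own image layers.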