I am using Google Cloud Build for CI/CD of my application, which depends on several cronjobs. The first step of my build looks like this:
# validate k8s manifests
- id: validate-k8s
  name: quay.io/fairwinds/polaris:1.2.1
  entrypoint: polaris
  args:
    - audit
    - --audit-path
    - ./devops/k8s/cronjobs/worker-foo.yaml
    - --set-exit-code-on-danger
    - --set-exit-code-below-score
    - "87"
I am using Polaris to enforce security best practices. For each cronjob I have a deployment manifest like the following:
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: worker-foo
  namespace: foo
spec:
  schedule: "30 1-5,20-23 * * *"
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      backoffLimit: 3
      template:
        spec:
          hostIPC: false
          hostPID: false
          hostNetwork: false
          volumes:
            - name: foo-sa
              secret:
                secretName: foo-sa
            - name: foo-secrets
              secret:
                secretName: foo-secrets
            - name: tmp-pod
              emptyDir: {}
          restartPolicy: OnFailure
          containers:
            - name: worker-foo
              image: gcr.io/bar/foo:latest
              imagePullPolicy: "Always"
              resources:
                requests:
                  memory: "512M"
                  cpu: "50m"
                limits:
                  memory: "6000M"
                  cpu: "500m"
              volumeMounts:
                - name: foo-sa
                  mountPath: /var/secrets/foo-sa
                - mountPath: /tmp/pod
                  name: tmp-pod
              command: ["/bin/bash", "-c"]
              args:
                - |
                  timeout --kill-after=10500 10500 python foo/foo/foo.py --prod;
I see that the level in the manifest file here is spec.jobTemplate.spec.template.spec.hostIPC for the hostIPC parameter, but it does not seem to satisfy the Polaris validation:
Step #0 - "validate-k8s": "Results": [
Step #0 - "validate-k8s": {
Step #0 - "validate-k8s": "Name": "worker-foo",
Step #0 - "validate-k8s": "Namespace": "foo",
Step #0 - "validate-k8s": "Kind": "CronJob",
Step #0 - "validate-k8s": "Results": {},
Step #0 - "validate-k8s": "PodResult": {
Step #0 - "validate-k8s": "Name": "",
Step #0 - "validate-k8s": "Results": {
Step #0 - "validate-k8s": "hostIPCSet": {
Step #0 - "validate-k8s": "ID": "hostIPCSet",
Step #0 - "validate-k8s": "Message": "Host IPC is not configured",
Step #0 - "validate-k8s": "Success": true,
Step #0 - "validate-k8s": "Severity": "danger",
Step #0 - "validate-k8s": "Category": "Security"
Step #0 - "validate-k8s": },
Step #0 - "validate-k8s": "hostNetworkSet": {
Step #0 - "validate-k8s": "ID": "hostNetworkSet",
Step #0 - "validate-k8s": "Message": "Host network is not configured",
Step #0 - "validate-k8s": "Success": true,
Step #0 - "validate-k8s": "Severity": "warning",
Step #0 - "validate-k8s": "Category": "Networking"
Step #0 - "validate-k8s": },
Step #0 - "validate-k8s": "hostPIDSet": {
Step #0 - "validate-k8s": "ID": "hostPIDSet",
Step #0 - "validate-k8s": "Message": "Host PID is not configured",
Step #0 - "validate-k8s": "Success": true,
Step #0 - "validate-k8s": "Severity": "danger",
Step #0 - "validate-k8s": "Category": "Security"
Step #0 - "validate-k8s": }
Step #0 - "validate-k8s": },
What am I missing here? How should I declare the hostIPC and hostPID parameters so that they satisfy the Polaris validation?
Possibly related issue: https://github.com/FairwindsOps/polaris/issues/328
Polaris may require you to set these attributes to false explicitly. Try this:
...
  jobTemplate:
    spec:
      backoffLimit: 3
      template:
        spec:
          hostIPC: false
          hostNetwork: false
          hostPID: false
          ...
          containers:
            - worker-foo
            ...
...
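To make the point about where the pod spec lives concrete, here is an added example (not Polaris's own code) that resolves spec.jobTemplate.spec.template.spec for a CronJob and evaluates the three host-namespace checks whose ids appear in the audit output above; the manifest is assumed to be already parsed into a dict (as yaml.safe_load would return), and the sample CronJob embedded in it is constructed from the question's manifest.

```python
# Added example, not Polaris's own code: locate the pod spec inside a
# workload manifest (already parsed, e.g. by yaml.safe_load) and evaluate
# the three host-namespace checks whose ids appear in the audit output above.

# Root-to-pod-spec path per kind; for a CronJob this is
# spec.jobTemplate.spec.template.spec, the level the question asks about.
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
    "Deployment": ("spec", "template", "spec"),
}
# Check id -> (pod spec field, severity), as in the Polaris JSON above.
HOST_NAMESPACE_CHECKS = {
    "hostIPCSet": ("hostIPC", "danger"),
    "hostPIDSet": ("hostPID", "danger"),
    "hostNetworkSet": ("hostNetwork", "warning"),
}
# Constructed sample: the question's CronJob reduced to the relevant fields.
SAMPLE_CRONJOB = {
    "kind": "CronJob",
    "spec": {"jobTemplate": {"spec": {"template": {"spec": {
        "hostIPC": False, "hostPID": False, "hostNetwork": False,
        "containers": [{"name": "worker-foo", "image": "gcr.io/bar/foo:latest"}],
    }}}}},
}


def pod_spec(manifest):
    """Walk POD_SPEC_PATHS[kind]; return the pod spec dict, or None."""
    node = manifest
    for key in POD_SPEC_PATHS.get(manifest.get("kind"), ()):
        node = node.get(key) if isinstance(node, dict) else None
    return node if isinstance(node, dict) and node is not manifest else None


def audit_host_namespaces(manifest):
    """Return {check_id: {"Success": bool, "Severity": str}}. Kubernetes
    defaults these fields to false, so unset and false both pass; only an
    explicit true fails the check."""
    spec = pod_spec(manifest)
    if spec is None:  # never pass silently on a manifest we cannot resolve
        raise ValueError("no pod spec found for kind %r" % manifest.get("kind"))
    return {cid: {"Success": spec.get(field) is not True, "Severity": sev}
            for cid, (field, sev) in HOST_NAMESPACE_CHECKS.items()}


def failing_danger_checks(results):
    """Check ids on which --set-exit-code-on-danger would fail the build."""
    return sorted(c for c, r in results.items()
                  if r["Severity"] == "danger" and not r["Success"])
```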