From 89fe228b9a8b6b545a0055454d5669dc9c2d6bb6 Mon Sep 17 00:00:00 2001
From: Doug Goldstein
Date: Fri, 21 Nov 2025 19:15:52 -0600
Subject: [PATCH] feat(ironic): drop host mounts and hostIPC
Drop additional access that Ironic conductor no longer needs with the removal of the iSCSI deploy interface. This change went into effect with 2023.2. Remove host mount for /dev, /sys, and /var/run. Disable hostIPC by default.
Change-Id: I6d7a2d7a58cf364ce46a8f033725aba34fa9e538
Signed-off-by: Doug Goldstein
---
 ironic/templates/statefulset-conductor.yaml | 15 ---------------
 ironic/values.yaml | 2 +-
 releasenotes/notes/ironic-022571f573f6c430.yaml | 8 ++++++++
 3 files changed, 9 insertions(+), 16 deletions(-)
 create mode 100644 releasenotes/notes/ironic-022571f573f6c430.yaml
diff --git a/ironic/templates/statefulset-conductor.yaml b/ironic/templates/statefulset-conductor.yaml
index 4c923a1fb9..fc01c37872 100644
--- a/ironic/templates/statefulset-conductor.yaml
+++ b/ironic/templates/statefulset-conductor.yaml
@@ -202,12 +202,6 @@ spec:
 readOnly: true
 - name: host-var-lib-ironic
 mountPath: /var/lib/ironic
- - name: host-run
- mountPath: /var/run
- - name: host-dev
- mountPath: /dev
- - name: host-sys
- mountPath: /sys
 - name: pod-data
 mountPath: /var/lib/openstack-helm
 {{ if $mounts_ironic_conductor.volumeMounts }}{{ toYaml $mounts_ironic_conductor.volumeMounts | indent 12 }}{{ end }}
@@ -277,15 +271,6 @@ spec:
 - name: host-var-lib-ironic
 hostPath:
 path: /var/lib/ironic
- - name: host-run
- hostPath:
- path: /var/run
- - name: host-dev
- hostPath:
- path: /dev
- - name: host-sys
- hostPath:
- path: /sys
 - name: pod-data
 emptyDir: {}
 {{ if $mounts_ironic_conductor.volumes }}{{ toYaml $mounts_ironic_conductor.volumes | indent 8 }}{{ end }}
diff --git a/ironic/values.yaml b/ironic/values.yaml
index 41641caf21..a85650a309 100644
--- a/ironic/values.yaml
+++ b/ironic/values.yaml
@@ -799,7 +799,7 @@ pod:
 useHostNetwork:
 conductor: true
 useHostIPC:
- conductor: true
+ conductor: false
 network_policy:
 ironic:
diff --git a/releasenotes/notes/ironic-022571f573f6c430.yaml b/releasenotes/notes/ironic-022571f573f6c430.yaml
new file mode 100644
index 0000000000..0529fc4977
--- /dev/null
+++ b/releasenotes/notes/ironic-022571f573f6c430.yaml
@@ -0,0 +1,8 @@
+---
+ironic:
+ - |
+ Drop additional access that Ironic conductor no longer needs with the
+ removal of the iSCSI deploy interface. This change went into effect
+ with 2023.2. Remove host mount for /dev, /sys, and /var/run.
+ Disable hostIPC by default.
+...
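Review bot: The new `conductor: false` default under `useHostIPC` in the ironic/values.yaml hunk has no comment saying when an operator would still need host IPC, so the key reads as an arbitrary toggle. I would add a comment above it such as `# Host IPC was only needed for the removed iSCSI deploy interface; leave false unless running an Ironic release older than 2023.2.` The context lines just above show `useHostNetwork.conductor: true` is kept, so the conductor still shares the host network namespace. Whether the container's securityContext is still privileged is not visible in this hunk and is worth checking now that /dev and /sys are no longer mounted. The `pod:` mapping starts outside the hunk.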