Azure / AKS

Azure Kubernetes Service

[Question] AZ Policy not preventing running a windows container as administrator? #4225

Open nestpana opened 4 weeks ago

nestpana commented 4 weeks ago

Describe scenario
I have a cluster where I've applied the following AZ policy:

https://www.azadvertizer.net/azpolicyadvertizer/5485eac0-7e8f-4964-998b-a44f4f0c1e75.html

When I run this command:

```
kubectl run windows-core-2022 -it --rm -n default --image mcr.microsoft.com/windows/servercore:ltsc2022 --image-pull-policy=IfNotPresent --restart=Never --overrides '{ "spec": {"nodeSelector":{"kubernetes.io/os":"windows"}}}' --command -- cmd
```

the container is not created:

```
Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [azurepolicy-k8sazurev1windowsblockcontaine-08e4f379cf8967bf8e97] Container <windows-core-2022> has ContainerAdministrator runAsUsername. [azurepolicy-k8sazurev1windowscontainerallo-7df27f4171cac6a47ff1] Container <windows-core-2022> has disallowed runAsUsername. Disallowed users are ["ContainerUser"]
```

Which is expected. But when I run this other command (without the node selector; the pod will still go to the same node):

```
kubectl run windows-core-2022 -it --rm -n default --image mcr.microsoft.com/windows/servercore:ltsc2022 --image-pull-policy=IfNotPresent --restart=Never --command -- cmd
```

my container gets created, so the policy is not working as expected:

```
C:\>whoami
user manager\containeradministrator
```

Question
Is the AZ policy not covering this use case? What's going on here? Thanks.
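The behaviour reported above is consistent with an admission constraint that only evaluates pods it can recognise as Windows pods from `spec.nodeSelector`, so a pod that reaches a Windows node without declaring one is never checked. The following is an added example, not the Azure Policy or Gatekeeper Rego itself, and the "selector_gated" mode is an assumption about why the second pod was admitted, not something the thread confirms. It models the two `kubectl run` pods as constructed manifests, treats an unset `runAsUserName` as `ContainerAdministrator` (which is what the first denial message and the `whoami` output both show for this image), and contrasts the selector-gated check with a stricter one that a cluster operator could write as their own constraint: evaluate every pod that has not pinned itself to Linux. The third manifest shows the fix a practitioner would apply regardless of policy scoping: set `securityContext.windowsOptions.runAsUserName` explicitly.

```python
"""Model of an admission check for Windows containers running as
ContainerAdministrator, and how a missing nodeSelector can bypass it.

Added example; not the Azure Policy / Gatekeeper constraint template.
'selector_gated' is an assumed explanation of the thread's observation.
'strict' is an alternative rule an operator could enforce themselves.
"""
from typing import Dict, List, Optional

WINDOWS_ADMIN = "ContainerAdministrator"
OS_LABEL = "kubernetes.io/os"


def _os_selector(spec: dict) -> Optional[str]:
    return (spec.get("nodeSelector") or {}).get(OS_LABEL)


def effective_user(spec: dict, container: dict) -> str:
    """Container-level windowsOptions override pod-level ones. Nothing set
    means the image default; for servercore that is ContainerAdministrator
    (as the thread's `whoami` shows), so unset is treated as the admin user."""
    for holder in (container, spec):
        opts = (holder.get("securityContext") or {}).get("windowsOptions") or {}
        if opts.get("runAsUserName"):
            return opts["runAsUserName"]
    return WINDOWS_ADMIN


def violations(pod: dict, mode: str = "selector_gated") -> List[str]:
    """Return denial messages for `pod` under the chosen evaluation mode."""
    spec = pod["spec"]
    if mode == "selector_gated":
        # Assumption: only pods declaring kubernetes.io/os=windows are checked,
        # so a pod without a selector is admitted without inspection.
        if _os_selector(spec) != "windows":
            return []
    elif mode == "strict":
        # Any pod not explicitly pinned to Linux could land on a Windows node,
        # so it is evaluated as a potential Windows pod.
        if _os_selector(spec) == "linux":
            return []
    else:
        raise ValueError(f"unknown mode {mode!r}")

    found = []
    for c in spec.get("containers", []):
        if effective_user(spec, c) == WINDOWS_ADMIN:
            found.append(f"Container <{c['name']}> has ContainerAdministrator runAsUserName")
    return found


def make_pod(name: str, image: str, node_selector: Optional[Dict[str, str]] = None,
             run_as: Optional[str] = None) -> dict:
    """Build a minimal Pod manifest (constructed test input, not from the thread)."""
    container: dict = {"name": name, "image": image}
    if run_as:
        container["securityContext"] = {"windowsOptions": {"runAsUserName": run_as}}
    spec: dict = {"containers": [container]}
    if node_selector:
        spec["nodeSelector"] = node_selector
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


IMAGE = "mcr.microsoft.com/windows/servercore:ltsc2022"
# The first kubectl run in the thread: selector present, no user set.
WITH_SELECTOR = make_pod("windows-core-2022", IMAGE, {OS_LABEL: "windows"})
# The second kubectl run: no selector, no user set.
WITHOUT_SELECTOR = make_pod("windows-core-2022", IMAGE)
# Hardened form: user set explicitly, independent of how the policy scopes pods.
EXPLICIT_USER = make_pod("windows-core-2022", IMAGE, run_as="ContainerUser")

if __name__ == "__main__":
    cases = [("with selector", WITH_SELECTOR),
             ("without selector", WITHOUT_SELECTOR),
             ("explicit ContainerUser", EXPLICIT_USER)]
    for label, pod in cases:
        for mode in ("selector_gated", "strict"):
            v = violations(pod, mode)
            print(f"{label:24} {mode:15} {'DENY: ' + v[0] if v else 'ALLOW'}")
```

Running it shows the pod with the selector denied under both modes, the pod without the selector admitted only under the assumed selector-gated mode, and the pod with an explicit `ContainerUser` admitted under both; if the real constraint really is scoped by selector, setting the user explicitly (or restricting where unlabelled pods can schedule) is the control that does not depend on the policy's scoping.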

nestpana commented 1 week ago

bump