aramase
commented
1 year ago - For the
azwi-proxysidecar container, we can setreadOnlyRootFileSystem: true(covered in https://github.com/Azure/azure-workload-identity/pull/829). azwi-proxy-initneedsreadOnlyRootFileSystem: false, so that can't be changed. If you need to use the proxy sidecar approach to migrate, you'll need to allow this init container to run without that setting.
Describe the bug After moving to workload-identity 1.0.0 deployments using the azure.workload.identity/inject-proxy-sidecar annotation fail to create pods due to required readonly root filesystem setting. This previously was not blocked by Azure Policy on version 0.15
Steps To Reproduce Create a deployment that sets the annotation
azure.workload.identity/inject-proxy-sidecarExpected behavior The deployment creates a replicaset with pods running the application container as well as the injected proxy sidecar container
Logs
Warning FailedCreate 2m20s (x8 over 7m46s) replicaset-controller (combined from similar events): Error creating: admission webhook "validation.gatekeeper.sh" denied the request: [azurepolicy-k8sazurev3readonlyrootfilesyst-01317df5d97e241e6132] Readonly root filesystem is required for container. pod:'pod', container:'azwi-proxy' [azurepolicy-k8sazurev3readonlyrootfilesyst-01317df5d97e241e6132] Readonly root filesystem is required for container. pod:'pod', container:'azwi-proxy-init'Environment
kubectl version):Server Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.6", GitCommit:"08d3594304660f86cfbd17bbb862041b4b75fe6c", GitTreeState:"clean", BuildDate:"2023-02-08T17:22:59Z", GoVersion:"go1.18.6", Compiler:"gc", Platform:"linux/amd64"}cat /etc/os-release):uname -a):Additional context