Closed jshsp closed 12 months ago
Thanks for opening this. This might be due to the fact that a PSP needs to be created to deploy correctly when privileged, which isn't something that the operator does today.
Closing this as PSP is no longer supported and there is now official support for GCOS using a DaemonSet method, which is now preferred over crowdstrike-falcon-container.
Greetings. I have the falcon-operator installed on a GKE 1.20 test cluster:

```
✗ kg nodes -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
gke-cluster-2-20-default-pool-d4df75be-5c22 Ready 40h v1.20.10-gke.1600 x.x.x.x x.x.x.x Container-Optimized OS from Google 5.4.120+ containerd://1.4.4
gke-cluster-2-20-default-pool-d4df75be-bb8g Ready 40h v1.20.10-gke.1600 x.x.x.x x.x.x.x Container-Optimized OS from Google 5.4.120+ containerd://1.4.4
gke-cluster-2-20-default-pool-d4df75be-l0sr Ready 40h v1.20.10-gke.1600 x.x.x.x x.x.x.x Container-Optimized OS from Google 5.4.120+ containerd://1.4.4
```
It seems that when a workload is one of StatefulSet or ReplicaSet with `securityContext: privileged: true`, the following error is thrown and does not allow pods to be created:

ReplicaSet error:

```
Warning FailedCreate 10s (x19 over 14m) replicaset-controller Error creating: Internal error occurred: add operation does not apply: doc is missing path: "/metadata/annotations/container.apparmor.security.beta.kubernetes.io~1crowdstrike-falcon-container": missing value
```

StatefulSet error:

```
Warning FailedCreate 7m23s (x18 over 18m) statefulset-controller create Pod redis-0 in StatefulSet redis failed error: Internal error occurred: add operation does not apply: doc is missing path: "/metadata/annotations/container.apparmor.security.beta.kubernetes.io~1crowdstrike-falcon-container": missing value
```
This does not happen for `kind: Deployment` with the same `securityContext` set.
It looks suspiciously similar to: https://github.com/kubernetes/kubernetes/issues/69953 though I may be way off.
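The "doc is missing path" message is the RFC 6902 failure mode where a JSON Patch `add` targets a child of a parent that does not yet exist; here that parent would be `metadata.annotations`, which a pod template submitted by a ReplicaSet or StatefulSet controller need not carry. The Go example below is added here and is not code from falcon-operator or from the reporter: it reproduces the failure with a minimal patch applier and shows the webhook-side fix of creating the annotations map first. The container name, the AppArmor profile value and the sample Pod are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Op is one RFC 6902 JSON Patch operation, as returned by a mutating webhook.
type Op struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

// SamplePod is a constructed Pod as a controller would submit it: labels set but no
// annotations map, the shape assumed to trigger the error quoted in the issue.
func SamplePod() map[string]interface{} {
	return map[string]interface{}{"metadata": map[string]interface{}{
		"name": "redis-0", "labels": map[string]interface{}{"app": "redis"}}}
}

// RFC 6901 pointer escaping: the '/' in the annotation key becomes "~1".
func escape(s string) string   { return strings.ReplaceAll(strings.ReplaceAll(s, "~", "~0"), "/", "~1") }
func unescape(s string) string { return strings.ReplaceAll(strings.ReplaceAll(s, "~1", "/"), "~0", "~") }

// NaivePatch adds the key directly under /metadata/annotations, assuming that map exists.
func NaivePatch(container, profile string) []Op {
	key := "container.apparmor.security.beta.kubernetes.io/" + container
	return []Op{{Op: "add", Path: "/metadata/annotations/" + escape(key), Value: profile}}
}

// SafePatch creates the annotations map in one op when it is absent; otherwise a single-key add.
func SafePatch(pod map[string]interface{}, container, profile string) []Op {
	meta, _ := pod["metadata"].(map[string]interface{})
	if ann, ok := meta["annotations"].(map[string]interface{}); ok && ann != nil {
		return NaivePatch(container, profile)
	}
	key := "container.apparmor.security.beta.kubernetes.io/" + container
	return []Op{{Op: "add", Path: "/metadata/annotations", Value: map[string]interface{}{key: profile}}}
}

// ApplyAdd applies one "add" with RFC 6902 semantics (objects only): every parent must already exist.
func ApplyAdd(doc map[string]interface{}, op Op) error {
	parts := strings.Split(strings.TrimPrefix(op.Path, "/"), "/")
	cur := doc
	for _, p := range parts[:len(parts)-1] {
		next, ok := cur[unescape(p)].(map[string]interface{})
		if !ok {
			return fmt.Errorf("add operation does not apply: doc is missing path: %q", op.Path)
		}
		cur = next
	}
	cur[unescape(parts[len(parts)-1])] = op.Value
	return nil
}
```

Running `ApplyAdd` with `NaivePatch` against `SamplePod()` reproduces the error text from the controller events, while `SafePatch` applies cleanly on the same input.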