CrowdStrike / falcon-operator

https://artifacthub.io/packages/olm/falcon-operator/falcon-operator
Apache License 2.0

ReplicaSet + Stateful set with securityContext: privileged breaks pod creation #106

Closed jshsp closed 12 months ago

jshsp commented 2 years ago

Greetings. I have the falcon-operator installed on a GKE 1.20 test cluster

```
✗ kg nodes -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
gke-cluster-2-20-default-pool-d4df75be-5c22 Ready 40h v1.20.10-gke.1600 x.x.x.x x.x.x.x Container-Optimized OS from Google 5.4.120+ containerd://1.4.4
gke-cluster-2-20-default-pool-d4df75be-bb8g Ready 40h v1.20.10-gke.1600 x.x.x.x x.x.x.x Container-Optimized OS from Google 5.4.120+ containerd://1.4.4
gke-cluster-2-20-default-pool-d4df75be-l0sr Ready 40h v1.20.10-gke.1600 x.x.x.x x.x.x.x Container-Optimized OS from Google 5.4.120+ containerd://1.4.4
```

It seems that when a deployment is one of StatefulSet or ReplicaSet with `securityContext: privileged: true`, the following error is thrown and does not allow pods to be created:

replicaset error

```
Warning FailedCreate 10s (x19 over 14m) replicaset-controller Error creating: Internal error occurred: add operation does not apply: doc is missing path: "/metadata/annotations/container.apparmor.security.beta.kubernetes.io~1crowdstrike-falcon-container": missing value
```

statefulset error

```
Warning FailedCreate 7m23s (x18 over 18m) statefulset-controller create Pod redis-0 in StatefulSet redis failed error: Internal error occurred: add operation does not apply: doc is missing path: "/metadata/annotations/container.apparmor.security.beta.kubernetes.io~1crowdstrike-falcon-container": missing value
```

This does not happen for `kind: Deployment` with the same `securityContext` set.

It looks suspiciously similar to https://github.com/kubernetes/kubernetes/issues/69953, though I may be way off.
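The error text quoted above is the message an RFC 6902 JSON Patch library produces when an `add` targets a child of an object that does not exist: here `/metadata/annotations` is absent from the pod template, so the annotation cannot be added. The Python below is an added example, not code from the operator or from this issue; it reproduces the failure with a minimal JSON Pointer/Patch implementation and shows the defensive patch shape that creates the parent map first. The pod template, the annotation value `unconfined` and all function names are constructed for the example.

```python
import copy
# Annotation key from the issue's error; JSON Pointer (RFC 6901) escapes its '/' as '~1'.
APPARMOR_KEY = "container.apparmor.security.beta.kubernetes.io/crowdstrike-falcon-container"

def escape_token(token: str) -> str:
    """RFC 6901 escaping: '~' -> '~0' first, then '/' -> '~1'."""
    return token.replace("~", "~0").replace("/", "~1")

def unescape_token(token: str) -> str:
    return token.replace("~1", "/").replace("~0", "~")

def apply_add(doc: dict, path: str, value) -> None:
    """One RFC 6902 'add' on an object member. Like a real JSON Patch library
    it fails when the parent object is absent; the wording mirrors the issue."""
    tokens = [unescape_token(t) for t in path.split("/")[1:]]
    node = doc
    for tok in tokens[:-1]:
        if not isinstance(node, dict) or tok not in node:
            raise KeyError(f"add operation does not apply: doc is missing path: {path!r}")
        node = node[tok]
    node[tokens[-1]] = value

def apply_patch(pod: dict, ops: list) -> dict:
    out = copy.deepcopy(pod)
    for op in ops:
        apply_add(out, op["path"], op["value"])
    return out

def patch_fails(pod: dict, ops: list) -> bool:
    try:
        apply_patch(pod, ops)
        return False
    except KeyError:
        return True

def build_patch(pod: dict, value: str) -> list:
    """Patch a webhook should emit: create /metadata/annotations first if absent."""
    ops = []
    if "annotations" not in pod.get("metadata", {}):
        ops.append({"op": "add", "path": "/metadata/annotations", "value": {}})
    ops.append({"op": "add", "value": value,
                "path": "/metadata/annotations/" + escape_token(APPARMOR_KEY)})
    return ops

# Constructed sample: a privileged pod template with no annotations map at all.
POD_NO_ANNOTATIONS = {"metadata": {"name": "redis-0"}, "spec": {"containers": [
    {"name": "redis", "securityContext": {"privileged": True}}]}}
# A patch that skips the parent reproduces the error quoted in the issue.
NAIVE_PATCH = [{"op": "add", "value": "unconfined",
                "path": "/metadata/annotations/" + escape_token(APPARMOR_KEY)}]
```

Running `patch_fails(POD_NO_ANNOTATIONS, NAIVE_PATCH)` returns `True`, while `apply_patch(POD_NO_ANNOTATIONS, build_patch(POD_NO_ANNOTATIONS, "unconfined"))` succeeds because the parent map is created first.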

redhatrises commented 2 years ago

Thanks for opening this. This might be due to the fact that a PSP needs to be created to deploy correctly when privileged, which isn't something that the operator does today.

redhatrises commented 12 months ago

Closing this as PSP is no longer supported, and there is now official support for GCOS using a DaemonSet method, which is now preferred over crowdstrike-falcon-container.