GoogleCloudPlatform / gke-policy-library

Google Kubernetes Engine Policy Library
https://cloud.google.com/anthos-config-management/docs/concepts/policy-controller
Apache License 2.0

config-management-system Admissions Webhook fails Pod Security Standards Policy #169

Closed borkodjurkovic-ssc closed 2 months ago

borkodjurkovic-ssc commented 5 months ago

The Admissions Webhook in the config-management-system namespace fails the Pod Security Standards policy "Pod container is allowed to run as root". This application is managed by the config-management system.

In order to fix the issue:

The admission-webhook container security context already has allowPrivilegeEscalation: false set, so I think setting securityContext.runAsNonRoot: true should have no impact, but this should be confirmed by somebody more knowledgeable with the internals of the application.

In our cluster, the webhook is running gcr.io/config-management-release/admission-webhook:v1.17.1-rc.2 image.
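
As an added example (not part of this issue or of the gke-policy-library code), the Python check below applies the Pod Security Standards restricted-profile rule that the report above trips on to a constructed Pod manifest shaped like the webhook Pod, and then shows the proposed `runAsNonRoot: true` change clearing the finding. The manifest contents and the helper names are assumptions made for this example.

```python
"""Apply the Pod Security Standards "restricted" non-root rule to a Pod dict.

Rule (restricted profile): every container must be required to run as
non-root. A pod-level securityContext.runAsNonRoot: true covers containers
that leave the field unset; a container-level false always loses; an
explicit runAsUser of 0 at either level is also rejected.
"""
import copy

# Constructed sample, mirroring the shape described in the issue: privilege
# escalation is already disabled, but runAsNonRoot is not set anywhere.
WEBHOOK_POD = {
    "metadata": {"name": "admission-webhook", "namespace": "config-management-system"},
    "spec": {
        "containers": [
            {
                "name": "admission-webhook",
                "image": "gcr.io/config-management-release/admission-webhook:v1.17.1-rc.2",
                "securityContext": {"allowPrivilegeEscalation": False},
            }
        ]
    },
}


def root_violations(pod: dict) -> list[str]:
    """Return one message per container that may run as root (empty list = compliant)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    pod_nonroot = pod_sc.get("runAsNonRoot") is True
    violations = []
    # The restricted profile applies the same rule to all three container lists.
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            sc = c.get("securityContext") or {}
            value = sc.get("runAsNonRoot")
            if value is False or (value is None and not pod_nonroot):
                violations.append(f"{kind}/{c.get('name')}: container is allowed to run as root")
            # Container-level runAsUser overrides the pod-level value when set.
            if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
                violations.append(f"{kind}/{c.get('name')}: runAsUser is 0")
    return violations


def with_fix(pod: dict) -> dict:
    """Apply the change proposed in the issue: runAsNonRoot: true on each container."""
    fixed = copy.deepcopy(pod)
    for c in fixed["spec"]["containers"]:
        c.setdefault("securityContext", {})["runAsNonRoot"] = True
    return fixed
```

Running `root_violations` on the sample reports the webhook container; running it on `with_fix(WEBHOOK_POD)` reports nothing, which is the expected effect of the proposed change.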

janetkuo commented 4 months ago

This has been fixed in Config Sync 1.18.0 https://github.com/GoogleContainerTools/kpt-config-sync/pull/1136

github-actions[bot] commented 2 months ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days