Closed borkodjurkovic-ssc closed 2 months ago
This has been fixed in Config Sync 1.18.0 https://github.com/GoogleContainerTools/kpt-config-sync/pull/1136
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days
Admissions Webhook in the `config-management-system` namespace fails Pod Security Standards Policy for "Pod container is allowed to run as root". This application is managed by config-management system. In order to fix the issue:

- The pod security context needs `spec.securityContext.runAsNonRoot` set to `true`.
- The `admission-webhook` container security context needs `securityContext.runAsNonRoot` set to `true`.

The `admission-webhook` container security context already has `allowPrivilegeEscalation: false` set, so I think setting `securityContext.runAsNonRoot: true` should have no impact, but this should be confirmed by somebody more knowledgeable with the internals of the application.

In our cluster, the webhook is running the `gcr.io/config-management-release/admission-webhook:v1.17.1-rc.2` image.
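The following is an added example, not code from the issue author or from the kpt-config-sync project. It evaluates a pod spec against the restricted-profile rule for `runAsNonRoot` as the Pod Security Standards document it (every init, regular and ephemeral container must end up with `runAsNonRoot=true`; a container may leave the field unset only when the pod-level `spec.securityContext.runAsNonRoot` is `true`; an explicit `false` at either level is a violation) and applies the remediation described above. The function names, the violation wording and the pod specs are this example's own assumptions; only the image name is taken from the issue.

```python
"""Check a pod spec against the Pod Security Standards "restricted"
runAsNonRoot control and apply the fix proposed in the issue.

Added example, not kpt-config-sync code. Rule implemented (as documented for
the restricted profile): each container must end up with runAsNonRoot=true;
a container may leave it unset only if pod-level runAsNonRoot is true; an
explicit false at pod or container level is a violation. Function names,
message wording and the sample specs are assumptions of this example.
"""
import copy

# Image name taken from the issue; everything else below is constructed.
WEBHOOK_IMAGE = "gcr.io/config-management-release/admission-webhook:v1.17.1-rc.2"
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def _security_context(obj):
    """Return the securityContext mapping of a pod spec or container (empty if absent/null)."""
    return obj.get("securityContext") or {}


def check_run_as_non_root(pod_spec):
    """Return a list of violation strings; an empty list means the control passes."""
    violations = []
    pod_value = _security_context(pod_spec).get("runAsNonRoot")
    if pod_value is False:
        violations.append("pod must not set securityContext.runAsNonRoot=false")
    for field in CONTAINER_FIELDS:
        for container in pod_spec.get(field, []):
            name = container.get("name", "<unnamed>")
            value = _security_context(container).get("runAsNonRoot")
            if value is True:
                continue  # explicitly compliant, whatever the pod level says
            if value is False:
                # An explicit false is never rescued by a pod-level true.
                violations.append(
                    f'container "{name}" must not set securityContext.runAsNonRoot=false')
            elif pod_value is not True:
                # Unset on the container and not covered by a pod-level true.
                violations.append(
                    f'pod or container "{name}" must set securityContext.runAsNonRoot=true')
    return violations


def _ensure_security_context(obj):
    if obj.get("securityContext") is None:
        obj["securityContext"] = {}
    return obj["securityContext"]


def set_run_as_non_root(pod_spec):
    """Return a copy of pod_spec with runAsNonRoot=true at pod level and on
    every container (the change the issue proposes); the input is not mutated."""
    fixed = copy.deepcopy(pod_spec)
    _ensure_security_context(fixed)["runAsNonRoot"] = True
    for field in CONTAINER_FIELDS:
        for container in fixed.get(field, []):
            _ensure_security_context(container)["runAsNonRoot"] = True
    return fixed


# Constructed spec in the state the issue describes: allowPrivilegeEscalation
# is already false on the container, but runAsNonRoot is unset at both levels.
WEBHOOK_POD_SPEC_BEFORE = {
    "containers": [
        {
            "name": "admission-webhook",
            "image": WEBHOOK_IMAGE,
            "securityContext": {"allowPrivilegeEscalation": False},
        }
    ],
}

# Same spec after the proposed fix; allowPrivilegeEscalation is left untouched.
WEBHOOK_POD_SPEC_AFTER = set_run_as_non_root(WEBHOOK_POD_SPEC_BEFORE)

if __name__ == "__main__":
    for label, spec in (("before", WEBHOOK_POD_SPEC_BEFORE),
                        ("after", WEBHOOK_POD_SPEC_AFTER)):
        print(f"{label}: {check_run_as_non_root(spec) or 'OK'}")
```

On a real cluster the same evaluation is performed by the Pod Security admission controller when the namespace is labelled for the restricted level, so this checker is only useful for vetting manifests before they are applied. Since the webhook is managed by Config Sync, patching the Deployment in the cluster is not a lasting fix, which is why the change had to land upstream as noted in the comment above.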