kubectl run -i -t busybox --image=busybox --restart=Never
kubectl debug busybox --image=golang:1.19.3-alpine3.16 -i -t -- /bin/sh
Defaulting debug container name to debugger-j2g7s.
Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [psp-allow-privilege-escalation-container] Privilege escalation container is not allowed: debugger-j2g7s
[psp-capabilities] ephemeral container <debugger-j2g7s> is not dropping all required capabilities. Container must drop all of ["NET_RAW", "CAP_SYS_ADMIN"] or "ALL"
[psp-readonlyrootfilesystem] only read-only root filesystem container is allowed: debugger-j2g7s
My current thought is that it's some other API that I also need to listen to but I'm unable to find it.
Or that the Gatekeeper Assign doesn't work with ephemeralContainers for some reason.
I think that
k get validatingwebhookconfigurations.admissionregistration.k8s.io gatekeeper-validating-webhook-configuration
k get mutatingwebhookconfigurations.admissionregistration.k8s.io gatekeeper-mutating-webhook-configuration
I have tried to use this PR but I'm unable to get it to work. I still get validation errors.
This has been tested together with https://github.com/XenitAB/terraform-modules/pull/881, and we know that this works since it works with Linkerd.
I have tried by running
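The three denials quoted above come from the ephemeral container only: the busybox container was mutated before validation, the debugger container was not. The Python below is an added illustration, not code from this PR or from Gatekeeper; it simulates an Assign-style mutation over a constructed pod spec and runs the same three checks the psp-* constraints report, first with a mutation that covers only spec.containers and spec.initContainers, then with one that also covers spec.ephemeralContainers. Container names, images and the required-drop list are taken from the messages on the page; everything else is assumed.

```python
"""Added example: why a mutation that skips ephemeralContainers still fails
the psp-* validations quoted in the thread (constructed input, not PR code)."""
import copy

# Capability set from the psp-capabilities message on the page.
REQUIRED_DROP = {"NET_RAW", "CAP_SYS_ADMIN"}

# The securityContext an Assign mutation would set on each container (assumed).
SECURE_CONTEXT = {
    "allowPrivilegeEscalation": False,
    "readOnlyRootFilesystem": True,
    "capabilities": {"drop": ["ALL"]},
}

# Every place a container can live in a pod spec.
CONTAINER_PATHS = ("containers", "initContainers", "ephemeralContainers")


def apply_defaults(pod, paths=CONTAINER_PATHS):
    """Simulate an Assign mutation: set missing securityContext fields on
    every container found under the given spec paths."""
    pod = copy.deepcopy(pod)
    for path in paths:
        for container in pod["spec"].get(path, []):
            sc = container.setdefault("securityContext", {})
            for key, value in SECURE_CONTEXT.items():
                sc.setdefault(key, copy.deepcopy(value))
    return pod


def validate(pod):
    """Return violations in the spirit of the three psp-* constraints."""
    violations = []
    for path in CONTAINER_PATHS:
        for container in pod["spec"].get(path, []):
            sc = container.get("securityContext", {})
            name = container["name"]
            if sc.get("allowPrivilegeEscalation", True):
                violations.append(f"psp-allow-privilege-escalation-container: {name}")
            dropped = set(sc.get("capabilities", {}).get("drop", []))
            if "ALL" not in dropped and not REQUIRED_DROP <= dropped:
                violations.append(f"psp-capabilities: {name}")
            if not sc.get("readOnlyRootFilesystem", False):
                violations.append(f"psp-readonlyrootfilesystem: {name}")
    return violations


# Constructed pod: the busybox pod plus the ephemeral debugger container
# that `kubectl debug` adds.
SAMPLE_POD = {
    "spec": {
        "containers": [{"name": "busybox", "image": "busybox"}],
        "ephemeralContainers": [
            {"name": "debugger-j2g7s", "image": "golang:1.19.3-alpine3.16"}
        ],
    }
}


def violations_when_mutation_skips_ephemeral():
    """Mutation location covers containers/initContainers only."""
    mutated = apply_defaults(SAMPLE_POD, paths=("containers", "initContainers"))
    return validate(mutated)


def violations_when_mutation_covers_ephemeral():
    """Mutation location also covers spec.ephemeralContainers."""
    return validate(apply_defaults(SAMPLE_POD))


if __name__ == "__main__":
    print(violations_when_mutation_skips_ephemeral())
    print(violations_when_mutation_covers_ephemeral())
```

Running it prints three violations, all for debugger-j2g7s, in the first case and none in the second. Separately from the mutation location, the webhook has to receive the request at all: an ephemeral container is added through the pods/ephemeralcontainers subresource, so a webhook whose rules match only pods (rather than pods/ephemeralcontainers, or */*) never sees that update, which is one concrete thing to check in the mutatingwebhookconfiguration listed above.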
Looks okay.