Open NissesSenap opened 1 year ago
Error creating: pods "wait-for-crds-chg4r" is forbidden: violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "wait-for-crds" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "wait-for-crds" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "wait-for-crds" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "wait-for-crds" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Related error when deploying this chart version v0.23.1 against EKS 1.26 on the Job/wait-for-crds resource.
@NissesSenap you can find a related PR here:
https://github.com/sighupio/gatekeeper-policy-manager/pull/545
The issue here is that this chart's Job/wait-for-crds will fail if there is a Restricted PSS and there is no way to configure it otherwise using values.yaml.
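The admission error quoted at the top of this issue names four Restricted-profile controls, and the comment above explains that the chart's Job template has no values.yaml knob to satisfy them. The script below is an added example for this thread, not code from the gatekeeper-policy-manager chart: it checks a pod spec against exactly those four controls (allowPrivilegeEscalation, capabilities, runAsNonRoot, seccompProfile; the remaining Baseline/Restricted rules are not implemented) and shows a minimal Job template with and without the securityContext that passes them. Both Job manifests are constructed here for illustration, the image name and wait command are placeholders rather than the chart's, and `runAsUser: 65534` is an assumed non-root UID.

```python
"""Check a pod spec against the four Restricted-profile controls named in the
PodSecurity error quoted in this issue, and show a Job template that passes.

Added example, not code from the gatekeeper-policy-manager chart. Rules follow
https://kubernetes.io/docs/concepts/security/pod-security-standards/ for these
four controls only; hostPID, hostPath, privileged, etc. are not checked here.
"""
from typing import Any, Dict, List, Optional

ALLOWED_CAP_ADD = {"NET_BIND_SERVICE"}  # the only capability Restricted lets you add


def _pod_or_container(pod_spec: Dict[str, Any], container: Dict[str, Any], key: str) -> Optional[Any]:
    """runAsNonRoot and seccompProfile may be set at pod or container level;
    the container-level value wins when present."""
    value = (container.get("securityContext") or {}).get(key)
    if value is None:
        value = (pod_spec.get("securityContext") or {}).get(key)
    return value


def restricted_violations(pod_spec: Dict[str, Any]) -> List[str]:
    """Return one message per violated control per container (initContainers
    included), worded like the admission plugin so output matches the issue."""
    violations: List[str] = []
    containers = list(pod_spec.get("containers", [])) + list(pod_spec.get("initContainers", []))
    for c in containers:
        name = c.get("name", "")
        sc = c.get("securityContext") or {}
        # container-level only: allowPrivilegeEscalation must be explicitly false
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(
                f'allowPrivilegeEscalation != false (container "{name}" must set '
                f"securityContext.allowPrivilegeEscalation=false)")
        # container-level only: drop ALL, and add nothing beyond NET_BIND_SERVICE
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            violations.append(
                f'unrestricted capabilities (container "{name}" must set '
                f'securityContext.capabilities.drop=["ALL"])')
        for cap in sorted(set(caps.get("add") or []) - ALLOWED_CAP_ADD):
            violations.append(  # wording approximates the plugin's message
                f'unrestricted capabilities (container "{name}" must not include '
                f'"{cap}" in securityContext.capabilities.add)')
        # pod-or-container level
        if _pod_or_container(pod_spec, c, "runAsNonRoot") is not True:
            violations.append(
                f'runAsNonRoot != true (pod or container "{name}" must set '
                f"securityContext.runAsNonRoot=true)")
        seccomp = _pod_or_container(pod_spec, c, "seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            violations.append(
                f'seccompProfile (pod or container "{name}" must set '
                f'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
    return violations


def pss_error(pod_name: str, pod_spec: Dict[str, Any], level: str = "restricted:v1.24") -> str:
    """Render the admission error; empty string when the spec is admitted."""
    found = restricted_violations(pod_spec)
    if not found:
        return ""
    return f'pods "{pod_name}" is forbidden: violates PodSecurity "{level}": ' + ", ".join(found)


def wait_for_crds_job(hardened: bool) -> Dict[str, Any]:
    """Constructed Job shaped like a wait-for-CRD job (not the chart's template).
    hardened=False has no securityContext and reproduces the four violations;
    hardened=True adds the fields the Restricted profile demands."""
    container: Dict[str, Any] = {
        "name": "wait-for-crds",
        "image": "registry.example.invalid/kubectl:placeholder",  # placeholder image
        "command": ["sh", "-c", "until kubectl get crd \"$CRD_NAME\"; do sleep 2; done"],  # placeholder command
    }
    pod_spec: Dict[str, Any] = {"restartPolicy": "OnFailure", "containers": [container]}
    if hardened:
        container["securityContext"] = {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        }
        pod_spec["securityContext"] = {
            "runAsNonRoot": True,
            # assumed UID: with runAsNonRoot=true and an image whose USER is root,
            # the kubelet refuses to start the container unless runAsUser is non-zero
            "runAsUser": 65534,
            "seccompProfile": {"type": "RuntimeDefault"},
        }
    return {"apiVersion": "batch/v1", "kind": "Job",
            "metadata": {"name": "wait-for-crds"},
            "spec": {"template": {"spec": pod_spec}}}


if __name__ == "__main__":
    for hardened in (False, True):
        spec = wait_for_crds_job(hardened)["spec"]["template"]["spec"]
        label = "with securityContext" if hardened else "no securityContext"
        print(f"{label}: {pss_error('wait-for-crds-chg4r', spec) or 'admitted'}")
```

Note that `allowPrivilegeEscalation` and `capabilities` exist only on the container-level securityContext, so a chart fix needs both a pod-level block (for `runAsNonRoot` and `seccompProfile`) and a container-level block, and a `values.yaml` knob for each if the chart wants to stay configurable. Setting `runAsNonRoot: true` on its own is not enough when the image runs as root: admission will pass, but the kubelet then fails the container at start, so pair it with `runAsUser` or a non-root `USER` in the image.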
Yeah, I used it on a new cluster a few days ago and got the same issue. I don't work at Xenit any more, but I'm sure they would be very happy to get a PR @brsolomon-deloitte if you have the possibility.
We are always happy to receive PRs! 😊🖖
Otherwise we'll take it as it comes up for ourselves in the process of validating the new versions. 👍
Took an initial look at the list https://kubernetes.io/docs/concepts/security/pod-security-standards/ and in general it looks very good.
I think we have missed configuring anything around restricting the seccompProfile, seLinux and sysctls options.