adyanth / cloudflare-operator

A Kubernetes Operator to create and manage Cloudflare Tunnels and DNS records for (HTTP/TCP/UDP*) Service Resources
https://adyanth.site/posts/migration-compose-k8s/cloudflare-tunnel-operator-architecture/
Apache License 2.0

Fix securityContext #110

Open maxpain opened 1 week ago

maxpain commented 1 week ago
 Error creating: pods "cloudflare-operator-controller-manager-6c69d7595-fvqr5" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "kube-rbac-proxy" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "kube-rbac-proxy", "manager" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or containers "kube-rbac-proxy", "manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
maxpain commented 1 week ago

The operator also can't create the tunnel deployment itself:

Error creating: pods "fastcup-95b95b84f-bs672" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "cloudflared" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "cloudflared" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "cloudflared" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "cloudflared" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
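The two admission errors quoted above enumerate what the PodSecurity "restricted" profile demands of every container: allowPrivilegeEscalation=false, capabilities.drop=["ALL"], runAsNonRoot=true and a RuntimeDefault or Localhost seccomp profile, the last two settable at pod level. The Python below is an added example, not code from cloudflare-operator: it re-implements those checks over a pod spec held as a plain dict (no cluster, no PyYAML) and patches a spec so it passes. The two sample specs are constructed to mirror the failing deployments in this issue, and the image names in them are placeholders.

```python
"""Check a pod spec against the PodSecurity "restricted" checks reported in the
admission errors above, and patch a spec so it passes.

Added example for this issue thread; not code from cloudflare-operator. It covers
the four restricted-profile checks named in the errors (plus the NET_BIND_SERVICE
allowance for capabilities.add). It does not implement the baseline checks the
restricted profile also inherits (privileged, hostNetwork, volume types, ...).
"""
import copy
from typing import Any, Dict, List, Optional

ALLOWED_SECCOMP = ("RuntimeDefault", "Localhost")


def restricted_violations(pod_spec: Dict[str, Any]) -> List[str]:
    """One message per failing (container, check), phrased like the admission error."""
    pod_sc = pod_spec.get("securityContext") or {}
    out: List[str] = []
    for c in (pod_spec.get("initContainers") or []) + (pod_spec.get("containers") or []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}

        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f'container "{name}" must set securityContext.allowPrivilegeEscalation=false')
        if "ALL" not in (caps.get("drop") or []):
            out.append(f'container "{name}" must set securityContext.capabilities.drop=["ALL"]')
        extra = [cap for cap in (caps.get("add") or []) if cap != "NET_BIND_SERVICE"]
        if extra:
            out.append(f'container "{name}" may only add NET_BIND_SERVICE, not {extra}')
        # runAsNonRoot and seccompProfile fall back to the pod-level value when the
        # container does not override them.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            out.append(f'pod or container "{name}" must set securityContext.runAsNonRoot=true')
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ALLOWED_SECCOMP:
            out.append(f'pod or container "{name}" must set securityContext.seccompProfile.type '
                       f'to "RuntimeDefault" or "Localhost"')
    return out


def harden(pod_spec: Dict[str, Any], run_as_user: Optional[int] = None) -> Dict[str, Any]:
    """Return a copy of pod_spec with the restricted-profile fields set.

    Pod-level fields carry runAsNonRoot and the seccomp profile; each container
    gets allowPrivilegeEscalation=false and drops all capabilities, keeping only
    NET_BIND_SERVICE if it was requested. Container-level overrides that would
    still violate the profile are corrected too. The input is not mutated.
    """
    spec = copy.deepcopy(pod_spec)
    pod_sc = spec.setdefault("securityContext", {})
    pod_sc["runAsNonRoot"] = True
    if (pod_sc.get("seccompProfile") or {}).get("type") not in ALLOWED_SECCOMP:
        pod_sc["seccompProfile"] = {"type": "RuntimeDefault"}
    if run_as_user is not None:
        pod_sc["runAsUser"] = run_as_user
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        sc = c.setdefault("securityContext", {})
        sc["allowPrivilegeEscalation"] = False
        caps = sc.setdefault("capabilities", {})
        caps["drop"] = ["ALL"]
        add = [cap for cap in (caps.get("add") or []) if cap == "NET_BIND_SERVICE"]
        if add:
            caps["add"] = add
        else:
            caps.pop("add", None)
        if sc.get("runAsNonRoot") is False:
            sc["runAsNonRoot"] = True
        if "seccompProfile" in sc and sc["seccompProfile"].get("type") not in ALLOWED_SECCOMP:
            sc["seccompProfile"] = {"type": "RuntimeDefault"}
    return spec


# Constructed specs mirroring the two failing deployments in this issue
# (image references are placeholders, not the project's manifests).
CLOUDFLARED_POD_SPEC: Dict[str, Any] = {
    "containers": [
        {"name": "cloudflared", "image": "cloudflare/cloudflared", "args": ["tunnel", "run"]},
    ],
}

OPERATOR_POD_SPEC: Dict[str, Any] = {
    "securityContext": {"runAsNonRoot": True},
    "containers": [
        {"name": "kube-rbac-proxy", "image": "example.invalid/kube-rbac-proxy"},
        {"name": "manager", "image": "example.invalid/cloudflare-operator",
         "securityContext": {"allowPrivilegeEscalation": False}},
    ],
}

if __name__ == "__main__":
    for label, spec in (("cloudflared", CLOUDFLARED_POD_SPEC), ("operator", OPERATOR_POD_SPEC)):
        print(f"{label}: {len(restricted_violations(spec))} violation(s) before hardening")
        for v in restricted_violations(spec):
            print("  -", v)
        print(f"{label}: {len(restricted_violations(harden(spec)))} violation(s) after hardening")
```

Two caveats a practitioner will hit when applying this to the operator and to the generated cloudflared deployment. First, runAsNonRoot=true is enforced by the kubelet at container start: if the image's default user is root and no runAsUser is set, the container is refused even though admission passed, so pass a non-zero runAsUser (65532 is the distroless "nonroot" UID) for images that do not already declare a non-root USER. Second, dropping ALL capabilities is safe for an outbound-only process such as cloudflared; only a container that must bind a port below 1024 needs NET_BIND_SERVICE added back, which is the single capability the restricted profile permits.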
adyanth commented 1 week ago

Looks like your environment enforces security policies for pods. You would benefit from https://github.com/adyanth/cloudflare-operator/pull/73 but I have not had time to work on this sadly.