aerokube / moon

Browser automation solution for Kubernetes and Openshift supporting Selenium, Playwright, Puppeteer and Cypress
http://aerokube.com/moon/latest
Apache License 2.0

Unable to create defender pod on AKS 1.26.3 - Privilege escalation container is not allowed #380

Closed hackinjack closed 1 year ago

hackinjack commented 1 year ago

Getting this with following container versions:

moon:1.7.0 moon-api: 1.7.0 selenoid-ui: 1.10.1

also tried: moon/moon-api 1.9.7 selenoid-ui 1.10.4

Had to add securityContext blocks to the 3 above containers:

  securityContext:
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false

... then at least these load, however

2023/05/18 08:44:17 [INIT] [Loading configuration from: config/service.json]
2023/05/18 08:44:17 [INIT] [Loading quota files from: quota]
2023/05/18 08:44:17 [INIT] [Quota configuration updated]
2023/05/18 08:44:17 [INIT] [Using image = "aerokube/moon-video-recorder:1.7.0", limits: cpu = "1", memory = "1Gi", requests: cpu = 250m, memory = 1Gi as videoRecorder]
2023/05/18 08:44:17 [INIT] [Using image = "container-registry.example.net/aerokube/defender:1.7.0", limits: cpu = "250m", memory = "64Mi", requests: cpu = 100m, memory = 64Mi as defender]
2023/05/18 08:44:17 [INIT] [Using image = "aerokube/logger:1.7.0", limits: cpu = "250m", memory = "64Mi", requests: cpu = 100m, memory = 64Mi as logger]
2023/05/18 08:44:17 [INIT] [Will run as user 106 and group 65534]
2023/05/18 08:44:17 [INIT] [S3 upload is disabled: no S3 endpoint specified]
2023/05/18 08:44:25 [FORBIDDEN_TO_CREATE_POD] [browsers] [X.X.X.X] [chrome-86-0-05a258e6-83a3-4225-bab1-9fc7888b722e] [admission webhook "validation.gatekeeper.sh" denied the request: [azurepolicy-k8sazurev3noprivilegeescalatio-08730a25fb318876e097] Privilege escalation container is not allowed: browser
[azurepolicy-k8sazurev3noprivilegeescalatio-08730a25fb318876e097] Privilege escalation container is not allowed: defender

Please advise. TiA.
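The denial above comes from a Gatekeeper constraint that flags every container whose securityContext.allowPrivilegeEscalation is not explicitly false (a missing securityContext counts as a violation, as in the upstream gatekeeper-library template the Azure policy is built on). The check below reproduces that rule offline and shows the in-place patch that clears it; this is an added example, not Moon's or Gatekeeper's code, and the pod spec is constructed.

```python
"""Offline reproduction of the 'Privilege escalation container is not allowed'
admission rule, plus the patch that satisfies it (added example, constructed data)."""
from copy import deepcopy

# The constraint template walks all three container lists of a pod spec.
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def allows_privilege_escalation(container: dict) -> bool:
    """True when the constraint would flag this container: the field has to be
    explicitly false; a missing securityContext or a missing key also violates."""
    security_context = container.get("securityContext") or {}
    return security_context.get("allowPrivilegeEscalation") is not False


def violations(pod_spec: dict) -> list[str]:
    """Messages in the same shape as the admission denial quoted in the issue."""
    return [
        f"Privilege escalation container is not allowed: {c['name']}"
        for field in CONTAINER_FIELDS
        for c in pod_spec.get(field, [])
        if allows_privilege_escalation(c)
    ]


def harden(pod_spec: dict) -> dict:
    """Return a copy with allowPrivilegeEscalation pinned to false on every
    container, the kind of in-place mutation a tool like kubemod would apply."""
    fixed = deepcopy(pod_spec)
    for field in CONTAINER_FIELDS:
        for c in fixed.get(field, []):
            security_context = c.get("securityContext") or {}
            security_context["allowPrivilegeEscalation"] = False
            c["securityContext"] = security_context
    return fixed


# Constructed spec modelled on a Moon 1.x browser pod: two sidecars lack the field.
BROWSER_POD = {
    "containers": [
        {"name": "browser"},
        {"name": "defender"},
        {"name": "logger", "securityContext": {"allowPrivilegeEscalation": False}},
    ]
}

if __name__ == "__main__":
    for message in violations(BROWSER_POD):
        print(message)
    print("after hardening:", violations(harden(BROWSER_POD)))
```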

vania-pooh commented 1 year ago

@hackinjack We recommend using Moon 2 instead. Contrary to Moon 1.x, pods are never started with elevated permission requests and a regular user is always used inside all images. https://aerokube.com/moon/latest/#install-kubernetes

vania-pooh commented 1 year ago

Another alternative could be using kubemod to update affected pods in place.

hackinjack commented 1 year ago

@hackinjack We recommend using Moon 2 instead. Contrary to Moon 1.x, pods are never started with elevated permission requests and a regular user is always used inside all images. https://aerokube.com/moon/latest/#install-kubernetes

Thanks very much for this, however at present we do not have any internal helm repos with moon artifacts and it would be a lengthy process to implement that. Is there any non-helm deployment code available for V2 please?

vania-pooh commented 1 year ago

@hackinjack we don't have such manifests because Moon 2 now relies on generated custom resource definitions, and storing such files in raw YAML is too error-prone. To get raw YAML, you can at least render the Helm chart to raw YAML using the helm template command. https://helm.sh/docs/helm/helm_template/

hackinjack commented 1 year ago

In case it helps anyone else with private repos in highly restricted environments, I'll just leave this here: to download specific versions of charts locally, for example from https://charts.aerokube.com/, pull up the index used by helm by adding /index.yaml to the end of the repo URL: https://charts.aerokube.com/index.yaml. Then you can open the index.html file downloaded from this and search for the artifact you want, in my case:

  moon2:
  - apiVersion: v2
    appVersion: 2.5.1
    created: "2023-05-18T18:05:30.167148085Z"
    description: Moon Helm chart
    digest: 4d3bc5f676d6692c0d1224d048a82219f22f74166611c6b5478b3d9d495fc56a
    icon: https://aerokube.com/img/aerokube_logo.svg
    name: moon2
    urls:
    - https://charts.aerokube.com/moon2-2.5.1.tgz
    version: 2.5.1

Now I can download the tarball and expand it locally.
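When a chart is side-loaded this way, the digest field in the index entry is the SHA-256 of the packaged .tgz, so the tarball can be checked against the index before helm template is run on it. The script below does that check; it is an added example, not Aerokube's or Helm's code, and both the index entries and the chart package it uses are constructed (the digest is that of the constructed package, not of the real moon2-2.5.1.tgz).

```python
"""Verify a hand-downloaded Helm chart package against the repo index
(added example; index entries and chart package are constructed)."""
import hashlib
import io
import tarfile


def find_entry(index: dict, name: str, version: str) -> dict:
    """Locate one chart version in the parsed `entries:` map of index.yaml."""
    for entry in index.get("entries", {}).get(name, []):
        if entry.get("version") == version:
            return entry
    raise KeyError(f"{name} {version} not present in index")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_chart(index: dict, name: str, version: str, tgz: bytes) -> bool:
    """True only when the tarball's SHA-256 equals the digest the index advertises."""
    return sha256_hex(tgz) == find_entry(index, name, version)["digest"]


def build_fake_chart(name: str, version: str) -> bytes:
    """Constructed stand-in for <name>-<version>.tgz: a gzipped tar holding Chart.yaml."""
    chart_yaml = f"apiVersion: v2\nname: {name}\nversion: {version}\n".encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(f"{name}/Chart.yaml")
        info.size = len(chart_yaml)
        tar.addfile(info, io.BytesIO(chart_yaml))
    return buf.getvalue()


GOOD_TGZ = build_fake_chart("moon2", "2.5.1")

# Constructed index mirroring the shape of the excerpt above; the digest is
# computed from GOOD_TGZ, not copied from the real repository index.
INDEX = {"entries": {"moon2": [{
    "name": "moon2",
    "version": "2.5.1",
    "urls": ["https://charts.aerokube.com/moon2-2.5.1.tgz"],
    "digest": sha256_hex(GOOD_TGZ),
}]}}

if __name__ == "__main__":
    print("digest ok:", verify_chart(INDEX, "moon2", "2.5.1", GOOD_TGZ))
    print("tampered ok:", verify_chart(INDEX, "moon2", "2.5.1", GOOD_TGZ + b"\x00"))
```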

vania-pooh commented 1 year ago

@hackinjack yeah, this is how Helm repos work in general.