Volsync does not start in cluster with PodSecurityAdmission set to restricted

backube / volsync

Asynchronous data replication for Kubernetes volumes

https://volsync.readthedocs.io

GNU Affero General Public License v3.0

601 stars 69 forks source link

Volsync does not start in cluster with PodSecurityAdmission set to restricted #1430

Open davralin opened 1 month ago

davralin commented 1 month ago

Describe the bug VolSync fails to start in a cluster with Pod Security Configuration enforced to restricted, due to missing SecCompProfile.

Steps to reproduce Enforce pod security configuration to restricted in your cluster. Deploy volsync

Expected behavior Volsync is actually deployed

Actual results

Error creating: pods "volsync-554964465c-lw8t4" is forbidden:
violates PodSecurity "restricted:latest":
seccompProfile (pod or containers "kube-rbac-proxy", "manager" must set securityContext.seccompProfile.type
to "RuntimeDefault" or "Localhost")

Additional context #292 is somewhat related, but deals with the implementation in kind I guess.

tesshuflower commented 1 month ago

You may need to set podSecurityContext.seccompProfile.type in your values.yaml

https://github.com/backube/volsync/blob/main/helm/volsync/values.yaml#L66

davralin commented 1 month ago

Right... not sure how I missed that... Anyway;

    podSecurityContext:
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault

Leads to:

pod/volsync-5cc98f9b59-plvkf
Error: container has runAsNonRoot and image will run as root
(pod: "volsync-5cc98f9b59-plvkf_volsync(d7b7b3c9-8959-48ca-b8b3-b8a226c21c12)", container: manager)

So, new thing failed - but runAsRoot needs to be set in order to reach restricted.

tesshuflower commented 1 month ago

I think it sounds like you also will need to set podSecurityContext.runAsUser in your system. By default we normally set this to 65534 if you don't specify a podSecurityContext.

davralin commented 1 month ago

So, this is the conclussion I chose:

    podSecurityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        fsGroupChangePolicy: "OnRootMismatch"
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault

This will allow volsync to work under restricted.

In order to do backup/restores:

    moverSecurityContext:
      runAsUser: 1000
      runAsGroup: 1000
      fsGroup: 1000
      fsGroupChangePolicy: "OnRootMismatch"
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault

Maybe some of these values should be the defaults?

My issue is closed however, I solved it with some configuration, I'll leave it open in-case someone needs/wants to change the default securityContext of volsync.

onedr0p commented 1 month ago

I think it would be fine to set this as a default on the helm chart?

podSecurityContext:
  runAsNonRoot: true
  runAsUser: 65534
  runAsGroup: 65534
  seccompProfile:
    type: RuntimeDefault