carvel-dev / secretgen-controller

secretgen-controller provides CRDs to specify what secrets need to be on Kubernetes cluster (to be generated or not)
Apache License 2.0

Set seccompProfile to ensure that deployment is successful on PSA enforced cluster. #519

Closed rohitagg2020 closed 7 months ago

rohitagg2020 commented 8 months ago

What steps did you take: Given I have a Kubernetes cluster with Pod Security Admission set to enforced. When I deployed secretgen-controller on the Kubernetes cluster, the secretgen-controller pod doesn't come up and the deployment fails:

$ kubectl get deploy/secretgen-controller -n secretgen-controller -oyaml | yq .status
conditions:
  - lastTransitionTime: "2024-01-28T05:24:16Z"
    lastUpdateTime: "2024-01-28T05:24:16Z"
    message: Created new replica set "secretgen-controller-59db9f7c64"
    reason: NewReplicaSetCreated
    status: "True"
    type: Progressing
  - lastTransitionTime: "2024-01-28T05:24:17Z"
    lastUpdateTime: "2024-01-28T05:24:17Z"
    message: Deployment does not have minimum availability.
    reason: MinimumReplicasUnavailable
    status: "False"
    type: Available
  - lastTransitionTime: "2024-01-28T05:24:16Z"
    lastUpdateTime: "2024-01-28T05:24:16Z"
    message: 'admission webhook "pod-security-webhook.kubernetes.io" denied the request: pods "secretgen-controller-59db9f7c64-4nz6v" is forbidden: violates PodSecurity "restricted:latest": seccompProfile (pod or container "secretgen-controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'
    reason: FailedCreate
    status: "True"
    type: ReplicaFailure
observedGeneration: 1
unavailableReplicas: 1

What happened: Secretgen-controller deployment fails to bring up the pod.

What did you expect: Secretgen-controller deployment to be running successfully.

Anything else you would like to add: Setting the seccompProfile to RuntimeDefault will also harden the container security.

Environment:


Vote on this request

This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.

👍 "I would like to see this addressed as soon as possible" 👎 "There are other more important things to focus on right now"

We are also happy to receive and review Pull Requests if you want to help work on this issue.
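A pod template that passes the PodSecurity "restricted" profile, as an added example that is not part of this issue or of the project's own manifests. It goes beyond the seccompProfile fix the issue asks for to the other controls the restricted profile checks (non-root, no privilege escalation, dropped capabilities); the namespace labels, replica count and image name are assumed placeholders.

```yaml
# Constructed example: a Namespace that enforces the PSA "restricted" profile,
# followed by a Deployment whose pod template satisfies it.
apiVersion: v1
kind: Namespace
metadata:
  name: secretgen-controller
  labels:
    # Enforce (not just warn/audit) the restricted profile in this namespace.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: secretgen-controller
  namespace: secretgen-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      app: secretgen-controller
  template:
    metadata:
      labels:
        app: secretgen-controller
    spec:
      # Pod-level seccomp profile: this is the control the admission webhook
      # reported as missing in the status message quoted in the issue.
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: secretgen-controller
          image: REPLACE_WITH_CONTROLLER_IMAGE   # placeholder, not the project's image ref
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            # A container-level profile overrides the pod-level one, so if one
            # is set it must also be RuntimeDefault or Localhost.
            seccompProfile:
              type: RuntimeDefault
```

Running `kubectl apply --dry-run=server -f` against the labelled namespace has the cluster's own admission controller evaluate the template, so a missing control surfaces as the same "violates PodSecurity" error before any rollout.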