cloudfoundry / cf-for-k8s

The open source deployment manifest for Cloud Foundry on Kubernetes
Apache License 2.0

Can't deploy on K8s cluster with PodSecurityPolicies enabled #395

Open JamesClonk opened 4 years ago

JamesClonk commented 4 years ago

Describe the bug

Currently it is not possible to install cf-for-k8s on a Kubernetes cluster that has PodSecurityPolicy enabled in the admission-controller. Valid PodSecurityPolicies are missing for cf-db / postgres and cf-blobstore / minio.

To Reproduce

Steps to reproduce the behavior:

  1. Target K8s cluster with PodSecurityPolicies enabled
  2. Deploy cf-for-k8s
  3. kubectl -n cf-db describe statefulset.apps/cf-db-postgresql
  4. See error
    Warning  FailedCreate      85s (x16 over 4m9s)  statefulset-controller  create Pod cf-db-postgresql-0 in StatefulSet cf-db-postgresql failed error: pods "cf-db-postgresql-0" is forbidden: unable to validate against any pod security policy: []

Expected behavior

Deploying cf-for-k8s on a Kubernetes cluster with PodSecurityPolicies enabled should work. All components as part of the cf-for-k8s deployment should provide PodSecurityPolicies.

Additional context

The bitnami/postgresql helm chart would provide the possibility to template PodSecurityPolicies:

  psp.create    Create Pod Security Policy

Cluster information

Tested with:

cf-gitbot commented 4 years ago

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/174511296

The labels on this github issue will be updated when the story is started.

JamesClonk commented 4 years ago

Istio seems to lack PodSecurityPolicies as well.

edit: OK, it looks like basically anything in cf-for-k8s except for Eirini completely lacks PodSecurityPolicies, making it basically impossible to even manually hack something together on my end to get it deployed. :cry:
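For readers following the FailedCreate error in the report above, here is an added example (not from the report or the cf-for-k8s repository) of what an operator has to supply per component when the PSP admission controller is on: a restrictive PodSecurityPolicy plus the RBAC `use` grant for the pod's service account. The policy and binding names and the service account name are placeholders, and the PSP API shown is `policy/v1beta1`, which was removed in Kubernetes 1.25.

```yaml
# Added example: restrictive PSP + RBAC "use" grant for the cf-db namespace.
# Names marked PLACEHOLDER are assumptions, not values from cf-for-k8s.
apiVersion: policy/v1beta1          # PSP API; removed in Kubernetes 1.25
kind: PodSecurityPolicy
metadata:
  name: cf-db-restricted            # PLACEHOLDER policy name
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  runAsUser:
    rule: MustRunAsNonRoot          # reject pods whose container runs as uid 0
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]  # non-root fsGroup so the PVC is writable
  readOnlyRootFilesystem: false     # left writable; tighten if the image tolerates it
  volumes:                          # only non-host volume types
  - configMap
  - secret
  - emptyDir
  - persistentVolumeClaim
  - projected
  - downwardAPI
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cf-db-psp-user              # PLACEHOLDER role name
  namespace: cf-db
rules:
- apiGroups: [policy]
  resources: [podsecuritypolicies]
  resourceNames: [cf-db-restricted]
  verbs: [use]                      # "use" is the verb PSP admission checks
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cf-db-psp-user
  namespace: cf-db
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cf-db-psp-user
subjects:
- kind: ServiceAccount
  name: cf-db-postgresql            # PLACEHOLDER: the StatefulSet's serviceAccountName
  namespace: cf-db
```

The `[]` in the FailedCreate message is the list of policies the pod's service account was authorized to use, so the Role/RoleBinding is what makes that list non-empty and the PSP spec is then what the pod must actually satisfy. Before deploying, `kubectl -n cf-db auth can-i use podsecuritypolicy/cf-db-restricted --as=system:serviceaccount:cf-db:<sa>` confirms the grant is in place for the real service account.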

davewalter commented 4 years ago

Hi @JamesClonk,

Thanks for creating this issue. We've had some discussion about this in PR #223. We will check in with our PM about filing requests with the appropriate teams and making the changes for the components that we control directly (Postgres and Minio).

Regards, Dave and @jamespollard8

anyandrea commented 3 years ago

@davewalter Do we have any news on this topic? This feature is very important to us :)

jamespollard8 commented 3 years ago

Thanks @anyandrea. Unfortunately we have no significant news here. It's still on the horizon but I'm not sure if this is going to make it into our 1.0 release next month.

We're starting to use github projects now so this has become the best place to inspect our roadmap: https://github.com/cloudfoundry/cf-for-k8s/projects/4 (you'll see that this issue is currently in the Icebox)

If you have more to share with our new interim PM @paulcwarren, this would be a great place to share it.