Open empinator opened 2 years ago
We have a similar issue with Istio: in order to use the istio-init
initContainer, we'd have to exempt the pod_no_new_capabilities
check for the ReplicaSet/StatefulSet/DaemonSet controllers, which would effectively bypass the check altogether.
We've avoided the issue thus far by using Istio's CNI plugin (https://istio.io/latest/docs/setup/additional-setup/cni/), but this doesn't work with secure runtimes such as Kata/gVisor.
👋 The k-rail project has been deprecated and is no longer under active development. We recommend taking a look at OPA Gatekeeper to see if it might meet your needs going forward.
Thanks for your contribution(s) to the project!
Hi,
I am running k-rail on my Kubernetes cluster combined with Linkerd as a service mesh to ensure mTLS communication between pods. Linkerd will automatically inject further (init-)containers into my pod to accomplish this.
One of the injected containers requires to be run with
runAsNonRoot: false
then, of course, k-rail is throwing a
pod_no_root_user
violation. I was wondering if there is a way to define exemptions on the container level within a pod?
Any help would be much appreciated.
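To illustrate the problem raised in both reports above (a pod-scoped policy firing on a mesh-injected init container, and a controller-wide exemption being the only available escape), here is an added, hypothetical Python check that evaluates every container and supports a per-container exemption by name. This is not k-rail's code; the policy names are the ones quoted in the thread, the pod spec and container names are constructed for the example, and the rule "runAsNonRoot must be explicitly true" is this illustration's own.

```python
from typing import Dict, List

# Constructed sample: an app pod after a mesh injector has added an init
# container that must run as root with NET_ADMIN/NET_RAW to rewrite iptables.
SAMPLE_POD: Dict = {
    "metadata": {"name": "web-0", "namespace": "shop"},
    "spec": {
        "initContainers": [
            {"name": "mesh-init",
             "securityContext": {"runAsNonRoot": False,
                                 "capabilities": {"add": ["NET_ADMIN", "NET_RAW"]}}},
        ],
        "containers": [
            {"name": "web", "securityContext": {"runAsNonRoot": True}},
            {"name": "mesh-proxy", "securityContext": {"runAsNonRoot": True}},
        ],
    },
}


def check_pod(pod: Dict, exempt_containers: List[str] = ()) -> List[str]:
    """Return violations as 'policy:container' strings.

    Every container and initContainer is evaluated, which is why a pod-scoped
    policy trips on injected init containers. A container named in
    exempt_containers is skipped; all other containers stay enforced, unlike a
    controller-wide exemption that would skip the whole pod.
    """
    spec = pod.get("spec", {})
    violations: List[str] = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        if c["name"] in exempt_containers:
            continue
        sc = c.get("securityContext") or {}
        # Hypothetical rule: runAsNonRoot must be explicitly true; an unset
        # value leaves root possible, so it is treated as a violation here.
        if sc.get("runAsNonRoot") is not True:
            violations.append(f"pod_no_root_user:{c['name']}")
        if (sc.get("capabilities") or {}).get("add"):
            violations.append(f"pod_no_new_capabilities:{c['name']}")
    return violations


if __name__ == "__main__":
    print(check_pod(SAMPLE_POD))                 # both policies fire on mesh-init
    print(check_pod(SAMPLE_POD, ["mesh-init"]))  # narrow exemption: nothing fires
```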