Background here is that an empty initContainers: element will be created.
This is a bug from bitnami/postgresql Helm chart which was solved in bitnami/charts#14602.
With this bug kyverno will detect a problem when checking the chart (error message in code block below).
To Reproduce
Run kyverno with the mentioned policy and see error (executed through eclipse-tractusx/e2e-testing):
policy require-run-as-nonroot -> resource edc/StatefulSet/chart-consumer-postgresql failed:
1. autogen-run-as-non-root: validation error: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`. rule autogen-run-as-non-root[0] failed at path /spec/template/spec/initContainers/ rule autogen-run-as-non-root[1] failed at path /spec/template/spec/initContainers/
policy require-run-as-nonroot -> resource edc/StatefulSet/chart-provider-postgresql failed:
1. autogen-run-as-non-root: validation error: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`. rule autogen-run-as-non-root[0] failed at path /spec/template/spec/initContainers/ rule autogen-run-as-non-root[1] failed at path /spec/template/spec/initContainers/
Expected behavior
No run-as-non-root error should occur.
Possible Implementation
To fix this problem only an update is required to at least bitnami/postgresql 12.1.13 - or latest version (currently 12.7.1).
Describe the bug
Currently the Helm chart is using postgresql in version 12.1.6: https://github.com/eclipse-tractusx/tractusx-edc/blob/968bb28b149784ecf8c3e9ab0f55b949af919df0/charts/tractusx-connector/Chart.yaml#L59-L64
This version will fail to run the kyverno policy require-run-as-nonroot.yaml check.
If you want I can raise a PR for this.
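A pre-flight check for the condition described in this issue, as an added example that is not part of the original report or of either project's code: it scans rendered manifest text (for example the output of `helm template`) for an `initContainers:` key with no value, which YAML parses as null. The function name, the line-based heuristic and the sample manifest are assumptions constructed for illustration.

```python
import re

# A bare key, `null` or `~` all parse as YAML null; `[]` is an empty list, not null.
KEY = re.compile(r"^( *)initContainers:\s*(.*?)\s*(?:#.*)?$")

def find_empty_init_containers(manifest):
    """Return (line_no, kind, name) for each initContainers key that parses as null."""
    lines, findings = manifest.splitlines(), []
    kind = name = None
    for i, line in enumerate(lines):
        if line.startswith("---"):
            kind = name = None                     # new YAML document
        elif line.startswith("kind:"):
            kind = line.split(":", 1)[1].strip()
        elif name is None and line.startswith("  name:"):
            name = line.split(":", 1)[1].strip()   # first 2-space name: metadata.name
        m = KEY.match(line)
        if not m:
            continue
        indent, value = len(m.group(1)), m.group(2)
        if value == "":
            # Bare key: it is null unless the next significant line is its child.
            nxt = next((l for l in lines[i + 1:]
                        if l.strip() and not l.lstrip().startswith("#")), "")
            n_indent = len(nxt) - len(nxt.lstrip())
            is_item = nxt.lstrip().startswith("-") and n_indent >= indent
            if is_item or n_indent > indent:
                continue
        elif value not in ("null", "~"):
            continue
        findings.append((i + 1, kind, name))
    return findings

# Constructed sample, shaped like a rendered StatefulSet with the empty key.
SAMPLE = """\
kind: StatefulSet
metadata:
  name: demo-postgresql
spec:
  template:
    spec:
      initContainers:
      containers:
        - name: postgresql
"""

if __name__ == "__main__":
    for line_no, kind, name in find_empty_init_containers(SAMPLE):
        print(f"line {line_no}: {kind}/{name} has an empty initContainers key")
```

Because it works on text rather than a parsed document, it only recognises block-style YAML as emitted by Helm templates.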