Hello,

Problem description

I am setting up TektonCD operators in an IKS cluster. This cluster is enabled with the Instana autotrace webhook. When starting the Tekton controller pods, they won't start, as they are breaking PodSecurity with the following message:

Error creating: pods "tekton-operator-proxy-webhook-59dff97bb9-fhvkh" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "instana-instrumentation-init" must set securityContext.capabilities.drop=["ALL"])
I have double-checked, and the instana-instrumentation-init container is instrumented with the correct securityContext (at the bottom of the yaml). The problem is that "all" is lowercase in

drop: all

and Pod Security is checking exactly for uppercase "ALL". The Instana operator documentation specifies the uppercase value {"drop":["ALL"]}:
https://www.ibm.com/docs/en/instana-observability/current?topic=installing-instana-operator

Expected result
The "all" value is spelled/generated as "ALL" in the securityContext of the instana-instrumentation-init containers.
Workaround
I have fixed this by modifying the instana-autotrace-webhook deployment resource yaml in my cluster and changed the environment variable to: with uppercase "ALL"
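The case-sensitivity point above is easy to reproduce outside the cluster. The script below is an added example, not code from the original post, from Instana, or from Tekton: it mirrors the PodSecurity "restricted" capabilities check (every init, regular and ephemeral container must list exactly "ALL" in capabilities.drop and may only add NET_BIND_SERVICE) so a manifest can be linted before admission rejects it, and it shows a remediation that rewrites a lowercase "all" to "ALL". The sample pod, its image references and the `sample_pod` / `check_restricted_capabilities` / `uppercase_drop_all` names are constructed for this example; the violation message for the drop case copies the wording from the error in the post, the wording for the add case is an approximation. Manifests are built as Python dicts so the script runs with the standard library only (in practice you would load them with a YAML parser).

```python
import copy
from typing import Any, Dict, Iterator, List, Tuple

# Capabilities the restricted profile still permits in capabilities.add.
ALLOWED_ADD = {"NET_BIND_SERVICE"}


def sample_pod(drop_value: str) -> Dict[str, Any]:
    """Constructed sample pod shaped like the one in the post: a webhook-injected
    init container plus the workload container. Only drop_value varies, so the
    same shape can be checked with "all" and with "ALL"."""
    def sc(drop: List[str]) -> Dict[str, Any]:
        return {
            "allowPrivilegeEscalation": False,
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
            "capabilities": {"drop": drop},
        }
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": "tekton-operator-proxy-webhook-sample"},  # constructed
        "spec": {
            "initContainers": [{
                "name": "instana-instrumentation-init",
                "image": "example.invalid/instrumentation-init:placeholder",  # constructed
                "securityContext": sc([drop_value]),
            }],
            "containers": [{
                "name": "proxy-webhook",
                "image": "example.invalid/proxy-webhook:placeholder",  # constructed
                "securityContext": sc(["ALL"]),
            }],
        },
    }


def _containers(pod_spec: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield every container the restricted profile inspects, in all three lists."""
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in pod_spec.get(field) or []:
            yield c


def check_restricted_capabilities(pod_spec: Dict[str, Any]) -> List[str]:
    """Return one violation string per offending container; empty list means pass.
    The comparison is an exact string match, exactly like the admission check,
    so a lowercase "all" is a violation."""
    violations: List[str] = []
    for c in _containers(pod_spec):
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        drop = caps.get("drop") or []
        add = caps.get("add") or []
        if "ALL" not in drop:
            violations.append(
                f'unrestricted capabilities (container "{c["name"]}" '
                'must set securityContext.capabilities.drop=["ALL"])')
        for cap in add:
            if cap not in ALLOWED_ADD:
                violations.append(
                    f'unrestricted capabilities (container "{c["name"]}" '
                    f'must not include "{cap}" in securityContext.capabilities.add)')
    return violations


def uppercase_drop_all(pod_spec: Dict[str, Any]) -> Tuple[Dict[str, Any], int]:
    """Remediation: return a copy of the spec in which any case variant of "all"
    in capabilities.drop is rewritten to "ALL", plus the number of rewrites.
    The input is not modified."""
    fixed = copy.deepcopy(pod_spec)
    changed = 0
    for c in _containers(fixed):
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        drop = caps.get("drop") or []
        for i, cap in enumerate(drop):
            if cap != "ALL" and cap.upper() == "ALL":
                drop[i] = "ALL"
                changed += 1
    return fixed, changed


if __name__ == "__main__":
    broken = sample_pod("all")["spec"]
    for v in check_restricted_capabilities(broken):
        print("REJECT:", v)
    fixed, n = uppercase_drop_all(broken)
    print(f"rewrote {n} drop entries; remaining violations: {check_restricted_capabilities(fixed)}")
```

Running it prints the same rejection line the API server produced for the lowercase value and an empty violation list after the rewrite. The same check function can be pointed at the rendered output of a mutating webhook (or a Deployment's pod template) as a CI gate, which catches this class of mismatch before the pod ever reaches a namespace labelled for the restricted profile.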