instana / instana-autotrace-webhook

Apache License 2.0

securityContext capabilities drop value of instana-instrumentation-init containers is lowercase #12

Open Thorien opened 1 year ago

Thorien commented 1 year ago

Hello,

Problem description

I am setting up TektonCD operators in an IKS Cluster. This cluster is enabled with the instana autotrace webhook. When starting the tekton controller pods, they won't start, as they are breaking PodSecurity with the following message:

Error creating: pods "tekton-operator-proxy-webhook-59dff97bb9-fhvkh" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "instana-instrumentation-init" must set securityContext.capabilities.drop=["ALL"])

I have double-checked, and the instana-instrumentation-init container is instrumented with the correct securityContext (at the bottom of the yaml).

```yaml
      initContainers:
        - name: instana-instrumentation-init
          image: >-
            icr.io/instana/instrumentation@sha256:92db1d8a0b40bc7cc54a90ee53abd6911dce0d8637679977512360e1905d69f9
          env:
            - name: INSTANA_AGENT_HOST
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.hostIP
          resources:
            limits:
              cpu: 250m
              memory: 64Mi
            requests:
              cpu: 150m
              memory: 16Mi
          volumeMounts:
            - name: instana-instrumentation-volume
              mountPath: /opt/instana/instrumentation
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
              drop:
                - all
            privileged: false
            runAsUser: 1001
            runAsNonRoot: true
            allowPrivilegeEscalation: false
```

The problem is that the "all" is lowercase in `drop: all`, and the pod security is checking exactly for uppercase "ALL". The instana operator documentation specifies the uppercase value `{"drop":["ALL"]}`: https://www.ibm.com/docs/en/instana-observability/current?topic=installing-instana-operator

Expected result

The "all" value is spelled/generated "ALL" in the securityContext of the instana-instrumentation-init containers.

Workaround

I have fixed this by modifying the instana-autotrace-webhook deployment resource yaml in my cluster and changing the environment variable to:

```yaml
            - name: INSTANA_INSTRUMENTATION_INIT_CONTAINER_SECURITY_CONTEXT
              value: >-
                {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"runAsNonRoot":true,"runAsUser":1001}
```

with uppercase "ALL".
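The admission failure in this issue comes down to a case-sensitive string comparison: the PodSecurity "restricted" profile requires the literal `"ALL"` in `securityContext.capabilities.drop`, so a generated `all` is rejected even though it is semantically what the operator intended. The following Go program is an added example, not code from the instana-autotrace-webhook project. It parses a JSON value in the shape of the `INSTANA_INSTRUMENTATION_INIT_CONTAINER_SECURITY_CONTEXT` variable shown above (the `SecurityContext` struct is an assumption of this example that mirrors the relevant Kubernetes API fields), applies the restricted profile's capabilities rule the way the admission controller does, and shows a normalization step that rewrites any case variant of `all` to `ALL` before the init container is injected. The broken and fixed env values are constructed from the issue's text.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Capabilities is the capabilities block of a container securityContext.
type Capabilities struct {
	Add  []string `json:"add,omitempty"`
	Drop []string `json:"drop,omitempty"`
}

// SecurityContext mirrors the subset of the Kubernetes container securityContext
// that appears in the issue. Field names follow the Kubernetes API, but this
// struct is an assumption of this example, not the webhook's own type.
type SecurityContext struct {
	AllowPrivilegeEscalation *bool         `json:"allowPrivilegeEscalation,omitempty"`
	Capabilities             *Capabilities `json:"capabilities,omitempty"`
	Privileged               *bool         `json:"privileged,omitempty"`
	RunAsNonRoot             *bool         `json:"runAsNonRoot,omitempty"`
	RunAsUser                *int64        `json:"runAsUser,omitempty"`
}

// BrokenEnv is a constructed value in the shape of the webhook's
// INSTANA_INSTRUMENTATION_INIT_CONTAINER_SECURITY_CONTEXT variable, carrying
// the lowercase "all" the issue reports.
const BrokenEnv = `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"runAsNonRoot":true,"runAsUser":1001}`

// FixedEnv is the corrected value from the workaround (uppercase "ALL").
const FixedEnv = `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"runAsNonRoot":true,"runAsUser":1001}`

// ParseSecurityContextEnv decodes the JSON carried by the environment variable.
func ParseSecurityContextEnv(raw string) (*SecurityContext, error) {
	var sc SecurityContext
	if err := json.Unmarshal([]byte(raw), &sc); err != nil {
		return nil, fmt.Errorf("securityContext env is not valid JSON: %w", err)
	}
	return &sc, nil
}

// CheckRestrictedCapabilities applies the capabilities rule of the PodSecurity
// "restricted" profile the way the admission controller does: drop must contain
// the literal, case-sensitive string "ALL", and add may list only
// NET_BIND_SERVICE. It returns one message per violation, empty when compliant.
func CheckRestrictedCapabilities(container string, sc *SecurityContext) []string {
	var violations []string
	dropsAll := false
	if sc != nil && sc.Capabilities != nil {
		for _, c := range sc.Capabilities.Drop {
			if c == "ALL" { // exact comparison: "all" does not count
				dropsAll = true
			}
		}
		for _, c := range sc.Capabilities.Add {
			if c != "NET_BIND_SERVICE" {
				violations = append(violations,
					fmt.Sprintf("container %q must not add capability %q", container, c))
			}
		}
	}
	if !dropsAll {
		violations = append(violations,
			fmt.Sprintf(`container %q must set securityContext.capabilities.drop=["ALL"]`, container))
	}
	return violations
}

// NormalizeDropAll upper-cases any case variant of "all" in capabilities.drop
// so a generated init container passes the check above. It reports whether
// anything was changed.
func NormalizeDropAll(sc *SecurityContext) bool {
	if sc == nil || sc.Capabilities == nil {
		return false
	}
	changed := false
	for i, c := range sc.Capabilities.Drop {
		if strings.EqualFold(c, "ALL") && c != "ALL" {
			sc.Capabilities.Drop[i] = "ALL"
			changed = true
		}
	}
	return changed
}

func main() {
	for _, raw := range []string{BrokenEnv, FixedEnv} {
		sc, err := ParseSecurityContextEnv(raw)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s\n  violations: %v\n", raw, CheckRestrictedCapabilities("instana-instrumentation-init", sc))
		if NormalizeDropAll(sc) {
			fmt.Println("  after normalizing:", CheckRestrictedCapabilities("instana-instrumentation-init", sc))
		}
	}
}
```

Running it reproduces the admission message from the issue for the lowercase value and an empty violation list for the uppercase one. The normalization is deliberately narrow: it only touches case variants of `all`, so an operator's explicit choice of other capability names is left untouched and will still be reported by the check rather than silently rewritten.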