metal-stack / gardener-extension-provider-metal

Implementation of the gardener-extension-controller for metal-stack
MIT License
24 stars, 11 forks

tailer pods violating pod security standards #327

Closed mwennrich closed 1 year ago

mwennrich commented 1 year ago

There are some deployments violating the Pod Security "restricted" profile without any need:

droptailer:
Error creating: pods "droptailer-867cfb7555-8gzmv" is forbidden: violates PodSecurity "restricted:latest": runAsNonRoot != true (pod or container "droptailer" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "droptailer" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
audittailer:
pods "audittailer-86cd855454-74g2c" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "audittailer" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "audittailer" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "audittailer" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "audittailer" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
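As an added illustration (not code from the gardener-extension-provider-metal repository), the following reproduces the four checks behind the admission messages quoted above over a PodSpec-shaped dict, and includes a helper that applies the minimal settings the restricted profile asks for. The two sample specs are constructed to resemble the droptailer and audittailer errors and are not the project's real manifests; image names and the `harden` helper are assumptions for the example.

```python
import copy

# Seccomp profile types accepted by the restricted Pod Security Standard.
ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}
# The only capability the restricted profile allows a container to add back.
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}


def _containers(pod_spec):
    # initContainers are held to the same rules as regular containers.
    return (pod_spec.get("initContainers") or []) + (pod_spec.get("containers") or [])


def restricted_violations(pod_spec):
    """Return the restricted-profile violations of a PodSpec-shaped dict.

    Mirrors the four checks named in the admission errors: runAsNonRoot,
    seccompProfile, allowPrivilegeEscalation and capabilities. Pod-level
    runAsNonRoot/seccompProfile values apply to every container that does
    not override them, as in the real admission controller.
    """
    violations = []
    pod_sc = pod_spec.get("securityContext") or {}
    pod_non_root = pod_sc.get("runAsNonRoot")
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")

    for c in _containers(pod_spec):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}

        # A container may inherit the pod-level value but must not set false.
        if sc.get("runAsNonRoot", pod_non_root) is not True:
            violations.append(
                f'runAsNonRoot != true (pod or container "{name}" must set '
                "securityContext.runAsNonRoot=true)"
            )

        seccomp = (sc.get("seccompProfile") or {}).get("type", pod_seccomp)
        if seccomp not in ALLOWED_SECCOMP_TYPES:
            violations.append(
                f'seccompProfile (pod or container "{name}" must set '
                'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'
            )

        # These two have no pod-level equivalent; every container must set them.
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(
                f'allowPrivilegeEscalation != false (container "{name}" must set '
                "securityContext.allowPrivilegeEscalation=false)"
            )

        caps = sc.get("capabilities") or {}
        dropped = caps.get("drop") or []
        added = set(caps.get("add") or [])
        if "ALL" not in dropped or not added <= ALLOWED_ADDED_CAPS:
            violations.append(
                f'unrestricted capabilities (container "{name}" must set '
                'securityContext.capabilities.drop=["ALL"])'
            )
    return violations


def harden(pod_spec):
    """Return a deep copy of pod_spec with the minimal restricted-profile settings (hypothetical helper)."""
    spec = copy.deepcopy(pod_spec)
    pod_sc = spec.get("securityContext") or {}
    pod_sc["runAsNonRoot"] = True
    pod_sc["seccompProfile"] = {"type": "RuntimeDefault"}
    spec["securityContext"] = pod_sc
    for c in _containers(spec):
        sc = c.get("securityContext") or {}
        sc["allowPrivilegeEscalation"] = False
        sc["capabilities"] = {"drop": ["ALL"]}
        c["securityContext"] = sc
    return spec


# Constructed sample specs (not the project's real manifests): the first resembles
# the droptailer error (only runAsNonRoot and seccompProfile missing), the second
# resembles the audittailer error (no securityContext at all).
DROPTAILER_LIKE = {
    "containers": [{
        "name": "droptailer",
        "image": "example.invalid/droptailer",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}
AUDITTAILER_LIKE = {
    "containers": [{"name": "audittailer", "image": "example.invalid/audittailer"}],
}

if __name__ == "__main__":
    for spec in (DROPTAILER_LIKE, AUDITTAILER_LIKE):
        print("before:", restricted_violations(spec))
        print("after: ", restricted_violations(harden(spec)))
```

One caveat when applying the fix: `runAsNonRoot: true` makes the kubelet refuse to start a container whose image runs as UID 0, so the image must use a non-root user or the spec must also set `runAsUser` to a non-zero UID; and dropping ALL capabilities must be verified against what the tailer actually needs to open its input.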
majst01 commented 1 year ago

We should fix this before

Gerrit91 commented 1 year ago

References https://github.com/fi-ts/cloudctl/issues/234.