redpanda-data / redpanda

Redpanda is a streaming data platform for developers. Kafka API compatible. 10x faster. No ZooKeeper. No JVM!
https://redpanda.com

[operator] Security context rules should be available as parameters #7817

Closed mgrzybek closed 10 months ago

mgrzybek commented 1 year ago

Some templating is needed to set some security context rules.

https://github.com/redpanda-data/redpanda/blob/f12e562db3b0eecfe4b32824a2b7375f55f5cbda/src/go/k8s/helm-chart/charts/redpanda-operator/templates/deployment.yaml#L97

Deploying on OpenShift is not allowed because of some default values. The only allowed namespace is default.

Error creating:
pods "redpanda-operator-7db8d486bd-" is forbidden: unable to validate against any security context constraint: [
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider "anyuid-extra": Forbidden: not usable by user or serviceaccount,
spec.containers[0].securityContext.runAsUser: Invalid value: 65532: must be in the ranges: [1000900000, 1000909999],
spec.containers[1].securityContext.runAsUser: Invalid value: 65532: must be in the ranges: [1000900000, 1000909999],
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "noobaa": Forbidden: not usable by user or serviceaccount,
provider "noobaa-endpoint": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "rook-ceph": Forbidden: not usable by user or serviceaccount,
provider "node-exporter": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount,
provider "rook-ceph-csi": Forbidden: not usable by user or serviceaccount
]
tzahigro1 commented 7 months ago

I encounter a similar issue where I have a policy in AKS and I need to change the securityContext.

The securityContext under spec.template.spec is set to:

securityContext:
  runAsUser: 65532

Which causes the following error: Error creating: admission webhook "validation.gatekeeper.sh" denied the request: [azurepolicy-k8sazurev3noprivilegeescalatio-329f1c51ff130dd44f2e] Privilege escalation container is not allowed: kube-rbac-proxy

If changing it to the following, it fixes the error:

securityContext:
  runAsNonRoot: true
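As an added example (not code from this issue or from the Redpanda project), the script below is a small pre-flight check that models the two admission rules quoted in the thread: the OpenShift restricted SCC's UID range (MustRunAsRange over the namespace's `openshift.io/sa.scc.uid-range`, which is where the `[1000900000, 1000909999]` bounds come from) and the Azure Policy / Gatekeeper constraint on `allowPrivilegeEscalation`. Both pod specs are constructed for illustration, and the way each policy is modelled (an unset `runAsUser` being filled from the SCC range and therefore admitted, an unset `allowPrivilegeEscalation` counting as a violation) is my reading of those policies, not something the thread states.

```python
"""Pre-flight check of a pod spec against the two admission rules seen in this
thread. Added example, not Redpanda code. The sample specs are constructed and
the policies are modelled here rather than read from a cluster."""

from dataclasses import dataclass
from typing import Optional

# Constructed: the operator pod as the issue describes it, both containers
# pinned to UID 65532 and nothing said about privilege escalation.
ORIGINAL_POD = {
    "securityContext": {"runAsUser": 65532},
    "containers": [
        {"name": "manager", "securityContext": {"runAsUser": 65532}},
        {"name": "kube-rbac-proxy", "securityContext": {"runAsUser": 65532}},
    ],
}

# Constructed: the same pod with the UID left to the platform and the fields
# that restrictive admission policies inspect set explicitly.
HARDENED_POD = {
    "securityContext": {
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [
        {"name": "manager",
         "securityContext": {"allowPrivilegeEscalation": False,
                             "capabilities": {"drop": ["ALL"]}}},
        {"name": "kube-rbac-proxy",
         "securityContext": {"allowPrivilegeEscalation": False,
                             "capabilities": {"drop": ["ALL"]}}},
    ],
}

# Fields that exist only on the container securityContext in the Kubernetes API.
CONTAINER_ONLY = {"allowPrivilegeEscalation", "capabilities", "privileged",
                  "readOnlyRootFilesystem"}


@dataclass
class Policy:
    name: str
    # OpenShift restricted SCC: MustRunAsRange; an unset runAsUser is filled
    # from the namespace range, a set one must fall inside it (assumption).
    uid_range: Optional[tuple] = None
    # Azure Policy / Gatekeeper "no privilege escalation": every container must
    # set allowPrivilegeEscalation: false; unset counts as a violation (assumption).
    forbid_priv_esc: bool = False
    # Require runAsNonRoot: true at pod or container level.
    require_non_root: bool = False


OPENSHIFT_RESTRICTED = Policy("openshift-restricted",
                              uid_range=(1000900000, 1000909999))
AKS_NO_PRIV_ESC = Policy("azurepolicy-noprivilegeescalation", forbid_priv_esc=True)


def effective(pod: dict, container: dict, key: str):
    """Container-level securityContext overrides the pod-level one; fields that
    only exist on containers are never inherited from the pod."""
    csc = container.get("securityContext", {})
    if key in csc or key in CONTAINER_ONLY:
        return csc.get(key)
    return pod.get("securityContext", {}).get(key)


def check(pod: dict, policy: Policy) -> list:
    """Return the admission errors the policy would raise; [] means admitted."""
    errors = []
    for i, c in enumerate(pod.get("containers", [])):
        path = f"spec.containers[{i}].securityContext"
        if policy.uid_range:
            uid = effective(pod, c, "runAsUser")
            lo, hi = policy.uid_range
            if uid is not None and not lo <= uid <= hi:
                errors.append(f"{path}.runAsUser: {uid} must be in the range [{lo}, {hi}]")
        if policy.forbid_priv_esc and effective(pod, c, "allowPrivilegeEscalation") is not False:
            errors.append(f"{path}.allowPrivilegeEscalation: must be false for {c['name']}")
        if policy.require_non_root and effective(pod, c, "runAsNonRoot") is not True:
            errors.append(f"{path}.runAsNonRoot: must be true for {c['name']}")
    return errors


if __name__ == "__main__":
    for label, pod in (("original", ORIGINAL_POD), ("hardened", HARDENED_POD)):
        for policy in (OPENSHIFT_RESTRICTED, AKS_NO_PRIV_ESC):
            print(label, policy.name, check(pod, policy) or "admitted")
```

In a Helm chart the usual way to let operators satisfy whichever of these policies their cluster enforces is to render the pod- and container-level `securityContext` from values with `toYaml` rather than hard-coding them in the template, so that a fixed UID can be omitted on OpenShift and `allowPrivilegeEscalation: false` added where Gatekeeper requires it.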