Closed hafizmujadidKhalid closed 1 year ago
Can you please test the related chart in the PR?
I'd like to understand if these defaults are OK for your use case.
Hey @valeriano-manassero !
Thanks for the quick solution. I think the number of errors is reduced now and the validations are failing only on init containers:
disallow-capabilities-strict:
autogen-require-drop-all: 'validation failure: Containers must drop `ALL` capabilities.'
disallow-privilege-escalation:
autogen-privilege-escalation: 'validation error: Privilege escalation is disallowed.
The fields spec.containers[*].securityContext.allowPrivilegeEscalation, spec.initContainers[*].securityContext.allowPrivilegeEscalation,
and spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation must
be set to `false`. rule autogen-privilege-escalation failed at path /spec/template/spec/containers/0/securityContext/'
validate-seccomp-location:
@hafizmujadidKhalid securityContext should be set for all init containers afaik; can you please list which init containers have this problem and their generated yaml manifest?
@valeriano-manassero! I think containerSecurityContext is missing in Coordinator container: https://github.com/valeriano-manassero/helm-charts/blob/425c0d103e93c02eddcf3070386cdabda73c725a/valeriano-manassero/trino/templates/deployment-coordinator.yaml#L186
Is your feature request related to a problem?
Hey folks!
I am trying to deploy Trino using your provided helm chart, but since our EKS cluster has some validations in place, it fails to deploy. The failing validations are things like running with non_root_user and dropping all capabilities, etc.
Describe the solution you'd like.
To fix it, I have to add the following security context for the container:
and the following for the pod:
I want to support general securityContext settings inside the values.yaml file, and they should be reflected in the relevant deployments. I would have created a PR, but due to my limited knowledge of Helm templating I could not produce well-indented YAML.
Describe alternatives you've considered.
None. Our security team has these security and validation checks in place and is not willing to relax them. I have to deploy by rendering the template and modifying the actual yaml files.
Additional context.
No response
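The templating pattern the request above is asking for, as an added example that is not the chart's own code or values: a `podSecurityContext` and a `containerSecurityContext` value block, rendered into the pod template and into every container and init container with `toYaml | nindent`, which is what produces correctly indented output regardless of how many keys the operator sets. The value names, the container names and the image fields are assumptions; only the settings themselves (drop `ALL`, `allowPrivilegeEscalation: false`, `runAsNonRoot`, a seccomp profile) come from the policy messages and the request earlier in this thread.

```yaml
# values.yaml (hypothetical keys; settings chosen to satisfy the
# drop-ALL / privilege-escalation / non-root / seccomp checks quoted above)
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
  fsGroup: 1000
  seccompProfile:
    type: RuntimeDefault

containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL

---
# templates/deployment-coordinator.yaml (excerpt; hypothetical names)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-coordinator
spec:
  template:
    spec:
      {{- with .Values.podSecurityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      initContainers:
        - name: wait-for-config          # hypothetical init container
          image: {{ .Values.initImage }}
          {{- with .Values.containerSecurityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
      containers:
        - name: trino-coordinator
          image: {{ .Values.image }}
          {{- with .Values.containerSecurityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
```

The `nindent` argument is the column of the rendered keys, not of the `securityContext:` line: 8 under the pod spec, 12 under a list item in `containers` or `initContainers`. The `with` guard means an empty value block renders nothing rather than `securityContext: {}`, and reusing the same `containerSecurityContext` for init containers is what keeps the `spec.initContainers[*]` checks from failing once the main containers pass. Before opening a PR, render the chart with `helm template` and submit the result with `kubectl apply --dry-run=server -f -`; server-side dry-run goes through the cluster's admission policies, so the same validation failures show up without creating anything.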