Open ILZ1105 opened 7 months ago
Thanks for reporting. PSA was added in the official Bitnami chart as part of a wider standardization and it seems it's failing here. Looks like an issue, yep. If you have a workaround and you want to send a PR adding the fix in the code, please feel more than welcome!
I think Bitnami is actually fine, I'd have to double-check. It's all the additional repos that are being added which are missing these settings.
I'm not sure if I can propose a proper pull request to fix it myself as these repos and therefore their corresponding cronjobs are added after adding them via kubeapps (or when upgrading it seems to ditch those settings too actually, I'm guessing because they're recreated).
Been a while since I've been using GitHub, so I'm a bit rusty. :P
Describe the bug
Package Repositories cannot be synched with PSA (restricted) enabled. The respective cronjobs that are created miss the required PSA settings.
To Reproduce
Steps to reproduce the behavior:
Warning FailedCreate 3m28s (x1142 over 4d17h) job-controller (combined from similar events): Error creating: pods "apprepo-kubeapps-sync-test-r82t5-c9gdb" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "sync" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "sync" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "sync" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "sync" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Expected behavior
The respective settings can be applied to the cronjobs:
Additional context
You can work around the issue by manually adding the respective settings in all the cronjobs:
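Added example, not part of the original issue or the Kubeapps code: a check for the four restricted-profile rules named in the FailedCreate event, run against a constructed CronJob manifest, plus a helper that sets them on every container. The manifest, image name and function names are assumptions, and the full "restricted" standard has more controls than these four.

```python
import copy

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

def pod_spec(cronjob):
    """Pod spec embedded in a batch/v1 CronJob manifest."""
    return cronjob["spec"]["jobTemplate"]["spec"]["template"]["spec"]

def containers(spec):
    return (spec.get("initContainers") or []) + (spec.get("containers") or [])

def violations(cronjob):
    """(container, rule) pairs for the four rules named in the event."""
    spec = pod_spec(cronjob)
    pod_sc = spec.get("securityContext") or {}
    found = []
    for c in containers(spec):
        sc = c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append((c["name"], "allowPrivilegeEscalation"))
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            found.append((c["name"], "capabilities.drop"))
        # Pod-level values apply unless the container sets its own.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append((c["name"], "runAsNonRoot"))
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP:
            found.append((c["name"], "seccompProfile"))
    return found

def harden(cronjob):
    """Copy of the manifest with the four settings set on every container."""
    fixed = copy.deepcopy(cronjob)
    for c in containers(pod_spec(fixed)):
        sc = c.setdefault("securityContext", {})
        sc["allowPrivilegeEscalation"] = False
        sc["capabilities"] = {**(sc.get("capabilities") or {}), "drop": ["ALL"]}
        sc["runAsNonRoot"] = True
        sc["seccompProfile"] = {"type": "RuntimeDefault"}
    return fixed

# Constructed sample: names and image are placeholders, not from the issue.
SAMPLE = {
    "apiVersion": "batch/v1", "kind": "CronJob",
    "metadata": {"name": "apprepo-sync-example"},
    "spec": {"schedule": "*/10 * * * *", "jobTemplate": {"spec": {"template": {
        "spec": {"restartPolicy": "OnFailure", "containers": [
            {"name": "sync", "image": "registry.example/sync:placeholder"}]}}}}},
}

if __name__ == "__main__":
    print(violations(SAMPLE))
    print(violations(harden(SAMPLE)))
```

Passing admission is not the same as running: with runAsNonRoot set, the kubelet refuses to start a container whose image runs as UID 0, so the image itself must use a non-root user.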