File system restore cannot work in PSA enabled Kubernetes cluster

[ywk253100]

Got the following error:

time="2024-09-16T17:14:27Z" level=error msg="Namespace wordpress, resource restore error: error restoring pods/wordpress/wordpress-845697cddc-pcpqw: pods \"wordpress-845697cddc-pcpqw\" is forbidden: violates PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"restore-wait\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"restore-wait\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"restore-wait\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"restore-wait\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")" logSource="pkg/controller/restore_controller.go:580" restore=velero/restore-from-bl-dev-01
time="2024-09-16T17:14:27Z" level=error msg="Namespace wordpress, resource restore error: error restoring pods/wordpress/wordpress-mariadb-0: pods \"wordpress-mariadb-0\" is forbidden: violates PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"restore-wait\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"restore-wait\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"restore-wait\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"restore-wait\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")" logSource="pkg/controller/restore_controller.go:580" restore=velero/restore-from-bl-dev-01

The necessary SecurityContext should be added to the init container to not break the pod security policy.

Environment:

• Velero version (use velero version):
• Velero features (use velero client config get features):
• Kubernetes version (use kubectl version):
• Kubernetes installer & version:
• Cloud provider or hardware configuration:
• OS (e.g. from /etc/os-release):

Vote on this issue!

This is an invitation to the Velero community to vote on issues, you can see the project's top voted issues listed here.
Use the "reaction smiley face" up to the right of this comment to vote.

• :+1: for "I would like to see this bug fixed as soon as possible"
• :-1: for "There are more important bugs to focus on right now"

[reasonerjt]

If we can't make it in v1.15.0, the fix should be cherry-picked in v1.15.1

[kaovilai]

Would this also apply to datamover?

[blackpiglet]

IMO, the data mover's intermediate pod is created in the Velero installed namespace. There are some differences from the PodVolumeBackup scenario, we already applied the privileged PSA by default to it by velero install CLI.