zegl / kube-score

Kubernetes object analysis with recommendations for improved reliability and security. kube-score actively prevents downtime and bugs in your Kubernetes YAML and Charts. Static code analysis for Kubernetes.
https://kube-score.com
MIT License
2.68k stars 175 forks

question: how to ignore init container in multi pod deployment #470

Open nwsparks opened 2 years ago

nwsparks commented 2 years ago

I'm not seeing a way to set annotations for a specific pod in a deployment.

I have a deployment that has to run an init container as root to deal with setting privileges in an EFS mount so that the app containers can run as non-root. I'd like to be able to set ignores for this pod only. Is that possible?

kmarteaux commented 2 years ago

I do not think it is possible to do with an annotation. Init containers support all the fields and features of app containers, including resource limits, volumes, and security settings. It would be sensible to set the security context for the init container to ensure its elevated privilege is limited to accomplishing the EFS mount.
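As an added illustration of the approach described in the previous comment (not a manifest from the issue's participants or from the kube-score project): the init container keeps root only with the capabilities the chown needs, while the app container runs unprivileged. The PVC name, image names and the kube-score check name in the annotation are assumptions.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: efs-app
  annotations:
    # Object-level ignore: applies to every container in the pod template, not only
    # the init container. Check name assumed; confirm with `kube-score list`.
    kube-score/ignore: container-security-context-user-group-id
spec:
  selector:
    matchLabels:
      app: efs-app
  template:
    metadata:
      labels:
        app: efs-app
    spec:
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: efs-claim   # assumed PVC backed by EFS
      initContainers:
        - name: fix-perms
          image: busybox:1.36
          # Has to run as root to chown the EFS mount; keep that privilege narrow.
          securityContext:
            runAsUser: 0
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
              add: ["CHOWN", "FOWNER", "DAC_OVERRIDE"]
          command: ["sh", "-c", "chown -R 1000:1000 /data && chmod 750 /data"]
          volumeMounts:
            - name: data
              mountPath: /data
      containers:
        - name: app
          image: registry.example.com/app:1.0   # placeholder image
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: data
              mountPath: /data
```

Other kube-score checks (resource limits, probes, image tags) still apply to this manifest; only the security context portion is shown here.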

nwsparks commented 2 years ago

The problem is that in this scenario there is no alternative other than running it as root when it comes to EFS. There's a GitHub issue open about it here https://github.com/kubernetes/examples/issues/260

So there is no way I can see to stop kube-conform from alarming on it.

kmarteaux commented 2 years ago

At present kube-score container checks apply to both init and standard containers. It would be possible to differentiate between the two and permit an annotation such as -- "kube-score/ignore: init-container", but I will defer to @zegl's judgement on the matter. @zegl - if you think it is sensible to permit the disabling of container checks against init-containers, I will implement it.

nwsparks commented 1 year ago

I think that sounds like a reasonable implementation. An alternative that could provide more flexibility might be ignoring based on container name.