Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restricted PodSecurity violation from deployments #6532

Closed
matzew opened this issue Sep 22, 2022 · 4 comments · Fixed by #6533
Closed

Restricted PodSecurity violation from deployments #6532

matzew opened this issue Sep 22, 2022 · 4 comments · Fixed by #6533
Assignees
@matzew
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@matzew
Copy link
Member

matzew commented Sep 22, 2022

Running with a restricted knative-eventing Namespace:

apiVersion: v1
kind: Namespace
metadata:
  name: knative-eventing
  labels:
    eventing.knative.dev/release: devel
    app.kubernetes.io/version: devel
    app.kubernetes.io/name: knative-eventing
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted

Results in warnings, like (here for the eventing-controller):

Warning: would violate PodSecurity "restricted:latest": unrestricted capabilities (container "eventing-controller" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "eventing-controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

No deployments are being created
@matzew matzew added the kind/bug Categorizes issue or PR as related to a bug. label Sep 22, 2022
@matzew
Copy link
Member Author

matzew commented Sep 22, 2022

/assign matzew

@matzew matzew mentioned this issue Sep 22, 2022
Closed
@matzew
Copy link
Member Author

matzew commented Sep 22, 2022

Related is also that currently we have all in the capabilities section, but it must be ALL since this is the only acceptable string check here and here.

@matzew
Copy link
Member Author

matzew commented Sep 22, 2022

With ALL instead of all, the warning per deployment reduces to:

Warning: would violate PodSecurity "restricted:latest": seccompProfile (pod or container "eventing-webhook" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

@matzew
Copy link
Member Author

matzew commented Sep 22, 2022

Adding the following to the deployments.apps:

...
          seccompProfile:
            type: RuntimeDefault
...

lets the deployment succeed.

@matzew matzew mentioned this issue Sep 22, 2022
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@matzew matzew

Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Enhance PodSecurityPolicy for restricted namespace matzew/eventing
1 participant
@matzew