Helm: securityContext / containerSecurityContext not fully propagated?
udf2457 opened this issue · comments
Given the following custom `values.yaml`:

```yaml
reloader:
  reloadStrategy: annotations
  readOnlyRootFileSystem: true
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containerSecurityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop: [ALL]
```
I would expect Reloader to install without issue in a Restricted PSS environment (https://kubernetes.io/docs/concepts/security/pod-security-standards/).
However, instead, running `helm install stakater-reloader -f path/to/my/stakater-reloader/values.yaml stakater/reloader` I am greeted with:

```
W0319 12:17:55.847256 5976 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "stakater-reloader-reloader" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "stakater-reloader-reloader" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "stakater-reloader-reloader" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
```
This therefore implies that the `securityContext` and `containerSecurityContext` are not fully propagated in the Helm chart?

Unfortunately I'm still a bit of a Helm noob and so don't have the skills to troubleshoot and provide a PR, but hopefully it should be a fairly simple fix?
@faizanahmad055 tested it on Minikube and OpenShift but was not able to reproduce it.

@karl-johan-grahn Was your environment set up to enforce?
My environment is k3s, with security set up as per the docs (https://docs.k3s.io/security/hardening-guide), in particular the PSA:

```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1beta1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "restricted"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: [kube-system, cis-operator-system]
```
@udf2457 We would like to reproduce it; can you provide the template with the values file that you use?
You are missing the `deployment` key for your values, it should be:

```yaml
reloader:
  reloadStrategy: annotations
  readOnlyRootFileSystem: true
  deployment: # << currently missing
    securityContext:
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault
    containerSecurityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: [ALL]
```
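To see concretely why the misplaced keys produce exactly the three complaints in the warning above, and why moving them under `deployment` clears them, here is an added checker for the Restricted PSS fields the PodSecurity plugin names. This is example code written for this thread, not the Reloader project's code or the chart's real rendered output: the two Pod specs are constructed by hand (placeholder image name, a pod-level `runAsNonRoot` assumed present so the "broken" case reports the same three violations as the warning), and the checks follow the admission wording with container-level settings overriding pod-level ones.

```python
# Added example, not part of the Reloader chart: a minimal Restricted-PSS
# checker for the fields named in the PodSecurity warning, run over two
# hand-constructed Pod specs that stand in for `helm template` output.

RESTRICTED_SECCOMP_TYPES = ("RuntimeDefault", "Localhost")


def restricted_violations(pod_spec: dict) -> list[str]:
    """Return one message per Restricted-PSS violation found in a Pod spec.

    Checks the same fields the admission plugin reports: allowPrivilegeEscalation
    must be false, capabilities.drop must contain ALL, seccompProfile.type must be
    RuntimeDefault or Localhost (pod or container level), and runAsNonRoot must be
    true (pod or container level). Container-level values override pod-level ones,
    as in the real plugin.
    """
    findings = []
    pod_sc = pod_spec.get("securityContext") or {}
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for container in containers:
        name = container["name"]
        sc = container.get("securityContext") or {}

        # Unset counts as a violation: the field must be explicitly false.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(
                f'allowPrivilegeEscalation != false (container "{name}" must set '
                "securityContext.allowPrivilegeEscalation=false)"
            )

        drop = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in drop:
            findings.append(
                f'unrestricted capabilities (container "{name}" must set '
                'securityContext.capabilities.drop=["ALL"])'
            )

        # A container-level profile wins over the pod-level one, so a container
        # set to "Unconfined" fails even when the pod sets RuntimeDefault.
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in RESTRICTED_SECCOMP_TYPES:
            findings.append(
                f'seccompProfile (pod or container "{name}" must set '
                'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'
            )

        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_non_root is not True:
            findings.append(
                f'runAsNonRoot != true (pod or container "{name}" must set '
                "securityContext.runAsNonRoot=true)"
            )
    return findings


def rendered_without_deployment_key() -> dict:
    """Constructed spec for the broken values: the securityContext keys sat
    outside `deployment`, so the container got no securityContext at all.
    A pod-level runAsNonRoot is assumed present so that, like the warning in
    this issue, exactly three violations remain."""
    return {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "stakater-reloader-reloader", "image": "placeholder/reloader:example"}
        ],
    }


def rendered_with_deployment_key() -> dict:
    """Constructed spec for the corrected values (keys under `deployment`)."""
    return {
        "securityContext": {
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [
            {
                "name": "stakater-reloader-reloader",
                "image": "placeholder/reloader:example",
                "securityContext": {
                    "allowPrivilegeEscalation": False,
                    "readOnlyRootFilesystem": True,
                    "capabilities": {"drop": ["ALL"]},
                },
            }
        ],
    }


if __name__ == "__main__":
    for label, spec in (
        ("keys outside deployment", rendered_without_deployment_key()),
        ("keys under deployment", rendered_with_deployment_key()),
    ):
        problems = restricted_violations(spec)
        print(f"{label}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

To run this against a real chart rather than the constructed specs, load the output of `helm template` with a YAML parser such as PyYAML and pass each Deployment's `spec.template.spec` to `restricted_violations`; an empty list means the rendered Pod would pass the `restricted` profile enforced by the PSA configuration shown earlier in the thread.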
Is this working for the below setting?

```yaml
capabilities:
  drop: [ALL]
```

What are the capabilities that are needed to run this image?
I had the same issue; I raised an MR with the fix #540.

There is no need to add default settings for `containerSecurityContext`, just use the correct keys within your values.
> Is this working for the below setting?
>
> ```yaml
> capabilities:
>   drop: [ALL]
> ```

Yes, this is templated properly.