MAISTRA-548 Drop CAP_MKNOD from sidecar container #102
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The anyuid SCC requires the MKNOD kernel capability to be dropped. If the container's spec doesn't drop it, the SCC admission controller tries to add it, but isn't allowed to, because it tries to do that during the validation phase (as the sidecar container wasn't injected prior to the SCC controller running during the mutation phase). Because it can't mutate the pod, the SCC admission controller rejects it. By dropping the capability in the sidecar template, the mutation is not required and thus the pod is marked as valid by the SCC admission controller.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The anyuid SCC requires the MKNOD kernel capability to be dropped. If
the container's spec doesn't drop it, the SCC admission controller tries
to add it, but isn't allowed to, because it tries to do that during the
validation phase (as the sidecar container wasn't injected prior to the
SCC controller running during the mutation phase). Because it can't
mutate the pod, the SCC admission controller rejects it. By dropping the
capability in the sidecar template, the mutation is not required and
thus the pod is marked as valid by the SCC admission controller.