
Set seccompProfile to ensure that deployment is successful on PSA enforced cluster. #1466

Closed
rohitagg2020 opened this issue Jan 28, 2024 · 0 comments · Fixed by #1467
Labels
bug This issue describes a defect or unexpected behavior carvel-accepted This issue should be considered for future work and that the triage process has been completed priority/important-soon Must be staffed and worked on currently or soon.

Comments

@rohitagg2020
Contributor

What steps did you take:
Given I have a Kubernetes cluster with Pod Security Admission set to enforced. When I deployed kapp-controller on the Kubernetes cluster, the kapp-controller pod doesn't come up and the deployment fails:

$ kubectl get deploy/kapp-controller -n kapp-controller -oyaml | yq .status
availableReplicas: 1
conditions:
  - lastTransitionTime: "2024-01-28T07:14:03Z"
    lastUpdateTime: "2024-01-28T07:14:03Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  - lastTransitionTime: "2024-01-28T07:13:33Z"
    lastUpdateTime: "2024-01-28T07:15:04Z"
    message: Created new replica set "kapp-controller-6b8d5dc9d8"
    reason: NewReplicaSetCreated
    status: "True"
    type: Progressing
  - lastTransitionTime: "2024-01-28T07:15:04Z"
    lastUpdateTime: "2024-01-28T07:15:04Z"
    message: 'admission webhook "pod-security-webhook.kubernetes.io" denied the request: pods "kapp-controller-6b8d5dc9d8-ghkg6" is forbidden: violates PodSecurity "restricted:latest": seccompProfile (pod or containers "kapp-controller", "kapp-controller-sidecarexec" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'
    reason: FailedCreate
    status: "True"
    type: ReplicaFailure
observedGeneration: 2
readyReplicas: 1
replicas: 1
unavailableReplicas: 1

What happened:
Kapp-controller deployment fails to bring up the pod.

What did you expect:
Kapp-controller deployment to be running successfully.

Anything else you would like to add:
Setting the seccompProfile to RuntimeDefault will also harden the container security.

Environment:

  • kapp Controller version (execute kubectl get deployment -n kapp-controller kapp-controller -o yaml and the annotation is kbld.k14s.io/images):
  • Kubernetes version (use kubectl version)

Vote on this request

This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.

👍 "I would like to see this addressed as soon as possible"
👎 "There are other more important things to focus on right now"

We are also happy to receive and review Pull Requests if you want to help working on this issue.
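The admission message above says the "restricted" level rejects a pod unless every container ends up with securityContext.seccompProfile.type of RuntimeDefault or Localhost, set either on the container or inherited from the pod. The following added example (not kapp-controller code, and not part of this issue) is a simplified re-implementation of that one rule, run over a constructed pod spec with the two container names from the error; it assumes the pod-level/container-level inheritance described in the PodSecurity docs and ignores the other restricted-level checks.

```python
"""Flag pod specs that the PodSecurity 'restricted' level would reject for seccompProfile.

Simplified re-implementation of the single rule quoted in the admission error
(added example, not kapp-controller code): every container's effective
securityContext.seccompProfile.type must be RuntimeDefault or Localhost, taken
from the container if set there, otherwise inherited from the pod securityContext.
"""
import copy

ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}


def _seccomp_type(security_context):
    """Return seccompProfile.type from a securityContext dict, or None if unset."""
    return ((security_context or {}).get("seccompProfile") or {}).get("type")


def seccomp_violations(pod_spec):
    """Return the names of containers whose effective seccomp type is not allowed."""
    pod_type = _seccomp_type(pod_spec.get("securityContext"))
    violations = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in pod_spec.get(field, []):
            # Container-level value wins; otherwise the pod-level value applies.
            effective = _seccomp_type(container.get("securityContext")) or pod_type
            if effective not in ALLOWED_SECCOMP_TYPES:
                violations.append(container["name"])
    return violations


def with_runtime_default(pod_spec):
    """Return a copy of pod_spec with pod-level seccompProfile set to RuntimeDefault (the fix)."""
    fixed = copy.deepcopy(pod_spec)
    fixed.setdefault("securityContext", {})["seccompProfile"] = {"type": "RuntimeDefault"}
    return fixed


# Constructed pod spec mirroring the two containers named in the admission error;
# no seccompProfile is set anywhere, which is what the restricted level rejects.
BROKEN_SPEC = {
    "containers": [
        {"name": "kapp-controller", "image": "placeholder-image"},
        {"name": "kapp-controller-sidecarexec", "image": "placeholder-image"},
    ],
}

if __name__ == "__main__":
    print(seccomp_violations(BROKEN_SPEC))                        # both containers
    print(seccomp_violations(with_runtime_default(BROKEN_SPEC)))  # []
```

A container that explicitly overrides a compliant pod-level setting with "Unconfined" is still reported, which is why the check is evaluated per container rather than only at the pod level.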

@rohitagg2020 rohitagg2020 added bug This issue describes a defect or unexpected behavior carvel-triage This issue has not yet been reviewed for validity carvel-accepted This issue should be considered for future work and that the triage process has been completed priority/unprioritized-backlog Higher priority than priority/awaiting-more-evidence but not planned. Contributions are welcome. priority/important-soon Must be staffed and worked on currently or soon. and removed carvel-triage This issue has not yet been reviewed for validity priority/unprioritized-backlog Higher priority than priority/awaiting-more-evidence but not planned. Contributions are welcome. labels Jan 28, 2024