-
Notifications
You must be signed in to change notification settings - Fork 38.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PodSecurityPolicy choose the wrong one, making pod unable to start #71787
Comments
@nmiculinic: There are no sig labels on this issue. Please add a sig label by either:
Note: Method 1 will trigger an email to the group. See the group list. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There's also a workaround if I renamed my |
the order policies are chosen in is described in https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
/close |
@liggitt: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Policy /open |
PodSecurityPolicy uses the information in the pod spec, and the pod spec did not indicate the container required running as root. |
So if I set |
Yes |
What happened:
I start a deployment:
The controllers do their thing and I end up with following pod:
and since nginx starts with root user it fails. Horribly.
However there is another security policy,
semi-restricted
:which ought to be selected.
The service account has permissions for both policies
What you expected to happen:
The pod wouldn't have it's security context modified as much, and admission controler would pick
semi-restricted
security policy.How to reproduce it (as minimally and precisely as possible):
It's described above
Environment:
kubectl version
):uname -a
): Ubuntu 18.04 LTS, amd 64/kind bug
The text was updated successfully, but these errors were encountered: