Kyverno's default restrict-automount-sa-token policy denies the installation of policy-reporter #155
Comments
If I set
Any ideas how to make it run without setting it?
The SA is required to get permissions for accessing the K8s API. That's because it is set to true. There is no real workaround for it. The only possible solution could be to add a manual volume and volumeMount instead of the automount feature.
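For anyone who wants to follow the manual volume route mentioned above, here is an added example (my own illustration, not a manifest from this thread or from the policy-reporter project) of what it looks like: a Pod with automount switched off and the three files the automounter would normally provide (token, ca.crt, namespace) supplied through a projected volume instead. The namespace, service account, container and image names are placeholders. Because the projected serviceAccountToken source is issued by the API server at mount time, no Secret name with a random suffix has to be known in advance.

```yaml
# Added example: replaces the automounted SA token with an explicit projected volume.
# Names, namespace and image are placeholders, not policy-reporter's real manifest.
apiVersion: v1
kind: Pod
metadata:
  name: api-client-example
  namespace: policy-reporter
spec:
  serviceAccountName: policy-reporter      # placeholder SA; must already exist in the namespace
  automountServiceAccountToken: false      # this is what restrict-automount-sa-token checks
  containers:
  - name: app
    image: example.invalid/api-client:1.0  # placeholder image
    volumeMounts:
    - name: kube-api-access
      # Same path the automounter uses, so in-cluster client libraries find the files unchanged
      mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      readOnly: true
  volumes:
  - name: kube-api-access
    projected:
      sources:
      - serviceAccountToken:            # short-lived bound token minted by the API server
          path: token
          expirationSeconds: 3600       # kubelet refreshes it before expiry
      - configMap:                      # cluster CA bundle published in every namespace
          name: kube-root-ca.crt
          items:
          - key: ca.crt
            path: ca.crt
      - downwardAPI:                    # the namespace file the client reads for defaulting
          items:
          - path: namespace
            fieldRef:
              fieldPath: metadata.namespace
```

The pod still authenticates as its service account, so its RBAC permissions are unchanged; the only difference is that the mount is explicit and reviewable, which is exactly the property the policy is trying to enforce.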
So it's something we can fix in the deployment manifests? I prefer to handle all that manual stuff on the helm side during installation. Currently, it's not possible to run this project with Kyverno's default policy enforcement, which decreases the UX a bit in the first place.
But you will have the same problem with all tools that access the K8s API in some cases; the Policy description also says that the intention is to prevent automount for pods that are not interacting with the K8s API.
Because the SA secret name has a dynamic suffix like
You could add an exclude label and add this label to the policy-reporter pods and other K8s API related tools. Would it make sense to add some kind of exclusion (e.g. label) to the Kyverno Policy directly @chipzoller @realshuting?
Sure, should it exclude by name?
If you want to add a policy-reporter specific exclude I would suggest the label
Glad to accept a PR to the policy if one is made.
Thanks @chipzoller. I will open one.
I created kyverno/policies#348 which should resolve your issue, and the Policy should no longer deny the Policy Reporter deployment.
The updated Policy now has an exclude filter for Policy Reporter (kyverno/policies#348) which should fix this issue.
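As an added illustration of the exclude-by-label approach agreed on above (this is my own example in the shape of restrict-automount-sa-token, not the text of kyverno/policies#348 or of the policy as shipped), here is a Kyverno rule that validates Pods but skips those carrying a specific label. The label key and value `app.kubernetes.io/name: policy-reporter` are an assumption; the real policy may select on something else. The one caveat worth keeping in mind: a label-based exclude is only as strong as the control over who may set that label, so it belongs with RBAC that limits who can create workloads in the namespaces where this exemption is acceptable.

```yaml
# Added example modeled on restrict-automount-sa-token; not the upstream policy text.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-automount-sa-token
spec:
  validationFailureAction: enforce   # start with "audit" to see what would be blocked
  background: true
  rules:
  - name: validate-automountServiceAccountToken
    match:
      any:
      - resources:
          kinds:
          - Pod
    exclude:
      any:
      - resources:
          # Assumed label: pods of tools that legitimately talk to the API carry it
          # and are skipped by this rule entirely.
          selector:
            matchLabels:
              app.kubernetes.io/name: policy-reporter
    validate:
      message: "Auto-mounting of Service Account tokens is not allowed."
      pattern:
        spec:
          automountServiceAccountToken: "false"
```

Running the policy in audit mode first and reviewing the resulting PolicyReport entries shows which other API-consuming workloads (controllers, operators, metrics agents) would need the same label before switching to enforce.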
Shouldn't we set
automountServiceAccountToken: "false"
in the deployment manifest? Any ideas why we set it to true instead?
Rule:
cc @developer-guy