Add securitycontext to keystore container #820

@cthtrifork cthtrifork commented May 22, 2024

Description

This fixes the issue found in this Kubernetes event log:

create Pod opensearch-data-0 in StatefulSet opensearch-data failed error: pods "opensearch-data-0" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "keystore" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "keystore" must set securityContext.capabilities.drop=["ALL"])  

When we are running

labels:
    pod-security.kubernetes.io/enforce: restricted

Issues Resolved

List any issues this PR will resolve, e.g. Closes [...].

Check List

  • Commits are signed per the DCO using --signoff
  • Unittest added for the new/changed functionality and all unit tests are successful
  • Customer-visible features documented
  • No linter warnings (make lint)

If CRDs are changed:

  • CRD YAMLs updated (make manifests) and also copied into the helm chart
  • Changes to CRDs documented

Please refer to the PR guidelines before submitting this pull request.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Casper Thygesen <cth@trifork.com>
@cthtrifork cthtrifork force-pushed the feature/add-security-context-to-keystore-container branch from ddb95c9 to 65f52c1 Compare May 22, 2024 18:53
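
The two checks named in the event above can be run against a pod spec before it reaches a namespace that enforces `restricted`. This is an added example in Go, not code from this PR or from the operator; the type names, the sample spec and the `sidecar` container are assumptions, and it covers only these two checks, not the rest of the restricted profile.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Only the fields the two checks need; encoding/json matches keys case-insensitively.
type container struct {
	Name            string
	SecurityContext struct {
		AllowPrivilegeEscalation *bool
		Capabilities             struct{ Drop []string }
	}
}
type podSpec struct{ InitContainers, Containers, EphemeralContainers []container }

// Constructed sample; container placement and the "sidecar" name are assumptions.
const samplePodSpec = `{
 "initContainers": [{"name": "keystore"}],
 "containers": [{"name": "opensearch", "securityContext": {"allowPrivilegeEscalation": false, "capabilities": {"drop": ["ALL"]}}},
  {"name": "sidecar", "securityContext": {"allowPrivilegeEscalation": false, "capabilities": {"drop": ["NET_RAW"]}}}]
}`

// violations lists containers failing either check; an unset field counts as failing.
func violations(specJSON string) ([]string, error) {
	var spec podSpec
	if err := json.Unmarshal([]byte(specJSON), &spec); err != nil {
		return nil, err
	}
	var out []string
	all := append(append(spec.InitContainers, spec.Containers...), spec.EphemeralContainers...)
	for _, c := range all {
		sc := c.SecurityContext
		if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			out = append(out, c.Name+": allowPrivilegeEscalation != false")
		}
		dropsAll := false
		for _, d := range sc.Capabilities.Drop {
			dropsAll = dropsAll || d == "ALL"
		}
		if !dropsAll {
			out = append(out, c.Name+": capabilities.drop lacks ALL")
		}
	}
	return out, nil
}

func main() { fmt.Println(violations(samplePodSpec)) }
```

Every container list in the spec is checked because Pod Security admission rejects the pod if any one container fails, as the `keystore` container did here.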

@swoehrl-mw swoehrl-mw left a comment


LGTM

@swoehrl-mw swoehrl-mw merged commit f58948e into opensearch-project:main May 28, 2024
9 checks passed
@prudhvigodithi prudhvigodithi mentioned this pull request Jun 19, 2024