init-config-reloader cannot run in restricted PSS #6361

Open
1 task done
rajan123456 opened this issue Mar 3, 2024 · 2 comments

Comments

@rajan123456

Is there an existing issue for this?

  • I have searched the existing issues

What happened?

Description

bitnami/charts#23606

I am using the bitnami distribution of the kube-prometheus helm chart and deploying it in a Kubernetes namespace which enforces restricted PSS. The init-config-reloader initContainers of both alertmanager and prometheus statefulSets are unable to be admitted to the cluster as they do not set the securityContext properly.

Steps to Reproduce

  1. Create a namespace:
     kubectl create ns ns-prometheus
  2. Label the namespace to enforce restricted PSS:
     kubectl label --overwrite ns ns-prometheus pod-security.kubernetes.io/enforce=restricted pod-security.kubernetes.io/enforce-version=v1.29
  3. Install the helm chart:
     helm upgrade --install my-prometheus bitnami/kube-prometheus -n ns-prometheus
  4. Verify status of statefulsets

Expected Result

The statefulSet pods should be admitted to the namespace enforcing restricted PSS

Actual Result

Pods are rejected:

Prometheus StatefulSet

Events:
  Type     Reason        Age                    From                    Message
  ----     ------        ----                   ----                    -------
  Warning  FailedCreate  2m23s (x16 over 5m7s)  statefulset-controller  create Pod prometheus-my-prometheus-kube-prometh-prometheus-0 in StatefulSet prometheus-my-prometheus-kube-prometh-prometheus failed error: pods "prometheus-my-prometheus-kube-prometh-prometheus-0" is forbidden: violates PodSecurity "restricted:v1.29": runAsNonRoot != true (pod or container "init-config-reloader" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "init-config-reloader" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

AlertManager StatefulSet

Events:
  Type     Reason        Age                     From                    Message
  ----     ------        ----                    ----                    -------
  Warning  FailedCreate  49s                     statefulset-controller  create Pod alertmanager-my-prometheus-kube-prometh-alertmanager-0 in StatefulSet alertmanager-my-prometheus-kube-prometh-alertmanager failed error: pods "alertmanager-my-prometheus-kube-prometh-alertmanager-0" is forbidden: violates PodSecurity "restricted:v1.29": runAsNonRoot != true (pod or container "init-config-reloader" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "init-config-reloader" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Prometheus Operator Version

0.71.2

Kubernetes Version

1.29.x

Kubernetes Cluster Type

kubeadm

How did you deploy Prometheus-Operator?

Other (please comment)

Manifests

No response

prometheus-operator log output

NA

Anything else?

No response

@rajan123456 rajan123456 added kind/bug needs-triage Issues that haven't been triaged yet labels Mar 3, 2024
@simonpasquier simonpasquier added kind/feature help wanted and removed kind/bug needs-triage Issues that haven't been triaged yet labels Mar 26, 2024
@simonpasquier
Contributor

In the meantime, you should be able to use https://prometheus-operator.dev/docs/operator/strategic-merge-patch/ to override the default settings.

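The two admission failures in the issue and the workaround suggested in the comment above, as an added example (this is not code from the issue, the bitnami chart or prometheus-operator). The pod template below is constructed to match the shape of the error, not copied from the operator: the pod-level securityContext sets neither runAsNonRoot nor a seccomp profile, the prometheus container sets both itself, and init-config-reloader sets only the other restricted fields. The checker implements the four container-level rules that the restricted profile adds on top of baseline (runAsNonRoot, seccompProfile, allowPrivilegeEscalation, capabilities drop ALL) with the pod-or-container fallback the error message refers to; it is a subset of the real admission plugin, not a replacement for it. The merge function emulates what the linked page describes for the initContainers field of the Prometheus and Alertmanager CRs, a strategic merge patch keyed on container name, so that an override for init-config-reloader patches the generated container instead of adding a second one.

```python
"""Restricted-PSS check of a pod template, then a name-keyed initContainers
override and a re-check. Added example; the spec below is constructed."""
import copy

# Constructed pod template shaped like the issue's error: the pod level sets
# no runAsNonRoot/seccompProfile, init-config-reloader sets only the fields
# the restricted profile already accepted. Not the operator's real template.
GENERATED_POD_SPEC = {
    "securityContext": {"fsGroup": 2000, "runAsUser": 1000},
    "initContainers": [
        {
            "name": "init-config-reloader",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
                "readOnlyRootFilesystem": True,
            },
        }
    ],
    "containers": [
        {
            "name": "prometheus",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
                "runAsNonRoot": True,
                "seccompProfile": {"type": "RuntimeDefault"},
            },
        }
    ],
}

# Equivalent of this fragment on the Prometheus/Alertmanager CR (assumed YAML):
#   spec:
#     initContainers:
#     - name: init-config-reloader
#       securityContext:
#         runAsNonRoot: true
#         seccompProfile:
#           type: RuntimeDefault
CR_OVERRIDE = [
    {
        "name": "init-config-reloader",
        "securityContext": {
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
    }
]


def restricted_violations(pod_spec):
    """Container-level rules of the restricted profile, worded like the
    admission error. A container value overrides the pod value; a pod-level
    value satisfies every container that does not override it."""
    pod_sc = pod_spec.get("securityContext") or {}
    violations = []
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext") or {}
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(
                f'runAsNonRoot != true (pod or container "{name}" must set '
                "securityContext.runAsNonRoot=true)")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            violations.append(
                f'seccompProfile (pod or container "{name}" must set '
                'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(
                f'allowPrivilegeEscalation != false (container "{name}" must set '
                "securityContext.allowPrivilegeEscalation=false)")
        if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
            violations.append(
                f'unrestricted capabilities (container "{name}" must set '
                'securityContext.capabilities.drop=["ALL"])')
    return violations


def _deep_merge(dst, src):
    """Recursive dict merge; non-dict values (including lists) are replaced."""
    for key, value in src.items():
        if isinstance(value, dict) and isinstance(dst.get(key), dict):
            _deep_merge(dst[key], value)
        else:
            dst[key] = copy.deepcopy(value)


def merge_init_containers(pod_spec, overrides):
    """Name-keyed merge: an override matching a generated init container's
    name patches that container; an unmatched name is appended as a new one."""
    merged = copy.deepcopy(pod_spec)
    by_name = {c["name"]: c for c in merged.setdefault("initContainers", [])}
    for override in overrides:
        target = by_name.get(override["name"])
        if target is None:
            merged["initContainers"].append(copy.deepcopy(override))
        else:
            _deep_merge(target, override)
    return merged


def before_and_after():
    """Violations of the generated template, then of the patched template."""
    before = restricted_violations(GENERATED_POD_SPEC)
    after = restricted_violations(merge_init_containers(GENERATED_POD_SPEC, CR_OVERRIDE))
    return before, after


if __name__ == "__main__":
    before, after = before_and_after()
    print("before:", *before, sep="\n  ")
    print("after:", after)
```

Setting runAsNonRoot and seccompProfile at the pod level would also clear both findings for every container in the pod, but the override above is the narrower change and leaves the other containers' contexts untouched; the merge keeps the reloader's existing allowPrivilegeEscalation and capabilities settings because only the keys present in the override are written.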
@yp969803
Contributor

/assign

yp969803 added a commit to yp969803/prometheus-operator that referenced this issue Apr 3, 2024
yp969803 added a commit to yp969803/prometheus-operator that referenced this issue May 16, 2024
…tor#6361)

feat: added restricted pss for thanos and alertmanager init loader