Enable containerSecurityContext and resources limits for initContainers
louisgls opened this issue · 5 comments
I would like to be able to set the containerSecurityPolicy and the resources for the init-tls-secret initContainer.
At the moment, because of policies configured in our cluster, I can't deploy the chart. I've found a quick fix that consists of adding the missing parameters with kustomize, but it would be awesome if we could have resources and containerSecurityContext configurable for initContainers, just as they are for the openldap container.
Another solution could be to make init-tls-secret optional so it can be removed or updated like this:
```yaml
initContainers:
  - name: init-tls-secret
    image: alpine/openssl:latest
    imagePullPolicy: Always
    command:
      - sh
      - -c
      - |
        cp -Lr /tmp-certs/* /certs
    volumeMounts:
      - name: certs
        mountPath: "/certs"
      - name: secret-certs
        mountPath: "/tmp-certs"
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      runAsNonRoot: true
      runAsUser: 1001
      seccompProfile:
        type: RuntimeDefault
    resources:
      limits:
        cpu: 50m
        memory: 64Mi
```
Hi @louisgls
The parameters in this part can be customized, so I think it might be a usage issue.
Hi @opencmit2, thank you for your answer.
My problem is that I can't start any container that does not have a containerSecurityContext, which is the case for init-tls-secret and update-replication.
```
would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "init-tls-secret", "update-replication" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "init-tls-secret", "update-replication" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "init-tls-secret", "update-replication" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "init-tls-secret", "update-replication" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
```
I also need to configure resources for each container.
```
create Pod openldap-0 in StatefulSet openldap failed error: pods "openldap-0" is forbidden: failed quota: default-ktkk5: must specify limits.cpu for: init-tls-secret,update-replication; limits.memory for: init-tls-secret,update-replication
```
The fact that containerSecurityContext and resources are not configurable prevents the StatefulSet from being started at all.
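To make the two admission failures above reproducible outside a cluster, here is an added example (not from the issue or from the chart) that runs the same checks over a pod spec held as a plain Python dict: the four PodSecurity "restricted" checks named in the first error, and the per-container `limits.cpu`/`limits.memory` requirement behind the quota error. `SAMPLE_POD` is constructed to resemble the chart's pod, with `init-tls-secret` and `update-replication` lacking a securityContext and resources while `openldap` already carries the values proposed above; the image tags are placeholders. `harden()` shows the effect of a chart value that applies one securityContext and one limits block to every container that does not set its own; the key name `initContainers.containerSecurityContext` mentioned in its docstring is hypothetical. Only the four checks from the quoted error are implemented, not the full restricted profile.

```python
# Added example, not code from the issue or the chart. Reproduces the
# PodSecurity "restricted" checks quoted in the admission error and the
# per-container limits check behind the quota error, over a dict pod spec.
import copy

# Values proposed in the issue for the init container, reused as defaults.
RESTRICTED_SECURITY_CONTEXT = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "runAsNonRoot": True,
    "runAsUser": 1001,
    "seccompProfile": {"type": "RuntimeDefault"},
}
DEFAULT_LIMITS = {"cpu": "50m", "memory": "64Mi"}

# Constructed pod spec: the init container and the replication sidecar have
# no securityContext or resources; the openldap container is already hardened.
SAMPLE_POD = {
    "initContainers": [
        {"name": "init-tls-secret", "image": "alpine/openssl:latest"},
    ],
    "containers": [
        {
            "name": "openldap",
            "image": "openldap:placeholder",  # constructed tag
            "securityContext": copy.deepcopy(RESTRICTED_SECURITY_CONTEXT),
            "resources": {"limits": dict(DEFAULT_LIMITS)},
        },
        {"name": "update-replication", "image": "alpine:placeholder"},  # constructed tag
    ],
}


def iter_containers(pod_spec):
    """Yield init containers first, then regular containers."""
    for kind in ("initContainers", "containers"):
        for container in pod_spec.get(kind, []):
            yield container


def restricted_violations(pod_spec):
    """Return (container name, reason) pairs for the four 'restricted' checks
    in the error message. runAsNonRoot and seccompProfile may be satisfied
    at pod level, so the pod-level securityContext is used as a fallback."""
    pod_sc = pod_spec.get("securityContext", {})
    violations = []
    for container in iter_containers(pod_spec):
        name = container["name"]
        sc = container.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append((name, "allowPrivilegeEscalation != false"))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            violations.append((name, "capabilities.drop must include ALL"))
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append((name, "runAsNonRoot != true"))
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            violations.append((name, "seccompProfile.type not RuntimeDefault/Localhost"))
    return violations


def missing_limits(pod_spec):
    """Return (container name, 'limits.cpu' | 'limits.memory') pairs, mirroring
    a quota that requires both limits on every container, init containers included."""
    missing = []
    for container in iter_containers(pod_spec):
        limits = container.get("resources", {}).get("limits", {})
        for resource in ("cpu", "memory"):
            if resource not in limits:
                missing.append((container["name"], f"limits.{resource}"))
    return missing


def harden(pod_spec, security_context=RESTRICTED_SECURITY_CONTEXT, limits=DEFAULT_LIMITS):
    """Return a copy in which every container lacking a securityContext or
    limits receives the defaults; containers that already set them are left
    alone. This is the effect a chart value such as
    initContainers.containerSecurityContext (hypothetical key) would have."""
    hardened = copy.deepcopy(pod_spec)
    for container in iter_containers(hardened):
        container.setdefault("securityContext", copy.deepcopy(security_context))
        container.setdefault("resources", {}).setdefault("limits", dict(limits))
    return hardened


if __name__ == "__main__":
    for name, reason in restricted_violations(SAMPLE_POD) + missing_limits(SAMPLE_POD):
        print(f"{name}: {reason}")
    fixed = harden(SAMPLE_POD)
    print("after harden:", restricted_violations(fixed), missing_limits(fixed))
```

Running it lists eight restricted-profile violations and four missing limits, all on `init-tls-secret` and `update-replication`, and none after `harden()`; the original dict is not modified, so the same spec can be re-checked before and after.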
Hi @louisgls
I have added the required content based on your needs; please download the latest content to try it out, and close this issue.
Hi @opencmit2, thank you very much for your work, I'll test it this week.
Hi @opencmit2, this is perfect, thank you very much.