Helm install fails in PSS restricted clusters because of hardcoded securityContext values

Question

Helm install fails in PSS restricted clusters because of hardcoded securityContext values

m00nyONE opened this issue 10 months ago · 4 comments

m00nyONE commented 10 months ago

What happened:

i wanted to deploy kubeclarity via Helm on a PSS (restriced mode) secured cluster

What you expected to happen:

that the helm chart gives the oportunity to set seccompProfiles

How to reproduce it (as minimally and precisely as possible):

create cluster with PSS and try install kubeclarify in a restricted namespace

Are there any error messages in KubeClarity logs?

no

Anything else we need to know?:

pods "kubeclarity-kubeclarity-grype-server-59f88f8f8d-x8mzb" is forbidden: violates PodSecurity "restricted:latest": seccompProfile (pod or container "grype-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

The Problem can easily be solved by not hardcoding the securityContext and allow a manual override in the Helm Chart

Environment:

Kubernetes version (use kubectl version --short): 1.26
Helm version (use helm version): 3.13.2
KubeClarity version (use kubectl -n kubeclarity exec deploy/kubeclarity -- ./backend version): 2.23.1
KubeClarity Helm Chart version (use helm -n kubeclarity list): 2.23.1
Cloud provider or hardware configuration: i can not tell you about that. The only thing i am allowed to tell is that it is a gardener provisioned cluster
Others:

Answer 1 · 2024-03-24T00:24:24.000Z

Thank you for your contribution! This issue has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 14 days, if no further activity occurs. If this issue is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.

Answer 2 · 2024-04-04T10:10:17.000Z

+1 facing the same issue right now

Answer 3 · 2024-06-23T00:25:53.000Z

Thank you for your contribution! This issue has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 14 days, if no further activity occurs. If this issue is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.

Answer 4 · 2024-07-07T00:26:55.000Z

This issue has been marked stale for 14 days, and is now closed due to inactivity. If the issue is still relevant, please re-open this issue or file a new one. Thank you!