rh-mobb/documentation

AWS Secrets Manager CSI Doc Issue

Closed this issue · 1 comments

Attempted to follow the doc below with a customer on ROSA with OpenShift Version 4.13.4:

Git Link:
https://github.com/rh-mobb/documentation/blob/main/content/docs/rosa/aws-secrets-manager-csi/_index.md

Weblink:
https://mobb.ninja/docs/rosa/aws-secrets-manager-csi/

When we tried to boot up a pod we kept getting the following error:

Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "my-application-deployment" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "my-application-deployment" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "my-application-deployment" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "my-application-deployment" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Error from server (Forbidden): error when creating "STDIN": pods "my-application" is forbidden: my-application uses an inline volume provided by CSIDriver secrets-store.csi.k8s.io and namespace my-application has a pod security enforce level that is lower than privileged

Which sounded like something at the namespace level was blocking us from using the privileged SCC. We found this documentation:

https://kubernetes.io/docs/tutorials/security/cluster-level-pss/

And the customer was able to work around the issue by removing the `pod-security.kubernetes.io/enforce: privileged` flag which we assume was added by default since we are using ROSA.

Going to try to work this week to see if we can use a lesser SCC policy since it looks to me like the DaemonSet does not actually require privileged access:

https://github.com/aws/secrets-store-csi-driver-provider-aws/blob/main/deployment/aws-provider-installer.yaml

```yaml
securityContext:
  privileged: false
  allowPrivilegeEscalation: false
```
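As an added example (not code from this issue, the rh-mobb documentation, or the AWS provider installer): a small Python checker that evaluates a pod spec against the four restricted-profile controls quoted in the PodSecurity warning above, plus the `privileged` condition that the DaemonSet snippet sets to `false`. The two pod manifests are constructed inline as Python dicts rather than YAML so the script runs offline; the image name and the `with_container_override` helper are assumptions. The violating pod mirrors the shape of the rejected `my-application` pod, and the hardened one adds exactly the `securityContext` fields the warning asks for. It models only the PodSecurity controls named on this page, not the separate CSI inline-volume check in the second error.

```python
import copy

# Allowed seccomp profile types under the 'restricted' Pod Security Standard.
RESTRICTED_SECCOMP = {"RuntimeDefault", "Localhost"}


def check_restricted(pod):
    """Return the list of violations a 'restricted' enforce level would report.

    An empty list means the pod spec satisfies the controls modelled here:
    allowPrivilegeEscalation, capabilities, runAsNonRoot, seccompProfile and
    (from the baseline profile) privileged.
    """
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    violations = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}

        # Privileged containers are rejected already at the baseline level.
        if sc.get("privileged") is True:
            violations.append(f'container "{name}" must not set securityContext.privileged=true')

        # Must be explicitly false; leaving it unset counts as a violation.
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f'container "{name}" must set securityContext.allowPrivilegeEscalation=false')

        # Must drop ALL; only NET_BIND_SERVICE may be added back.
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            violations.append(f'container "{name}" must set securityContext.capabilities.drop=["ALL"]')
        extra = set(caps.get("add") or []) - {"NET_BIND_SERVICE"}
        if extra:
            violations.append(f'container "{name}" adds disallowed capabilities {sorted(extra)}')

        # Pod-level values are inherited unless the container overrides them.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_non_root is not True:
            violations.append(f'pod or container "{name}" must set securityContext.runAsNonRoot=true')

        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if seccomp.get("type") not in RESTRICTED_SECCOMP:
            violations.append(f'pod or container "{name}" must set securityContext.seccompProfile.type '
                              'to "RuntimeDefault" or "Localhost"')
    return violations


def with_container_override(pod, container_name, **security_context):
    """Assumed helper: deep-copy the pod and merge fields into one container's securityContext."""
    new_pod = copy.deepcopy(pod)
    for c in new_pod["spec"]["containers"]:
        if c["name"] == container_name:
            c.setdefault("securityContext", {}).update(security_context)
    return new_pod


# Constructed sample resembling the pod rejected in the issue: no securityContext at all.
VIOLATING_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "my-application", "namespace": "my-application"},
    "spec": {
        "containers": [{
            "name": "my-application-deployment",
            "image": "registry.example.com/my-application:placeholder",  # placeholder image
        }],
    },
}

# The same pod with the fields the PodSecurity warning asks for.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "my-application", "namespace": "my-application"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "my-application-deployment",
            "image": "registry.example.com/my-application:placeholder",  # placeholder image
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


if __name__ == "__main__":
    for label, pod in (("violating", VIOLATING_POD), ("hardened", HARDENED_POD)):
        result = check_restricted(pod)
        print(f"{label}: {'OK' if not result else ''}")
        for v in result:
            print("  -", v)
```

Running it reports the same four findings the API server warned about for the first manifest and nothing for the second. The pod-level `runAsNonRoot` and `seccompProfile` are inherited by every container, so a single container that overrides `runAsNonRoot: false` reintroduces a violation even when the pod level is set correctly.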

Fixed by #456