sighupio/gatekeeper-policy-manager

deployment/gatekeeper-policy-manager fails with restricted PSS

brsolomon-deloitte opened this issue · 2 comments

When upgrading to Kubernetes 1.24 and rolling out this app, we get the following failure:

Error creating: pods "gatekeeper-policy-manager-658d8c8988-wrzqr" is forbidden: violates PodSecurity "restricted:v1.24": unrestricted capabilities (container "gatekeeper-policy-manager" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "gatekeeper-policy-manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

This is using chart version 0.3.1 with the following values.yaml:

# $ cat values.yaml
gatekeeper-policy-manager:
  image:
    tag: "v1.0.2"
  replicaCount: 2
  serviceAccount:
    create: true
  ingress:
    enabled: true
    annotations:
      nginx.ingress.kubernetes.io/auth-url: "http://<REDACTED>svc.cluster.local/oauth2/auth"
      nginx.ingress.kubernetes.io/auth-signin: "https://<REDACTED>oauth2/start?rd=https%3A%2F%2F$host$escaped_request_uri"
    hosts:
      - host: opa.<REDACTED>
        paths:
          - "/"
  config:
    logLevel: info
    secretKey: <REDACTED>

Kubernetes provider is Amazon EKS 1.24.

Here is the manifest that Helm attempts to deploy:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/instance: gatekeeper-policy-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: gatekeeper-policy-manager
    app.kubernetes.io/version: v1.0.2
    helm.sh/chart: gatekeeper-policy-manager-0.3.1
  name: gatekeeper-policy-manager
  namespace: gatekeeper-system
spec:
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/instance: gatekeeper-policy-manager
      app.kubernetes.io/name: gatekeeper-policy-manager
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: gatekeeper-policy-manager
        app.kubernetes.io/name: gatekeeper-policy-manager
    spec:
      containers:
        - env:
            - name: GPM_LOG_LEVEL
              value: INFO
            - name: GPM_PREFERRED_URL_SCHEME
              value: http
            - name: GPM_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  key: secretKey
                  name: gatekeeper-policy-manager
          image: 'quay.io/sighup/gatekeeper-policy-manager:v1.0.2'
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /health
              port: http
          name: gatekeeper-policy-manager
          ports:
            - containerPort: 8080
              name: http
              protocol: TCP
          readinessProbe:
            httpGet:
              path: /health
              port: http
          resources:
            limits:
              cpu: 500m
              memory: 256Mi
            requests:
              cpu: 100m
              memory: 128Mi
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            runAsNonRoot: true
      securityContext:
        runAsNonRoot: true
      serviceAccountName: gatekeeper-policy-manager

Fix:

gatekeeper-policy-manager:
  securityContext:
    allowPrivilegeEscalation: false
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      drop:
        - ALL
    runAsNonRoot: true

https://kubernetes.io/docs/tutorials/security/cluster-level-pss/

Hi Brad,

Thank you for pointing this out :) I personally would not call this a bug, but an enhancement.

The issue is not related to the upgrade to K8s v1.24, but to having the PSS set to restricted. Even using baseline, for example, does not trigger the issue.

Notice that OPA Gatekeeper v3.9 also is not compliant with restricted (seems to be fixed in 3.10):

$ kubectl label --dry-run=server --overwrite ns gatekeeper-system pod-security.kubernetes.io/enforce=restricted
Warning: existing pods in namespace "gatekeeper-system" violate the new PodSecurity enforce level "restricted:latest"
Warning: gatekeeper-audit-6d67868587-qfkhc (and 3 other pods): unrestricted capabilities
Warning: gatekeeper-policy-manager-7bf7fd6fd6-rlh5k: unrestricted capabilities, seccompProfile
namespace/gatekeeper-system labeled

Would you like to open a PR to improve the chart and the manifests security defaults?

Thanks!
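As an added example (not code from the issue or from the gatekeeper-policy-manager project), a small Python pre-check that applies the restricted-profile rules behind the two warnings above to a pod spec constructed from the manifest in the issue, before and after the proposed fix. It covers only the securityContext fields the profile enforces that appear on this page, so `kubectl label --dry-run=server` remains the authoritative check.

```python
import copy

# Pod spec constructed from the Deployment manifest in the issue; fields
# irrelevant to Pod Security admission (env, probes, resources) are omitted.
ORIGINAL_POD_SPEC = {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{
        "name": "gatekeeper-policy-manager",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "privileged": False,
            "runAsNonRoot": True,
        },
    }],
}

def _effective(key, container_sc, pod_sc):
    # Container-level securityContext overrides the pod-level one.
    return container_sc[key] if key in container_sc else pod_sc.get(key)

def check_restricted(pod_spec):
    """Return violation strings for the restricted PSS rules covered here
    (empty list means compliant for this subset)."""
    pod_sc = pod_spec.get("securityContext") or {}
    violations = []
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        sc, name = c.get("securityContext") or {}, c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        if _effective("runAsNonRoot", sc, pod_sc) is not True:
            violations.append(f"{name}: runAsNonRoot must be true")
        caps = sc.get("capabilities") or {}
        if "ALL" not in [d.upper() for d in caps.get("drop", [])]:
            violations.append(f"{name}: capabilities.drop must include ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            violations.append(f"{name}: only NET_BIND_SERVICE may be added")
        seccomp = (_effective("seccompProfile", sc, pod_sc) or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return violations

def apply_issue_fix(pod_spec):
    """Return a copy using the container securityContext from the 'Fix' block."""
    fixed = copy.deepcopy(pod_spec)
    for c in fixed["containers"]:
        c["securityContext"] = {
            "allowPrivilegeEscalation": False,
            "seccompProfile": {"type": "RuntimeDefault"},
            "capabilities": {"drop": ["ALL"]},
            "runAsNonRoot": True,
        }
    return fixed

if __name__ == "__main__":
    print(check_restricted(ORIGINAL_POD_SPEC))            # the two findings from the error
    print(check_restricted(apply_issue_fix(ORIGINAL_POD_SPEC)))  # []
```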