Volsync does not start in cluster with PodSecurityAdmission set to restricted
Describe the bug: VolSync fails to start in a cluster with Pod Security Configuration enforced to restricted, due to a missing seccompProfile.
Steps to reproduce: Enforce pod security configuration to restricted in your cluster, then deploy VolSync.
Expected behavior: VolSync is actually deployed.
Actual results:
Error creating: pods "volsync-554964465c-lw8t4" is forbidden:
violates PodSecurity "restricted:latest":
seccompProfile (pod or containers "kube-rbac-proxy", "manager" must set securityContext.seccompProfile.type
to "RuntimeDefault" or "Localhost")
Additional context: #292 is somewhat related, but deals with the implementation in kind, I guess.
You may need to set podSecurityContext.seccompProfile.type in your values.yaml
https://github.com/backube/volsync/blob/main/helm/volsync/values.yaml#L66
Right... not sure how I missed that... Anyway:
podSecurityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
Leads to:
pod/volsync-5cc98f9b59-plvkf
Error: container has runAsNonRoot and image will run as root
(pod: "volsync-5cc98f9b59-plvkf_volsync(d7b7b3c9-8959-48ca-b8b3-b8a226c21c12)", container: manager)
So, a new thing failed, but runAsNonRoot needs to be set in order to reach restricted.
I think it sounds like you also will need to set podSecurityContext.runAsUser in your system. By default we normally set this to 65534 if you don't specify a podSecurityContext.
So, this is the conclusion I chose:
podSecurityContext:
  runAsUser: 1000
  runAsGroup: 1000
  fsGroup: 1000
  fsGroupChangePolicy: "OnRootMismatch"
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
This will allow VolSync to work under restricted.
In order to do backups/restores:
moverSecurityContext:
  runAsUser: 1000
  runAsGroup: 1000
  fsGroup: 1000
  fsGroupChangePolicy: "OnRootMismatch"
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
Maybe some of these values should be the defaults?
My issue is closed, however: I solved it with some configuration. I'll leave it open in case someone needs/wants to change the default securityContext of VolSync.
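The two errors in this thread come from two different gatekeepers: Pod Security Admission rejects the pod at creation time when no allowed seccompProfile is set, and the kubelet rejects it at start time when runAsNonRoot is true but the effective UID (runAsUser, or the image's USER when runAsUser is unset) is root. The following added example, which is not VolSync code, models both checks offline over constructed pod specs that mirror the three configurations discussed above (chart without seccomp, seccomp without runAsUser, and the final working values); the container names and the image UIDs in IMAGE_USERS are assumptions for illustration, and only the restricted-profile rules this thread hits are modelled.

```python
"""Offline model of the two checks behind the errors in this thread:
PSA 'restricted' (seccompProfile, runAsNonRoot) and the kubelet's
'container has runAsNonRoot and image will run as root' check.
Added example; pod specs below are constructed, not taken from the chart."""
from typing import Any, Dict, List, Optional

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def _sc(obj: Dict[str, Any]) -> Dict[str, Any]:
    return obj.get("securityContext") or {}


def _seccomp_type(sc: Dict[str, Any]) -> Optional[str]:
    return (sc.get("seccompProfile") or {}).get("type")


def _quote(names: List[str]) -> str:
    return ", ".join(f'"{n}"' for n in names)


def check_restricted(pod_spec: Dict[str, Any]) -> List[str]:
    """Return PSA-style violation strings; [] means the modelled rules pass.
    Only seccompProfile, runAsNonRoot and runAsUser=0 are modelled; the real
    restricted profile also checks capabilities, privilege escalation, etc."""
    pod_sc = _sc(pod_spec)
    pod_seccomp = _seccomp_type(pod_sc)
    violations: List[str] = []
    if pod_seccomp is not None and pod_seccomp not in ALLOWED_SECCOMP:
        violations.append(f'seccompProfile (pod must not set securityContext.seccompProfile.type to "{pod_seccomp}")')
    seccomp_missing, seccomp_bad, nonroot_bad, root_uid = [], [], [], []
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        sc = _sc(c)
        ctype = _seccomp_type(sc)
        if ctype is None:
            # Container inherits the pod-level profile, which must be allowed.
            if pod_seccomp not in ALLOWED_SECCOMP:
                seccomp_missing.append(c["name"])
        elif ctype not in ALLOWED_SECCOMP:
            seccomp_bad.append(c["name"])
        # Container-level runAsNonRoot overrides the pod value; must end up true.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            nonroot_bad.append(c["name"])
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            root_uid.append(c["name"])
    if seccomp_missing:
        violations.append(f'seccompProfile (pod or containers {_quote(seccomp_missing)} must set '
                          'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
    if seccomp_bad:
        violations.append(f'seccompProfile (containers {_quote(seccomp_bad)} set a disallowed type)')
    if nonroot_bad:
        violations.append(f'runAsNonRoot != true (pod or containers {_quote(nonroot_bad)} must set '
                          'securityContext.runAsNonRoot=true)')
    if root_uid:
        violations.append(f'runAsUser=0 (containers {_quote(root_uid)} must not set runAsUser=0)')
    return violations


def kubelet_nonroot_check(pod_spec: Dict[str, Any], image_users: Dict[str, Optional[int]]) -> List[str]:
    """Model of the kubelet start-time check. image_users maps container name
    to the numeric UID from the image's USER directive (None = no USER, i.e. root).
    Simplification: a non-numeric USER in the image is not modelled."""
    pod_sc = _sc(pod_spec)
    errors: List[str] = []
    for c in pod_spec.get("containers", []):
        sc = _sc(c)
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            continue
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid is None:
            uid = image_users.get(c["name"])  # fall back to the image's USER
        if uid is None or uid == 0:
            errors.append(f'container has runAsNonRoot and image will run as root (container: {c["name"]})')
    return errors


# Constructed samples mirroring the thread. IMAGE_USERS is an assumption:
# the manager image is taken to set no USER, the proxy image a non-root UID.
CONTAINERS = [{"name": "kube-rbac-proxy"}, {"name": "manager"}]
IMAGE_USERS = {"kube-rbac-proxy": 65532, "manager": None}
CHART_DEFAULT = {"securityContext": {"runAsNonRoot": True, "runAsUser": 65534}, "containers": CONTAINERS}
FIRST_TRY = {"securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
             "containers": CONTAINERS}
FINAL = {"securityContext": {"runAsUser": 1000, "runAsGroup": 1000, "fsGroup": 1000,
                             "runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
         "containers": CONTAINERS}

if __name__ == "__main__":
    for label, spec in [("chart default", CHART_DEFAULT), ("first try", FIRST_TRY), ("final", FINAL)]:
        print(label, "PSA:", check_restricted(spec) or "ok")
        print(label, "kubelet:", kubelet_nonroot_check(spec, IMAGE_USERS) or "ok")
```

Run as a script it prints, per configuration, what admission would reject and what the kubelet would reject: the chart-default spec fails only on seccompProfile (the first error in the thread), the seccomp-only override passes admission but fails the kubelet check for the container whose image runs as root (the second error), and the final values pass both.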
I think it would be fine to set this as a default on the helm chart?
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 65534
  runAsGroup: 65534
  seccompProfile:
    type: RuntimeDefault
/close
seccompProfile set to RuntimeDefault is now set by default with @davralin's change: https://github.com/backube/volsync/pull/1564