vault-secrets-webhook
[ Openshift ] Default security capabilities
Preflight Checklist
- [X] I have searched the issue tracker for an issue that matches the one I want to file, without success.
- [X] I am not looking for support or already pursued the available support channels without success.
- [X] I agree to follow the Code of Conduct.
Vault Secrets Webhook Version
1.21.0
Installation Type
Official Helm chart
Bank-Vaults Version
No response
Kubernetes Version
1.25.16
Kubernetes Distribution/Provisioner
Openshift (4.12.46)
Expected Behavior
Ref #69 solved by @sagikazarmark in #149. It seems like only the UUID issue was resolved? Not the extended capabilities introduced in 1.15.2.
Actual Behavior
Not able to fetch secrets from vault due to capabilities being added by default.
```
35s Warning FailedCreate replicaset/test-deployment-init-seccontext-6bf988cf8d Error creating: pods "test-deployment-init-seccontext-6bf988cf8d-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .initContainers[0].capabilities.add: Invalid value: "CHOWN": capability may not be added, provider restricted-v2: .initContainers[0].capabilities.add: Invalid value: "SETFCAP": capability may not be added, provider restricted-v2: .initContainers[0].capabilities.add: Invalid value: "SETGID": capability may not be added, provider restricted-v2: .initContainers[0].capabilities.add: Invalid value: "SETPCAP": capability may not be added, provider restricted-v2: .initContainers[0].capabilities.add: Invalid value: "SETUID": capability may not be added.
```
Steps To Reproduce
Try to fetch secrets from vault using vault-secrets-webhook with version < 1.15.2 on Openshift
Configuration
- Webhook helm chart
```yaml
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: vault-secrets-webhook
  namespace: vault
spec:
  interval: 5m
  chart:
    spec:
      chart: vault-secrets-webhook
      version: 1.21.0
      sourceRef:
        kind: HelmRepository
        name: bank-vaults
        namespace: vault
  values:
    resources:
      limits:
        memory: 512Mi
    secretsFailurePolicy: Fail
    configMapMutation: false
    podsFailurePolicy: Fail
    securityContext: {}
    env:
      REGISTRY_SKIP_VERIFY: true
```
- Test manifest
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment-init-seccontext
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: test-deployment-init-seccontext
  template:
    metadata:
      labels:
        app.kubernetes.io/name: test-deployment-init-seccontext
      annotations:
        vault.security.banzaicloud.io/vault-skip-verify: "true"
        vault.security.banzaicloud.io/vault-path: "kubernetes"
        vault.security.banzaicloud.io/run-as-non-root: "true"
    spec:
      containers:
      - name: hallo
        image: ubuntu:latest
        command: ["sh", "-c", "echo $AWS_SECRET_ACCESS_KEY && echo going to sleep... && sleep 10000"]
        env:
        - name: AWS_SECRET_ACCESS_KEY
          value: vault:secret/data/accounts/aws#AWS_SECRET_ACCESS_KEY
        resources:
          limits:
            memory: "128Mi"
            cpu: "100m"
```
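The SCC event above shows the admission failure only after the webhook has already mutated the pod, which makes the root cause hard to see from the Deployment alone. The following added example (not code from the issue or from the bank-vaults project) performs the same capability check locally, before admission: it walks every container of a mutated pod spec and reports each `capabilities.add` entry the target SCC would reject, in the same field-path form the SCC error uses. The pod spec is constructed here from the issue's test manifest plus an init container resembling the one the webhook injects; the init container name, its image reference and the allowlist (restricted-v2 assumed to permit only `NET_BIND_SERVICE` and to require `drop: ["ALL"]`) are assumptions, while the five capability names come from the event in the issue.

```python
"""Pre-admission check: which capability additions would an SCC reject?

Constructed example built around the issue's test manifest; the injected
init container (name, image) and the allowlist are assumptions.
"""
from typing import Dict, Iterator, List, Tuple

# Capabilities a container may still *add* under the target SCC.
# ASSUMPTION: OpenShift restricted-v2 allows only NET_BIND_SERVICE; adjust
# this set to match the SCC actually bound to your service account.
ALLOWED_ADD = {"NET_BIND_SERVICE"}

# Constructed pod spec: the issue's "hallo" container plus an init container
# shaped like the one vault-secrets-webhook injects. The capability list is
# taken from the SCC event in the issue; name and image are assumptions.
MUTATED_POD_SPEC: Dict = {
    "initContainers": [
        {
            "name": "copy-vault-env",  # assumed name of the injected init container
            "image": "vault-env:PLACEHOLDER",  # placeholder image reference
            "securityContext": {
                "runAsNonRoot": True,
                "capabilities": {
                    "add": ["CHOWN", "SETFCAP", "SETGID", "SETPCAP", "SETUID"],
                },
            },
        }
    ],
    "containers": [
        {
            "name": "hallo",
            "image": "ubuntu:latest",
            "env": [
                {
                    "name": "AWS_SECRET_ACCESS_KEY",
                    "value": "vault:secret/data/accounts/aws#AWS_SECRET_ACCESS_KEY",
                }
            ],
        }
    ],
}


def iter_containers(pod_spec: Dict) -> Iterator[Tuple[str, Dict]]:
    """Yield (field path, container) for init, regular and ephemeral containers."""
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for idx, container in enumerate(pod_spec.get(field) or []):
            yield f".{field}[{idx}]", container


def _capabilities(container: Dict) -> Dict:
    return (container.get("securityContext") or {}).get("capabilities") or {}


def disallowed_capability_adds(pod_spec: Dict, allowed=ALLOWED_ADD) -> List[Tuple[str, str]]:
    """Return (field path, capability) for every 'add' entry not in the allowlist."""
    findings = []
    for path, container in iter_containers(pod_spec):
        for cap in _capabilities(container).get("add") or []:
            if cap.upper() not in allowed:
                findings.append((f"{path}.capabilities.add", cap))
    return findings


def containers_missing_drop_all(pod_spec: Dict) -> List[str]:
    """Field paths of containers that do not drop ALL capabilities.

    ASSUMPTION: the target SCC lists ALL under requiredDropCapabilities.
    """
    return [
        path
        for path, container in iter_containers(pod_spec)
        if "ALL" not in {c.upper() for c in _capabilities(container).get("drop") or []}
    ]


def format_findings(findings: List[Tuple[str, str]], provider: str = "restricted-v2") -> List[str]:
    """Render findings in the same shape as the SCC admission error."""
    return [
        f'provider {provider}: {path}: Invalid value: "{cap}": capability may not be added'
        for path, cap in findings
    ]


if __name__ == "__main__":
    for line in format_findings(disallowed_capability_adds(MUTATED_POD_SPEC)):
        print(line)
    for path in containers_missing_drop_all(MUTATED_POD_SPEC):
        print(f"{path}: does not drop ALL capabilities")
```

Running the script against the constructed spec reproduces the five `.initContainers[0].capabilities.add` rejections from the issue, and additionally flags that neither container drops `ALL`; in practice you would feed it the pod spec as returned by the API server (or by the webhook's dry-run mutation) rather than the Deployment template.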
Thanks for reporting this @andloh, we also noticed a lot of issues coming from OpenShift. Will address this in the upcoming releases!
@ramizpolic Any update on this? Does the https://github.com/bank-vaults/secrets-webhook project have better support for this? If it's possible to use it as a drop-in replacement, that is.