granwizzard
> We should probably default this to run as non-root.
>
> If we did this, do you need further customization?

This would be a step in a good direction,...
> I'll call out that this is technically the initContainer and not the sidecar; the init container needs some root privileges (i.e. NET_RAW and NET_ADMIN) in order to change iptables...
> Can your security policies have an exception list based on container name? Only a single container (the initcontainer) requires those privileges.

Do these initContainers always have the same name? In...
> > > Can your security policies have an exception list based on container name? Only a single container (the initcontainer) requires those privileges. > > > > > >...
Hi @stephaneey, I'm already investigating the workaround; now I'm only receiving a denied message, and it is related to the securityContext, where you need to pass "MustRunAsNonRoot" on the osm-init container...