Error with PodSecurity restricted
Hey, thanks for implementing this operator.
We have the following problem:
Our cluster is set up with a more restricted PodSecurity.
So when I create a Valkey cluster I get this with my pods:
create Pod keyval-0 in StatefulSet keyval failed error: pods "keyval-0" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "volume-permissions" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "volume-permissions" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "volume-permissions" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "volume-permissions" must not set runAsUser=0), seccompProfile (pod or container "volume-permissions" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
This looks fixable, I'll get to it in the next week or so. As an aside, is this Kyverno or OPA-Gatekeeper enforcing this?
Hey.
Oh, this is something within k8s itself. In this case Tanzu (the k8s distro we use) has set it up cluster-wide. But you can set this on a per-namespace basis.
Thanks for looking into it.
Dan Molik @.***> wrote on Fri, 12 Sept 2025, 01:59:
dmolik left a comment (hyperspike/valkey-operator#260) https://github.com/hyperspike/valkey-operator/issues/260#issuecomment-3283017138
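The five checks named in the admission error above, as an added example that is not part of the original thread or the operator's code: it shows which fields must be set on the container itself and which can be inherited from the pod-level securityContext. The pod specs are constructed; only the container name "volume-permissions" comes from the error, while the "valkey" container and UID 1001 are assumptions, and the other rules of the restricted profile (volume types, host namespaces and so on) are not covered.

```python
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

def restricted_violations(pod_spec):
    """Map container name -> failed checks (only the five from the error)."""
    pod_sc = pod_spec.get("securityContext") or {}
    report = {}
    for key in ("initContainers", "containers"):
        for c in pod_spec.get(key) or []:
            sc = c.get("securityContext") or {}
            caps = sc.get("capabilities") or {}
            failed = []
            # Container-only fields: a pod-level value cannot satisfy these.
            if sc.get("allowPrivilegeEscalation") is not False:
                failed.append("allowPrivilegeEscalation != false")
            extra_caps = set(caps.get("add") or []) - {"NET_BIND_SERVICE"}
            if "ALL" not in (caps.get("drop") or []) or extra_caps:
                failed.append("unrestricted capabilities")
            # Pod-or-container fields: the container value overrides the pod's.
            if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
                failed.append("runAsNonRoot != true")
            # UID 0 is rejected whether it is set on the container or the pod.
            if sc.get("runAsUser") == 0 or pod_sc.get("runAsUser") == 0:
                failed.append("runAsUser=0")
            profile = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
            if profile.get("type") not in ALLOWED_SECCOMP:
                failed.append("seccompProfile")
            if failed:
                report[c["name"]] = failed
    return report

# Constructed sample data (assumed values, not taken from the operator).
HARDENED = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]},
            "runAsNonRoot": True, "runAsUser": 1001,
            "seccompProfile": {"type": "RuntimeDefault"}}
REJECTED_POD = {
    "initContainers": [{"name": "volume-permissions",
                        "securityContext": {"runAsUser": 0}}],
    "containers": [{"name": "valkey", "securityContext": HARDENED}],
}
ADMITTED_POD = {
    # runAsNonRoot and seccompProfile are inherited by every container.
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "initContainers": [{"name": "volume-permissions",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"]},
                                            "runAsUser": 1001}}],
    "containers": [{"name": "valkey", "securityContext": HARDENED}],
}

if __name__ == "__main__":
    for label, pod in (("rejected", REJECTED_POD), ("admitted", ADMITTED_POD)):
        print(label, restricted_violations(pod))
```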