Reloader
Helm: securityContext / containerSecurityContext not fully propagated ?
Given the following custom values.yaml:
```yaml
reloader:
  reloadStrategy: annotations
  readOnlyRootFileSystem: true
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containerSecurityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop: [ALL]
```
I would expect Reloader to install without issue in a Restricted PSS environment (https://kubernetes.io/docs/concepts/security/pod-security-standards/).
However, instead, when running `helm install stakater-reloader -f path/to/my/stakater-reloader/values.yaml stakater/reloader`
I am greeted with:
```
W0319 12:17:55.847256 5976 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "stakater-reloader-reloader" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "stakater-reloader-reloader" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "stakater-reloader-reloader" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
```
This therefore implies that securityContext and containerSecurityContext are not fully propagated in the Helm chart?
Unfortunately I'm still a bit of a Helm noob and so don't have the skills to troubleshoot and provide a PR, but hopefully it should be a fairly simple fix?
@faizanahmad055 tested it on Minikube and OpenShift but was not able to reproduce it
@karl-johan-grahn Was your environment set up to enforce?
My environment is k3s, with security setup as per the docs (https://docs.k3s.io/security/hardening-guide), in particular the PSA:
```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1beta1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "restricted"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: [kube-system, cis-operator-system]
```
@udf2457 We would like to reproduce it. Can you provide the template together with the values file that you use?
You are missing the `deployment` key for your values. It should be:
```yaml
reloader:
  reloadStrategy: annotations
  readOnlyRootFileSystem: true
  deployment: # << currently missing
    securityContext:
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault
    containerSecurityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: [ALL]
```
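The fix above is a nesting mistake rather than a chart bug: keys placed directly under `reloader` are silently ignored, so the rendered pod carries no securityContext and PodSecurity admission rejects it. The following is an added example (not code from the Reloader project or from anyone in this thread) that detects that mistake in a parsed values file, applies the relocation, and checks a pod spec against the three `restricted:latest` rules quoted in the warning. The values file is represented as the Python dict it parses to (constructed here, no YAML library needed), and `render_pod_spec` is a deliberately simplified model of the chart (assumption: only `reloader.deployment.*` reaches the pod, as the answer above states); for a real check, feed the pod spec from `helm template` output to `restricted_violations` instead.

```python
# Added example: detect the reloader.securityContext vs reloader.deployment.securityContext
# mix-up from this thread, and check a pod spec against the three Restricted PSS rules
# that PodSecurity admission listed in the warning. Not part of the Reloader chart.
import copy

CONTAINER = "stakater-reloader-reloader"  # container name taken from the warning
SC_KEYS = ("securityContext", "containerSecurityContext")

# Constructed input: the reporter's values.yaml as the dict it parses to.
ORIGINAL_VALUES = {
    "reloader": {
        "reloadStrategy": "annotations",
        "readOnlyRootFileSystem": True,
        "securityContext": {
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containerSecurityContext": {
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        },
    }
}


def misplaced_keys(values):
    """Security-context keys set directly under `reloader` but absent from
    `reloader.deployment`, which is where the chart reads them from."""
    reloader = values.get("reloader") or {}
    deployment = reloader.get("deployment") or {}
    return [k for k in SC_KEYS if k in reloader and k not in deployment]


def relocate(values):
    """Return a copy with both keys moved under reloader.deployment (the fix
    from this thread). Existing deployment-level keys win over misplaced ones."""
    fixed = copy.deepcopy(values)
    reloader = fixed.setdefault("reloader", {})
    deployment = reloader.setdefault("deployment", {})
    for k in SC_KEYS:
        if k in reloader:
            deployment.setdefault(k, reloader.pop(k))
    return fixed


def render_pod_spec(values):
    """Simplified model (assumption, not the real template) of what the chart
    renders: only reloader.deployment.* keys reach the pod, top-level ones are dropped."""
    deployment = (values.get("reloader") or {}).get("deployment") or {}
    return {
        "securityContext": deployment.get("securityContext") or {},
        "containers": [{
            "name": CONTAINER,
            "securityContext": deployment.get("containerSecurityContext") or {},
        }],
    }


def restricted_violations(pod_spec):
    """Messages, in PodSecurity admission's wording, for the three restricted:latest
    rules from the warning: allowPrivilegeEscalation, capabilities and seccompProfile."""
    pod_sc = pod_spec.get("securityContext") or {}
    problems = []
    containers = (pod_spec.get("containers") or []) + (pod_spec.get("initContainers") or [])
    for c in containers:
        name, sc = c["name"], c.get("securityContext") or {}
        # Rule 1: must be explicitly false (an unset value is a violation too).
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f'allowPrivilegeEscalation != false (container "{name}" '
                            f"must set securityContext.allowPrivilegeEscalation=false)")
        # Rule 2: ALL capabilities must be dropped.
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            problems.append(f'unrestricted capabilities (container "{name}" '
                            f'must set securityContext.capabilities.drop=["ALL"])')
        # Rule 3: seccomp may be set on the container or inherited from the pod.
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            problems.append(f'seccompProfile (pod or container "{name}" must set '
                            f'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
    return problems


if __name__ == "__main__":
    print("misplaced keys:", misplaced_keys(ORIGINAL_VALUES))
    for label, vals in (("original", ORIGINAL_VALUES), ("fixed", relocate(ORIGINAL_VALUES))):
        found = restricted_violations(render_pod_spec(vals))
        print(f"{label}: {len(found)} violation(s)")
        for p in found:
            print("  -", p)
```

With the reporter's values the script reports both keys as misplaced and reproduces the three admission messages; after `relocate` the rendered spec passes. Note that `restricted:latest` also checks runAsNonRoot and restricts `capabilities.add`; those are omitted here because the warning on this page did not trip them.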
Is this working for the setting below?
```yaml
capabilities:
  drop: [ALL]
```
What are the capabilities that are needed to run this image ?
I had the same issue i raised an MR with the fix https://github.com/stakater/Reloader/pull/540
There is no need to add default settings for containerSecurityContext, just use the correct keys within your values.
> Is this working for the setting below?
>
> ```yaml
> capabilities:
>   drop: [ALL]
> ```
Yes, this is templated properly
Thanks to @PatrickSpies for directing me in the right direction; I had the same problem, the missing `deployment` key.
@udf2457 is this a still relevant issue?
@MuneebAijaz Thanks for your message, unfortunately I don't know because I no longer use Reloader.
Cannot be reproduced. This should be closed.