
KubeClarity unable to start in vSphere Tanzu Kubernetes Cluster without additional securityContext (PSS restricted)

Open deB4SH opened this issue 1 year ago • 0 comments

We are hosting our Kubernetes clusters on VMware vSphere with Tanzu and are currently upgrading our infrastructure from v1.24 to v1.26.

This results in a rather harsh change from PSP to PSS and everything that goes with it.

The provided securityContext sets most of the fields required for a successful deployment, but sadly not the seccompProfile type. This results in error events, and the deployments cannot be scaled properly.

Involved Object:
  API Version:       apps/v1
  Kind:              ReplicaSet
  Name:              kubeclarity-kubeclarity-74564b8bd6
  Namespace:         kubeclarity
  Resource Version:  13480120
  UID:               116330d6-e76a-4795-ae03-557b5e20ffd2
Kind:                Event
Last Timestamp:      2024-02-22T07:58:35Z
Message:             Error creating: pods "kubeclarity-kubeclarity-74564b8bd6-ln5dz" is forbidden: violates PodSecurity "restricted:latest": seccompProfile (pod or containers "kubeclarity-kubeclarity-wait-for-pg-db", "kubeclarity-kubeclarity-wait-for-sbom-db", "kubeclarity-kubeclarity-wait-for-grype-server", "kubeclarity" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

A possible solution could be adding configurable fields within the global area and applying them accordingly if set. For example:

global:
  securityContext:
    seccompProfile: 
      # options: Undefined / RuntimeDefault / Localhost
      type: 
      # only required when type = Localhost
      localhostProfile:

Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-seccomp-profile-for-a-container

What happened:

Upgrades of the underlying Kubernetes cluster, and therefore stricter policies requiring more securityContext configuration, are blocking successful scaling of the deployments.

What you expected to happen:

Successfully scaling deployments to configured replica size.

Are there any error messages in KubeClarity logs?

None; the deployment is not scaled.

Environment:

  • Kubernetes version (use kubectl version --short): 1.26
  • KubeClarity Helm Chart version (use helm -n kubeclarity list): v2.23.1
  • Cloud provider or hardware configuration: on-prem, vSphere with Tanzu Kubernetes

deB4SH, Feb 22 '24 08:02
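The rejection above comes from the Pod Security Admission "restricted" profile, which requires every container (init containers included) to end up with a seccompProfile.type of RuntimeDefault or Localhost, either set on the container itself or inherited from the pod-level securityContext. The following pre-flight check and the pod-level fix are an added example, not code from the KubeClarity project or its Helm chart: the Deployment manifest is a constructed, simplified stand-in with placeholder images that mirrors the container names in the event, and the function names are the example's own. It mirrors the restricted-profile rule (container-level profile overrides pod-level, an unset container inherits) and also flags a Localhost profile that lacks the localhostProfile path, which the API server rejects at validation time.

```python
"""Pre-flight check for the PSS "restricted" seccomp rule, plus the pod-level
fix proposed in the issue (a global seccompProfile applied to the pod template).
Added example; not part of KubeClarity or its Helm chart."""
import copy
import json

ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}


def _container(name):
    # Same securityContext shape the issue describes: hardened, but no seccompProfile.
    return {
        "name": name,
        "image": "placeholder-image",  # placeholder, not a real image reference
        "securityContext": {
            "runAsNonRoot": True,
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }


# Constructed, simplified Deployment modelled on the container names in the event.
# It is NOT the rendered output of the KubeClarity chart.
KUBECLARITY_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "kubeclarity-kubeclarity", "namespace": "kubeclarity"},
    "spec": {
        "replicas": 1,
        "template": {
            "spec": {
                "initContainers": [
                    _container("kubeclarity-kubeclarity-wait-for-pg-db"),
                    _container("kubeclarity-kubeclarity-wait-for-sbom-db"),
                    _container("kubeclarity-kubeclarity-wait-for-grype-server"),
                ],
                "containers": [_container("kubeclarity")],
            }
        },
    },
}


def pod_spec_of(deployment):
    """The pod template spec is what the admission controller evaluates."""
    return deployment["spec"]["template"]["spec"]


def _seccomp(security_context):
    """Return (type, localhostProfile) from a securityContext dict, or (None, None)."""
    profile = (security_context or {}).get("seccompProfile") or {}
    return profile.get("type"), profile.get("localhostProfile")


def check_restricted_seccomp(pod_spec):
    """Return the seccomp violations the restricted profile would raise for this pod spec.

    Rules mirrored here: the pod-level type, if set, must be RuntimeDefault or Localhost;
    each container either sets an allowed type itself or inherits the pod-level one;
    a container with no type and no pod-level type is forbidden; type Localhost must
    carry a localhostProfile (otherwise API validation rejects the object).
    """
    violations = []
    pod_type, pod_profile = _seccomp(pod_spec.get("securityContext"))
    if pod_type is not None and pod_type not in ALLOWED_SECCOMP_TYPES:
        violations.append(f"pod: seccompProfile.type {pod_type!r} is not RuntimeDefault or Localhost")
    elif pod_type == "Localhost" and not pod_profile:
        violations.append("pod: type Localhost requires seccompProfile.localhostProfile")

    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in pod_spec.get(field, []):
            name = container["name"]
            c_type, c_profile = _seccomp(container.get("securityContext"))
            if c_type is None:
                # Inherits the pod-level profile, which was validated above.
                if pod_type is None:
                    violations.append(f"container {name}: seccompProfile.type unset at pod and container level")
                continue
            if c_type not in ALLOWED_SECCOMP_TYPES:
                violations.append(f"container {name}: seccompProfile.type {c_type!r} is not allowed")
            elif c_type == "Localhost" and not c_profile:
                violations.append(f"container {name}: type Localhost requires localhostProfile")
    return violations


def with_pod_seccomp(deployment, seccomp_type, localhost_profile=None):
    """Return a copy with a pod-level seccompProfile, as the proposed global value would do."""
    out = copy.deepcopy(deployment)
    profile = {"type": seccomp_type}
    if localhost_profile is not None:
        profile["localhostProfile"] = localhost_profile
    pod_spec_of(out).setdefault("securityContext", {})["seccompProfile"] = profile
    return out


if __name__ == "__main__":
    print("before:", json.dumps(check_restricted_seccomp(pod_spec_of(KUBECLARITY_DEPLOYMENT)), indent=2))
    fixed = with_pod_seccomp(KUBECLARITY_DEPLOYMENT, "RuntimeDefault")
    print("after: ", check_restricted_seccomp(pod_spec_of(fixed)))
```

Running it prints one violation per container for the constructed manifest (three init containers plus kubeclarity, matching the four names in the event) and an empty list once RuntimeDefault is applied at pod level. The same check also catches the two easy mistakes when wiring up a values field like the one proposed: choosing Localhost without a localhostProfile, and a container-level override that sets Unconfined even though the pod level is compliant.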