PodSecurityPolicy Errors with ClusterAdmin Roles for sa/helm-controller & sa/kustomize-controller #889
Unanswered
breygonsnow
asked this question in
General
PodSecurityPolicy Errors with ClusterAdmin Roles for sa/helm-controller & sa/kustomize-controller
#889
Replies: 1 comment 1 reply
-
|
Please see #829 |
Beta Was this translation helpful? Give feedback.
1 reply
-
|
Thank you for the reply. I had not seen the PSP deprecation notice. We will plan accordingly. --Kevin |
Beta Was this translation helpful? Give feedback.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
We are trying to work through PSPs and Flux V2.
With CusterAdmin Privs granted to sa/helm-controller & sa/kustomize-controller, they will be able to use any PSP. For what we think best practices are, our PSPs are listed as most restrictive to least restrictive (we have 3 simple PSPs, very restrictive - osu-10-restricted, moderate - osu-40-baseline, and privileged - osu-80-privileged). The pod deployments for pod/helm-controller & pod/kustomize-controller seem to be ok with a very restrictive policy, on first glance, in its configuration, but under the covers it needs higher levels of pod security.
Since the first PSP, in order, appears to be able to fulfill the deployment, the pod fails with: Warning Failed 11s (x3 over 13s) kubelet Error: container has runAsNonRoot and image has non-numeric user (controller), cannot verify user is non-root (pod: "helm-controller-.....)
The other SAs (sa/notification-controller and sa/source-controller) work great as I granted all CAs in flux-system clustrolerole to the osu-80-privileged, but that is the only one they can use, unlike the other CAs that have been granted cluster-admin.
If I am missing something with PSPs, I claim no expertise with PSP as they have been entertaining especially with replicaset-controllers, etc.
I appreciate any assistance that can be provided.
--Kevin
Beta Was this translation helpful? Give feedback.
All reactions