
KubeClarity unable to start in VSphere Tanzu Kubernetes Cluster without additional securityContext (pss restricted) #626

Open
deB4SH opened this issue Feb 22, 2024 · 0 comments · May be fixed by #641

Comments


deB4SH commented Feb 22, 2024

We are hosting our Kubernetes clusters on VMware vSphere with Tanzu and are currently upgrading our infrastructure to v1.26 from v1.24.

This results in a rather harsh change from PSP to PSS and everything related to it.

The provided securityContext provides most of the required fields for a successful deployment, but sadly not the seccompProfile type. This results in error events, and the deployments cannot be scaled properly.

```
Involved Object:
  API Version:       apps/v1
  Kind:              ReplicaSet
  Name:              kubeclarity-kubeclarity-74564b8bd6
  Namespace:         kubeclarity
  Resource Version:  13480120
  UID:               116330d6-e76a-4795-ae03-557b5e20ffd2
Kind:                Event
Last Timestamp:      2024-02-22T07:58:35Z
Message:             Error creating: pods "kubeclarity-kubeclarity-74564b8bd6-ln5dz" is forbidden: violates PodSecurity "restricted:latest": seccompProfile (pod or containers "kubeclarity-kubeclarity-wait-for-pg-db", "kubeclarity-kubeclarity-wait-for-sbom-db", "kubeclarity-kubeclarity-wait-for-grype-server", "kubeclarity" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
```

A possible solution could be adding configurable fields within the global area and applying them accordingly if set. For example:

```yaml
global:
  securityContext:
    seccompProfile:
      # options: Undefined / RuntimeDefault / Localhost
      type:
      # only required when type = Localhost
      localhostProfile:
```

Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-seccomp-profile-for-a-container

What happened:

Upgrades to the underlying Kubernetes cluster, and therefore stricter policies requiring more securityContext configuration, are blocking successful scaling of deployments.

What you expected to happen:

Successfully scaling deployments to configured replica size.

Are there any error messages in KubeClarity logs?

None - Deployment is not scaled

Environment:

  • Kubernetes version (use kubectl version --short): 1.26
  • KubeClarity Helm Chart version (use helm -n kubeclarity list): v2.23.1
  • Cloud provider or hardware configuration: on-prem, vSphere with Tanzu Kubernetes
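The admission error above is the PodSecurity "restricted" seccomp rule: every container, init containers included, must end up with `seccompProfile.type` of `RuntimeDefault` or `Localhost`, either set on the container itself or inherited from the pod-level `securityContext`. The following is an added example, not KubeClarity code and not what PR #641 implements: a small pre-deployment check that applies that rule to a rendered Pod spec (as a Python dict, e.g. loaded from the chart's rendered YAML), plus a hypothetical `apply_global_seccomp` helper that injects a `global.securityContext.seccompProfile` value of the shape proposed above into the pod-level context. The sample Pod spec and container names are constructed to match the event message; the helper names are assumptions.

```python
import copy

# Types accepted by PodSecurity "restricted" (anything else, including an
# unset/"Undefined" type, is rejected by the admission controller).
ALLOWED_TYPES = {"RuntimeDefault", "Localhost"}

# Constructed sample: init containers and main container carry a securityContext
# with the other restricted-profile fields but no seccompProfile, which is the
# situation described in the issue.
_BASE_CTX = {
    "allowPrivilegeEscalation": False,
    "runAsNonRoot": True,
    "capabilities": {"drop": ["ALL"]},
}
SAMPLE_POD_SPEC = {
    "initContainers": [
        {"name": "kubeclarity-kubeclarity-wait-for-pg-db",
         "securityContext": dict(_BASE_CTX)},
        {"name": "kubeclarity-kubeclarity-wait-for-sbom-db",
         "securityContext": dict(_BASE_CTX)},
        {"name": "kubeclarity-kubeclarity-wait-for-grype-server",
         "securityContext": dict(_BASE_CTX)},
    ],
    "containers": [
        {"name": "kubeclarity", "securityContext": dict(_BASE_CTX)},
    ],
}


def _profile_type(security_context):
    """Return seccompProfile.type from a securityContext, or None if unset."""
    if not security_context:
        return None
    return (security_context.get("seccompProfile") or {}).get("type")


def seccomp_violations(pod_spec):
    """Names of containers (init and regular) the restricted profile would reject.

    Resolution follows Kubernetes: a container-level seccompProfile overrides the
    pod-level one; a container that sets no seccompProfile inherits the pod's.
    An empty list means the pod passes this particular rule.
    """
    pod_type = _profile_type(pod_spec.get("securityContext"))
    rejected = []
    for section in ("initContainers", "containers"):
        for container in pod_spec.get(section, []):
            own_type = _profile_type(container.get("securityContext"))
            effective = own_type if own_type is not None else pod_type
            if effective not in ALLOWED_TYPES:
                rejected.append(container["name"])
    return rejected


def apply_global_seccomp(pod_spec, global_values):
    """Hypothetical helper mirroring the proposed chart change.

    If global.securityContext.seccompProfile.type is set, copy the profile into
    the pod-level securityContext so every container inherits it. Returns a new
    spec; the input is not mutated. A Localhost type without localhostProfile is
    rejected here because the API server would reject it as well.
    """
    profile = (global_values.get("securityContext") or {}).get("seccompProfile") or {}
    profile_type = profile.get("type")
    if not profile_type:
        return pod_spec  # nothing configured: leave the chart's own defaults alone
    if profile_type == "Localhost" and not profile.get("localhostProfile"):
        raise ValueError("seccompProfile.type=Localhost requires localhostProfile")
    spec = copy.deepcopy(pod_spec)
    pod_ctx = spec.setdefault("securityContext", {})
    pod_ctx["seccompProfile"] = {"type": profile_type}
    if profile_type == "Localhost":
        pod_ctx["seccompProfile"]["localhostProfile"] = profile["localhostProfile"]
    return spec


if __name__ == "__main__":
    print("before:", seccomp_violations(SAMPLE_POD_SPEC))
    fixed = apply_global_seccomp(
        SAMPLE_POD_SPEC,
        {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}},
    )
    print("after: ", seccomp_violations(fixed))
```

Running the check on the sample spec lists all four containers named in the event; after injecting `type: RuntimeDefault` at the pod level the list is empty, which is why a single global value is enough for this rule. A container that already sets its own `seccompProfile` keeps it, matching how the kubelet resolves the two levels.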
@deB4SH deB4SH changed the title KubeClarity unable to start in VSphere Tanzu Kubernetes Cluster without additional securityContext KubeClarity unable to start in VSphere Tanzu Kubernetes Cluster without additional securityContext (pss restricted) Feb 22, 2024
@grieshaber grieshaber linked a pull request May 15, 2024 that will close this issue