
securityContext capabilities drop value of instana-instrumentation-init containers is lowercase #12

Open
Thorien opened this issue May 16, 2023 · 0 comments

Comments


Thorien commented May 16, 2023

Hello,

Problem description

I am setting up TektonCD operators in IKS Cluster. This cluster is enabled with instana autotrace webhook.
When starting the tekton controller pods they won't start as they are breaking PodSecurity with the following message:

Error creating: pods "tekton-operator-proxy-webhook-59dff97bb9-fhvkh" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "instana-instrumentation-init" must set securityContext.capabilities.drop=["ALL"])

I have double-checked and the instana-instrumentation-init container is instrumented with the correct securityContext (at the bottom of the yaml).

      initContainers:
        - name: instana-instrumentation-init
          image: >-
            icr.io/instana/instrumentation@sha256:92db1d8a0b40bc7cc54a90ee53abd6911dce0d8637679977512360e1905d69f9
          env:
            - name: INSTANA_AGENT_HOST
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.hostIP
          resources:
            limits:
              cpu: 250m
              memory: 64Mi
            requests:
              cpu: 150m
              memory: 16Mi
          volumeMounts:
            - name: instana-instrumentation-volume
              mountPath: /opt/instana/instrumentation
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
              drop:
                - all
            privileged: false
            runAsUser: 1001
            runAsNonRoot: true
            allowPrivilegeEscalation: false

The problem is that the "all" is lowercase in drop: all. And the pod security is checking exactly for uppercase "ALL".
The instana operator documentation specifies uppercase value {"drop":["ALL"]}
https://www.ibm.com/docs/en/instana-observability/current?topic=installing-instana-operator

Expected result

The "all" value is spelled/generated "ALL" in the securityContext of the instana-instrumentation-init containers.

Workaround

I have fixed this by modifying the instana-autotrace-webhook deployment resource yaml in my cluster and changed the environment variable to:

            - name: INSTANA_INSTRUMENTATION_INIT_CONTAINER_SECURITY_CONTEXT
              value: >-
                {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"runAsNonRoot":true,"runAsUser":1001}

with uppercase "ALL"
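A small checker, added here as an illustration (not code from the webhook or from Kubernetes), that mirrors the restricted profile's capabilities rule on a pod spec built from the env-var JSON above. It assumes the webhook copies that JSON verbatim onto the injected init container and shows that only the literal string "ALL" satisfies the check; "all" does not.

```python
import json

# Constructed samples: the securityContext JSON the webhook reads from
# INSTANA_INSTRUMENTATION_INIT_CONTAINER_SECURITY_CONTEXT (assumption: the
# webhook copies this JSON verbatim onto the injected init container).
GENERATED_CONTEXT = '{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"runAsNonRoot":true,"runAsUser":1001}'
FIXED_CONTEXT = '{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"runAsNonRoot":true,"runAsUser":1001}'

ALLOWED_ADD = {"NET_BIND_SERVICE"}  # the only capability the restricted profile lets a container add


def pod_with_init(security_context_json):
    """Build a minimal pod spec with the instana init container injected."""
    return {
        "initContainers": [{
            "name": "instana-instrumentation-init",
            "securityContext": json.loads(security_context_json),
        }],
        "containers": [{
            "name": "app",
            "securityContext": {"capabilities": {"drop": ["ALL"]}},
        }],
    }


def capability_violations(pod_spec):
    """Mirror the restricted profile's 'unrestricted capabilities' check.

    The drop list is compared as literal strings, so "all" is not "ALL".
    Every container kind (init, regular, ephemeral) is checked.
    """
    problems = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in pod_spec.get(field, []):
            caps = (c.get("securityContext") or {}).get("capabilities") or {}
            if "ALL" not in (caps.get("drop") or []):
                problems.append(f'container "{c["name"]}" must set securityContext.capabilities.drop=["ALL"]')
            extra = set(caps.get("add") or []) - ALLOWED_ADD
            if extra:
                problems.append(f'container "{c["name"]}" must not include {sorted(extra)} in securityContext.capabilities.add')
    return problems


if __name__ == "__main__":
    for label, ctx in (("generated", GENERATED_CONTEXT), ("fixed", FIXED_CONTEXT)):
        print(label, capability_violations(pod_with_init(ctx)) or "OK")
```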
