You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.
Is your feature request related to a problem? Please describe.
When installing Consul 1.3.1 into a cluster running Kubernetes 1.25 or later with CNI and ConnectInject enabled, and with the application services we run making use of the Pod Security Admission feature via the namespace label pod-security.kubernetes.io/enforce: "restricted" we are unable to deploy our application services with envoy proxy/connect injector sidecars due to missing seccompProfile field under pod spec containers.securityContext field. This is visible in the pod YAML:
To be clear, this is NOT consul service pods, this is our application pods which are being injected with the Consul envoy proxy sidecar. Our pod manifests have the workload containers defined with seccompProfile field but the envoy proxy sidecar container is missing it, as this seems not to be in the code for the injected container.
This forces us to downgrade the namespace label from "restricted" value to "baseline" value until Consul supports any/all of the missing fields.
Feature Description
As I can see that the sidecar proxy containers already have appArmorProfile field set to type: RuntimeDefault I will request for the seccompProfile field to also be set to the same type: RuntimeDefault key and value pair.
Use Case(s)
Allows for Consul to run (with CNI enabled) in clusters where namespaces are configured for the restricted policy.
Contributions
Maybe but my Go is not very good so it would take a long time and likely be very poor quality code. I would recommend for someone else to tackle this.
The text was updated successfully, but these errors were encountered:
The error we get actually covers several issues; some which will be easier to solve (such as the seccompProfile field) and some which won't (privileges/capabilities, given that the CNI is enabled and these should already have lower privileges/caps):
Warning FailedCreate 9s (x4 over 27s) replicaset-controller (combined from similar events): Error creating: pods my-pod-5579699465-bf4tm" is forbidden: violates PodSecurity "restricted:latest":
allowPrivilegeEscalation != false (containers "consul-connect-inject-init",
"consul-dataplane" must set securityContext.allowPrivilegeEscalation=false),
unrestricted capabilities (container "consul-dataplane" must set securityContext.capabilities.drop=["ALL"]),
seccompProfile (pod or containers "consul-connect-inject-init",
"consul-dataplane" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Community Note
Is your feature request related to a problem? Please describe.
When installing Consul 1.3.1 into a cluster running Kubernetes 1.25 or later with CNI and ConnectInject enabled, and with the application services we run making use of the Pod Security Admission feature via the namespace label
pod-security.kubernetes.io/enforce: "restricted"
we are unable to deploy our application services with envoy proxy/connect injector sidecars due to missingseccompProfile
field under pod speccontainers.securityContext
field. This is visible in the pod YAML:To be clear, this is NOT consul service pods, this is our application pods which are being injected with the Consul envoy proxy sidecar. Our pod manifests have the workload containers defined with
seccompProfile
field but the envoy proxy sidecar container is missing it, as this seems not to be in the code for the injected container.This forces us to downgrade the namespace label from
"restricted"
value to"baseline"
value until Consul supports any/all of the missing fields.Feature Description
As I can see that the sidecar proxy containers already have
appArmorProfile
field set totype: RuntimeDefault
I will request for theseccompProfile
field to also be set to the sametype: RuntimeDefault
key and value pair.Use Case(s)
Allows for Consul to run (with CNI enabled) in clusters where namespaces are configured for the restricted policy.
Contributions
Maybe but my Go is not very good so it would take a long time and likely be very poor quality code. I would recommend for someone else to tackle this.
The text was updated successfully, but these errors were encountered: