This repository has been archived by the owner on Oct 14, 2024. It is now read-only.

KubeClarity unable to start in VSphere Tanzu Kubernetes Cluster without additional securityContext (pss restricted) #660

Open
deB4SH opened this issue Feb 22, 2024 · 0 comments

Comments

@deB4SH

deB4SH commented Feb 22, 2024

We are hosting our Kubernetes clusters on VMware vSphere with Tanzu and are currently upgrading our infrastructure from v1.24 to v1.26.

This results in a rather harsh change from PSP to PSS and everything related to it.

The provided securityContext provides most of the required fields for a successful deployment but sadly not the seccompProfile type. This results in error events, and the deployments cannot be scaled properly.

```
Involved Object:
  API Version:       apps/v1
  Kind:              ReplicaSet
  Name:              kubeclarity-kubeclarity-74564b8bd6
  Namespace:         kubeclarity
  Resource Version:  13480120
  UID:               116330d6-e76a-4795-ae03-557b5e20ffd2
Kind:                Event
Last Timestamp:      2024-02-22T07:58:35Z
Message:             Error creating: pods "kubeclarity-kubeclarity-74564b8bd6-ln5dz" is forbidden: violates PodSecurity "restricted:latest": seccompProfile (pod or containers "kubeclarity-kubeclarity-wait-for-pg-db", "kubeclarity-kubeclarity-wait-for-sbom-db", "kubeclarity-kubeclarity-wait-for-grype-server", "kubeclarity" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
```

A possible solution could be adding configurable fields within the global area and applying them accordingly if set. For example:

```yaml
global:
  securityContext:
    seccompProfile:
      # options: Undefined / RuntimeDefault / Localhost
      type:
      # only required when type = Localhost
      localhostProfile:
```

Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-seccomp-profile-for-a-container

What happened:

Upgrades to the underlying Kubernetes cluster, and therefore stricter policies requiring more securityContext configuration, are blocking successful scaling of deployments.

What you expected to happen:

Successfully scaling deployments to the configured replica size.

Are there any error messages in KubeClarity logs?

None - the deployment is not scaled.

Environment:

  • Kubernetes version (use kubectl version --short): 1.26
  • KubeClarity Helm Chart version (use helm -n kubeclarity list): v2.23.1
  • Cloud provider or hardware configuration: on-prem - vSphere with Tanzu Kubernetes
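The admission error quoted above is the `restricted` Pod Security Standard's seccomp rule: either the pod-level `securityContext.seccompProfile.type` is `RuntimeDefault` or `Localhost`, or every init container, container and ephemeral container sets one of those values itself. The following added example (not part of the original issue and not KubeClarity or Kubernetes project code) reimplements that rule as a pre-deployment check over a rendered pod spec, and shows the minimal fix a chart can apply: setting the profile once at pod level. The pod spec is a constructed dict that mirrors the container names in the event; the function names are the author's own.

```python
import copy

# Profile types the "restricted" Pod Security Standard accepts.
ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def _seccomp_type(security_context):
    """Return securityContext.seccompProfile.type, or None when unset."""
    if not security_context:
        return None
    profile = security_context.get("seccompProfile") or {}
    return profile.get("type")


def seccomp_violations(pod_spec):
    """List the pod/containers that break the restricted seccomp rule.

    Mirrors the PSS logic: a pod-level RuntimeDefault/Localhost covers
    every container that leaves its own profile unset; a container that
    sets an explicit type must use one of the allowed values; a pod-level
    Unconfined is rejected outright.
    """
    violations = []
    pod_type = _seccomp_type(pod_spec.get("securityContext"))
    pod_covers_containers = pod_type in ALLOWED_SECCOMP_TYPES
    if pod_type is not None and not pod_covers_containers:
        violations.append("<pod>")

    for field in CONTAINER_FIELDS:
        for container in pod_spec.get(field, []):
            ctype = _seccomp_type(container.get("securityContext"))
            if ctype is None:
                # Unset at container level: only fine if the pod sets it.
                if not pod_covers_containers:
                    violations.append(container["name"])
            elif ctype not in ALLOWED_SECCOMP_TYPES:
                violations.append(container["name"])
    return violations


def apply_runtime_default(pod_spec):
    """Return a copy with a pod-level RuntimeDefault profile added.

    This is the one-line remediation the issue asks the chart to expose:
    set the profile once at pod level so all containers inherit it.
    Containers that explicitly set their own profile are left untouched.
    """
    patched = copy.deepcopy(pod_spec)
    sc = patched.setdefault("securityContext", {})
    if _seccomp_type(sc) not in ALLOWED_SECCOMP_TYPES:
        sc["seccompProfile"] = {"type": "RuntimeDefault"}
    return patched


# Constructed sample: a pod spec shaped like the one the event complains
# about. Each container has the other restricted-profile fields set, but
# no seccompProfile anywhere (the situation described in the issue).
_BASE_CONTAINER_SC = {
    "allowPrivilegeEscalation": False,
    "runAsNonRoot": True,
    "capabilities": {"drop": ["ALL"]},
}

SAMPLE_POD_SPEC = {
    "initContainers": [
        {"name": n, "image": "placeholder", "securityContext": dict(_BASE_CONTAINER_SC)}
        for n in (
            "kubeclarity-kubeclarity-wait-for-pg-db",
            "kubeclarity-kubeclarity-wait-for-sbom-db",
            "kubeclarity-kubeclarity-wait-for-grype-server",
        )
    ],
    "containers": [
        {"name": "kubeclarity", "image": "placeholder", "securityContext": dict(_BASE_CONTAINER_SC)}
    ],
}


if __name__ == "__main__":
    before = seccomp_violations(SAMPLE_POD_SPEC)
    print("violations before:", before)
    after = seccomp_violations(apply_runtime_default(SAMPLE_POD_SPEC))
    print("violations after pod-level RuntimeDefault:", after)
```

Run against the sample it reports the same four names the admission controller listed, and an empty list once the pod-level profile is set. The same check can be pointed at `helm template` output to catch the problem before a chart is applied to a `restricted`-labelled namespace.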
@deB4SH deB4SH changed the title KubeClarity unable to start in VSphere Tanzu Kubernetes Cluster without additional securityContext KubeClarity unable to start in VSphere Tanzu Kubernetes Cluster without additional securityContext (pss restricted) Feb 22, 2024
@ramizpolic ramizpolic transferred this issue from openclarity/openclarity Aug 8, 2024
@ramizpolic ramizpolic transferred this issue from another repository Aug 10, 2024
@ramizpolic ramizpolic removed this from OpenClarity Aug 30, 2024