With the azure policy addon enabled(as per organization policy), we can’t create privileged containers on the aks, azure kubernetes.
Our application is set to security context as below.
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 999
So our app can create without privileged access.
But, when linked with consul(through annotations), the consul init containers are failing to create.
Warning FailedCreate 6s (x15 over 90s) replicaset-controller Error creating: admission webhook "validation.gatekeeper.sh" denied the request: [azurepolicy-psp-container-no-privilege-esc-30132221bc21e5b724da] Privilege escalation container is not allowed: envoy-sidecar
[azurepolicy-psp-container-no-privilege-esc-30132221bc21e5b724da] Privilege escalation container is not allowed: consul-sidecar
[azurepolicy-psp-container-no-privilege-esc-30132221bc21e5b724da] Privilege escalation container is not allowed: consul-connect-inject-init