How to update kubernetes pod securityContext of vault agent init container

nishantn3 · April 17, 2023, 3:44pm

Hi,

We want to change the spec.initContainers[*].securityContext in the vault-agent-init container that runs as a init container to inject secrets into application pod. We are using Vault helm chart to deploy vault and it has securityContext configuration for injector pod and vault statefulset. Couldn’t find anything to configure the same for the init containers here.

I can see that the pod has the below securityContext

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  readOnlyRootFilesystem: true
  runAsGroup: 1000
  runAsNonRoot: true
  runAsUser: 100

which is missing

seccompProfile:
  type: RuntimeDefault

based on the restricted pod security standards

Need to know a way to add the seccompProfile to the init container

macmiranda · April 17, 2023, 5:54pm

Please see Add ability to run Vault Agent Sidecar in the namespace compliant with restricted Pod Security Standard · Issue #377 · hashicorp/vault-k8s · GitHub

Topic		Replies	Views
Can't get vault-agent-init container to get a secret from Vault Vault k8s , vault	1	3079	September 28, 2021
K8s init container secrets injection Vault k8s , vault	0	378	July 22, 2021
Vault-agent-injector racing condition when application pods utilizing vault-sidecar come up faster then vault Vault k8s , vault	7	2841	November 2, 2021
Vault: init container cannot authenticate to Vault Vault k8s , vault	9	1843	June 26, 2023
Vault init container authorization fails when running multiple pods (error="context deadline exceeded") Vault k8s , vault	1	919	December 22, 2021

How to update kubernetes pod securityContext of vault agent init container

Related topics