I am trying to install Consul on Kubernetes version 1.24. I am using a namespace annotated with Pod Security Standards with the policy profile restricted.
apiVersion: v1
kind: Namespace
metadata:
  name: restricted-namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: v1.24
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: v1.24
I am installing the Consul chart into this namespace using the following command:
helm upgrade --install --debug consul --namespace restricted-namespace --create-namespace --wait --timeout "10m0s" --values consul-helm-values.yaml https://dependencies.openet.com/artifactory/helm-hashicorp/consul-1.1.0.tgz
The values file (consul-helm-values.yaml) is as below:
ui:
  service:
    type: NodePort
global:
  image: dependencies.openet.com:5000/hashicorp/consul:1.15.2
  imageK8S: dependencies.openet.com:5000/hashicorp/consul-k8s-control-plane:1.1.0
  acls:
    manageSystemACLs: true
server:
  resources:
    requests:
      memory: "100Mi"
      cpu: "100m"
    limits:
      memory: "500Mi"
      cpu: "1000m"
However, I get some security violations in the terminal:
would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "sidecar-injector" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "sidecar-injector" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "sidecar-injector" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "sidecar-injector" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0421 11:32:39.671683 1131925 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "webhook-cert-manager" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "webhook-cert-manager" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "webhook-cert-manager" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "webhook-cert-manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0421 11:32:39.704295 1131925 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "consul" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "consul" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "consul" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0421 11:32:39.764181 1131925 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "server-acl-init-job" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "server-acl-init-job" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "server-acl-init-job" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "server-acl-init-job" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
I was wondering if I could remove any of these exceptions? I know Consul has not rolled out support for Kubernetes Pod Security Admission controllers for 1.25 versions. I don't want a Pod Security Policy resource to be created to fix this issue.
Appreciate any help, thanks.
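The Python below is an added example, not part of this question and not code from the Consul chart. It does two things a reviewer of these warnings would want: it parses `would violate PodSecurity` lines like the ones above into a per-container list of failed controls, and it evaluates a pod-level plus container-level securityContext pair against the four restricted-profile controls those warnings name (allowPrivilegeEscalation, capabilities.drop, runAsNonRoot, seccompProfile), so that a rendered manifest can be checked offline before it is applied. The two warning lines are copied from the output above as sample input; the securityContext dicts in the demo are constructed. It covers only those four controls, not the full restricted profile (which also restricts things like added capabilities, runAsUser=0, host namespaces and volume types).

```python
import re
from typing import Dict, List, Tuple

# Sample input: two warning lines copied from the helm output above.
WARNINGS = [
    'W0421 11:32:39.671683 1131925 warnings.go:70] would violate PodSecurity "restricted:v1.24": '
    'allowPrivilegeEscalation != false (container "webhook-cert-manager" must set securityContext.allowPrivilegeEscalation=false), '
    'unrestricted capabilities (container "webhook-cert-manager" must set securityContext.capabilities.drop=["ALL"]), '
    'runAsNonRoot != true (pod or container "webhook-cert-manager" must set securityContext.runAsNonRoot=true), '
    'seccompProfile (pod or container "webhook-cert-manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")',
    'W0421 11:32:39.704295 1131925 warnings.go:70] would violate PodSecurity "restricted:v1.24": '
    'allowPrivilegeEscalation != false (container "consul" must set securityContext.allowPrivilegeEscalation=false), '
    'unrestricted capabilities (container "consul" must set securityContext.capabilities.drop=["ALL"]), '
    'seccompProfile (pod or container "consul" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")',
]

VIOLATION_RE = re.compile(r'would violate PodSecurity "(?P<profile>[^"]+)": (?P<body>.*)$')
CONTAINER_RE = re.compile(r'container "([^"]+)"')


def parse_warning(line: str) -> Tuple[str, str, List[str]]:
    """Return (profile, container name, [failed control names]) for one warning line.

    The body is a comma-separated list of '<control> (<what must be set>)' items;
    splitting on '), ' keeps any commas-free detail text intact.
    """
    match = VIOLATION_RE.search(line)
    if not match:
        raise ValueError("not a PodSecurity warning line: " + line)
    body = match.group("body")
    container = CONTAINER_RE.search(body).group(1)
    controls = [item.split(" (", 1)[0] for item in body.split("), ")]
    return match.group("profile"), container, controls


def summarize(lines: List[str]) -> Dict[str, List[str]]:
    """Map each container named in the warnings to the controls it fails."""
    result: Dict[str, List[str]] = {}
    for line in lines:
        _, container, controls = parse_warning(line)
        result[container] = controls
    return result


def restricted_violations(pod_sc: dict, container_sc: dict) -> List[str]:
    """Check the four restricted-profile controls named in the warnings above.

    runAsNonRoot and seccompProfile may be set on the pod or the container;
    a container-level value overrides the pod-level one. The other two are
    container-only. Control names match the admission controller's wording.
    """
    missing: List[str] = []
    if container_sc.get("allowPrivilegeEscalation") is not False:
        missing.append("allowPrivilegeEscalation != false")
    drops = (container_sc.get("capabilities") or {}).get("drop") or []
    if "ALL" not in drops:
        missing.append("unrestricted capabilities")
    if container_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        missing.append("runAsNonRoot != true")
    seccomp = container_sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
    if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
        missing.append("seccompProfile")
    return missing


if __name__ == "__main__":
    for name, failed in summarize(WARNINGS).items():
        print(f"{name}: {', '.join(failed)}")

    # Constructed securityContexts: one bare (as the chart rendered them), one hardened.
    bare_pod, bare_container = {}, {}
    hardened_pod = {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}}
    hardened_container = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}
    print("bare:", restricted_violations(bare_pod, bare_container))
    print("hardened:", restricted_violations(hardened_pod, hardened_container))
```

Feeding the output of `helm template ... | kubectl apply --dry-run=server -f -` through `summarize` gives the same per-container view without touching the cluster; `restricted_violations` is the check to run over the pod templates of a rendered chart (for example after loading them with a YAML parser) to see which fields a values override or a post-render patch still has to set.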