Volsync does not start in cluster with PodSecurityAdmission set to restricted #1430

Open
davralin opened this issue Oct 22, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@davralin

davralin commented Oct 22, 2024

Describe the bug
VolSync fails to start in a cluster with Pod Security Configuration enforced to restricted, due to missing SecCompProfile.

Steps to reproduce
Enforce pod security configuration to restricted in your cluster.
Deploy volsync

Expected behavior
Volsync is actually deployed

Actual results

Error creating: pods "volsync-554964465c-lw8t4" is forbidden:
violates PodSecurity "restricted:latest":
seccompProfile (pod or containers "kube-rbac-proxy", "manager" must set securityContext.seccompProfile.type
to "RuntimeDefault" or "Localhost")

Additional context
#292 is somewhat related, but deals with the implementation in kind I guess.

@davralin davralin added the bug Something isn't working label Oct 22, 2024
@tesshuflower
Contributor

You may need to set podSecurityContext.seccompProfile.type in your values.yaml

https://github.com/backube/volsync/blob/main/helm/volsync/values.yaml#L66

@davralin
Author

davralin commented Oct 22, 2024

Right... not sure how I missed that...
Anyway;

    podSecurityContext:
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault

Leads to:

pod/volsync-5cc98f9b59-plvkf
Error: container has runAsNonRoot and image will run as root
(pod: "volsync-5cc98f9b59-plvkf_volsync(d7b7b3c9-8959-48ca-b8b3-b8a226c21c12)", container: manager)

So, new thing failed - but runAsRoot needs to be set in order to reach restricted.

@tesshuflower
Contributor

I think it sounds like you also will need to set podSecurityContext.runAsUser in your system. By default we normally set this to 65534 if you don't specify a podSecurityContext.

@davralin
Author

davralin commented Oct 24, 2024

So, this is the conclusion I chose:

    podSecurityContext:
      runAsUser: 1000
      runAsGroup: 1000
      fsGroup: 1000
      fsGroupChangePolicy: "OnRootMismatch"
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault

This will allow volsync to work under restricted.

In order to do backup/restores:

    moverSecurityContext:
      runAsUser: 1000
      runAsGroup: 1000
      fsGroup: 1000
      fsGroupChangePolicy: "OnRootMismatch"
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault

Maybe some of these values should be the defaults?

My issue is closed, however; I solved it with some configuration. I'll leave it open in case someone needs/wants to change the default securityContext of volsync.

@onedr0p
Contributor

onedr0p commented Oct 26, 2024

I think it would be fine to set this as a default on the helm chart?

    podSecurityContext:
      runAsNonRoot: true
      runAsUser: 65534
      runAsGroup: 65534
      seccompProfile:
        type: RuntimeDefault
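The thread shows two distinct failures: the PodSecurity admission check for `restricted` (seccomp and non-root rules) and, once that passes, the kubelet's runtime check that a `runAsNonRoot` container's image does not run as root. The following added example, which is not code from the VolSync project or from anyone in this thread, replays the three pod-level `securityContext` values discussed above through a small static checker that mirrors those rules; the VolSync pod template with containers `manager` and `kube-rbac-proxy` is a constructed stand-in, and the chart default is assumed to be `runAsNonRoot: true` with `runAsUser: 65534`, matching the maintainer's comment and the fact that the first error mentioned only seccomp.

```python
# Added example, not VolSync code. Mirrors the PodSecurity "restricted" seccomp and
# non-root rules (admission time) and the kubelet's runAsNonRoot-vs-image check
# (run time) that the comments above ran into, one after the other.

SECCOMP_ALLOWED = {"RuntimeDefault", "Localhost"}


def effective(pod_sc, ctr_sc, key):
    """A container-level securityContext field overrides the pod-level one."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)


def check_pod(pod_spec):
    """Return findings as (container, stage, message); an empty list means clean."""
    findings = []
    pod_sc = pod_spec.get("securityContext") or {}
    for ctr in pod_spec.get("containers", []):
        name, ctr_sc = ctr["name"], ctr.get("securityContext") or {}
        prof = effective(pod_sc, ctr_sc, "seccompProfile") or {}
        if prof.get("type") not in SECCOMP_ALLOWED:
            findings.append((name, "admission",
                             "seccompProfile.type must be RuntimeDefault or Localhost"))
        uid = effective(pod_sc, ctr_sc, "runAsUser")
        if uid == 0:
            findings.append((name, "admission", "runAsUser must not be 0"))
        if effective(pod_sc, ctr_sc, "runAsNonRoot") is not True:
            findings.append((name, "admission", "runAsNonRoot must be true"))
        elif uid is None:
            # Admission passes, but the kubelet refuses to start the container if
            # the image's USER is root or unset ("image will run as root").
            findings.append((name, "runtime",
                             "runAsNonRoot without runAsUser relies on the image USER"))
    return findings


def volsync_pod(pod_sc):
    """Constructed stand-in for the VolSync Deployment pod template."""
    return {"securityContext": pod_sc,
            "containers": [{"name": "kube-rbac-proxy"}, {"name": "manager"}]}


# The three pod-level securityContext values from the thread, in order.
CHART_DEFAULT = {"runAsNonRoot": True, "runAsUser": 65534}  # assumed chart default
FIRST_ATTEMPT = {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}}
FINAL = {"runAsUser": 1000, "runAsGroup": 1000, "fsGroup": 1000,
         "fsGroupChangePolicy": "OnRootMismatch", "runAsNonRoot": True,
         "seccompProfile": {"type": "RuntimeDefault"}}

if __name__ == "__main__":
    for label, sc in (("default", CHART_DEFAULT), ("first", FIRST_ATTEMPT), ("final", FINAL)):
        print(label, check_pod(volsync_pod(sc)))
```

A container-level `securityContext` is checked with the same rules, so a container that sets `runAsUser: 0` is rejected even when the pod-level values are fine.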

3 participants