KafkaConnect Reconciliation encounter: disallow-capabilities-strict:\n require-drop-all: 'validation failure: Containers must drop ALL capabilities
#10597
Hi Team, there is one issue, as below, for KafkaConnect reconciliation.

{"instant":{"epochSecond":1726618252,"nanoOfSecond":192783309},"thread":"StrimziPodSetController","level":"ERROR","loggerName":"io.strimzi.operator.cluster.operator.assembly.StrimziPodSetController","marker":{"name":"StrimziPodSet(XXXX/XXXX-connect)"},"message":"Reconciliation #1080(watch) StrimziPodSet(XXXX/XXXX-connect): StrimziPodSet XXXX-connect in namespace XXXX reconciliation failed","thrown":{"commonElementCount":0,"localizedMessage":"Failure executing: POST at: https://api.025qaauto01.hxmnonprod.internal.live.k8s.ondemand.com:443/api/v1/namespaces/XXXX/pods. Message: admission webhook "validate.kyverno.svc-fail" denied the request: \n\nresource Pod/XXXX/XXXX-connect-0 was blocked due to the following policies \n\ndisallow-capabilities-strict:\n require-drop-all: 'validation failure: Containers must drop

The KafkaConnect configuration is as below, and I think the securityContext configuration should resolve the current issue, but it does not work. Could you help with that?
---------kafka-connect.yaml-------
Thanks.
Replies: 1 comment 1 reply
Unfortunately, the error message about the issue is not completely clear. So you might need to check with whoever configured that to tell you what exactly the issue is.

But with rack awareness enabled, you might need to configure the security context also for the init container used to gather the rack information. So that might be something worth trying.
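To narrow down which container in a rejected pod triggers a "must drop ALL capabilities" rule, the check below walks every container list in a pod manifest, init containers included. It is an added example, not code from this thread, Strimzi or Kyverno; the pod, container and image names are constructed, and the matching logic is an assumed approximation of such a rule rather than the policy's own implementation.

```python
import copy

# Container lists in a pod spec; a rule that applies to "containers" in the
# broad sense has to be satisfied by each of them (assumption of this example).
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def containers_not_dropping_all(pod):
    """Return (field, container_name) for each container whose
    securityContext.capabilities.drop does not include "ALL"."""
    failures = []
    spec = pod.get("spec") or {}
    for field in CONTAINER_FIELDS:
        for container in spec.get(field) or []:
            sec_ctx = container.get("securityContext") or {}
            caps = sec_ctx.get("capabilities") or {}
            if "ALL" not in (caps.get("drop") or []):
                failures.append((field, container.get("name", "<unnamed>")))
    return failures


# Constructed pod: the main container drops ALL, the init container sets nothing.
SAMPLE_POD = {
    "metadata": {"name": "example-connect-0"},
    "spec": {
        "initContainers": [
            {"name": "example-init", "image": "example.invalid/init:tag"},
        ],
        "containers": [
            {
                "name": "example-connect",
                "image": "example.invalid/connect:tag",
                "securityContext": {"capabilities": {"drop": ["ALL"]}},
            },
        ],
    },
}

# Same pod with the init container given the same securityContext.
FIXED_POD = copy.deepcopy(SAMPLE_POD)
FIXED_POD["spec"]["initContainers"][0]["securityContext"] = {
    "capabilities": {"drop": ["ALL"]}
}

if __name__ == "__main__":
    print("sample:", containers_not_dropping_all(SAMPLE_POD))
    print("fixed: ", containers_not_dropping_all(FIXED_POD))
```
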