[BUG] error from server(forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [denied by pod-allowed-capabilities] [azurepolicy-k8azurev2nonprivilege-19124c6401684452c142] privilege container not allowed: copy-azurekeyvault-env #817
Labels
bug
Note: Make sure to check out known issues (https://akv2k8s.io/troubleshooting/known-issues/) before submitting
Components and versions
Select which component(s) the bug relates to with [X].
[ ] Controller, version: 1.7.3 (docker image tag)
[ ] Env-Injector (webhook), version: 1.7.3 (docker image tag)
[ ] Other
Describe the bug
A clear and concise description of what the bug is.
Getting an error: denied, privilege container not allowed.
error from server(forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [denied by pod-allowed-capabilities] [azurepolicy-k8azurev2nonprivilege-19124c6401684452c142] privilege container not allowed: copy-azurekeyvault-env, securityContext { "capabilities" : {"drop" } : [ "ALL" ]}, "privilege" : "true", "readOnlyRootFileSystem" : "true" , "runasNonRoot" : "false" }
It seems the code below is blocked by the above policy; is there any way to override it in the file cmd/azure-keyvault-secrets-webhook/pod.go?
```go
// SecurityContext of the copy-azurekeyvault-env init container: capabilities
// are always dropped, the remaining three settings are read from viper config.
SecurityContext: &corev1.SecurityContext{
	Capabilities: &corev1.Capabilities{
		Drop: []corev1.Capability{"ALL"},
	},
	ReadOnlyRootFilesystem: &[]bool{viper.GetBool("webhook_container_security_context_read_only")}[0],
	RunAsNonRoot:           &[]bool{viper.GetBool("webhook_container_security_context_non_root")}[0],
	Privileged:             &[]bool{viper.GetBool("webhook_container_security_context_privileged")}[0],
},
```
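The following is an added illustration, not code from the akv2k8s project or from this issue: it rebuilds the init container's securityContext from the same three configuration keys the snippet above reads, renders it as the JSON the admission webhook sees, and evaluates it against the constraint named in the error (a privileged container is denied). Local stand-in types replace corev1.SecurityContext and a plain map replaces viper so the example runs without Kubernetes dependencies; how the real deployment sets those keys is not shown on this page and is not assumed here. The two configurations are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Stand-ins for the corev1 types used in pod.go, with the Kubernetes JSON
// field names, so the example runs without k8s.io/api. (Constructed.)
type Capabilities struct {
	Drop []string `json:"drop,omitempty"`
}

type SecurityContext struct {
	Capabilities           *Capabilities `json:"capabilities,omitempty"`
	ReadOnlyRootFilesystem *bool         `json:"readOnlyRootFilesystem,omitempty"`
	RunAsNonRoot           *bool         `json:"runAsNonRoot,omitempty"`
	Privileged             *bool         `json:"privileged,omitempty"`
}

func boolPtr(b bool) *bool { return &b }

// Config stands in for viper; the keys are the ones pod.go reads.
type Config map[string]bool

// BuildInitContainerSecurityContext mirrors the struct literal from
// cmd/azure-keyvault-secrets-webhook/pod.go: ALL capabilities are always
// dropped, the other three settings come from configuration.
func BuildInitContainerSecurityContext(cfg Config) SecurityContext {
	return SecurityContext{
		Capabilities:           &Capabilities{Drop: []string{"ALL"}},
		ReadOnlyRootFilesystem: boolPtr(cfg["webhook_container_security_context_read_only"]),
		RunAsNonRoot:           boolPtr(cfg["webhook_container_security_context_non_root"]),
		Privileged:             boolPtr(cfg["webhook_container_security_context_privileged"]),
	}
}

// ToJSON renders the context the way it appears in the mutated pod spec.
func ToJSON(sc SecurityContext) string {
	b, err := json.Marshal(sc)
	if err != nil {
		return ""
	}
	return string(b)
}

// PolicyViolations applies the rule behind the reported denial: a container
// with privileged=true is rejected. An empty result means the constraint
// would admit the container.
func PolicyViolations(container string, sc SecurityContext) []string {
	var violations []string
	if sc.Privileged != nil && *sc.Privileged {
		violations = append(violations,
			fmt.Sprintf("privileged container not allowed: %s", container))
	}
	return violations
}

func main() {
	// Constructed: the configuration behind the reported error, and the one
	// that passes the constraint (privileged flag turned off).
	denied := Config{
		"webhook_container_security_context_read_only":  true,
		"webhook_container_security_context_non_root":   false,
		"webhook_container_security_context_privileged": true,
	}
	admitted := Config{
		"webhook_container_security_context_read_only":  true,
		"webhook_container_security_context_non_root":   true,
		"webhook_container_security_context_privileged": false,
	}
	for _, cfg := range []Config{denied, admitted} {
		sc := BuildInitContainerSecurityContext(cfg)
		fmt.Println(ToJSON(sc))
		fmt.Println(PolicyViolations("copy-azurekeyvault-env", sc))
	}
}
```

Running it prints the securityContext JSON for both configurations, followed by the violation list: the first produces the same "privileged container not allowed: copy-azurekeyvault-env" finding as Gatekeeper, the second produces none, which is the state the constraint expects the init container to be in.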