I am trying to install kuberhealthy into a "hardened" Kubernetes 1.28.8 cluster, and the pods are failing to start because container "kuberhealthy" must set securityContext.capabilities.drop=["ALL"]. While I can set the rest of the required securityContext settings via the helm chart values file, the capabilities key is missing from the securityContext set in deployment.yaml (kuberhealthy/deploy/helm/kuberhealthy/templates/deployment.yaml, lines 90 to 98 in e7497d9).
Have there been any thoughts to either adding the capabilities key to the securityContext, or adding the ability to have an arbitrary map of values to be added?
Thanks!
I too am having this issue with Kuberhealthy on a CIS hardened Kubernetes cluster. We are unable to set the capabilities because that option is unavailable in the deployment template, as you have pointed out, @sjthespian.
Being able to add the securityContext to the initial pod that is spawned only solves half the issue, sadly :(
As mentioned in #1243, the pods generated by the checks (through the daemonset check or deployment check) don't have a full security context set either and will fail on a restricted cluster as well.
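An added example, not part of the thread or of the kuberhealthy project: a small Python check that can be run over a rendered pod spec (the chart's Deployment or a check's pod template) to list containers that would be rejected for the reason quoted in the issue. It assumes the cluster enforces the Pod Security Standards "restricted" container fields and covers only a simplified subset of them; the sample spec and the `sidecar` container are constructed.

```python
import json

# Constructed sample pod spec: the "kuberhealthy" container lacks
# capabilities.drop, as described in the issue; "sidecar" is hypothetical.
SAMPLE_POD_SPEC = json.loads("""
{
  "securityContext": {"runAsNonRoot": true,
                      "seccompProfile": {"type": "RuntimeDefault"}},
  "containers": [
    {"name": "kuberhealthy",
     "securityContext": {"allowPrivilegeEscalation": false,
                         "readOnlyRootFilesystem": true}},
    {"name": "sidecar",
     "securityContext": {"allowPrivilegeEscalation": false,
                         "capabilities": {"drop": ["ALL"]}}}
  ]
}
""")


def restricted_violations(pod_spec):
    """List containers missing fields of the 'restricted' profile (subset)."""
    pod_sc = pod_spec.get("securityContext") or {}
    containers = []
    for key in ("initContainers", "containers", "ephemeralContainers"):
        containers.extend(pod_spec.get(key) or [])
    problems = []
    for c in containers:
        who = 'container "%s" must set securityContext.' % c.get("name", "?")
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            problems.append(who + 'capabilities.drop=["ALL"]')
        if any(a != "NET_BIND_SERVICE" for a in (caps.get("add") or [])):
            problems.append(who + "capabilities.add to NET_BIND_SERVICE only")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(who + "allowPrivilegeEscalation=false")
        # These two fields may be inherited from the pod-level securityContext.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(who + "runAsNonRoot=true")
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            problems.append(who + "seccompProfile.type")
    return problems


if __name__ == "__main__":
    for line in restricted_violations(SAMPLE_POD_SPEC):
        print(line)
```

Because the second comment points out that check pods are generated separately, the same function needs to be applied to each pod template the checks create, not only to the chart's Deployment.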