Describe the bug
The admission webhook injects azwi-proxy as a sidecar container. The injected container defines a securityContext that defines that the container will run as non-root.
Edited the original repro steps (which explained how to replicate using ExternalDNS) to replace them with steps that don't depend on a third-party chart and can be tested in isolation.
@ldardick FYI:
The same issue is happening with Velero deployment as well. Unable to store PVC data with restic when using azure workload identity to access Azure storage account.
For what it's worth, if you downgrade to 1.0.0, that version doesn't have the security context hardcoded and works
Describe the bug
The admission webhook injects azwi-proxy as a sidecar container. The injected container defines a securityContext that defines that the container will run as non-root.
However, in some scenarios this may violate the existing non-root policy defined by the pod causing the sidecar container not being able to progress.
Version 0.15 (that we were using prior to the release of 1.10) didn't have the securityContext defined.
Steps To Reproduce
[edited to add repro steps that don't depend on any third-party chart]
1.1.0 of the admission webhook
Expected behavior
The admission webhook chart should allow configuring if the sidecar proxy will run as root or not.
Logs
N/A, the container won't be able to progress
Environment
kubectl version: 1.25.6
cat /etc/os-release: Ubuntu 22.04.2 LTS
uname -a: 5.15.0-1039-azure
Additional context
N/A
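An added example, not part of the original issue or the project's code: a Python check that applies the kubelet's runAsNonRoot rule to a pod spec, showing one way an injected non-root sidecar can conflict with pod-level settings. The pod-level runAsUser: 0, the sidecar's runAsNonRoot: true, the image names and all function names are assumptions made for illustration.

```python
# Added example: evaluates the kubelet's runAsNonRoot rule for each container in a pod spec.

def effective_context(pod_spec, container):
    """Container-level securityContext fields override the pod-level ones."""
    pod_sc = pod_spec.get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    return {key: ctr_sc.get(key, pod_sc.get(key))
            for key in ("runAsNonRoot", "runAsUser")}

def non_root_verdict(pod_spec, container, image_user=None):
    """image_user is the image's USER: an int UID, a name, or None (defaults to root)."""
    sc = effective_context(pod_spec, container)
    if not sc["runAsNonRoot"]:
        return "ok"  # no non-root requirement in effect
    if sc["runAsUser"] is not None:
        # An explicit UID decides the outcome; UID 0 contradicts runAsNonRoot.
        if sc["runAsUser"] == 0:
            return "conflict: runAsUser 0 with runAsNonRoot"
        return "ok"
    if image_user is None or image_user == 0:
        return "conflict: image runs as root"
    if isinstance(image_user, str):
        # A user name cannot be verified as non-root without a numeric UID.
        return "conflict: non-numeric image user"
    return "ok"

def check_pod(pod_spec, image_users=None):
    """Return {container name: verdict}; image_users maps names to image USER values."""
    image_users = image_users or {}
    return {c["name"]: non_root_verdict(pod_spec, c, image_users.get(c["name"]))
            for c in pod_spec.get("containers", [])}

# Constructed sample: a pod that sets runAsUser: 0 at pod level, plus a sidecar
# carrying runAsNonRoot: true (assumed shape of the injected securityContext).
SAMPLE_POD = {
    "securityContext": {"runAsUser": 0},
    "containers": [
        {"name": "app", "image": "example/app:1"},
        {"name": "azwi-proxy", "image": "example/proxy:1",
         "securityContext": {"runAsNonRoot": True}},
    ],
}

if __name__ == "__main__":
    for name, verdict in check_pod(SAMPLE_POD).items():
        print(f"{name}: {verdict}")
```

Running the same check in CI against rendered manifests, with the sidecar added as the webhook would inject it, surfaces the conflict before the pod is scheduled.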