Describe the bug
When a pod has a securityContext, all its containers inherit that and have the option of overriding each setting in that map. If this pod securityContext includes runAsNonRoot: true, then the proxy-init container fails to run, because it requires running as root. The webhook does set runAsUser: 0, so I assume this is an oversight rather than a deliberate choice.
Steps To Reproduce
Create a pod configured to use workload identity and the annotation azure.workload.identity/inject-proxy-sidecar: "true", and include a spec.securityContext that includes runAsNonRoot: true. I ran into this installing the Hashicorp Vault Helm chart. Vault doesn't support MSAL yet, so it requires the proxy to use WI.
Expected behavior
The proxy-init initContainer starts and executes correctly.
Logs
Scrolled off-screen, I'm afraid; the events in the output of kubectl describe pod are where the complaint can easily be found.
Environment
Kubernetes version (use kubectl version): server=1.23.12
Cloud provider or hardware configuration: Azure AKS
Additional context
I have a fix which works for me. I'll submit it as a PR.
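To make the inheritance described in the report concrete, the following added example (not code from the workload-identity webhook or from the reporter's PR) models how Kubernetes merges the pod-level securityContext with each container's own securityContext, and the non-root check the kubelet applies before starting a container. The pod manifest is constructed to resemble the Vault pod in the report, the proxy-init image name is a placeholder, and the candidate fix (setting runAsNonRoot: false on proxy-init alongside runAsUser: 0) is an assumption of this example, not the fix the reporter submitted.

```python
"""Model of pod/container securityContext inheritance and the kubelet's
runAsNonRoot check. Added example; the manifest below is constructed."""
from __future__ import annotations

import copy
from typing import Any

# Pod-level settings that every container inherits unless it overrides them.
INHERITED_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot",
                    "seccompProfile", "seLinuxOptions")

# Placeholder: the real webhook injects its own proxy-init image.
PROXY_INIT_IMAGE = "PROXY_INIT_IMAGE_PLACEHOLDER"


def effective_security_context(pod_sc: dict[str, Any],
                               container_sc: dict[str, Any] | None) -> dict[str, Any]:
    """Container-level fields win; anything unset falls back to the pod level."""
    merged = {k: v for k, v in pod_sc.items() if k in INHERITED_FIELDS}
    merged.update(container_sc or {})
    return merged


def non_root_violation(pod_sc: dict[str, Any], container_sc: dict[str, Any] | None,
                       image_runs_as_root: bool = True) -> str | None:
    """Return why the kubelet would refuse to start the container, or None.

    With runAsNonRoot true, an explicit runAsUser of 0 is rejected; with no
    runAsUser at all, the image's own user is consulted instead.
    """
    sc = effective_security_context(pod_sc, container_sc)
    if not sc.get("runAsNonRoot"):
        return None
    uid = sc.get("runAsUser")
    if uid is not None:
        return f"runAsUser={uid} conflicts with runAsNonRoot" if uid == 0 else None
    return "image runs as root but runAsNonRoot is set" if image_runs_as_root else None


# Constructed pod: pod-level runAsNonRoot with a non-root uid, as a Vault-style
# chart might set it, plus the annotation that requests the proxy sidecar.
VAULT_POD: dict[str, Any] = {
    "metadata": {
        "name": "vault-0",
        "annotations": {"azure.workload.identity/inject-proxy-sidecar": "true"},
    },
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 100,
                            "runAsGroup": 1000, "fsGroup": 1000},
        "containers": [{"name": "vault", "image": "vault-image-placeholder"}],
    },
}


def inject_proxy_init(pod: dict[str, Any],
                      set_run_as_non_root_false: bool = False) -> dict[str, Any]:
    """Simulate the webhook adding the proxy-init initContainer (assumed shape).

    The webhook sets runAsUser: 0; the optional flag models the candidate fix
    of also setting runAsNonRoot: false so the pod-level value is overridden.
    """
    pod = copy.deepcopy(pod)
    annotations = pod["metadata"].get("annotations", {})
    if annotations.get("azure.workload.identity/inject-proxy-sidecar") != "true":
        return pod
    sc: dict[str, Any] = {"runAsUser": 0}
    if set_run_as_non_root_false:
        sc["runAsNonRoot"] = False
    pod["spec"].setdefault("initContainers", []).insert(
        0, {"name": "proxy-init", "image": PROXY_INIT_IMAGE, "securityContext": sc})
    return pod


def rejected_containers(pod: dict[str, Any]) -> list[str]:
    """Names of init and regular containers the kubelet would refuse to start."""
    pod_sc = pod["spec"].get("securityContext", {})
    spec = pod["spec"]
    rejected = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        if non_root_violation(pod_sc, c.get("securityContext")) is not None:
            rejected.append(c["name"])
    return rejected


if __name__ == "__main__":
    print("as injected:", rejected_containers(inject_proxy_init(VAULT_POD)))
    print("with override:", rejected_containers(
        inject_proxy_init(VAULT_POD, set_run_as_non_root_false=True)))
```

Running the block shows proxy-init rejected in the first case and nothing rejected once the init container carries its own runAsNonRoot: false, which is the per-field override the report refers to. The same check can be run against a real pod spec pulled with kubectl get pod -o json to see which container inherits a conflicting pod-level value.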