proxy-init container doesn't set runAsNonRoot: false
#697
Labels
bug
Something isn't working
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
When a pod has a
securityContext, all its containers inherit that and have the option of overriding each setting in that map. If thispodSecurityContextincludesrunAsNonRoot: true, then theproxy-initcontainer fails to run, because it requires running as root. The webhook does setrunAsUser: 0, so I assume this is an oversight rather than a deliberate choice.Steps To Reproduce
Create a pod configured to use workload identity and the annotation
azure.workload.identity/inject-proxy-sidecar: "true", and include aspec.securityContextthat includesrunAsNonRoot: true. I ran into this installing the Hashicorp Vault Helm chart. Vault doesn't support MSAL yet, so it requires the proxy to use WI.Expected behavior
The
proxy-initinitContainerstarts and executes correctly.Logs
Scrolled off-screen, I'm afraid; the events in the output of
kubectl describe podare where the complaint can easily be found.Environment
kubectl version): server=1.23.12Additional context
I have a fix which works for me. I'll submit it as a PR.
The text was updated successfully, but these errors were encountered: