Ability to set securitycontext for harness images
long-term
Powerful Salmon
Need to set supplementalGroups, fsGroup, runAsGroup and others under the container securityContext for Gatekeeper policy compliance for the Harness ci-addon, ci-lite and drone images.
Canny AI
Merged in a post:
Container run failed to create due to container security settings
Dew Gibbon
How to configure seccompProfile? It's not in the Container Run step.
Nofar Bluestein
long-term
Nofar Bluestein
under review
Pranav Rastogi
Merged in a post:
Support for seccompProfile as a field in K8 configuration in CI
Neat Perch
Support for seccompProfile as a field in K8 configuration in CI
Obvious Trout
Support spec.template.spec.runtimeClassName as a field in the K8s configuration in CI.
Dew Gibbon
We need to configure seccompProfile in the Harness UI.
Dew Gibbon
Hello, we have our delegate running in a namespace with "pod-security.kubernetes.io/enforce" = "restricted"
and we have the following security context in the pod manifest:
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  runAsNonRoot: true
  runAsUser: 1001
  seccompProfile:
    type: RuntimeDefault
We also configured the Container Run step (see attachment).
But we got:
Error: Container creation ran into error: pods "harnesscd-container1-pnd1zrly" is forbidden: violates PodSecurity "restricted:v1.27": allowPrivilegeEscalation != false (containers "setup-addon", "step-container1", "lite-engine" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "setup-addon", "step-container1", "lite-engine" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or containers "setup-addon", "step-container1", "lite-engine" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
How to configure seccompProfile? It's not in the Container Run step.
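As an added example (not Harness code and not the delegate manifest above): a check of a pod spec against the three restricted-profile controls named in the error, next to the per-container securityContext that satisfies them. The step pod and its container names are constructed from the error message; everything else is an assumption for illustration.

```python
import copy

RESTRICTED_SECCOMP = ("RuntimeDefault", "Localhost")

# Constructed step pod mirroring the container names in the error above;
# none of the containers carries a securityContext, so all three controls fail.
STEP_POD = {
    "containers": [{"name": n} for n in ("setup-addon", "step-container1", "lite-engine")],
}


def restricted_violations(pod_spec):
    """Check the three restricted-profile controls named in the error message.
    allowPrivilegeEscalation and capabilities.drop are per container only;
    seccompProfile may be set at pod level and inherited by the containers."""
    pod_sc = pod_spec.get("securityContext") or {}
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    no_ape, bad_caps, bad_seccomp = [], [], []
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            no_ape.append(c["name"])
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            bad_caps.append(c["name"])
        # a container-level seccompProfile overrides the pod-level one
        seccomp = (sc.get("seccompProfile") or {}).get("type", pod_seccomp)
        if seccomp not in RESTRICTED_SECCOMP:
            bad_seccomp.append(c["name"])
    out = []
    if no_ape:
        out.append(f"allowPrivilegeEscalation != false (containers {no_ape} must set securityContext.allowPrivilegeEscalation=false)")
    if bad_caps:
        out.append(f'unrestricted capabilities (containers {bad_caps} must set securityContext.capabilities.drop=["ALL"])')
    if bad_seccomp:
        out.append(f"seccompProfile (pod or containers {bad_seccomp} must set securityContext.seccompProfile.type to RuntimeDefault or Localhost)")
    return out


def harden(pod_spec):
    """Return a copy whose containers carry the securityContext the restricted profile requires."""
    hardened = copy.deepcopy(pod_spec)
    for c in hardened.get("containers", []) + hardened.get("initContainers", []):
        sc = c.setdefault("securityContext", {})
        sc["allowPrivilegeEscalation"] = False
        sc.setdefault("capabilities", {})["drop"] = ["ALL"]
        sc["runAsNonRoot"] = True
        sc["seccompProfile"] = {"type": "RuntimeDefault"}
    return hardened
```

Running `restricted_violations(STEP_POD)` reproduces the three findings from the error; `restricted_violations(harden(STEP_POD))` is empty, and a pod-level seccompProfile alone clears only the seccompProfile finding.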