kube-arangodb: ArangoDB Operator fail with unprivileged PodSecurityPolicy

Hello all,

I have a problem when I try to install the ArangoDB operator on Kubernetes with an unprivileged policy. The error looks like:

Warning FailedCreate 5m35s (x18 over 16m) replicaset-controller Error creating: pods "arango-ts-operator-7c8cf4cf7d-" is forbidden: PodSecurityPolicy: unable to admit pod: []

The policy is:

---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
  labels:
    kubernetes.io/cluster-service: "true"
    eks.amazonaws.com/component: pod-security-policy
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
    # apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
    # apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
spec:
  privileged: false
  # Required to prevent escalations to root.
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - 'KILL'
    - 'MKNOD'
    - 'SETUID'
    - 'SETGID'
  # Allow core volume types.
  volumes:
    - configMap
    - downwardAPI
    - emptyDir
    - persistentVolumeClaim
    - projected
    - secret
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    # Require the container to run without root privileges.
    rule: 'MustRunAsNonRoot'
  seLinux:
    # This policy assumes the nodes are using AppArmor rather than SELinux.
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false

CRD: helm -n arangodb-operator install arangodb-operator-crd https://github.com/arangodb/kube-arangodb/releases/download/1.2.3/kube-arangodb-crd-1.2.3.tgz

Operator: helm -n arangodb-operator install ts https://github.com/arangodb/kube-arangodb/releases/download/1.2.3/kube-arangodb-1.2.3.tgz

Does anyone know how to resolve that? Or is it possible to resolve that? #677: this problem may be related.
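The admission error above gives an empty reason list, so it helps to reproduce the policy's checks locally. The following is an added example, not code from the issue or from kube-arangodb: a small checker that transcribes the restricted PodSecurityPolicy shown above and reports the explicit conflicts PSP admission would reject for a given pod spec. The sample pod spec is constructed for illustration, not the real operator pod.

```python
# Added example, not code from the issue or from kube-arangodb: a local checker
# mirroring the "restricted" PodSecurityPolicy quoted above. It reports explicit
# conflicts; fields PSP admission defaults when unset (allowPrivilegeEscalation,
# required capability drops, runAsNonRoot) are not treated as violations.

RESTRICTED_PSP = {  # transcription of the policy in the issue
    "privileged": False, "allowPrivilegeEscalation": False,
    "requiredDropCapabilities": {"KILL", "MKNOD", "SETUID", "SETGID"},
    "volumes": {"configMap", "downwardAPI", "emptyDir",
                "persistentVolumeClaim", "projected", "secret"},
    "hostNetwork": False, "hostIPC": False, "hostPID": False,
    "runAsUser": "MustRunAsNonRoot",
    "fsGroup": (1, 65535), "supplementalGroups": (1, 65535),  # MustRunAs ranges
}

SAMPLE_POD = {  # constructed pod spec shaped like an operator pod (not the real one)
    "securityContext": {"fsGroup": 0},  # root group: forbidden by the ranges above
    "volumes": [{"name": "tmp", "emptyDir": {}}, {"name": "h", "hostPath": {"path": "/"}}],
    "containers": [{"name": "operator", "securityContext": {"runAsUser": 0}}],
}

def psp_violations(pod_spec, psp=RESTRICTED_PSP):
    """Return human-readable reasons the pod spec conflicts with the PSP."""
    reasons = []
    for key in ("hostNetwork", "hostIPC", "hostPID"):
        if pod_spec.get(key) and not psp[key]:
            reasons.append(f"{key} is not allowed")
    for vol in pod_spec.get("volumes", []):
        for kind in (k for k in vol if k != "name"):
            if kind not in psp["volumes"]:
                reasons.append(f"volume {vol['name']}: type {kind} not allowed")
    pod_sc = pod_spec.get("securityContext", {})
    for field in ("fsGroup", "supplementalGroups"):
        lo, hi = psp[field]
        val = pod_sc.get(field)
        for gid in ([val] if isinstance(val, int) else val or []):
            if not lo <= gid <= hi:
                reasons.append(f"{field} {gid} outside allowed range {lo}-{hi}")
    for c in pod_spec.get("containers", []):
        sc = {**pod_sc, **c.get("securityContext", {})}  # container overrides pod
        name = c["name"]
        if sc.get("privileged") and not psp["privileged"]:
            reasons.append(f"container {name}: privileged not allowed")
        if sc.get("allowPrivilegeEscalation") and not psp["allowPrivilegeEscalation"]:
            reasons.append(f"container {name}: allowPrivilegeEscalation must be false")
        added = set(sc.get("capabilities", {}).get("add", []))
        for cap in sorted(added & psp["requiredDropCapabilities"]):
            reasons.append(f"container {name}: capability {cap} must be dropped")
        if psp["runAsUser"] == "MustRunAsNonRoot":
            if sc.get("runAsUser") == 0 or sc.get("runAsNonRoot") is False:
                reasons.append(f"container {name}: must run as non-root")
    return reasons
```

Run it against the pod template from the operator Deployment (for example the output of kubectl get deploy -o json) to see which of the policy's constraints the pod trips, rather than guessing from the empty reason list.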

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 18 (6 by maintainers)

Most upvoted comments

Sure, here is the issue. Sadly no one has replied to it from the ArangoDB team!

While the fsGroup from the securityContext is not used in the id container, we found out that the problem lies with the Docker image of the id container itself.

The Alpine image has "echo chmod -R 775 /var/lib/arangodb3 /var/lib/arangodb3-apps", which doesn't do much other than echo the command instead of changing the permissions on the folder to be root-group writable.

With that fixed, setting the user group to 0 solves the issue. Now I have to create an issue in that repo for it!

Sadly fsGroup is the only parameter that is not considered in the securityContext, and in my environment I end up with permission denied on the PVC that has a restriction on the root fsGroup.