Uploaded image for project: 'Maistra'
  1. Maistra
  2. MAISTRA-548

Drop MKNOD kernel capability from sidecar so app pods can run with the anyuid SCC

XMLWordPrintable

    • Maistra TP sprint 12

      When the sidecar is injected into an application pod, the pod fails the SecurityContextConstraint (SCC) check, because it doesn't drop the CAP_MKNOD capability. The SCC admission controller tries to drop it, but it tries to do that in the validation phase instead of the mutation phase (admission controllers get invoked twice - during the first invocation, they are supposed to mutate the pod if needed, during the second invocation, they should only validate the pod). The reason behind this is that the sidecar was injected after the SCC admission controller was invoked the first time.

      To ensure the SCC controller doesn't need to mutate the pod during the validation phase, the sidecar spec must drop all capabilities that the applied SCC requires to be dropped. For the anyuid SCC, it needs to drop CAP_MKNOD.

              mluksa@redhat.com Marko Luksa
              mluksa@redhat.com Marko Luksa
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: