Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ISSUE] Capabilities are not rendered when containerSecurityContext.privileged is set to true #2331

Open
Tracked by #1
drodriguez-305 opened this issue Sep 11, 2024 · 1 comment
Open
Tracked by #1

[ISSUE] Capabilities are not rendered when containerSecurityContext.privileged is set to true #2331

drodriguez-305 opened this issue Sep 11, 2024 · 1 comment
Labels
kind/issue Unidentified issue, it could be a bug, misconfig, or anything in between platform/aws Issues related to AWS platform/gcp Issues related to GCP

Comments

@drodriguez-305
Copy link
Contributor

drodriguez-305 commented Sep 11, 2024
edited
Loading

Describe the issue:
Capabilities are not rendered when containerSecurityContext.privileged is set to true. This affects all of our components.

This line seems to be the culprit.

camunda-platform-helm/charts/camunda-platform-alpha/templates/zeebe/statefulset.yaml

Line 51 in 025e1d8

securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.zeebe.containerSecurityContext "context" $) | nindent 12 }}

Which references a common _compatibility.tpl file I found this reference which tells it to omit capabilities if privileged is set


{{/* Remove fields that are disregarded when running the container in privileged mode */}}
{{- if $adaptedContext.privileged -}}
  {{- $adaptedContext = omit $adaptedContext "capabilities" "seLinuxOptions" -}}
{{- end -}}
{{- omit $adaptedContext "enabled" | toYaml -}}
{{- end -}}

Actual behavior:

When setting containerSecurityContext.privileged=true and containerSecurityContext.capabilities the capabilities do not render. However if containerSecurityContext.privileged=false then containerSecurityContext.capabilities renders.

containerSecurityContext:
   ## @param securityContext.allowPrivilegeEscalation
   allowPrivilegeEscalation: true
   ## @param securityContext.privileged
   privileged: true
   ## @param securityContext.readOnlyRootFilesystem
   readOnlyRootFilesystem: true
   ## @param securityContext.runAsUser
   runAsUser: 1000
   capabilities:
     add: [ "NET_ADMIN" ]

Expected behavior:
capabilities should render with any containerSecurityContext.privileged set

How to reproduce:

Logs:

Environment:

Please note: Without the following info, it's hard to resolve the issue and probably it will be closed.

  • Platform:
  • Helm CLI version:
  • Chart version: Alpha
  • Values file:
@drodriguez-305 drodriguez-305 added the kind/issue Unidentified issue, it could be a bug, misconfig, or anything in between label Sep 11, 2024
@github-actions github-actions bot added platform/aws Issues related to AWS platform/gcp Issues related to GCP labels Sep 11, 2024
@hamza-m-masood
Copy link
Contributor

relevant slack thread: https://camunda.slack.com/archives/C03UR0V2R2M/p1725264529353669

@aabouzaid aabouzaid mentioned this issue Oct 12, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/issue Unidentified issue, it could be a bug, misconfig, or anything in between platform/aws Issues related to AWS platform/gcp Issues related to GCP
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@hamza-m-masood @drodriguez-305