Fixing PodSecurity Admission warnings for a Deployment
Issue
- Why are Pod Security warnings displayed even though the Deployment is running under the restricted-v2 SCC?
$ oc create deployment hello-node --image=k8s.gcr.io/e2e-test-images/agnhost:2.33 -- /agnhost serve-hostname
Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "agnhost" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "agnhost" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "agnhost" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "agnhost" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
deployment.apps/hello-node created
$ oc describe pod hello-node-855787d74c-h99pg | grep scc
openshift.io/scc: restricted-v2
- The same warnings are displayed for Pods running in the openshift-operators namespace.
Environment
- Red Hat OpenShift Container Platform 4.11 and later
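The warning text above names the four securityContext fields the restricted PodSecurity profile checks. The manifest below is an added example (not from the article) of the same hello-node Deployment with exactly those four fields set, so that the pod spec satisfies the restricted profile and the admission warning is no longer raised; the pod-level seccompProfile and runAsNonRoot settings apply to every container, the container-level fields must be set per container, and the resource name, image and command are taken from the oc command shown above.

```yaml
# Added example: hello-node Deployment adjusted to satisfy PodSecurity "restricted".
# Each securityContext field below corresponds to one clause of the warning
# emitted by `oc create deployment hello-node ...` in the article.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-node
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-node
  template:
    metadata:
      labels:
        app: hello-node
    spec:
      # Pod-level settings: cover "runAsNonRoot != true" and "seccompProfile".
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: agnhost
          image: k8s.gcr.io/e2e-test-images/agnhost:2.33
          command: ["/agnhost", "serve-hostname"]
          # Container-level settings: cover "allowPrivilegeEscalation != false"
          # and "unrestricted capabilities".
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
```

Apply it with `oc apply -f hello-node.yaml` and confirm the pod is still admitted under the restricted-v2 SCC with `oc describe pod <pod-name> | grep scc`; the SCC assigns the pod's UID from the namespace range, which is what lets runAsNonRoot: true hold without pinning a UID in the manifest.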