UNCLASSIFIED - NO CUI

Skip to content

Fix eso_mount.yaml kyverno policy issues

Bug

Description

While running in BB pipeline eso_mount.yaml test script is throwing kyverno policy errors

disallow-image-tags:
  require-image-tag: '\''validation failure: validation error: Images without tags are
    mutable and not allowed. rule require-image-tag failed at path /image/'\''
require-drop-all-capabilities:
  drop-all-capabilities: '\''validation failure: Containers must drop all Linux capabilities
    by setting the fields spec.containers[*].securityContext.capabilities.drop, spec.initContainers[*].securityContext.capabilities.drop,
    and spec.ephemeralContainers[*].securityContext.capabilities.drop to `ALL`.'\''
require-non-root-group:
  run-as-group: '\''validation failure: validation error: runAsGroup must be set to an
    id > 0 in either spec.securityContext.runAsGroup or (spec.containers[*].securityContext.runAsGroup,
    spec.initContainers[*].securityContext.runAsGroup, and spec.ephemeralContainers[*].securityContext.runAsGroup).
    rule run-as-group[0] failed at path /securityContext/'\''
require-non-root-user:
  non-root-user: '\''validation failure: validation error: Either `runAsNonRoot` must
    be set to true or `runAsUser` must be > 0 in spec.securityContext or (spec.containers[*].securityContext,
    spec.initContainers[*].securityContext, and spec.ephemeralContainers[*].securityContext).
    rule non-root-user[0] failed at path /securityContext/ rule non-root-user[1] failed
    at path /securityContext/'\''
restrict-host-path-write:
  require-readonly-hostpath: rule skipped
restrict-image-registries:
  validate-registries: '\''validation failure: validation error: Image registry is not
    in the approved list. rule validate-registries failed at path /image/'\'''

Example https://repo1.dso.mil/big-bang/bigbang/-/jobs/36206724

UNCLASSIFIED - NO CUI