UNCLASSIFIED - NO CUI

Default kyverno policies do not allow Jira to be installed with default settings

Bug

Description

Describe the problem, what were you doing when you noticed the bug? Received these Kyverno errors:

require-drop-all-capabilities:
  drop-all-capabilities: 'validation failure: Containers must drop all Linux capabilities
    by setting the fields spec.containers[*].securityContext.capabilities.drop, spec.initContainers[*].securityContext.capabilities.drop,
    and spec.ephemeralContainers[*].securityContext.capabilities.drop to `ALL`.'
require-non-root-user:
  non-root-user: 'validation failure: validation error: Either `runAsNonRoot` must
    be set to true or `runAsUser` must be > 0 in spec.securityContext or (spec.containers[*].securityContext,
    spec.initContainers[*].securityContext, and spec.ephemeralContainers[*].securityContext).
    rule non-root-user failed at path /securityContext/runAsNonRoot/'

Provide any steps possible used to reproduce the error (ideally in an isolated fashion). Attempt to deploy Jira with these settings:

packages:
  # This will be used as the namespace for the install, as well as the name of the helm release. If this is changed, the destination service (below) needs to also be changed.
  jira:
    dependsOn:
      #- name: authservice
      #  namespace: bigbang
    enabled: true
    # Disabling this will bypass creating the istio VirtualService and NetworkPolicies.
    wrapper:
      enabled: true
    git:
      repo: https://repo1.dso.mil/big-bang/product/community/jira
      # It is recommended to update this to the latest bb tag
      tag: 1.21.4-bb.6
      path: chart
    # This section is ignored if `wrapper.enabled`, above, is false. In this case, creation of an ingress for web access is left as an exercise for the reader.
    istio:
      enabled: true
      hosts:
        - names:
            # Sub-URL for reaching the web UI; it will be reachable with this, plus your bigbang domain, eg, jira.dev.bigbang.mil
            - jira
          gateways:
            - public
          destination:
            # The second portion of this URL is the namespace; if it was changed above, it needs to be changed here as well.
            service: jira.jira.svc.cluster.local
            port: 8080
    # Anything in this section is passed to the jira chart directly; this allows all of your bigbang configuration to be in a single place.
    values:
      jira:
        service:
          port: 8080

BigBang Version

What version of BigBang were you running? 2.40.0 (master branch)

This can be retrieved multiple ways:

# via helm
helm ls -n bigbang

# via the deployed umbrella git tag
kubectl get gitrepository -n bigbang
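
The two validation messages quoted in the description can be checked against a rendered pod spec before deploying. The following is an added example, not part of the original issue and not Kyverno's own policy logic: it restates the two rules as the messages word them and assumes Kubernetes' precedence of container-level securityContext fields over pod-level ones. The function name, image names and UID are constructed for illustration.

```python
# Added example: simplified restatement of the two rules quoted in the
# Kyverno messages above. Not Kyverno's policy engine.
CONTAINER_KEYS = ("containers", "initContainers", "ephemeralContainers")

def check_pod_spec(pod_spec):
    """Return (rule, path) findings for a pod spec dict; empty list = both rules pass."""
    findings = []
    pod_sc = pod_spec.get("securityContext") or {}
    for key in CONTAINER_KEYS:
        for c in pod_spec.get(key) or []:
            sc = c.get("securityContext") or {}
            path = f"spec.{key}[{c.get('name', '?')}]"
            # drop-all-capabilities: capabilities.drop must contain ALL
            drop = (sc.get("capabilities") or {}).get("drop") or []
            if "ALL" not in drop:
                findings.append(("drop-all-capabilities", path))
            # non-root-user: runAsNonRoot true or runAsUser > 0.
            # Assumption: a field set on the container overrides the pod-level one.
            non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
            uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
            if not (non_root is True or (type(uid) is int and uid > 0)):
                findings.append(("non-root-user", path))
    return findings

# Constructed sample specs (not taken from the Jira chart).
DEFAULT_LIKE = {"containers": [{"name": "jira", "image": "example/jira"}]}
HARDENED = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 2001},
    "containers": [{
        "name": "jira",
        "image": "example/jira",
        "securityContext": {"capabilities": {"drop": ["ALL"]}},
    }],
    "initContainers": [{
        "name": "init",
        "image": "example/init",
        "securityContext": {"capabilities": {"drop": ["ALL"]}},
    }],
}

if __name__ == "__main__":
    for label, spec in (("default-like", DEFAULT_LIKE), ("hardened", HARDENED)):
        print(label, check_pod_spec(spec) or "passes both rules")
```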