UNCLASSIFIED - NO CUI


Multiple Policy Violations when `csi.enabled=true`

It appears that when `csi.enabled=true`, the DaemonSet fails to create pods due to multiple Kyverno policy violations. See violations below:

```text
resource DaemonSet/default/vault-csi-provider was blocked due to the following policies

require-drop-all-capabilities:
  autogen-drop-all-capabilities: 'validation failure: Containers must drop all Linux
    capabilities by setting the fields spec.containers[*].securityContext.capabilities.drop,
    spec.initContainers[*].securityContext.capabilities.drop, and spec.ephemeralContainers[*].securityContext.capabilities.drop
    to `ALL`.'
resource DaemonSet/default/vault-csi-provider was blocked due to the following policies

require-non-root-group:
  autogen-run-as-group: 'validation failure: validation error: runAsGroup must be
    set to an id > 0 in either spec.securityContext.runAsGroup or (spec.containers[*].securityContext.runAsGroup,
    spec.initContainers[*].securityContext.runAsGroup, and spec.ephemeralContainers[*].securityContext.runAsGroup).
    rule autogen-run-as-group[0] failed at path /securityContext/runAsGroup/'
resource DaemonSet/default/vault-csi-provider was blocked due to the following policies

restrict-host-path-mount:
  autogen-restrict-hostpath-dirs: 'validation error: hostPath volume paths are restricted
    to the allowed list. rule autogen-restrict-hostpath-dirs failed at path /spec/template/spec/volumes/0/hostPath/path/'
resource DaemonSet/default/vault-csi-provider was blocked due to the following policies

restrict-host-path-write:
  autogen-require-readonly-hostpath: 'validation failure: hostPath volumes must be
    mounted as readOnly.'
resource DaemonSet/default/vault-csi-provider was blocked due to the following policies

restrict-volume-types:
  autogen-restrict-volume-types: 'validation failure: validation error: One or more
    volume types used in the pod is not in the allowed list. rule autogen-restrict-volume-types[0]
    failed at path / rule autogen-restrict-volume-types[1] failed at path / rule autogen-restrict-volume-types[2]
    failed at path / rule autogen-restrict-volume-types[3] failed at path / rule autogen-restrict-volume-types[4]
    failed at path / rule autogen-restrict-volume-types[5] failed at path / rule autogen-restrict-volume-types[6]
    failed at path / rule autogen-restrict-volume-types[7] failed at path /'
resource DaemonSet/default/vault-csi-provider was blocked due to the following policies

require-non-root-user:
  autogen-non-root-user: 'validation failure: validation error: Either `runAsNonRoot`
    must be set to true or `runAsUser` must be > 0 in spec.securityContext or (spec.containers[*].securityContext,
    spec.initContainers[*].securityContext, and spec.ephemeralContainers[*].securityContext).
    rule autogen-non-root-user[0] failed at path /securityContext/runAsNonRoot/ rule
    autogen-non-root-user[1] failed at path /securityContext/runAsUser/'
```

Violations can also be found in this pipeline run.
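The six messages above spell out exactly what each policy checks, so a rendered pod template can be screened for them locally before a pipeline run. The following is an added example written for this issue; it is not code from the issue, the vault chart, Big Bang or Kyverno. `check_pod_spec` re-implements the six rules as their messages describe them (pod-level `securityContext` satisfies a rule for every container, otherwise each container must satisfy it on its own); the allow-lists `ALLOWED_VOLUME_TYPES` and `ALLOWED_HOSTPATH_PREFIXES` are assumptions modelled on the Pod Security Standards "restricted" profile, not the cluster's real policy values; `CSI_PROVIDER_TEMPLATE` is a constructed template shaped like the failing DaemonSet and its hostPath path is an assumption. `harden_security_context` shows which of the six violations a values-level fix can remove: the four `securityContext` rules. The three hostPath/volume-type rules remain, because a CSI provider has to write its socket into a host directory, so that class of violation is a policy-exception decision rather than a manifest change.

```python
import copy
from typing import Any

# Assumed allow-lists; the real values live in the cluster's Kyverno policies.
ALLOWED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}
ALLOWED_HOSTPATH_PREFIXES = ("/var/log/",)  # assumption
CONTAINER_KINDS = ("containers", "initContainers", "ephemeralContainers")


def _all_containers(spec: dict) -> list:
    """Every container the autogen rules inspect, across all three kinds."""
    return [c for kind in CONTAINER_KINDS for c in spec.get(kind, [])]


def _gt_zero(value: Any) -> bool:
    return isinstance(value, int) and not isinstance(value, bool) and value > 0


def _non_root(sc: dict) -> bool:
    """runAsNonRoot: true or runAsUser > 0, as require-non-root-user demands."""
    return sc.get("runAsNonRoot") is True or _gt_zero(sc.get("runAsUser"))


def check_pod_spec(spec: dict) -> list:
    """Return the names of the quoted policies this pod spec would trip."""
    violations = []
    containers = _all_containers(spec)
    pod_sc = spec.get("securityContext", {})

    # require-drop-all-capabilities: every container must list ALL under drop.
    if any("ALL" not in c.get("securityContext", {})
                             .get("capabilities", {}).get("drop", [])
           for c in containers):
        violations.append("require-drop-all-capabilities")

    # require-non-root-group: pod-level runAsGroup > 0 covers every container;
    # otherwise each container must set its own.
    if not _gt_zero(pod_sc.get("runAsGroup")) and any(
            not _gt_zero(c.get("securityContext", {}).get("runAsGroup"))
            for c in containers):
        violations.append("require-non-root-group")

    # require-non-root-user: same pod-level-or-per-container logic.
    if not _non_root(pod_sc) and any(
            not _non_root(c.get("securityContext", {})) for c in containers):
        violations.append("require-non-root-user")

    volumes = spec.get("volumes", [])
    # restrict-volume-types: the key other than "name" names the volume type.
    if any((set(v) - {"name"}) - ALLOWED_VOLUME_TYPES for v in volumes):
        violations.append("restrict-volume-types")

    host_paths = {v["name"]: v["hostPath"] for v in volumes if "hostPath" in v}
    # restrict-host-path-mount: hostPath paths must sit under an allowed prefix.
    if any(not hp.get("path", "").startswith(ALLOWED_HOSTPATH_PREFIXES)
           for hp in host_paths.values()):
        violations.append("restrict-host-path-mount")

    # restrict-host-path-write: every mount of a hostPath volume must be readOnly.
    if any(m.get("name") in host_paths and m.get("readOnly") is not True
           for c in containers for m in c.get("volumeMounts", [])):
        violations.append("restrict-host-path-write")

    return violations


def harden_security_context(spec: dict) -> dict:
    """Copy of the spec with the fields the four securityContext rules ask for.
    uid/gid are illustrative; whether the provider image can run as that user
    must be checked separately. hostPath volumes are deliberately left alone."""
    hardened = copy.deepcopy(spec)
    hardened.setdefault("securityContext", {}).update(
        {"runAsNonRoot": True, "runAsUser": 1000, "runAsGroup": 1000})
    for c in _all_containers(hardened):
        sc = c.setdefault("securityContext", {})
        sc.setdefault("capabilities", {})["drop"] = ["ALL"]
    return hardened


# Constructed template shaped like the failing DaemonSet (not the chart's own):
# no securityContext, one hostPath volume mounted read-write. Path is assumed.
CSI_PROVIDER_TEMPLATE = {
    "containers": [{
        "name": "provider",
        "image": "example/csi-provider:1.0",
        "volumeMounts": [{"name": "providervol", "mountPath": "/provider"}],
    }],
    "volumes": [{"name": "providervol",
                 "hostPath": {"path": "/etc/kubernetes/secrets-store-csi-providers"}}],
}

if __name__ == "__main__":
    print("as rendered:", check_pod_spec(CSI_PROVIDER_TEMPLATE))
    print("securityContext fixed:",
          check_pod_spec(harden_security_context(CSI_PROVIDER_TEMPLATE)))
```

Feed it the `spec.template.spec` of a `helm template` render (parsed with any YAML loader) to see which of the six rules a values change would clear. The cluster's Kyverno policies remain the authoritative check; this only catches the obvious misses before a pipeline run, and the remaining hostPath findings are what the exception request has to cover.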