Multiple Policy Violations when `csi.enabled=true`
It appears that when `csi.enabled=true`, the DaemonSet fails to create pods due to multiple Kyverno policy violations. See violations below:
```
resource DaemonSet/default/vault-csi-provider was blocked due to the following policies
require-drop-all-capabilities:
autogen-drop-all-capabilities: 'validation failure: Containers must drop all Linux
capabilities by setting the fields spec.containers[*].securityContext.capabilities.drop,
spec.initContainers[*].securityContext.capabilities.drop, and spec.ephemeralContainers[*].securityContext.capabilities.drop
to `ALL`.'
resource DaemonSet/default/vault-csi-provider was blocked due to the following policies
require-non-root-group:
autogen-run-as-group: 'validation failure: validation error: runAsGroup must be
set to an id > 0 in either spec.securityContext.runAsGroup or (spec.containers[*].securityContext.runAsGroup,
spec.initContainers[*].securityContext.runAsGroup, and spec.ephemeralContainers[*].securityContext.runAsGroup).
rule autogen-run-as-group[0] failed at path /securityContext/runAsGroup/'
resource DaemonSet/default/vault-csi-provider was blocked due to the following policies
restrict-host-path-mount:
autogen-restrict-hostpath-dirs: 'validation error: hostPath volume paths are restricted
to the allowed list. rule autogen-restrict-hostpath-dirs failed at path /spec/template/spec/volumes/0/hostPath/path/'
resource DaemonSet/default/vault-csi-provider was blocked due to the following policies
restrict-host-path-write:
autogen-require-readonly-hostpath: 'validation failure: hostPath volumes must be
mounted as readOnly.'
resource DaemonSet/default/vault-csi-provider was blocked due to the following policies
restrict-volume-types:
autogen-restrict-volume-types: 'validation failure: validation error: One or more
volume types used in the pod is not in the allowed list. rule autogen-restrict-volume-types[0]
failed at path / rule autogen-restrict-volume-types[1] failed at path / rule autogen-restrict-volume-types[2]
failed at path / rule autogen-restrict-volume-types[3] failed at path / rule autogen-restrict-volume-types[4]
failed at path / rule autogen-restrict-volume-types[5] failed at path / rule autogen-restrict-volume-types[6]
failed at path / rule autogen-restrict-volume-types[7] failed at path /'
resource DaemonSet/default/vault-csi-provider was blocked due to the following policies
require-non-root-user:
autogen-non-root-user: 'validation failure: validation error: Either `runAsNonRoot`
must be set to true or `runAsUser` must be > 0 in spec.securityContext or (spec.containers[*].securityContext,
spec.initContainers[*].securityContext, and spec.ephemeralContainers[*].securityContext).
rule autogen-non-root-user[0] failed at path /securityContext/runAsNonRoot/ rule
autogen-non-root-user[1] failed at path /securityContext/runAsUser/'
```
Violations can also be found in this pipeline run.
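The following is an added example, not code from the issue or the vault-helm project: an offline pre-check that mirrors the four securityContext and hostPath rules quoted above (drop ALL capabilities, runAsGroup > 0, runAsNonRoot or runAsUser > 0, readOnly hostPath mounts) so a pod template can be tested before Kyverno blocks it. The pod template, image and hostPath path are constructed placeholders; the allow-list based rules (restrict-host-path-mount, restrict-volume-types) depend on cluster configuration not shown in the issue and are not modelled.

```python
import copy

def _containers(pod_spec):
    for key in ("containers", "initContainers", "ephemeralContainers"):
        yield from pod_spec.get(key, [])

def check_pod_spec(pod_spec):
    """Return the sorted names of the quoted policies this pod template would violate."""
    failed = set()
    pod_sc = pod_spec.get("securityContext", {})
    for c in _containers(pod_spec):
        sc = c.get("securityContext", {})
        # require-drop-all-capabilities: every container must list ALL under capabilities.drop
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            failed.add("require-drop-all-capabilities")
        # require-non-root-group: runAsGroup > 0 on the container, else at pod level
        if not sc.get("runAsGroup", pod_sc.get("runAsGroup", 0)) > 0:
            failed.add("require-non-root-group")
        # require-non-root-user: runAsNonRoot true or runAsUser > 0 at either level
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        user = sc.get("runAsUser", pod_sc.get("runAsUser", 0))
        if not (non_root or user > 0):
            failed.add("require-non-root-user")
    # restrict-host-path-write: every mount of a hostPath volume must be readOnly
    host_vols = {v["name"] for v in pod_spec.get("volumes", []) if "hostPath" in v}
    for c in _containers(pod_spec):
        for m in c.get("volumeMounts", []):
            if m["name"] in host_vols and not m.get("readOnly", False):
                failed.add("restrict-host-path-write")
    return sorted(failed)

# Constructed pod template: no securityContext anywhere and a writable hostPath mount,
# the same shape of failure the issue reports (values are placeholders, not the chart's).
FAILING = {
    "containers": [{"name": "provider", "image": "example/provider:placeholder",
                    "volumeMounts": [{"name": "providers", "mountPath": "/providers"}]}],
    "volumes": [{"name": "providers", "hostPath": {"path": "/placeholder/providers"}}],
}

def hardened(pod_spec):
    """Return a copy carrying the fields the four modelled rules look for."""
    spec = copy.deepcopy(pod_spec)
    spec["securityContext"] = {"runAsNonRoot": True, "runAsUser": 1000, "runAsGroup": 1000}
    for c in _containers(spec):
        c["securityContext"] = {"capabilities": {"drop": ["ALL"]}}
        for m in c.get("volumeMounts", []):
            m["readOnly"] = True
    return spec

if __name__ == "__main__":
    print(check_pod_spec(FAILING))             # all four modelled policies
    print(check_pod_spec(hardened(FAILING)))   # []
```

Whether a readOnly hostPath mount is workable for a given CSI provider is a question for that provider's documentation; the check only reports what the quoted policy requires.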