agent-init init container failed due to the pod level security context #3745
Comments
I don't think the init-container should inherit the traffic-agent's securityContext. They have different requirements. The traffic-agent doesn't need any elevated privileges to run. The
@thallgren, I second your point. In my use case, I need to debug an Airflow scheduler pod that has no service and no exposed container port to the outside. The Airflow architecture is built on top of a database. There is no incoming traffic in the scheduler. So I have to fake a mock container port. This requires the tel-init container to run as root. Thanks to the dev doc, I figured out how to patch it with a dirty fix and push it to a private registry. But the alternative is that we don't require the port option when
Looks like you would benefit from the new telepresence ingest command that was introduced in 2.21.0 and this fix released in 2.21.1 that removes the need for a port altogether. I'm curious what it was that you patched. Is there something we can do to support it in telepresence?
The ingest seems to be exactly what I need. My fix is just to hard-code the additional security context so that it overwrites the hardening security context at the pod level:
Describe the bug
I tried to debug a security-hardened Airflow pod. At the pod level, it has the following security context
So, I overrode the sidecar agent container security context with the following values:
telepresence helm install -f values.yaml
But the init container failed
To Reproduce
Steps to reproduce the behavior:
runAsNonRoot: true, the init container failed.
Expected behavior
The init container should pass or inherit the overridden security context from values.yaml
Versions (please complete the following information):
telepresence version v2.20.3
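The interaction this issue describes, as an added example that is not code from the thread or from the Telepresence project: a simplified model of how a pod-level `securityContext` is inherited by every container, init containers included, and how a container-level override changes only the container that sets it. The names `agent-init` and `traffic-agent` come from the issue; the `scheduler` container, UID 50000 and all field values are constructed, because the reporter's actual security contexts are not shown on the page.

```python
import copy

# securityContext fields defined at both pod and container level; a value set
# on the container takes precedence over the pod-level value.
SHARED_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot",
                 "seLinuxOptions", "seccompProfile", "windowsOptions")

def effective_context(pod_spec, container):
    """Merge pod-level defaults with the container's own securityContext."""
    pod_sc = pod_spec.get("securityContext") or {}
    merged = {k: pod_sc[k] for k in SHARED_FIELDS if k in pod_sc}
    merged.update(container.get("securityContext") or {})
    return merged

def classify(eff, must_be_root):
    """Simplified status of one container under its effective context."""
    if eff.get("runAsNonRoot") is True and eff.get("runAsUser") == 0:
        return "invalid"        # contradictory: the kubelet refuses to start it
    non_root = eff.get("runAsNonRoot") is True or eff.get("runAsUser", 0) != 0
    if must_be_root and non_root:
        return "blocked"        # needs root, but the effective context forbids it
    return "non-root" if non_root else "root-allowed"

def audit(pod_spec, needs_root):
    """Map each container name to its status; needs_root is a set of names."""
    ctrs = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    return {c["name"]: classify(effective_context(pod_spec, c),
                                c["name"] in needs_root)
            for c in ctrs}

# Constructed sample: hardened pod, no per-container overrides.
HARDENED = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 50000},
    "initContainers": [{"name": "agent-init"}],
    "containers": [{"name": "scheduler"}, {"name": "traffic-agent"}],
}
# Same pod, with root granted to the init container only.
SCOPED = copy.deepcopy(HARDENED)
SCOPED["initContainers"][0]["securityContext"] = {"runAsNonRoot": False,
                                                  "runAsUser": 0}

if __name__ == "__main__":
    for label, spec in (("hardened", HARDENED), ("scoped", SCOPED)):
        print(label, audit(spec, needs_root={"agent-init"}))
```

Scoping the override to the init container leaves the pod-level hardening in force for the application container and the traffic-agent, which is the least-privilege outcome the first comment argues for.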