File system restore cannot work in PSA enabled Kubernetes cluster #8229

Open
ywk253100 opened this issue Sep 19, 2024 · 0 comments
Labels
1.16-candidate, downstream-integration (The issue originated from downstream integration), PodVolume

Comments

Contributor

ywk253100 commented Sep 19, 2024

Got the following error:

time="2024-09-16T17:14:27Z" level=error msg="Namespace wordpress, resource restore error: error restoring pods/wordpress/wordpress-845697cddc-pcpqw: pods \"wordpress-845697cddc-pcpqw\" is forbidden: violates PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"restore-wait\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"restore-wait\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"restore-wait\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"restore-wait\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")" logSource="pkg/controller/restore_controller.go:580" restore=velero/restore-from-bl-dev-01
time="2024-09-16T17:14:27Z" level=error msg="Namespace wordpress, resource restore error: error restoring pods/wordpress/wordpress-mariadb-0: pods \"wordpress-mariadb-0\" is forbidden: violates PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"restore-wait\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"restore-wait\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"restore-wait\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"restore-wait\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")" logSource="pkg/controller/restore_controller.go:580" restore=velero/restore-from-bl-dev-01

The necessary SecurityContext should be added to the init container to not break the pod security policy.

Environment:

  • Velero version (use velero version):
  • Velero features (use velero client config get features):
  • Kubernetes version (use kubectl version):
  • Kubernetes installer & version:
  • Cloud provider or hardware configuration:
  • OS (e.g. from /etc/os-release):

Vote on this issue!

This is an invitation to the Velero community to vote on issues; you can see the project's top voted issues listed here.
Use the "reaction smiley face" up to the right of this comment to vote.

  • 👍 for "I would like to see this bug fixed as soon as possible"
  • 👎 for "There are more important bugs to focus on right now"
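The four rules named in the error, as an added example that is not Velero's code: a Python checker that applies only those four restricted-profile checks to a pod spec, run over a constructed spec in which the injected restore-wait init container has no securityContext, and again with the fields the error demands. Image names and container contents are placeholders.

```python
from typing import Any, Dict, List

RESTRICTED_SECCOMP_TYPES = ("RuntimeDefault", "Localhost")

def restricted_violations(pod_spec: Dict[str, Any]) -> List[str]:
    """Return one message per violated rule, worded like the PSA error.

    Covers only the four 'restricted:latest' checks quoted in the issue; the
    real admission controller enforces more. Container-level runAsNonRoot and
    seccompProfile override pod-level values, as in the admission logic.
    """
    pod_sc = pod_spec.get("securityContext") or {}
    containers = (pod_spec.get("initContainers") or []) + (pod_spec.get("containers") or [])
    violations: List[str] = []
    for c in containers:
        name, sc = c["name"], c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"allowPrivilegeEscalation != false (container {name!r})")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            violations.append(f"unrestricted capabilities (container {name!r})")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"runAsNonRoot != true (container {name!r})")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in RESTRICTED_SECCOMP_TYPES:
            violations.append(f"seccompProfile (container {name!r})")
    return violations

# Constructed containers (placeholder images): the application container is
# already compliant; the injected restore-wait init container is not.
RESTORE_WAIT_BROKEN = {"name": "restore-wait", "image": "restore-helper:placeholder"}
RESTORE_WAIT_FIXED = {
    **RESTORE_WAIT_BROKEN,
    "securityContext": {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]},
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
}
APP_CONTAINER = {"name": "wordpress", "image": "wordpress:placeholder",
                 "securityContext": RESTORE_WAIT_FIXED["securityContext"]}

def make_pod_spec(init_container: Dict[str, Any]) -> Dict[str, Any]:
    """Pod spec with no pod-level securityContext, so each container stands alone."""
    return {"initContainers": [init_container], "containers": [APP_CONTAINER]}

if __name__ == "__main__":
    print("\n".join(restricted_violations(make_pod_spec(RESTORE_WAIT_BROKEN))))
    print("fixed:", restricted_violations(make_pod_spec(RESTORE_WAIT_FIXED)))
```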
ywk253100 added the PodVolume, downstream-integration (The issue originated from downstream integration) and 1.16-candidate labels on Sep 19, 2024