
strong-sunset-30

05/21/2023, 4:22 PM
Hey, is it possible to set the following values inside the Helm chart to make this error go away?
W0521 18:17:15.302970   19551 warnings.go:70] would violate PodSecurity "restricted:latest": privileged (container "longhorn-manager" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers "wait-longhorn-admission-webhook", "longhorn-manager" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "wait-longhorn-admission-webhook", "longhorn-manager" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "dev", "proc", "longhorn" use restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "wait-longhorn-admission-webhook", "longhorn-manager" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "wait-longhorn-admission-webhook", "longhorn-manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0521 18:17:15.341817   19551 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "longhorn-ui" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "longhorn-ui" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "longhorn-ui" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "longhorn-ui" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0521 18:17:15.341935   19551 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.runAsNonRoot=true), runAsUser=0 (pod must not set runAsUser=0), seccompProfile (pod or containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0521 18:17:15.342215   19551 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "longhorn-recovery-backend" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "longhorn-recovery-backend" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "longhorn-recovery-backend" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "longhorn-recovery-backend" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0521 18:17:15.342039   19551 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "longhorn-conversion-webhook" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "longhorn-conversion-webhook" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "longhorn-conversion-webhook" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "longhorn-conversion-webhook" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0521 18:17:15.351320   19551 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "wait-longhorn-conversion-webhook", "longhorn-admission-webhook" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "wait-longhorn-conversion-webhook", "longhorn-admission-webhook" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "wait-longhorn-conversion-webhook", "longhorn-admission-webhook" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "wait-longhorn-conversion-webhook", "longhorn-admission-webhook" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
I can't find any values like securityContext.* inside the default values.yaml which I get with the following command:
helm show values longhorn/longhorn > values.yaml

aloof-branch-69545

05/22/2023, 10:32 AM

strong-sunset-30

05/22/2023, 3:54 PM
PSP is deprecated in Kubernetes 1.25

faint-sunset-36608

05/22/2023, 9:50 PM
Hello @strong-sunset-30. Could you clarify what version of Kubernetes you are using and how you have the longhorn-system namespace labeled? It sounds like you are already on Kubernetes v1.25+ with the Pod Security Admission Controller enabled. If so, it may be configured by default to warn against the restricted standard in any namespace that is not otherwise labeled (e.g. https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/#configure-the-admission-controller). If this is the case, consider labeling the longhorn-system namespace with the
pod-security.kubernetes.io/warn: privileged
label as discussed in @aloof-branch-69545's link. This may eliminate the warnings you are seeing. If it does, please let us know!
Example with namespace set to warn on restricted:
eweber@laptop:~/longhorn> k get ns --show-labels longhorn-system
NAME              STATUS   AGE   LABELS
longhorn-system   Active   49s   kubernetes.io/metadata.name=longhorn-system,pod-security.kubernetes.io/warn-version=latest,pod-security.kubernetes.io/warn=restricted
eweber@laptop:~/longhorn> helm install -n longhorn-system longhorn ./chart
W0523 08:47:48.530223    4438 warnings.go:70] would violate PodSecurity "restricted:latest": privileged (container "longhorn-manager" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "longhorn-manager" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "longhorn-manager" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "dev", "proc", "longhorn" use restricted volume type "hostPath"), runAsNonRoot != true (pod or container "longhorn-manager" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "longhorn-manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0523 08:47:48.631284    4438 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "longhorn-ui" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "longhorn-ui" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "longhorn-ui" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "longhorn-ui" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0523 08:47:48.648475    4438 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.runAsNonRoot=true), runAsUser=0 (pod must not set runAsUser=0), seccompProfile (pod or containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
NAME: longhorn
LAST DEPLOYED: Tue May 23 08:47:42 2023
NAMESPACE: longhorn-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Longhorn is now installed on the cluster!

Please wait a few minutes for other Longhorn components such as CSI deployments, Engine Images, and Instance Managers to be initialized.

Visit our documentation at <https://longhorn.io/docs/>
Example with namespace set to warn on privileged (the default in my cluster, but I labelled the namespace anyway):
eweber@laptop:~/longhorn> k get namespace --show-labels longhorn-system
NAME              STATUS   AGE   LABELS
longhorn-system   Active   43s   kubernetes.io/metadata.name=longhorn-system,pod-security.kubernetes.io/warn-version=latest,pod-security.kubernetes.io/warn=privileged
eweber@laptop:~/longhorn> helm install -n longhorn-system longhorn ./chart/
NAME: longhorn
LAST DEPLOYED: Tue May 23 08:58:49 2023
NAMESPACE: longhorn-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Longhorn is now installed on the cluster!

Please wait a few minutes for other Longhorn components such as CSI deployments, Engine Images, and Instance Managers to be initialized.

Visit our documentation at <https://longhorn.io/docs/>
❤️ 1

strong-sunset-30

05/23/2023, 2:03 PM
Thanks, I'll try it out