strong-sunset-30
05/21/2023, 4:22 PM
W0521 18:17:15.302970 19551 warnings.go:70] would violate PodSecurity "restricted:latest": privileged (container "longhorn-manager" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers "wait-longhorn-admission-webhook", "longhorn-manager" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "wait-longhorn-admission-webhook", "longhorn-manager" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "dev", "proc", "longhorn" use restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "wait-longhorn-admission-webhook", "longhorn-manager" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "wait-longhorn-admission-webhook", "longhorn-manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0521 18:17:15.341817 19551 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "longhorn-ui" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "longhorn-ui" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "longhorn-ui" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "longhorn-ui" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0521 18:17:15.341935 19551 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.runAsNonRoot=true), runAsUser=0 (pod must not set runAsUser=0), seccompProfile (pod or containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0521 18:17:15.342215 19551 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "longhorn-recovery-backend" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "longhorn-recovery-backend" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "longhorn-recovery-backend" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "longhorn-recovery-backend" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0521 18:17:15.342039 19551 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "longhorn-conversion-webhook" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "longhorn-conversion-webhook" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "longhorn-conversion-webhook" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "longhorn-conversion-webhook" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0521 18:17:15.351320 19551 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "wait-longhorn-conversion-webhook", "longhorn-admission-webhook" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "wait-longhorn-conversion-webhook", "longhorn-admission-webhook" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "wait-longhorn-conversion-webhook", "longhorn-admission-webhook" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "wait-longhorn-conversion-webhook", "longhorn-admission-webhook" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
I can't find any values like securityContext.* inside the default values.yaml, which I get with the following command:
helm show values longhorn/longhorn > values.yaml
aloof-branch-69545
05/22/2023, 10:32 AM
strong-sunset-30
05/22/2023, 3:54 PM
faint-sunset-36608
05/22/2023, 9:50 PM
pod-security.kubernetes.io/warn: privileged
label as discussed in @aloof-branch-69545's link. This may eliminate the warnings you are seeing. If it does, please let us know!
eweber@laptop:~/longhorn> k get ns --show-labels longhorn-system
NAME STATUS AGE LABELS
longhorn-system Active 49s kubernetes.io/metadata.name=longhorn-system,pod-security.kubernetes.io/warn-version=latest,pod-security.kubernetes.io/warn=restricted
eweber@laptop:~/longhorn> helm install -n longhorn-system longhorn ./chart
W0523 08:47:48.530223 4438 warnings.go:70] would violate PodSecurity "restricted:latest": privileged (container "longhorn-manager" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "longhorn-manager" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "longhorn-manager" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "dev", "proc", "longhorn" use restricted volume type "hostPath"), runAsNonRoot != true (pod or container "longhorn-manager" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "longhorn-manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0523 08:47:48.631284 4438 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "longhorn-ui" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "longhorn-ui" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "longhorn-ui" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "longhorn-ui" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0523 08:47:48.648475 4438 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.runAsNonRoot=true), runAsUser=0 (pod must not set runAsUser=0), seccompProfile (pod or containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
NAME: longhorn
LAST DEPLOYED: Tue May 23 08:47:42 2023
NAMESPACE: longhorn-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Longhorn is now installed on the cluster!
Please wait a few minutes for other Longhorn components such as CSI deployments, Engine Images, and Instance Managers to be initialized.
Visit our documentation at <https://longhorn.io/docs/>
Example with namespace set to warn on privileged (the default in my cluster, but I labelled the namespace anyway):
eweber@laptop:~/longhorn> k get namespace --show-labels longhorn-system
NAME STATUS AGE LABELS
longhorn-system Active 43s kubernetes.io/metadata.name=longhorn-system,pod-security.kubernetes.io/warn-version=latest,pod-security.kubernetes.io/warn=privileged
eweber@laptop:~/longhorn> helm install -n longhorn-system longhorn ./chart/
NAME: longhorn
LAST DEPLOYED: Tue May 23 08:58:49 2023
NAMESPACE: longhorn-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Longhorn is now installed on the cluster!
Please wait a few minutes for other Longhorn components such as CSI deployments, Engine Images, and Instance Managers to be initialized.
Visit our documentation at <https://longhorn.io/docs/>
strong-sunset-30
05/23/2023, 2:03 PM