
With the Azure Policy add-on enabled (as per organization policy), we can't create privileged containers on AKS (Azure Kubernetes Service).

Our application is set to security context as below.

    securityContext:
        allowPrivilegeEscalation: false
        runAsNonRoot: true
        runAsUser: 999

So our app can be created without privileged access. But, when linked with Consul (through annotations), the Consul init containers fail to create.

    Warning  FailedCreate  6s (x15 over 90s)  replicaset-controller  Error creating: admission webhook "validation.gatekeeper.sh" denied the request: [azurepolicy-psp-container-no-privilege-esc-30132221bc21e5b724da] Privilege escalation container is not allowed: envoy-sidecar
    [azurepolicy-psp-container-no-privilege-esc-30132221bc21e5b724da] Privilege escalation container is not allowed: consul-sidecar
    [azurepolicy-psp-container-no-privilege-esc-30132221bc21e5b724da] Privilege escalation container is not allowed: consul-connect-inject-init
uday

1 Answer


The way the Azure Policy for Kubernetes works, you need to explicitly declare for each container the allowPrivilegeEscalation value being set to false. It is not enough for the container not to require it; this must be set in the manifest.

So, you need to amend your Consul deployment to make sure that this is being set on the sidecar pods. I am not all that familiar with Consul, but if it is being deployed with Helm, have a look at the options in the values file to see if you can set this.

Sam Cogan
  • I didn't find much here, but there is one property enablePodSecurityPolicies. But it is with applying the policies only. No entry related to the PrivilegeEscalation. https://www.consul.io/docs/k8s/helm – uday Aug 03 '21 at 10:16
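As an added illustration (not code from the question, the answer, or Consul), the check below applies the rule the answer describes to a pod spec before it reaches the admission webhook: every init container and container must carry an explicit `allowPrivilegeEscalation: false`, and a missing field counts as a violation. The sample spec is constructed from the container names in the error message; the image names are placeholders.

```python
import copy

# Added example: mirrors what the Azure Policy (Gatekeeper) constraint in the
# question enforces. Only an explicit False passes; an absent securityContext
# or an absent key is a denial, which is why injected sidecars get rejected.


def _containers(pod_spec):
    """Yield every init container and regular container of a pod spec."""
    for kind in ("initContainers", "containers"):
        for c in pod_spec.get(kind, []):
            yield c


def check_no_privilege_escalation(pod_spec):
    """Return the names of containers the policy would reject, in manifest order."""
    violations = []
    for c in _containers(pod_spec):
        sc = c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(c["name"])
    return violations


def hardened(pod_spec):
    """Return a copy in which every container explicitly sets the field to False."""
    fixed = copy.deepcopy(pod_spec)
    for c in _containers(fixed):
        c.setdefault("securityContext", {})["allowPrivilegeEscalation"] = False
    return fixed


# Constructed sample: the app container from the question (compliant) next to
# the Consul-injected containers without the explicit setting (non-compliant).
SAMPLE_POD_SPEC = {
    "initContainers": [
        {"name": "consul-connect-inject-init", "image": "consul:PLACEHOLDER"},
    ],
    "containers": [
        {"name": "app", "image": "app:PLACEHOLDER",
         "securityContext": {"allowPrivilegeEscalation": False,
                             "runAsNonRoot": True, "runAsUser": 999}},
        {"name": "envoy-sidecar", "image": "envoy:PLACEHOLDER"},
        {"name": "consul-sidecar", "image": "consul:PLACEHOLDER",
         "securityContext": {"runAsNonRoot": True}},  # key absent -> denied
    ],
}

if __name__ == "__main__":
    print("denied:", check_no_privilege_escalation(SAMPLE_POD_SPEC))
    print("after fix:", check_no_privilege_escalation(hardened(SAMPLE_POD_SPEC)))
```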