Comments (11)
I created kyverno/policies#348 which should resolve your issue and the Policy should no longer the Policy Reporter deployment.
If I set automountServiceAccountToken: "false" in the deployment, the pod crashes with the following error:
Error: open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory
Any ideas how to make it run without setting it to true?
The SA is required to get permissions for accessing the K8s API. That's because it is set to true. There is really no workaround for it. The only possible solution could be to add a manual volume and volumeMount instead of the automount feature.
So it's something we can fix in the deployment manifests? I prefer to handle all that manual stuff on the helm side during installation.
Currently, it's not possible to run this project with Kyverno's default policy enforcement, which decreases the UX a bit in the first place.
But you will have the same problem with all tools that access the K8s API in some cases. The Policy description also says that the intention is to prevent automount for pods that are not interacting with the K8s API:
Kubernetes automatically mounts ServiceAccount credentials in each Pod.
The ServiceAccount may be assigned roles allowing Pods to access API resources.
Blocking this ability is an extension of the least privilege best practice and should
be followed if Pods do not need to speak to the API server to function.
This policy ensures that mounting of these ServiceAccount tokens is blocked.
Because the SA secret name has a dynamic suffix like policy-reporter-token-vdt6m, the manual mount is not really an option because I don't know the secret name before it is created.
You could add an exclude label and add this label to the policy-reporter pods and other K8s API related tools.
Would it make sense to add some kind of exclusion (e.g. label) to the Kyverno Policy directly @chipzoller @realshuting?
Sure, should it exclude by name?
If you want to add a policy-reporter specific exclude, I would suggest the label app.kubernetes.io/part-of: policy-reporter. It's currently only added on the deployment, but I can create a minor version which also adds it on pod level, so we don't need multiple values for the different components.
Glad to accept a PR to the policy if one is made.
Thanks @chipzoller. I will open one.
The updated Policy now has an exclude filter for Policy Reporter (kyverno/policies#348), which should fix this issue.
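For readers who want to see the shape of the exclude filter discussed in this thread, the following is an added illustration and not the actual policy from kyverno/policies#348 nor Policy Reporter's own chart. It shows a Kyverno ClusterPolicy that blocks automountServiceAccountToken on Pods while excluding workloads that carry the label proposed above (app.kubernetes.io/part-of: policy-reporter), followed by a constructed Deployment fragment showing where that label has to be placed. The policy name, rule name, validation message, Deployment and ServiceAccount names and the container image are assumptions; only the exclude label and the automountServiceAccountToken field come from the discussion.

```yaml
# Added example for this page; not the kyverno/policies restrict-automount policy itself.
# Names and message text are assumptions, the exclude label is the one proposed in the thread.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-automount-sa-token-example   # assumed name
spec:
  # Start in Audit so existing API clients show up as PolicyReport failures
  # instead of being rejected; switch to Enforce once all legitimate
  # API clients carry the exclude label.
  validationFailureAction: Audit
  background: true
  rules:
    - name: validate-automountServiceAccountToken
      match:
        any:
          - resources:
              kinds:
                - Pod
      # Pods that genuinely need the API (here: Policy Reporter) are excluded
      # by label rather than by name, so the dynamic SA secret name is irrelevant.
      exclude:
        any:
          - resources:
              selector:
                matchLabels:
                  app.kubernetes.io/part-of: policy-reporter
      validate:
        message: "Auto-mounting of Service Account tokens is not allowed."
        pattern:
          spec:
            automountServiceAccountToken: "false"
---
# Constructed Deployment fragment: the exclude selector is evaluated against the
# Pod's labels, so the label must be in the pod template, not only on the Deployment.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: policy-reporter            # assumed name
  labels:
    app.kubernetes.io/name: policy-reporter
    app.kubernetes.io/part-of: policy-reporter
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: policy-reporter
  template:
    metadata:
      labels:
        app.kubernetes.io/name: policy-reporter
        app.kubernetes.io/part-of: policy-reporter   # what the Pod-level exclude sees
    spec:
      serviceAccountName: policy-reporter   # assumed; this SA holds the API RBAC
      # automountServiceAccountToken is intentionally left at its default (true)
      containers:
        - name: policy-reporter
          image: REPLACE_WITH_IMAGE   # placeholder, not a real image reference
```

The policy can be checked offline before it reaches a cluster with the Kyverno CLI, for example kyverno apply policy.yaml --resource deployment.yaml: the labelled Deployment above should pass, and the same Deployment with the part-of label removed from the pod template should be reported as failing. Keeping the exclusion label-based (rather than excluding by resource name) is what makes the approach independent of the generated ServiceAccount secret suffix mentioned earlier in the thread.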