Comments (6)
from vault-helm.
Hi @rodfrancisco, thanks for bringing this to my attention.
I can make this configurable to support your use case. Would this help?
from vault-helm.
@jasonodonnell That works. Thanks for the quick turnaround.
from vault-helm.
Why was this made to be configurable instead of removed altogether?
This is flat-out invalid Kubernetes config, so even if you want to turn it on, it won't work. As indicated in the error message, PodSecurityContext does not have this readOnlyRootFilesystem field at all. You can confirm this by checking the Kubernetes API docs for it.
@jasonodonnell - did you ever do a successful deployment with the field present?
from vault-helm.
Hi @jemc,
I've just deployed it successfully to multiple Kubernetes clusters without error. I'm wondering if Kube isn't validating the object and just disregarding it.
I'll look into removing this and trying to understand why it's not showing up on my end or in the test clusters. Thanks
from vault-helm.
@jemc @jasonodonnell Looking at the docs link, it looks like this setting belongs in the container security context this line, not the global line we already removed it from. PodSecurityPolicySpec v1beta1 policy (so unfortunate that we can't link to settings on this docs page) defines it under the container spec. So if we add it there, it should be picked up. I do think we should make it configurable.
from vault-helm.
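The placement problem discussed in this thread, as an added example that is not part of the original comments or of the vault-helm chart: a Python check that flags container-only security fields set on the pod-level securityContext and lists containers whose root filesystem is still writable, which is the outcome if the misplaced field is dropped rather than rejected. The manifests are constructed samples, and the function names and image reference are hypothetical.

```python
# Fields defined only on the container-level SecurityContext in the
# Kubernetes core/v1 API; PodSecurityContext has none of them.
CONTAINER_ONLY = {"allowPrivilegeEscalation", "capabilities", "privileged",
                  "procMount", "readOnlyRootFilesystem"}

def pod_spec(manifest):
    """Return the pod spec of a Pod, or of a workload with a pod template."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})

def audit(manifest):
    """Return (misplaced pod-level fields, containers with a writable root)."""
    spec = pod_spec(manifest)
    misplaced = sorted(CONTAINER_ONLY & set(spec.get("securityContext") or {}))
    writable = []
    for key in ("initContainers", "containers"):
        for container in spec.get(key) or []:
            sc = container.get("securityContext") or {}
            # Only an explicit true makes the root filesystem read-only.
            if sc.get("readOnlyRootFilesystem") is not True:
                writable.append(container.get("name", "<unnamed>"))
    return misplaced, writable

def workload(pod_sc, container_sc):
    """Build a constructed StatefulSet manifest for the demonstration."""
    return {"apiVersion": "apps/v1", "kind": "StatefulSet",
            "metadata": {"name": "demo"},
            "spec": {"template": {"spec": {
                "securityContext": pod_sc,
                "containers": [{"name": "vault",
                                "image": "example.invalid/vault:tag",
                                "securityContext": container_sc}]}}}}

# Constructed samples: the field at pod level, then moved to the container.
BROKEN = workload({"runAsNonRoot": True, "readOnlyRootFilesystem": True}, {})
FIXED = workload({"runAsNonRoot": True}, {"readOnlyRootFilesystem": True})

if __name__ == "__main__":
    for name, manifest in (("broken", BROKEN), ("fixed", FIXED)):
        misplaced, writable = audit(manifest)
        print(f"{name}: misplaced={misplaced} writable_root={writable}")
```
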