Consul containers are creating as privileged containers, how to change that?

uday

12/3/22, 9:34 AM

With the azure policy addon enabled(as per organization policy), we can’t create privileged containers on the aks, azure kubernetes.

Our application is set to security context as below.

    securityContext:
        allowPrivilegeEscalation: false
        runAsNonRoot: true
        runAsUser: 999

So our app can create without privileged access. But, when linked with consul(through annotations), the consul init containers are failing to create.

 Warning  FailedCreate  6s (x15 over 90s)  replicaset-controller  Error creating: admission webhook "validation.gatekeeper.sh" denied the request: [azurepolicy-psp-container-no-privilege-esc-30132221bc21e5b724da] Privilege escalation container is not allowed: envoy-sidecar
[azurepolicy-psp-container-no-privilege-esc-30132221bc21e5b724da] Privilege escalation container is not allowed: consul-sidecar
[azurepolicy-psp-container-no-privilege-esc-30132221bc21e5b724da] Privilege escalation container is not allowed: consul-connect-inject-init

1 + 0

azure

kubernetes

aks

Score:0

Server

Sam Cogan

12/3/22, 9:47 AM

The way the Azure policy for Kubernetes works, you need explicitly declare for each container the allowPrivilegeEscalation value being set to false. It is not enough for the container not to require it, this must be set in the manifest.

So, you need to amend your console deployment to make sure that this is being set on the sidecar pods. I am not all that familiar with Consul, but if it is being deployed with Helm, have a look at the options in the values file to see if you can set this.

0 + 1

uday

12/3/22, 10:16 AM

I didn't find much here, but there is one property enablePodSecurityPolicies . But it is with applying the policies only.No entry related to the ProvilegeEscalation. https://www.consul.io/docs/k8s/helm

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Consul containers are creating as privileged containers, how to change that?

TH: คอนเทนเนอร์ Consul กำลังสร้างเป็นคอนเทนเนอร์พิเศษ จะเปลี่ยนได้อย่างไร

RO: Containerele consul se creează ca containere privilegiate, cum să schimb asta?

RU: Контейнеры Consul создаются как привилегированные контейнеры, как это изменить?

VI: Vùng chứa lãnh sự đang tạo dưới dạng vùng chứa đặc quyền, làm cách nào để thay đổi điều đó?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.