Score:1

Consul containers are being created as privileged containers, how to change that?

With the Azure Policy add-on enabled (as per organization policy), we can't create privileged containers on AKS (Azure Kubernetes).

Our application is set to security context as below.

    securityContext:
        allowPrivilegeEscalation: false
        runAsNonRoot: true
        runAsUser: 999

So our app can be created without privileged access. But, when linked with Consul (through annotations), the Consul init containers are failing to create.

    Warning  FailedCreate  6s (x15 over 90s)  replicaset-controller  Error creating: admission webhook "validation.gatekeeper.sh" denied the request: [azurepolicy-psp-container-no-privilege-esc-30132221bc21e5b724da] Privilege escalation container is not allowed: envoy-sidecar
    [azurepolicy-psp-container-no-privilege-esc-30132221bc21e5b724da] Privilege escalation container is not allowed: consul-sidecar
    [azurepolicy-psp-container-no-privilege-esc-30132221bc21e5b724da] Privilege escalation container is not allowed: consul-connect-inject-init
Score:0

The way the Azure policy for Kubernetes works, you need to explicitly declare for each container the allowPrivilegeEscalation value being set to false. It is not enough for the container not to require it; this must be set in the manifest.

So, you need to amend your Consul deployment to make sure that this is being set on the sidecar pods. I am not all that familiar with Consul, but if it is being deployed with Helm, have a look at the options in the values file to see if you can set this.

I didn't find much here, but there is one property, enablePodSecurityPolicies. But it is for applying the policies only. No entry related to PrivilegeEscalation. https://www.consul.io/docs/k8s/helm
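The answer's point is that the Gatekeeper constraint treats a missing `allowPrivilegeEscalation` field the same as `true`: every container, including init containers and webhook-injected sidecars, must carry an explicit `false`. The following check reproduces that rule against a pod spec so you can see which containers would be rejected before the admission webhook does. This is an added example, not code from the question, the answer, or the Consul project; the pod document is constructed to mirror the error in the question (one application container that sets the field, plus the injected Consul init container and sidecars that do not), and the image names are placeholders.

```python
import copy
import json

# Constructed sample pod in the JSON form `kubectl get pod -o json` returns,
# after the Consul injector has added its init container and sidecars.
# Only the application container sets allowPrivilegeEscalation explicitly.
# Image names are placeholders, not real Consul images.
POD_JSON = r'''
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "myapp-example"},
  "spec": {
    "initContainers": [
      {"name": "consul-connect-inject-init", "image": "placeholder/consul-init"}
    ],
    "containers": [
      {"name": "myapp", "image": "placeholder/myapp",
       "securityContext": {"allowPrivilegeEscalation": false,
                           "runAsNonRoot": true, "runAsUser": 999}},
      {"name": "envoy-sidecar", "image": "placeholder/envoy"},
      {"name": "consul-sidecar", "image": "placeholder/consul-sidecar",
       "securityContext": {"runAsNonRoot": true}}
    ]
  }
}
'''


def load_pod(text=POD_JSON):
    """Parse a pod document (JSON, as kubectl emits it) into a dict."""
    return json.loads(text)


def all_containers(pod):
    """Init containers first, then regular containers, as the policy checks both."""
    spec = pod.get("spec", {})
    return spec.get("initContainers", []) + spec.get("containers", [])


def containers_missing_no_priv_esc(pod):
    """Return the names of every container whose securityContext does not
    explicitly set allowPrivilegeEscalation to false.

    A missing securityContext, or a securityContext without the field, is a
    violation: that is the behaviour the answer describes for the Azure
    policy constraint, and it is why containers that never asked for
    privilege escalation are still denied.
    """
    violations = []
    for c in all_containers(pod):
        sc = c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(c["name"])
    return violations


def harden(pod):
    """Return a copy of the pod with allowPrivilegeEscalation: false set on
    every container and init container, i.e. the shape the manifest must
    have to pass the constraint. The input is left untouched."""
    fixed = copy.deepcopy(pod)
    for c in all_containers(fixed):
        c.setdefault("securityContext", {})["allowPrivilegeEscalation"] = False
    return fixed


if __name__ == "__main__":
    pod = load_pod()
    print("would be denied:", containers_missing_no_priv_esc(pod))
    print("after hardening:", containers_missing_no_priv_esc(harden(pod)))
```

Run against the constructed pod, the check names exactly the three containers from the question's event message, and the hardened copy passes. Note that `harden` operates on the resulting pod spec; in the real cluster the init container and sidecars are added by the Consul injector, so the explicit `false` has to come from wherever that injector takes its container settings (the answer points at the Helm values file) rather than only from your own Deployment manifest.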