Closed
Labels
bug (Something isn't working), helm (Issues dealing with the Helm chart)
Kyverno Version
1.10.2
Description
A restricted security policy standard is enforced on the namespace Kyverno is deployed in with a Helm chart. The following message can be observed in the policy report. The Kyverno Helm chart doesn't offer any way to adjust securityContext for this cleanup webhook.
Message: Validation rule 'default restricted' failed. It violates PodSecurity "restricted:latest": ({Allowed:false ForbiddenReason:allowPrivilegeEscalation != false ForbiddenDetail:container "kubectl" must set securityContext.allowPrivilegeEscalation=false})
({Allowed:false ForbiddenReason:seccompProfile ForbiddenDetail:pod or container "kubectl" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"})
Policy: pss-cluster-policy
Properties:
Controls: allowPrivilegeEscalation,seccompProfile_restricted
Standard: restricted
Version: latest
Resources:
API Version: v1
Kind: Pod
Name: kyverno-hook-pre-delete-xwggj
Namespace: policies
UID: 78f603b5-33d4-4883-b439-9b59691d5d40
Result: fail
Rule: default restricted
Scored: true
Source: kyverno
Timestamp:
Nanos: 0
Seconds: 1691066098
Slack discussion
No response
Troubleshooting
- I have read and followed the documentation AND the troubleshooting guide.
- I have searched other issues in this repository and mine is not recorded.
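The two controls named in the report (allowPrivilegeEscalation and seccompProfile_restricted), as an added example that is not part of the original issue or of Kyverno's code: a Python check of a pod spec against them, run on a constructed stand-in for the hook pod. The pod spec, image and helper names are assumptions; only the pod name, namespace and container name come from the report.

```python
# Added example: evaluates only the two "restricted" controls named in the report.
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

def seccomp_type(security_context):
    """Return seccompProfile.type from a securityContext dict, or None if unset."""
    return ((security_context or {}).get("seccompProfile") or {}).get("type")

def restricted_violations(pod):
    """List violations of allowPrivilegeEscalation and seccompProfile_restricted."""
    spec = pod.get("spec") or {}
    pod_type = seccomp_type(spec.get("securityContext"))
    findings = []
    if pod_type is not None and pod_type not in ALLOWED_SECCOMP:
        findings.append(f'pod must not set securityContext.seccompProfile.type to "{pod_type}"')
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field) or []:
            sc = c.get("securityContext") or {}
            # An unset field counts as a violation: it must be explicitly false.
            if sc.get("allowPrivilegeEscalation") is not False:
                findings.append(f'container "{c["name"]}" must set '
                                "securityContext.allowPrivilegeEscalation=false")
            # A container-level profile overrides the pod-level one; unset inherits it.
            effective = seccomp_type(sc) or pod_type
            if effective not in ALLOWED_SECCOMP:
                findings.append(f'pod or container "{c["name"]}" must set securityContext.'
                                'seccompProfile.type to "RuntimeDefault" or "Localhost"')
    return findings

def hook_pod(container_sc=None, pod_sc=None):
    """Constructed stand-in for the hook pod; the image is a placeholder."""
    container = {"name": "kubectl", "image": "registry.example/kubectl:placeholder"}
    if container_sc is not None:
        container["securityContext"] = container_sc
    spec = {"containers": [container]}
    if pod_sc is not None:
        spec["securityContext"] = pod_sc
    return {"apiVersion": "v1", "kind": "Pod", "spec": spec,
            "metadata": {"name": "kyverno-hook-pre-delete-xwggj", "namespace": "policies"}}

RUNTIME_DEFAULT = {"seccompProfile": {"type": "RuntimeDefault"}}
AS_REPORTED = hook_pod()  # assumed: no securityContext set anywhere
CONTAINER_FIX = hook_pod({"allowPrivilegeEscalation": False, **RUNTIME_DEFAULT})
POD_LEVEL_SECCOMP = hook_pod({"allowPrivilegeEscalation": False}, RUNTIME_DEFAULT)
OVERRIDDEN = hook_pod({"allowPrivilegeEscalation": False,
                       "seccompProfile": {"type": "Unconfined"}}, RUNTIME_DEFAULT)

if __name__ == "__main__":
    for pod in (AS_REPORTED, CONTAINER_FIX, POD_LEVEL_SECCOMP, OVERRIDDEN):
        print(restricted_violations(pod) or "compliant")
```

The last case shows why a pod-level seccomp profile alone is not sufficient: a container-level profile outside the allowed set still fails the control.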