When deploying Weaviate in our Azure Kubernetes Cluster, two policies currently prevent the weaviate container “configure-sysctl” from being created/started.
Policies:
Kubernetes cluster should not allow container privilege escalation
Kubernetes cluster should not allow privileged containers
Does someone know what this container is doing and if it is essential? Why does it not fulfill these privileges?
@DudaNogueira Unfortunately, this did not help.
But we would like to try the option @dassum mentioned. However, before doing so, does anyone know what the “sysctlInitContainer” is used for?
```yaml
# it is possible to change the sysctl's 'vm.max_map_count' using initContainer for Weaviate,
# the init Container runs before Weaviate Container and sets the value for the WHOLE node
# to the one provided below.
# it is possible to run additional initContainer before Weaviate is up and running. You can specify the
# containers as a list in `extraInitContainers`, exactly how they are defined in a kubernetes manifest:
# https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
```
@DudaNogueira Thank you again for your help. I also checked with my colleagues. The problem is still that we do not know what this container is doing, and therefore we don’t want to just disable it.
Any idea how to find out what this privileged container is doing?
Those settings, as far as I could understand, will run an init container to just set the proper ownerships if this deployment didn’t have the security context.
I believe for new deployments ensureFileOwnershipContainer may not be required.
```yaml
# it is possible to change the sysctl's 'vm.max_map_count' using initContainer for Weaviate,
# the init Container runs before Weaviate Container and sets the value for the WHOLE node
# to the one provided below.
# it is possible to run additional initContainer before Weaviate is up and running. You can specify the
# containers as a list in `extraInitContainers`, exactly how they are defined in a kubernetes manifest:
# https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
initContainers:
  sysctlInitContainer:
    enabled: true
    sysctlVmMaxMapCount: 524288
    image:
      registry: docker.io
      repo: alpine
      tag: latest
      pullPolicy: IfNotPresent

  ensureFileOwnershipContainer:
    # This init container sets the file ownerships of /var/lib/weaviate directory to the ones set in
    # containerSecurityContext.runAsUser and containerSecurityContext.fsGroup settings to ensure that Weaviate is able
    # to start in unprivileged configuration.
    # Enable this init container only if Weaviate was configured previously without security context
    # and now containerSecurityContext is provided to run Weaviate container with non-root user.
    # Please be sure to set at least containerSecurityContext.runAsUser and containerSecurityContext.fsGroup.
    enabled: false
```
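The chart comment above says the sysctl init container exists only to raise the node's `vm.max_map_count` to the `sysctlVmMaxMapCount` value (524288 in the values shown). Whether that privileged container is needed on a given node can therefore be decided by reading the live kernel parameter first. The following POSIX shell check is an added example written for this thread, not part of the Weaviate chart or of any poster's message; it assumes the kernel exposes the value at `/proc/sys/vm/max_map_count` (the standard location) and takes an optional file path and threshold as parameters so it can be exercised against a constructed file.

```shell
#!/bin/sh
# Added example (not from the Weaviate chart): report whether a node already
# satisfies the vm.max_map_count value that sysctlInitContainer would set.
# If the node already meets it, the privileged init container has nothing to do
# there and can be left disabled under the cluster's no-privileged-containers policy.

REQUIRED_MAX_MAP_COUNT=524288   # same value as sysctlVmMaxMapCount in the chart values above

# max_map_count_ok [FILE] [REQUIRED]
#   FILE     defaults to the live kernel parameter (assumed standard path);
#            any other path is accepted so the check can run against a constructed file.
#   REQUIRED defaults to REQUIRED_MAX_MAP_COUNT.
# Exit status: 0 when the node value is >= REQUIRED, 1 when it is below,
#              2 when the file is unreadable or does not contain an integer.
max_map_count_ok() {
    file="${1:-/proc/sys/vm/max_map_count}"
    required="${2:-$REQUIRED_MAX_MAP_COUNT}"

    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    # Strip whitespace/newline so the integer comparison below is safe.
    current=$(tr -d '[:space:]' < "$file")
    case "$current" in
        ''|*[!0-9]*) echo "unexpected value '$current' in $file" >&2; return 2 ;;
    esac

    if [ "$current" -ge "$required" ]; then
        echo "vm.max_map_count=$current satisfies required $required"
        return 0
    fi
    echo "vm.max_map_count=$current is below required $required"
    return 1
}

# Typical use on a node (for example from a node shell or a non-privileged DaemonSet
# that only mounts /proc/sys read-only):
#   max_map_count_ok && echo "sysctlInitContainer can stay disabled on this node"
```

Run it on each node (or node pool) of the cluster; a node that reports "satisfies" already has the value the init container would write, so for that node the container adds no functionality and disabling it removes a privileged workload without changing Weaviate's behaviour. Nodes that report "below" still need the value raised by some means before Weaviate starts.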