
[bitnami/mongodb] generate-tls-certs init container in backup cronjob does not respect tls securityContext #33802


Open
kdward opened this issue May 20, 2025 · 1 comment · May be fixed by #33803
Labels: mongodb, tech-issues (The user has a technical issue about an application), triage (Triage is needed)

Comments

@kdward
Contributor

kdward commented May 20, 2025

Name and Version

bitnami/mongodb:16.5.9

What architecture are you using?

amd64

What steps will reproduce the bug?

In a namespace with restricted Pod Security Standards applied the backup cronjob fails to deploy because the generate-tls-certs init container does not apply the securityContext values from tls.securityContext as it does in the stateful set.

To reproduce, create a namespace with restricted PSS labels:

kubectl create ns mongodb-test
kubectl label --overwrite ns "mongodb-test" \
  pod-security.kubernetes.io/enforce=restricted \
  pod-security.kubernetes.io/enforce-version=latest

Then deploy the mongodb chart to the namespace with backups enabled, TLS enabled, and the required securityContext settings for TLS:

helm install mongodb oci://registry-1.docker.io/bitnamicharts/mongodb --namespace mongodb-test  --set backup.enabled=true --set tls.enabled=true --set tls.securityContext.allowPrivilegeEscalation=false --set tls.securityContext.seccompProfile.type=RuntimeDefault --set "tls.securityContext.capabilities.drop[0]=ALL" --set tls.securityContext.allowPrivilegeEscalation=false --set tls.securityContext.runAsNonRoot=true

you will see the following error when the chart deploys:

W0520 13:25:12.648544   60818 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "generate-tls-certs" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "generate-tls-certs" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "generate-tls-certs" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "generate-tls-certs" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Are you using any custom parameters or values?

--set backup.enabled=true --set tls.enabled=true --set tls.securityContext.allowPrivilegeEscalation=false --set tls.securityContext.seccompProfile.type=RuntimeDefault --set "tls.securityContext.capabilities.drop[0]=ALL" --set tls.securityContext.allowPrivilegeEscalation=false --set tls.securityContext.runAsNonRoot=true

What is the expected behavior?

The CronJob deploys and the generate-tls-certs initContainer within it respects the settings from tls.securityContext

What do you see instead?

The CronJob violates the restricted PSS because its init container does not have any securityContext setting.

Additional information

No response

@kdward kdward added the tech-issues The user has a technical issue about an application label May 20, 2025
@github-actions github-actions bot added the triage Triage is needed label May 20, 2025
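The warning in the report is the Pod Security admission controller evaluating the rendered CronJob's pod template against the "restricted" profile. The following is an added example, not code from the bitnami/mongodb chart or from the reporter: it re-implements the four rules quoted in that warning (plus the "no added capabilities beyond NET_BIND_SERVICE" half of the capabilities rule) as an offline check over a CronJob manifest in the JSON shape `kubectl get cronjob -o json` produces, and runs it over a constructed, trimmed-down manifest shaped like the report (a compliant `mongodump` container next to a `generate-tls-certs` init container with no securityContext), then over a copy where the init container is given the same `tls.securityContext` values the report passes to Helm. The manifest, image names and the `fixed_copy` helper are assumptions made for the example.

```python
"""Offline approximation of the Kubernetes "restricted" Pod Security Standard
container checks, applied to a CronJob manifest (added example, not part of
the bitnami/mongodb chart). The authoritative check is the admission
controller; this only covers the securityContext rules quoted in the issue."""
import json

RESTRICTED_SECCOMP = {"RuntimeDefault", "Localhost"}


def container_violations(container: dict, pod_sc: dict) -> list[str]:
    """Return restricted-profile violations for one container.

    allowPrivilegeEscalation and capabilities are container-only settings;
    runAsNonRoot and seccompProfile may be set at pod level and overridden
    per container, so the container value takes precedence when present.
    """
    name = container.get("name", "<unnamed>")
    sc = container.get("securityContext") or {}
    problems = []
    if sc.get("allowPrivilegeEscalation") is not False:
        problems.append(f'container "{name}" must set securityContext.allowPrivilegeEscalation=false')
    caps = sc.get("capabilities") or {}
    added = set(caps.get("add") or []) - {"NET_BIND_SERVICE"}
    if "ALL" not in (caps.get("drop") or []) or added:
        problems.append(f'container "{name}" must set securityContext.capabilities.drop=["ALL"]')
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        problems.append(f'pod or container "{name}" must set securityContext.runAsNonRoot=true')
    seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
    if seccomp not in RESTRICTED_SECCOMP:
        problems.append(f'pod or container "{name}" must set securityContext.seccompProfile.type '
                        'to "RuntimeDefault" or "Localhost"')
    return problems


def pod_template_violations(pod_spec: dict) -> list[str]:
    """Check every init container and container of a PodSpec."""
    pod_sc = pod_spec.get("securityContext") or {}
    problems = []
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        problems.extend(container_violations(c, pod_sc))
    return problems


def cronjob_pod_spec(cronjob: dict) -> dict:
    """CronJob -> JobTemplate -> PodTemplate -> PodSpec."""
    return cronjob["spec"]["jobTemplate"]["spec"]["template"]["spec"]


# The values the report passes via --set tls.securityContext.*
TLS_SECURITY_CONTEXT = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "runAsNonRoot": True,
    "seccompProfile": {"type": "RuntimeDefault"},
}

# Constructed manifest (not the chart's real output): the backup container is
# compliant, the TLS init container carries no securityContext at all.
BROKEN_CRONJOB = {
    "apiVersion": "batch/v1",
    "kind": "CronJob",
    "metadata": {"name": "mongodb-mongodump"},
    "spec": {"schedule": "@daily", "jobTemplate": {"spec": {"template": {"spec": {
        "initContainers": [{"name": "generate-tls-certs", "image": "example/tls-init:1.0"}],
        "containers": [{"name": "mongodump", "image": "example/mongodb:8.0",
                        "securityContext": dict(TLS_SECURITY_CONTEXT)}],
    }}}}},
}


def fixed_copy(cronjob: dict, init_name: str, sc: dict) -> dict:
    """Deep copy in which the named init container gets the tls securityContext,
    i.e. what the report expects the chart to render."""
    fixed = json.loads(json.dumps(cronjob))
    for c in cronjob_pod_spec(fixed)["initContainers"]:
        if c["name"] == init_name:
            c["securityContext"] = dict(sc)
    return fixed


if __name__ == "__main__":
    cases = (("as rendered", BROKEN_CRONJOB),
             ("with tls.securityContext applied",
              fixed_copy(BROKEN_CRONJOB, "generate-tls-certs", TLS_SECURITY_CONTEXT)))
    for label, manifest in cases:
        violations = pod_template_violations(cronjob_pod_spec(manifest))
        print(f'{label}: {"OK" if not violations else "would violate PodSecurity restricted:"}')
        for v in violations:
            print("  -", v)
```

On the constructed manifest the first run reports exactly the four `generate-tls-certs` findings from the warning and the second run reports none; feeding it a real `kubectl get cronjob <name> -o json` document works the same way. The restricted profile also constrains volume types, host namespaces and similar fields that this check does not look at, so a clean result here is necessary but not sufficient.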
@carrodher
Member

Thank you for opening this issue and submitting the associated Pull Request. Our team will review and provide feedback. Once the PR is merged, the issue will automatically close.

Your contribution is greatly appreciated!
