This repository has been archived by the owner on Jul 5, 2023. It is now read-only.

Illuminatio runner daemonset fails with enabled Pod Security Policy #67

Closed
ytsarev opened this issue Sep 10, 2019 · 4 comments
Assignees
Labels
documentation Improvements or additions to documentation

Comments

@ytsarev

ytsarev commented Sep 10, 2019

  Warning  FailedCreate      5m34s (x17 over 11m)  daemonset-controller  Error creating: pods 
"illuminatio-runner-" is forbidden: unable to validate against any pod security policy: 
[spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used 
spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used 
spec.volumes[2]: Invalid value: "hostPath": hostPath volumes are not allowed to be used 
spec.containers[0].securityContext.runAsUser: Invalid value: 0: must be in the ranges: [{1 65535}] 
spec.containers[0].securityContext.capabilities.add: Invalid value: "SYS_ADMIN": capability may not 
be added spec.containers[0].securityContext.allowPrivilegeEscalation: Invalid value: true: Allowing 
privilege escalation for containers is not allowed]
@johscheuer
Contributor

I assume that you are running in an environment with PodSecurityPolicy enabled? Currently it's required to give illuminatio rights to access the hostPath and call nsenter; this is related to how illuminatio is designed.

We probably should state this better in the docs.

I'm closing this issue since it's a known drawback (and won't be fixed). Feel free to reopen if you have further questions.

@johscheuer johscheuer added the documentation Improvements or additions to documentation label Sep 10, 2019
@johscheuer johscheuer self-assigned this Sep 10, 2019
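A PodSecurityPolicy that grants exactly the settings the admission error above rejects (hostPID, hostPath volumes, UID 0, SYS_ADMIN, privilege escalation), bound through RBAC to the runner's service account only so no other workload in the cluster inherits them. This is an added example, not the project's own manifest; the policy name, namespace, service account name and the two host path prefixes are assumptions and must be aligned with the real runner daemonset.

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: illuminatio-runner            # assumed name
spec:
  privileged: false                   # full privileged mode is not needed
  hostPID: true                       # runner uses nsenter into host namespaces
  hostNetwork: false
  hostIPC: false
  allowPrivilegeEscalation: true      # rejected setting from the error above
  allowedCapabilities: ["SYS_ADMIN"]  # rejected capability from the error above
  runAsUser:
    rule: RunAsAny                    # runner container runs as UID 0
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes: ["hostPath", "configMap", "secret", "emptyDir", "projected"]
  allowedHostPaths:                   # restrict to the runner's two mounts only
    - pathPrefix: "/PLACEHOLDER-host-path-1"   # replace with spec.volumes[1] path
    - pathPrefix: "/PLACEHOLDER-host-path-2"   # replace with spec.volumes[2] path
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: illuminatio-runner-psp
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["illuminatio-runner"]      # only this policy, not all PSPs
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding                     # namespaced binding, not ClusterRoleBinding
metadata:
  name: illuminatio-runner-psp
  namespace: illuminatio              # assumed namespace of the daemonset
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: illuminatio-runner-psp
subjects:
  - kind: ServiceAccount
    name: illuminatio-runner          # assumed service account of the daemonset
    namespace: illuminatio
```

Check the binding took effect with `kubectl auth can-i use podsecuritypolicy/illuminatio-runner --as=system:serviceaccount:illuminatio:illuminatio-runner`; it should answer `yes` for the runner's service account and `no` for others.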
@ytsarev
Author

ytsarev commented Sep 10, 2019

@johscheuer yeah, that's true, where can I find this documentation bit?

@maxbischoff
Member

It is currently being worked on in #68

@johscheuer
Contributor

I also created an issue to provide a "ready-to-use" PSP, #73. If you have some time / want to tackle this one, you're welcome (we can support you if you want); otherwise I hope I will be able to solve this one next week.
