With Azure policies enabled in AKS (Azure Kubernetes), we can't deploy privileged containers.
We have changed our deployments to deploy as non-privileged containers.
We deployed with the below specification and it is working:
securityContext:
  runAsUser: 999
  runAsNonRoot: true
But the Istio deployment is failing to deploy.
When we try to set up Istio now, the Istio-labelled namespaces are not able to create sidecar containers. Even when I try to install the latest Istio, it gets stuck at the istiod deployment:
istioctl install --set profile=demo -y
✔ Istio core installed
Processing resources for Istiod. Waiting for Deployment/istio-system/istiod
✔ Istio core installed
✘ Istiod encountered an error: failed to wait for resource: resources not ready after 5m0s: timed out waiting for the condition
Deployment/istio-system/istiod
✘ Ingress gateways encountered an error: failed to wait for resource: resources not ready after 5m0s: timed out waiting for the condition
Deployment/istio-system/istio-ingressgateway
✘ Egress gateways encountered an error: failed to wait for resource: resources not ready after 5m0s: timed out waiting for the condition
Deployment/istio-system/istio-egressgateway
- Pruning removed resources
The error I am getting in the events is:
Error creating: admission webhook "validation.gatekeeper.sh" denied the request: [azurepolicy-psp-container-no-privilege-esc-30132221bc21e5b724da] Privilege escalation container is not allowed
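The denial above comes from the Gatekeeper constraint behind Azure Policy's "no privilege escalation" rule. As an added illustration (example code, not part of the question or of Istio's own manifests): the upstream K8sPSPAllowPrivilegeEscalationContainer template flags a container unless it explicitly sets securityContext.allowPrivilegeEscalation: false, so a spec that only sets runAsUser/runAsNonRoot (as in the snippet at the top) still fails. The script below mirrors that rule as a local pre-flight check over a Pod spec and shows the minimal fix. The pod specs in it are constructed for the example and only stand in for an istiod-style Deployment; they are not Istio's actual manifests.

```python
"""Local pre-flight check mirroring the Gatekeeper psp-container-no-privilege-esc rule.

Added example, not from the original question. Assumption: the constraint behaves
like the upstream K8sPSPAllowPrivilegeEscalationContainer template, which treats a
missing securityContext or a missing allowPrivilegeEscalation field as a violation,
exactly like an explicit `true`.
"""
import copy
from typing import Any, Dict, List

CONTAINER_KINDS = ("initContainers", "containers", "ephemeralContainers")


def privilege_escalation_violations(pod_spec: Dict[str, Any]) -> List[str]:
    """Return 'kind/name' for every container the constraint would reject.

    Only an explicit `allowPrivilegeEscalation: False` passes; runAsNonRoot,
    runAsUser or dropped capabilities do not satisfy this particular rule.
    """
    violations: List[str] = []
    for kind in CONTAINER_KINDS:
        for container in pod_spec.get(kind, []):
            security_context = container.get("securityContext") or {}
            if security_context.get("allowPrivilegeEscalation") is not False:
                violations.append(f"{kind}/{container['name']}")
    return violations


def harden(pod_spec: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the spec with allowPrivilegeEscalation: false on every
    container. Other securityContext fields are left untouched."""
    hardened = copy.deepcopy(pod_spec)
    for kind in CONTAINER_KINDS:
        for container in hardened.get(kind, []):
            container.setdefault("securityContext", {})["allowPrivilegeEscalation"] = False
    return hardened


# Constructed sample: a control-plane style pod that already runs as non-root
# but never sets allowPrivilegeEscalation, which is the situation that produces
# "Privilege escalation container is not allowed".
CONSTRUCTED_ISTIOD_STYLE_SPEC: Dict[str, Any] = {
    "containers": [
        {
            "name": "discovery",
            "image": "example.invalid/pilot:placeholder",  # placeholder image, constructed
            "securityContext": {"runAsUser": 1337, "runAsNonRoot": True},
        }
    ]
}

# Constructed sample: a container that explicitly opts in to escalation.
CONSTRUCTED_EXPLICIT_TRUE_SPEC: Dict[str, Any] = {
    "initContainers": [
        {
            "name": "setup",
            "image": "example.invalid/setup:placeholder",  # placeholder image, constructed
            "securityContext": {"allowPrivilegeEscalation": True},
        }
    ],
    "containers": [
        {
            "name": "app",
            "image": "example.invalid/app:placeholder",  # placeholder image, constructed
            "securityContext": {"allowPrivilegeEscalation": False, "runAsNonRoot": True},
        }
    ],
}


if __name__ == "__main__":
    for label, spec in (
        ("istiod-style", CONSTRUCTED_ISTIOD_STYLE_SPEC),
        ("explicit-true", CONSTRUCTED_EXPLICIT_TRUE_SPEC),
    ):
        print(label, "would be denied for:", privilege_escalation_violations(spec))
        print(label, "after harden():", privilege_escalation_violations(harden(spec)))
```

The practical takeaway for the question: the running workloads pass because of a different (or no) constraint on runAsNonRoot, while every container in the istiod and gateway pods has to carry `allowPrivilegeEscalation: false` before Gatekeeper will admit it; that is the field the spec at the top of the question is missing.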