With the Azure Policy add-on enabled (as per organization policy), we can't create privileged containers on AKS (Azure Kubernetes Service).
Our application's security context is set as below.
securityContext:
  allowPrivilegeEscalation: false
  runAsNonRoot: true
  runAsUser: 999
So our app can be created without privileged access. But when linked with Consul (through annotations), the Consul init containers fail to be created:
Warning FailedCreate 6s (x15 over 90s) replicaset-controller Error creating: admission webhook "validation.gatekeeper.sh" denied the request: [azurepolicy-psp-container-no-privilege-esc-30132221bc21e5b724da] Privilege escalation container is not allowed: envoy-sidecar
[azurepolicy-psp-container-no-privilege-esc-30132221bc21e5b724da] Privilege escalation container is not allowed: consul-sidecar
[azurepolicy-psp-container-no-privilege-esc-30132221bc21e5b724da] Privilege escalation container is not allowed: consul-connect-inject-init
The way Azure Policy for Kubernetes works, you need to explicitly declare for each container the allowPrivilegeEscalation value being set to false. It is not enough for the container not to require it; this must be set in the manifest. So, you need to amend your Consul deployment to make sure that this is being set on the sidecar pods. I am not all that familiar with Consul, but if it is being deployed with Helm, have a look at the options in the values file to see if you can set this.
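To see which containers in a pod template would trip the constraint before the ReplicaSet controller does, here is a small checker and fixer written for this answer (it is not Gatekeeper's Rego policy and not part of the Consul chart). It assumes the rule as the answer states it: every container and init container must carry an explicit securityContext.allowPrivilegeEscalation: false, and an absent field counts as a violation. The pod spec, image names and the runAsUser value on the sidecar are constructed for the example; the container names match the ones in the question's error message.

```python
"""Audit a pod spec for containers that do not explicitly set
allowPrivilegeEscalation: false, and produce a hardened copy.

Constructed example: the rule mirrors the azurepolicy-psp-container-no-privilege-esc
behaviour described in the answer (explicit false required), not Gatekeeper's own
Rego implementation.
"""
import copy

# Every list in a pod spec that can hold containers; init containers are
# checked too, since the question's failing container is one.
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def privilege_escalation_violations(pod_spec):
    """Return the names of containers whose securityContext does not explicitly
    set allowPrivilegeEscalation to false (missing field == violation)."""
    violations = []
    for field in CONTAINER_FIELDS:
        for container in pod_spec.get(field) or []:
            security_context = container.get("securityContext") or {}
            if security_context.get("allowPrivilegeEscalation") is not False:
                violations.append(container["name"])
    return violations


def harden_pod_spec(pod_spec):
    """Return a deep copy of pod_spec with allowPrivilegeEscalation: false set on
    every container, leaving any other securityContext fields untouched."""
    hardened = copy.deepcopy(pod_spec)
    for field in CONTAINER_FIELDS:
        for container in hardened.get(field) or []:
            if container.get("securityContext") is None:
                container["securityContext"] = {}
            container["securityContext"]["allowPrivilegeEscalation"] = False
    return hardened


# Constructed pod spec resembling the question: the app container already
# complies, the injected Consul init container and the two sidecars do not.
SAMPLE_POD_SPEC = {
    "initContainers": [
        {"name": "consul-connect-inject-init",
         "image": "consul-k8s-control-plane:PLACEHOLDER"},
    ],
    "containers": [
        {"name": "app", "image": "app:PLACEHOLDER",
         "securityContext": {"allowPrivilegeEscalation": False,
                             "runAsNonRoot": True,
                             "runAsUser": 999}},
        # runAsUser 1000 is a constructed value, not the chart's default
        {"name": "envoy-sidecar", "image": "envoy:PLACEHOLDER",
         "securityContext": {"runAsUser": 1000}},
        {"name": "consul-sidecar", "image": "consul:PLACEHOLDER"},
    ],
}


if __name__ == "__main__":
    for name in privilege_escalation_violations(SAMPLE_POD_SPEC):
        print(f"Privilege escalation container is not allowed: {name}")
    fixed = harden_pod_spec(SAMPLE_POD_SPEC)
    print("violations after hardening:",
          privilege_escalation_violations(fixed))
```

Run it against the rendered pod template (for example the output of a Helm dry run converted to a dict) rather than the Deployment you wrote by hand, because the sidecars the injector adds are what the webhook is rejecting; the hardened copy only shows what the chart values need to produce.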