kubernetes, security-policy

Ability to add exception to RKE2 securitypolicy for root pods or specific namespace


Good afternoon.

So I have an RKE2 cluster with the security policy in place that does not allow root pods to run. I have a pod that has to run as root and have been trying to figure out how to allow my pod to deploy on this cluster without success.

So far I have tried to explicitly set the following:

securityContext:
  runAsUser: 0
  runAsGroup: 0

The pod still fails to be allowed to run on the environment. Is there a way to not totally disable the security policy and perhaps add an exception for a single namespace? Thank you.


Solution

  • To create a pod that has to run as root in a cluster with a security policy in place that does not allow root pods to run, you need to create a security policy for each namespace. Role Based Access Control (RBAC) allows you to create fine-grained roles and policies to manage access control for users and software running on your cluster; you can find more information in this document.

    PodSecurityPolicy is deprecated and will be completely removed in v1.25, you should start considering migrating to Pod Security Admission where "kube-system" namespace is explicitly exempted from PodSecurity.

    Known limitations: Namespace policy update warnings

    Follow this document for more information
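The following manifests are an added illustration of the per-namespace approach the answer describes; they are not part of the original answer or of the RKE2 project. They assume Kubernetes 1.23 or later with Pod Security Admission (the replacement for the deprecated PodSecurityPolicy), which RKE2 loads from the file named by `pod-security-admission-config-file` in /etc/rancher/rke2/config.yaml. The namespace name `needs-root`, the pod name and the image are constructed for the example. Rather than exempting the namespace outright, the namespace is labelled `baseline`, which still blocks privileged containers, host namespaces and hostPath but does not require `runAsNonRoot`, so a pod with `runAsUser: 0` is admitted while the rest of the cluster stays on `restricted`.

```yaml
# Added example, not from the original answer. Assumes Kubernetes 1.23+ with
# Pod Security Admission; RKE2 reads this file via the
# pod-security-admission-config-file option in /etc/rancher/rke2/config.yaml.
# Namespace "needs-root", pod "root-worker" and the image are constructed.
---
# 1. Cluster-wide defaults: "restricted" everywhere unless a namespace label
#    overrides it. Only kube-system is fully exempted, as the answer notes.
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
  - name: PodSecurity
    configuration:
      apiVersion: pod-security.admission.config.k8s.io/v1
      kind: PodSecurityConfiguration
      defaults:
        enforce: restricted
        enforce-version: latest
        audit: restricted
        audit-version: latest
        warn: restricted
        warn-version: latest
      exemptions:
        usernames: []
        runtimeClasses: []
        namespaces: [kube-system]
---
# 2. The exception, scoped to one namespace: enforce "baseline" (root allowed,
#    privileged/hostPath/host namespaces still rejected) but keep audit and
#    warn at "restricted" so any drift from the stricter profile is still logged.
apiVersion: v1
kind: Namespace
metadata:
  name: needs-root
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest
---
# 3. The root pod. runAsUser: 0 is what the question already sets; the other
#    fields keep everything except the UID as tight as "restricted" requires.
apiVersion: v1
kind: Pod
metadata:
  name: root-worker
  namespace: needs-root
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: registry.example/app:1.0   # placeholder image
      securityContext:
        runAsUser: 0
        runAsGroup: 0
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

On an existing namespace the same effect comes from `kubectl label ns needs-root pod-security.kubernetes.io/enforce=baseline --overwrite`; namespace labels take precedence over the admission configuration's defaults, so no restart of the API server is needed for that part. On 1.23 and 1.24 the `PodSecurityConfiguration` kind is served from `pod-security.admission.config.k8s.io/v1beta1` rather than `v1`. If the cluster is an older RKE2 release still enforcing PodSecurityPolicy, these labels have no effect and the exception has to be a PSP bound to the pod's service account through RBAC, as the answer's first bullet describes.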