Tags: kubernetes, google-kubernetes-engine, openldap, kubernetes-pod, podsecuritypolicy

Why does my OpenLDAP container keep crashing due to pod security policy?


I have successfully created a PodSecurityPolicy, ClusterRole and ClusterRoleBinding on GKE. I am now trying to use OpenLDAP from here. Without my PodSecurityPolicy installed on the k8s cluster, the Helm installation of this OpenLDAP works fine.

However, when I install the PSP and then try to install the OpenLDAP, the container stays in a CrashLoopBackOff state.

I am aware that OpenLDAP requires connections on ldapPort: 389 and sslLdapPort: 636, and I am aware that those are privileged ports. I already tried changing just the privileged setting in the PSP yaml to true; that did not work.

PodSecurityPolicy yaml

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: test-psp
spec:
  privileged: false
  allowPrivilegeEscalation: false
  defaultAllowPrivilegeEscalation: false
  allowedCapabilities:
  - NET_ADMIN
  - NET_RAW
  defaultAddCapabilities: []
  requiredDropCapabilities:
  - ALL
  hostPID: false
  hostIPC: false
  hostNetwork: false
#  requiredDropCapabilities: false
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'

ClusterRole

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-cluster-role
rules:
- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  verbs:
  - use
  resourceNames:
  - test-psp

ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: test-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: test-cluster-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts

When I do a describe on the openldap pod, I get Back-off restarting failed container. What could I be doing wrong here that's stopping the OpenLDAP from running?


Solution

  • I resolved this issue by removing "ALL" under requiredDropCapabilities. It seems as if this conflicts with the allowedCapabilities.

    In this case, I am allowing 2 capabilities but at the same time dropping all capabilities; this was the issue in my case, and by removing the "ALL" flag and instead specifying the other capabilities I want to drop one by one, it worked.
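The following is an added model (not Kubernetes source and not code from the question or answer) of how the three capability fields of a PodSecurityPolicy shape what a container is actually left with. It follows the documented PSP semantics: admission first appends defaultAddCapabilities and requiredDropCapabilities to the container's securityContext, then validates that every added capability is allowed and every required drop is present. The effective set is then computed the way a Docker/containerd runtime applies drops and adds to its default root capability set. Run against the PSP from the question, the model shows the container is admitted but ends up with no capabilities at all, including NET_BIND_SERVICE, which any process needs to bind a port below 1024 such as 389 or 636 (unless the node lowers net.ipv4.ip_unprivileged_port_start, which the model ignores). The FIXED_PSP drop list is a constructed illustration of "drop capabilities one by one", not the answerer's actual list.

```python
from dataclasses import dataclass

# Default capability set a root container starts with under Docker/containerd.
RUNTIME_DEFAULT_CAPS = frozenset({
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "NET_RAW", "SETFCAP", "SETGID", "SETPCAP",
    "SETUID", "SYS_CHROOT",
})


@dataclass(frozen=True)
class PspCaps:
    """Capability-related fields of a PodSecurityPolicy spec."""
    allowed: frozenset = frozenset()        # allowedCapabilities ('*' = any)
    required_drop: frozenset = frozenset()  # requiredDropCapabilities
    default_add: frozenset = frozenset()    # defaultAddCapabilities


@dataclass(frozen=True)
class ContainerCaps:
    """securityContext.capabilities of one container."""
    add: frozenset = frozenset()
    drop: frozenset = frozenset()


def apply_psp_defaults(psp, container):
    """Mutation phase: PSP admission appends defaultAddCapabilities to 'add'
    and requiredDropCapabilities to 'drop' before validating."""
    return ContainerCaps(add=container.add | psp.default_add,
                         drop=container.drop | psp.required_drop)


def validate(psp, container):
    """Validation phase: every 'add' must be allowed (or a PSP default) and
    every required drop must be present. Returns a list of error strings."""
    errors = []
    if "*" not in psp.allowed:
        for cap in sorted(container.add - psp.allowed - psp.default_add):
            errors.append(f"capability may not be added: {cap}")
    for cap in sorted(psp.required_drop - container.drop):
        errors.append(f"capability must be dropped: {cap}")
    return errors


def effective_caps(container):
    """Bounding set the runtime hands the process: defaults minus drops
    (ALL clears everything), then explicit adds on top."""
    caps = set() if "ALL" in container.drop else set(RUNTIME_DEFAULT_CAPS - container.drop)
    caps |= container.add - {"ALL"}
    return frozenset(caps)


def can_bind_privileged_port(caps):
    """Binding a port below 1024 needs CAP_NET_BIND_SERVICE, even for uid 0."""
    return "NET_BIND_SERVICE" in caps


def assess(psp, container=ContainerCaps()):
    """Run both admission phases and report what the container ends up with."""
    final = apply_psp_defaults(psp, container)
    errors = validate(psp, final)
    caps = effective_caps(final)
    return {"admitted": not errors, "errors": errors,
            "effective": caps, "can_bind_389": can_bind_privileged_port(caps)}


# The PSP from the question: allows NET_ADMIN/NET_RAW but requires dropping ALL.
ORIGINAL_PSP = PspCaps(allowed=frozenset({"NET_ADMIN", "NET_RAW"}),
                       required_drop=frozenset({"ALL"}))

# Constructed variant of the answer's fix: name the drops individually so
# NET_BIND_SERVICE survives (illustrative list, not the answerer's own).
FIXED_PSP = PspCaps(allowed=frozenset({"NET_ADMIN", "NET_RAW"}),
                    required_drop=frozenset({"SYS_CHROOT", "MKNOD", "AUDIT_WRITE", "SETFCAP"}))

if __name__ == "__main__":
    for name, psp in (("original", ORIGINAL_PSP), ("fixed", FIXED_PSP)):
        print(name, assess(psp))
```

The point a reviewer of the original PSP would make: admission does not reject the pod, so nothing shows up as a policy error; the container simply starts with an empty capability set and the LDAP listener fails at bind time, which is why the only symptom is a CrashLoopBackOff. When you do need `requiredDropCapabilities: [ALL]` for a workload, pair it with an explicit `add: [NET_BIND_SERVICE]` in the container's securityContext (and list NET_BIND_SERVICE under allowedCapabilities), or run the service on an unprivileged port.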