NSX-T NCP Pod Security Policy (PSP) missing capability AUDIT_WRITE

Article ID: 322449

Updated On:

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • Running NCP 3.1.1.
  • The YAML file used to deploy NCP is missing a capability entry in the PodSecurityPolicy (PSP) resource.
  • The ncp-psp PodSecurityPolicy does not have AUDIT_WRITE capability, like below:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: ncp-psp
spec:
  hostNetwork: true
  hostIPC: false
  hostPID: false
  privileged: false
  defaultAddCapabilities: null


Environment

VMware NSX-T Data Center

Cause

This capability was incorrectly omitted from the configuration file.

Resolution

This issue is resolved in NCP 3.1.2.

Workaround:
You can manually add the capability to the file under spec.allowedCapabilities, as in the following:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: ncp-psp
spec:
  hostNetwork: true
  hostIPC: false
  hostPID: false
  privileged: false
  defaultAddCapabilities: null
  allowedCapabilities:
  - AUDIT_WRITE
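The following is an added example, not part of this article and not VMware or NCP code. It checks a PodSecurityPolicy object (the JSON shape returned by `kubectl get psp ncp-psp -o json`; the sample below is constructed from the YAML above) for the AUDIT_WRITE capability using PSP semantics (an entry in allowedCapabilities, the "*" wildcard, or an entry in defaultAddCapabilities, which are implicitly allowed), and builds the JSON merge patch for the workaround. Because a merge patch replaces list values wholesale, the patch carries any capabilities already allowed plus the new one. Function names and the sample object are the example's own.

```python
import copy
import json

# Constructed sample object: the shape `kubectl get psp ncp-psp -o json` returns
# for the PSP shown in this article, reduced to the fields that matter here.
SAMPLE_PSP = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "ncp-psp"},
    "spec": {
        "hostNetwork": True,
        "hostIPC": False,
        "hostPID": False,
        "privileged": False,
        "defaultAddCapabilities": None,
    },
}


def _caps(spec, field):
    """Return a capability list field as a list (a YAML 'null' arrives as None)."""
    value = spec.get(field)
    return list(value) if value else []


def has_capability(psp, cap):
    """True if a pod admitted by this PSP may request `cap`.

    PSP semantics: a capability is permitted if it is listed in
    spec.allowedCapabilities, if that list contains the wildcard "*",
    or if it is in spec.defaultAddCapabilities (those are implicitly allowed).
    """
    spec = psp.get("spec", {})
    allowed = _caps(spec, "allowedCapabilities")
    return cap in allowed or "*" in allowed or cap in _caps(spec, "defaultAddCapabilities")


def merge_patch_for(psp, cap):
    """Build a JSON merge patch (RFC 7386) that adds `cap`, or None if not needed.

    A merge patch replaces list values wholesale, so the patch must carry the
    existing allowedCapabilities plus the new entry, not just the new entry.
    """
    if has_capability(psp, cap):
        return None
    existing = _caps(psp.get("spec", {}), "allowedCapabilities")
    return {"spec": {"allowedCapabilities": existing + [cap]}}


def apply_merge_patch(obj, patch):
    """Minimal RFC 7386 merge-patch application, enough to preview the result locally."""
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)
    result = copy.deepcopy(obj) if isinstance(obj, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)  # null in a merge patch deletes the key
        else:
            result[key] = apply_merge_patch(result.get(key), value)
    return result


def kubectl_patch_command(psp, cap):
    """The kubectl invocation that applies the patch, or None when nothing is missing."""
    patch = merge_patch_for(psp, cap)
    if patch is None:
        return None
    name = psp["metadata"]["name"]
    return f"kubectl patch psp {name} --type merge -p '{json.dumps(patch)}'"


if __name__ == "__main__":
    print("AUDIT_WRITE allowed:", has_capability(SAMPLE_PSP, "AUDIT_WRITE"))
    print(kubectl_patch_command(SAMPLE_PSP, "AUDIT_WRITE"))
```

Run it as-is to see the patch command for the sample; to check a live cluster, feed the output of `kubectl get psp ncp-psp -o json` through `json.load` instead of `SAMPLE_PSP`. Preview the result with `apply_merge_patch` before running the printed `kubectl patch` command, which only touches spec.allowedCapabilities and leaves the rest of the PSP unchanged.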