Tanzu Mission Control OPA settings not enforcing runAsRoot on vSphere with Tanzu

Article ID: 375113


Products

Tanzu Mission Control; vSphere with Tanzu

Issue/Introduction

Security policies created in Tanzu Mission Control (TMC) through its Open Policy Agent (OPA) integration do not control whether pods may run as root on workload clusters running Tanzu Kubernetes release (TKr) 1.25 or later. The runAsRoot setting of the TMC policy has no effect on pods deployed to the cluster: pods that request a root user are still admitted or rejected according to the cluster's own Pod Security Admission (PSA) configuration, not the TMC policy.

Environment

  • vSphere with Tanzu workload clusters attached to Tanzu Mission Control (TMC).
  • Open Policy Agent (OPA) security policies configured in TMC that set runAsRoot permissions.
  • Kubernetes 1.25+ (TKr 1.25+), where the Pod Security Admission (PSA) controller is enabled by default.

Cause

For workload clusters deployed by vSphere with Tanzu on Tanzu Kubernetes release (TKr) 1.25+, the pod security standard is applied by the Pod Security Admission (PSA) controller (PodSecurityPolicy was removed from Kubernetes in 1.25). The podSecurityStandard must therefore be configured explicitly, either manually with namespace labels or through the cluster's ClusterClass variables. The default podSecurityStandard on TKr 1.25+ is enforce: restricted, which rejects any pod that may run as root (the restricted profile requires runAsNonRoot: true). This is documented in the vSphere with Tanzu docs.

Tanzu Mission Control (TMC) security policies are enforced on the cluster by OPA Gatekeeper, which runs as a validating admission webhook. PSA is a separate admission controller, and the API server admits a request only if every admission controller allows it. A TMC policy that permits runAsRoot therefore cannot override a PSA enforce level of restricted: the pod is still denied by PSA before the TMC policy matters. This limitation is called out in the notes section of the TMC docs.

Resolution

To resolve this issue, first change the Pod Security Admission (PSA) configuration for the affected namespaces or cluster to a level that permits pods to run as root (baseline is sufficient for runAsUser: 0; privileged should be reserved for workloads that also need host namespaces or privileged containers), and only then rely on the Tanzu Mission Control (TMC) OPA security policy to manage the finer-grained constraints. Follow the docs linked below; the PSA settings can be set in one of two ways:

1. Manually set the PSA settings per namespace with the pod-security.kubernetes.io labels, as described in the vSphere with Tanzu "Configuring PSA Using Namespace Labels" docs. This affects only the labelled namespaces and is not reapplied if the cluster is recreated.

--OR--

2. Set the default PSA settings for the whole cluster via the Cluster's ClusterClass configuration (the podSecurityStandard variable), as described in the vSphere with Tanzu "Pod Security Standard" docs. This changes the default for all namespaces that do not carry their own labels.
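The following shell functions walk through the namespace-label route (option 1) and produce the Cluster variable fragment for option 2, then verify the result with a server-side dry run so the admission decision is visible without creating the pod. This is an added example, not code from the KB article or from VMware/Broadcom. It assumes a kubeconfig context pointing at the workload cluster, a constructed namespace name app-ns, the upstream pod-security.kubernetes.io/<mode>=<level> label convention, and that the ClusterClass variable is named podSecurityStandard with enforce, audit, warn and deactivated fields as shown in the linked vSphere with Tanzu docs (check the field names against the docs for your TKr version).

```shell
#!/bin/sh
# Added example; assumes kubectl is configured for the vSphere with Tanzu
# workload cluster. Namespace "app-ns" and cluster "tkc-01" are constructed.

# Show the PSA labels currently on a namespace so the effective
# enforce/audit/warn levels are known before anything is changed.
psa_show() {
  ns="$1"
  kubectl get namespace "$ns" -o jsonpath='{.metadata.labels}'
  printf '\n'
}

# Option 1: set the enforce level to one that permits root (baseline or
# privileged) while keeping audit/warn at restricted, so violations still
# surface as API server audit events and kubectl warnings.
psa_allow_root() {
  ns="$1"
  level="${2:-baseline}"
  case "$level" in
    baseline|privileged) ;;
    *) echo "level must be baseline or privileged, got '$level'" >&2; return 1 ;;
  esac
  kubectl label namespace "$ns" --overwrite \
    "pod-security.kubernetes.io/enforce=$level" \
    "pod-security.kubernetes.io/audit=restricted" \
    "pod-security.kubernetes.io/warn=restricted"
}

# Option 2: the Cluster spec fragment that sets the cluster-wide default via
# the ClusterClass variable (assumed schema; see the linked docs). Merge it
# into spec.topology.variables of the Cluster object for the workload cluster.
cluster_psa_variable() {
  level="${1:-baseline}"
  cat <<EOF
spec:
  topology:
    variables:
    - name: podSecurityStandard
      value:
        deactivated: false
        enforce: $level
        audit: restricted
        warn: restricted
EOF
}

# A pod that explicitly asks for a root user. With enforce=restricted this is
# rejected (runAsNonRoot: true is required); with enforce=baseline it passes.
root_pod_manifest() {
  ns="$1"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: psa-root-check
  namespace: $ns
spec:
  securityContext:
    runAsUser: 0
  containers:
  - name: sleep
    image: busybox:1.36
    command: ["sleep", "3600"]
EOF
}

# Server-side dry run: the API server runs admission (PSA and the TMC
# Gatekeeper webhook) without persisting the pod, so a PSA denial shows up
# as an error here and an allowed pod prints "created (server dry run)".
psa_verify_root() {
  ns="$1"
  root_pod_manifest "$ns" | kubectl apply --dry-run=server -f -
}

# Usage against a live cluster (uncomment):
# psa_show app-ns
# psa_allow_root app-ns baseline
# psa_verify_root app-ns
# cluster_psa_variable baseline   # paste into the Cluster spec for tkc-01
```

Run psa_verify_root before and after psa_allow_root: the first run should fail with a PSA message naming the restricted violations, the second should succeed, which confirms that PSA, not the TMC policy, was the component rejecting root pods. Once PSA admits the pod, the TMC OPA policy is the remaining gate and its runAsRoot setting takes effect.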