Pods should have seccompProfile RuntimeDefault

[haslersn]

In my K8s 1.19 cluster which implements Pod Security Standards with default Restricted, I cannot deploy cert-manager.yaml from the releases, because in all three deployments, the PodSpec is missing:

securityContext:
  seccompProfile:
    type: RuntimeDefault

Expected behaviour:

Since cert-manager seems to still work when applying those security best-practices, it should just apply in a cluster like mine.

Environment details::

• Kubernetes version: 1.19
• Cloud-provider/provisioner: kubeadm on Debian 10
• cert-manager version: 1.6.1
• Install method: apply cert-manager.yaml as kustomize resource

/kind bug

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[jetstack-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

[haslersn]

/remove-lifecycle rotten

[joebowbeer]

I can repro against cert-manager v1.8.2 using the following command:

kustomize build https://github.com/kyverno/policies//pod-security | \
  kyverno apply --policy-report -r \
  <(wget -qO- https://github.com/cert-manager/cert-manager/releases/download/v1.8.2/cert-manager.yaml) \
  -

Six failures are reported, two failures for each of the three Deployments: cert-manager, cert-manager-cainjector, and cert-manager-webhook.

The first missing property is the one reported in the description. This can be declared per-pod or per-container:

securityContext:
  seccompProfile:
    type: RuntimeDefault

The second missing property must be declared per-container:

securityContext:
  capabilities:
    drop:
    - ALL

In the helm chart these can be added by editing the securityContext and containerSecurityContext properties corresponding to cert-manager, webhook and cainjector in values.yaml

[joebowbeer]

Related to #3721

[joebowbeer]

Note that the kyverno version and policies used internally are out of date: #5258