Support additional securityContext options

In our kubernetes setup, we set the namespaces to use “Restricted” level of security (Pod Security Standards | Kubernetes).

With this level of security, containers must run with a securityContext equivalent to:

securityContext:
  runAsUser: 1001
  runAsNonRoot: true
  capabilities:
    drop:
      - ALL
  allowPrivilegeEscalation: false
  seccompProfile:
    type: RuntimeDefault

Currently, according to the okteto docs (Okteto Manifest | Okteto Documentation), “allowPrivilegeEscalation” and “seccompProfile” are not supported.

This yields the following error message when attempting “okteto up”:

 x  Couldn't activate your development container
    allowPrivilegeEscalation != false (containers "okteto-bin", "okteto-init-volume" must set securityContext.allowPrivilegeEscalation=false), seccompProfile (pod or containers "okteto-bin", "okteto-init-volume" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Would it be possible to add support for these options?

Thanks!

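As an added example (not code from this thread or from Okteto), a Python check that reports, per container, which of the Restricted-profile fields named in the error above are missing; it assumes the Pod spec has already been parsed into plain dicts (e.g. with yaml.safe_load) and uses a constructed sample spec.

```python
# Added example: validate a Pod spec against the Restricted Pod Security
# Standard fields discussed in the thread. Assumes the manifest is already
# parsed into dicts; SAMPLE_POD_SPEC below is constructed for illustration.

RESTRICTED_SECCOMP = {"RuntimeDefault", "Localhost"}

def restricted_violations(pod_spec: dict) -> list[str]:
    """Return human-readable violations; an empty list means compliant."""
    pod_sc = pod_spec.get("securityContext") or {}
    problems = []
    containers = (pod_spec.get("initContainers") or []) + (pod_spec.get("containers") or [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        # Must be explicitly false on every container (no pod-level fallback)
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be false")
        # capabilities.drop must contain ALL; add is limited to NET_BIND_SERVICE
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            problems.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add") or []) - {"NET_BIND_SERVICE"}
        if extra:
            problems.append(f"{name}: capabilities.add not allowed: {sorted(extra)}")
        # runAsNonRoot and seccompProfile may be inherited from the pod level
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f"{name}: runAsNonRoot must be true")
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in RESTRICTED_SECCOMP:
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return problems

# Constructed sample: a compliant app container plus an init container that,
# like the init containers in the error above, omits allowPrivilegeEscalation.
SAMPLE_POD_SPEC = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "initContainers": [
        {"name": "init-volume", "securityContext": {"capabilities": {"drop": ["ALL"]}}},
    ],
    "containers": [
        {"name": "app",
         "securityContext": {"runAsUser": 1001, "allowPrivilegeEscalation": False,
                             "capabilities": {"drop": ["ALL"]},
                             "seccompProfile": {"type": "RuntimeDefault"}}},
    ],
}

if __name__ == "__main__":
    for line in restricted_violations(SAMPLE_POD_SPEC):
        print(line)
```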

Hey @dimeoa ! To ensure we understand this: is the ask to let you define a custom securityContext, or for the init containers that Okteto creates to inherit the securityContext configuration from the existing deployment?

This will be available on version 2.12 of the Okteto CLI. You can try the beta today by downloading the binary from Release Okteto CLI [beta] - 2.12.0-beta.1 · okteto/okteto · GitHub

Hi,
I tried okteto cli version 2.29.3 but the seccompProfile option is not supported in the manifest. Will this be available any time soon?

Hey @bmusat, as of Okteto CLI 3.0, we only support the following overrides:

securityContext:
  runAsUser: 1000
  runAsGroup: 2000
  fsGroup: 3000
  capabilities:
    add:
      - SYS_PTRACE

Our docs have more information on this on the supported elements of the securityContext.

It is now deprecated, but Kubernetes allows you to define the seccomp profile via annotations. If you want to go that route, you can configure okteto to set them up for you during development in the manifest.