Support additional securityContext options

dimeoa · December 5, 2022, 7:37pm

In our kubernetes setup, we set the namespaces to use “Restricted” level of security (Pod Security Standards | Kubernetes).

With this level of security, containers must with a secuirtyContext equivalent to:

securityContext:
  runAsUser: 1001
  runAsNonRoot: true
  capabilities:
    drop:
      - ALL
  allowPrivilegeEscalation: false
  seccompProfile:
    type: RuntimeDefault

Currently, according to the okteto docs (Okteto Manifest | Okteto Documentation) , “allowPrivilegeEscalation” and “seccompProfile” are not supported.

This yields the following error message when attempting “okteto up”:

 x  Couldn't activate your development container
    allowPrivilegeEscalation != false (containers "okteto-bin", "okteto-init-volume" must set securityContext.allowPrivilegeEscalation=false), seccompProfile (pod or containers "okteto-bin", "okteto-init-volume" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Would it be possible to add support for these options?

Thanks!

ramiro · December 12, 2022, 6:20pm

Hey @dimeoa ! To ensure we understand this: is the ask to let you define a custom securityContext, or for the init containers that Okteto creates to inherit the securityContext configuration from the existing deployment?

ramiro · January 24, 2023, 12:19am

This will be available on version 2.12 of the Okteto CLI. You can try the beta today by downloading the binary from Release Okteto CLI [beta] - 2.12.0-beta.1 · okteto/okteto · GitHub

bmusat · August 27, 2024, 5:08pm

Hi,
I tried okteto cli version 2.29.3 but the seccompProfile option is not supported in the manifest. Will this be available any time soon?

ramiro · October 10, 2024, 2:56pm

Hey @bmusat, as of Okteto CLI 3.0, we only support the following overrides:

securityContext:
  runAsUser: 1000
  runAsGroup: 2000
  fsGroup: 3000
  capabilities:
    add:
      - SYS_PTRACE

Our docs has more information on this on the supported elements of the securityContext.

It is now deprecated, but Kubernetes allows you to define the seccomp profile via annotations. If want to go that route, you can configure okteto to set them up for you during development in the manifest.

bmusat · March 13, 2026, 3:16pm

Hi,

I came back to check on this issue and it seems that the kubernetes cluster has some security restrictions that do not allow the seccomp profile to be set via annotations.

I have the required modifications myself (from a colleague) but I am not familiarized at all with golang development on github.

Would it be possible to find some contributor who is willing to implement those modifications?

It seems there are aprox 10 lines of code.

Topic		Replies	Views
Any plans to support setting the "readOnlyRootFilesystem" securityContext via okteto manifest? Feature Requests	0	722	September 23, 2022
[Support Guide] Self-Hosted Customers Should Update Okteto to 1.8 Before Using Kubernetes 1.25 Help	0	572	May 11, 2023
UPGRADE FAILED with 'no matches for kind "PodSecurityPolicy" in version "policy/v1beta1"' Help	1	3835	May 5, 2023
Unable to create container due to seccomp error Help	12	3547	April 17, 2023
Install Okteto on GKE AutoPilot Feature Requests	1	912	May 7, 2024

Support additional securityContext options

Related topics