
Kyverno Policy Blocks Instrumentation-Injected Init Container Due to Security Context Violations #152

Open
ghpark870707 opened this issue Nov 13, 2024 · 0 comments


Summary

When using k8s-agents-operator to inject New Relic instrumentation via an init container, Kyverno policies on our Kubernetes cluster prevent the init container from meeting required security standards, specifically regarding capabilities and privilege escalation restrictions. This causes the pod to fail to start upon creation or restart.

Desired Behavior

The k8s-agents-operator should ensure that the injected init container satisfies common security policies, such as setting allowPrivilegeEscalation: false and capabilities.drop: [ "ALL" ], to comply with security constraints enforced by tools like Kyverno. This would prevent Kubernetes pods from failing to start or restart due to security policy violations when instrumentation is injected.

Possible Solution

An update in the k8s-agents-operator configuration to allow specifying custom security context parameters for the init container, or defaulting to secure configurations that align with standard policy frameworks, could resolve this issue. Including these configurations directly in the Helm chart’s values.yaml file would give users flexibility in adapting to their specific security requirements.

Additional Context

This feature is critical for Kubernetes environments with stringent security policies, such as those enforced by Kyverno. Our organization’s policies require all containers (including init containers) to drop all Linux capabilities and disable privilege escalation. Without this feature, the operator’s instrumentation init container is blocked from starting, leading to deployment failures and affecting application observability.

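The two rules the issue describes (every container, init containers included, must set `allowPrivilegeEscalation: false` and `capabilities.drop: ["ALL"]`) are easy to reproduce as an offline admission check, which is useful for testing an operator's injected pod spec before it hits a cluster. The script below is an added example written for this page; it is not code from k8s-agents-operator, Kyverno, or the issue author. The pod specs, the init container name `instrumentation-init`, and the images are constructed placeholders, not the operator's real values. `harden_init_containers` shows the effect the requested feature would have: it rewrites only the init containers so the same pod passes the check.

```python
"""Offline check for the Kyverno-style rules described in the issue:
every container AND initContainer must carry
  securityContext.allowPrivilegeEscalation: false
  securityContext.capabilities.drop: ["ALL"]
Example code added for this page; not the operator's or Kyverno's code.
"""
import copy
from typing import Any, Dict, List


def check_container(container: Dict[str, Any], kind: str) -> List[str]:
    """Return violation messages for one container entry (empty list = compliant)."""
    sc = container.get("securityContext") or {}
    name = container.get("name", "<unnamed>")
    problems: List[str] = []
    # The field must be an explicit false; an omitted field does not satisfy the rule.
    if sc.get("allowPrivilegeEscalation") is not False:
        problems.append(f"{kind}/{name}: securityContext.allowPrivilegeEscalation must be set to false")
    dropped = (sc.get("capabilities") or {}).get("drop") or []
    if "ALL" not in [str(cap).upper() for cap in dropped]:
        problems.append(f"{kind}/{name}: securityContext.capabilities.drop must contain ALL")
    return problems


def check_pod(pod: Dict[str, Any]) -> List[str]:
    """Apply check_container to initContainers, containers and ephemeralContainers.
    Checking only spec.containers is the mistake that lets an injected init container through."""
    spec = pod.get("spec") or {}
    problems: List[str] = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(kind) or []:
            problems.extend(check_container(container, kind[:-1]))  # singular label
    return problems


def harden_init_containers(pod: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the pod whose init containers satisfy both rules.
    Mirrors what an operator default (or a Helm securityContext value) would emit."""
    fixed = copy.deepcopy(pod)
    for container in fixed.get("spec", {}).get("initContainers") or []:
        sc = container.setdefault("securityContext", {})
        sc["allowPrivilegeEscalation"] = False
        drop = sc.setdefault("capabilities", {}).setdefault("drop", [])
        if "ALL" not in [str(cap).upper() for cap in drop]:
            drop.append("ALL")
    return fixed


# Constructed sample specs (placeholder names and images, not real operator values).
HARDENED_SC = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}

APP_CONTAINER = {
    "name": "app",
    "image": "registry.example/app:1.0",
    "securityContext": HARDENED_SC,
}

# The failure mode from the issue: an injected init container with no securityContext.
INJECTED_INIT_NO_SC = {
    "name": "instrumentation-init",
    "image": "registry.example/agent-init:1.0",
}

POD_BLOCKED = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {"initContainers": [INJECTED_INIT_NO_SC], "containers": [APP_CONTAINER]},
}


if __name__ == "__main__":
    for label, pod in (("as injected", POD_BLOCKED), ("hardened", harden_init_containers(POD_BLOCKED))):
        violations = check_pod(pod)
        print(f"{label}: {'PASS' if not violations else 'BLOCKED'}")
        for v in violations:
            print("  -", v)
```

Run as-is the script reports the app container as compliant and the injected init container as blocked on both rules, then shows the same pod passing once `harden_init_containers` has added the two settings. The check treats an omitted `allowPrivilegeEscalation` as a violation rather than assuming a safe default, which is the conservative reading a policy engine applies and the reason the init container must set the field explicitly instead of relying on the operator to leave it out.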