GKE AutoPilot - No Write Mode Hostpath

[brianjflowhub]

Tagged version: 7.12.0

Is it possible to run APM-Server on GKE AutoPilot where GKE best security practice are required? Here's the error I'm receiving when I deploy the helm chart.

Error from server ([denied by autogke-no-write-mode-hostpath] hostPath volume data in container busybox is accessed in write mode; disallowed in Autopilot. Requesting user: <gitlab-deploy@company-dev.iam.gserviceaccount.com> and groups: <["system:authenticated"]>
[denied by autogke-no-write-mode-hostpath] hostPath volume data in container apm-server is accessed in write mode; disallowed in Autopilot. Requesting user: <gitlab-deploy@company-dev.iam.gserviceaccount.com> and groups: <["system:authenticated"]>): error when creating "1122201989/manifest.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [denied by autogke-no-write-mode-hostpath] hostPath volume data in container busybox is accessed in write mode; disallowed in Autopilot. Requesting user: <gitlab-deploy@company-dev.iam.gserviceaccount.com> and groups: <["system:authenticated"]>
[denied by autogke-no-write-mode-hostpath] hostPath volume data in container apm-server is accessed in write mode; disallowed in Autopilot. Requesting user: <gitlab-deploy@company-dev.iam.gserviceaccount.com> and groups: <["system:authenticated"]>

[jmlrt]

Hi @brianjflowhub,
We didn't investigate into GKE AutoPilot support yet.
Without knowing anything about it, I see references to hostpath volume and busybox container, however this chart doesn't use any busybox image and the only mounted volume is the configMap with default values.

[joshpurvis]

I ran into a similar error on the ES chart.

Error: failed to create resource: admission webhook "validation.gatekeeper.sh" denied the request: [denied by autogke-disallow-privilege] container <configure-sysctl> is privileged; not allowed in Autopilot. Requesting user: <REDACTED@REDACTED.iam.gserviceaccount.com> and groups: <["system:authenticated"]>

After some digging, I came across an issue in an unrelated project: DataDog/helm-charts#182

According to one of the comments there, their chart works in GKE AutoPilot's "rapid release" channel -- so I assume the issue is GCP's problem and will eventually resolve itself in the next release?

[jmlrt]

I ran into a similar error on the ES chart.

Error: failed to create resource: admission webhook "validation.gatekeeper.sh" denied the request: [denied by autogke-disallow-privilege] container <configure-sysctl> is privileged; not allowed in Autopilot. Requesting user: <REDACTED@REDACTED.iam.gserviceaccount.com> and groups: <["system:authenticated"]>

After some digging, I came across an issue in an unrelated project: DataDog/helm-charts#182

According to one of the comments there, their chart works in GKE AutoPilot's "rapid release" channel -- so I assume the issue is GCP's problem and will eventually resolve itself in the next release?

This error is different and is related to the initContainer running on privileged mode to configure virtual memory on K8S nodes (https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html#vm-max-map-count).

If AutoPilot don't allow privileged container, you can still disable it using sysctlInitContainer.enabled=false

[alphayax]

I ran into a similar error on the ES chart.

Error: failed to create resource: admission webhook "validation.gatekeeper.sh" denied the request: [denied by autogke-disallow-privilege] container <configure-sysctl> is privileged; not allowed in Autopilot. Requesting user: <REDACTED@REDACTED.iam.gserviceaccount.com> and groups: <["system:authenticated"]>

After some digging, I came across an issue in an unrelated project: DataDog/helm-charts#182
According to one of the comments there, their chart works in GKE AutoPilot's "rapid release" channel -- so I assume the issue is GCP's problem and will eventually resolve itself in the next release?

This error is different and is related to the initContainer running on privileged mode to configure virtual memory on K8S nodes (https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html#vm-max-map-count).

If AutoPilot don't allow privileged container, you can still disable it using sysctlInitContainer.enabled=false

I've got the same error on the ES Chart too.
But setting sysctlInitContainer.enabled=false doesn't help : ES doesn't start because memory is too low without the sysctl init container.

ERROR: [1] bootstrap checks failed
[1]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]

[maiconbaum]

I ran into a similar error on the ES chart.

Error: failed to create resource: admission webhook "validation.gatekeeper.sh" denied the request: [denied by autogke-disallow-privilege] container <configure-sysctl> is privileged; not allowed in Autopilot. Requesting user: <REDACTED@REDACTED.iam.gserviceaccount.com> and groups: <["system:authenticated"]>

After some digging, I came across an issue in an unrelated project: DataDog/helm-charts#182
According to one of the comments there, their chart works in GKE AutoPilot's "rapid release" channel -- so I assume the issue is GCP's problem and will eventually resolve itself in the next release?

This error is different and is related to the initContainer running on privileged mode to configure virtual memory on K8S nodes (https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html#vm-max-map-count).
If AutoPilot don't allow privileged container, you can still disable it using sysctlInitContainer.enabled=false

I've got the same error on the ES Chart too.
But setting sysctlInitContainer.enabled=false doesn't help : ES doesn't start because memory is too low without the sysctl init container.

ERROR: [1] bootstrap checks failed
[1]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]

This is still an issue.

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[orlandothoeny]

This is still an ongoing issue. Blocks running Elasticserarch on a GKE Autopilot cluster.

[jvkubjg]

Any updates on that?
We want to run ES on GKE Autopilot

[nakabonne]

I'm running into the sysctlInitContainer issue too. Forcing us to run containers in privileged mode is not desirable for everyone from a security standpoint, not just for GKE Autopilot.

Hopefully we have another way to increase the operating system limits on mmap counts.

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.