Kubernetes: security context and IPC_LOCK capability

8/7/2018

I'm trying to install a Helm package that needs the IPC_LOCK capability, so I'm getting this message:

Error creating: pods "pod..." is forbidden: unable to validate against any security context constraint: [capabilities.add: Invalid value: "IPC_LOCK": capability may not be added capabilities.add: Invalid value: "IPC_LOCK": capability may not be added]

You can see the DeploymentConfig here.

I'm installing Vault using a Helm chart, so I'm not able to change DeploymentConfig.

I guess the only way to get it would be using a service account with an SCC associated that allows it to run the container.

How could I solve that?

-- Jordi
kubernetes
openshift

1 Answer

8/7/2018

I haven't worked on vault yet, so my answers might not be accurate.

But I think you can remove that capability and disable mlock in the Vault config: https://www.vaultproject.io/docs/configuration/index.html#disable_mlock

Having said that, I don't think Kubernetes supports memory swapping anyway (someone needs to verify this), therefore a syscall to mlock might not be needed.

-- Bal Chua
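The second route the question mentions, a service account bound to an SCC that permits the capability, looks like the following. This is an added example and not part of the question, the answer, or the Vault Helm chart; the SCC name vault-ipc-lock, the namespace vault and the service account name vault are assumptions (the chart's actual service account name must be substituted). It keeps every other constraint of the built-in restricted SCC and only adds IPC_LOCK to allowedCapabilities, so the grant is limited to the one capability the pod needs.

```yaml
# Added example, not from the original post or the Vault chart: a custom
# OpenShift SecurityContextConstraints that permits only IPC_LOCK on top of
# the restrictions of the built-in "restricted" SCC.
# Assumed names: SCC vault-ipc-lock, namespace vault, service account vault.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: vault-ipc-lock
# The single extra capability; a pod may request it via capabilities.add.
allowedCapabilities:
- IPC_LOCK
# Not added by default: the pod must ask for it explicitly.
defaultAddCapabilities: []
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
# Everything else stays as locked down as the restricted SCC.
allowPrivilegedContainer: false
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
readOnlyRootFilesystem: false
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
# Grant the SCC to the chart's service account only (assumed name/namespace).
users:
- system:serviceaccount:vault:vault
groups: []
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault
  namespace: vault
```

Apply it with `oc create -f scc.yaml` as a cluster admin; the `users:` entry can be left empty and the binding done afterwards with `oc adm policy add-scc-to-user vault-ipc-lock -z vault -n vault`. Because the restricted SCC still rejects the IPC_LOCK request, admission falls through to this SCC and the pod validates. If the chart is instead deployed without the capability, the matching Vault-side change is `disable_mlock = true` in the configuration, which trades the mlock protection (keeping key material out of swap) for not needing the capability at all.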
Source: StackOverflow