Fix Kyverno policy violations for DCAE PRH & VES-COLLECTOR

Description

For DCAE PRH & VES-COLLECTOR to be compliant with the Kyverno policies, the charts need changes to the pod and container security contexts, the volumes and the health-check probes. The changes are summarised below.

  1. Security Context

  • Pod Security Context:

    • User and Group IDs: the pod is given explicit non-zero runAsUser and runAsGroup IDs, so no process in the pod runs as root.

    • Seccomp Profile: the RuntimeDefault profile restricts the system calls the containers can make.

  • Container Security Context:

    • Privilege Escalation: allowPrivilegeEscalation is set to false, so a process cannot gain more privileges than its parent (for example through setuid binaries).

    • Capabilities: all Linux capabilities are dropped, reducing the permissions of the container process to the minimum.

    • Read-Only Filesystem: readOnlyRootFilesystem is set to true, so the container's root filesystem cannot be modified at runtime.

    • Non-Root User: runAsNonRoot is set to true, so the kubelet refuses to start the container if the image would run as UID 0.

  2. Volumes

  • Setting a sizeLimit on the existing emptyDir volumes, and adding further emptyDir volumes for the paths the application writes to (temporary files, logs, mutable configuration), so that the read-only root filesystem does not cause write failures at runtime.

  3. Annotations

  • Instructing Istio to leave the HTTP readiness and liveness probes unchanged (the probes call the application's own health-check endpoint). By default the Istio sidecar rewrites HTTP probes to go through the sidecar agent; disabling that rewrite ensures the probes reach the application directly and report its real health.

  4. InitContainer

  • An initContainer is introduced to copy files from one directory to another, because the main container has a read-only root filesystem and therefore cannot modify files in the directory where the image ships them. Simply mounting an emptyDir volume at that directory does not work either: the mount hides the files the image placed there, so the application sees an empty directory.

  • To address this, the initContainer runs with the emptyDir mounted at a different, writable path, copies the required files from the original image directory into it, and the main container then mounts that same emptyDir at the original path. The application finds its files where it expects them and can modify them, while the root filesystem stays read-only.
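The four change groups above, combined in one Deployment fragment. This is an added illustration, not the ONAP chart itself: the image name, the config path /app/config, the probe port and path, the log directory and the size limits are all assumed values chosen for the example.

```yaml
# Added example, not the DCAE chart. Image, paths, port and limits are assumed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dcae-prh
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dcae-prh
  template:
    metadata:
      labels:
        app: dcae-prh
      annotations:
        # 3. Annotations: the Istio sidecar must not rewrite the HTTP probes,
        #    so they hit the application's own health-check endpoint.
        sidecar.istio.io/rewriteAppHTTPProbers: "false"
    spec:
      # 1. Pod security context: non-zero IDs and the runtime default seccomp profile.
      securityContext:
        runAsUser: 1000          # assumed UID; any non-zero value satisfies the policy
        runAsGroup: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      # 4. InitContainer: seed the writable copy of the configuration directory.
      #    The emptyDir is mounted at /config-rw here, NOT at /app/config, so the
      #    files shipped in the image are still visible and can be copied out.
      initContainers:
        - name: copy-config
          image: example.org/dcae-prh:1.0.0      # assumed image
          command: ["sh", "-c", "cp -a /app/config/. /config-rw/"]   # assumed paths
          securityContext:                       # Kyverno checks initContainers too
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: config-rw
              mountPath: /config-rw
      containers:
        - name: prh
          image: example.org/dcae-prh:1.0.0      # assumed image
          # 1. Container security context
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop: ["ALL"]
          ports:
            - containerPort: 8100                # assumed port
          livenessProbe:
            httpGet:
              path: /heartbeat                   # assumed application health-check endpoint
              port: 8100
            initialDelaySeconds: 30
          readinessProbe:
            httpGet:
              path: /heartbeat
              port: 8100
            initialDelaySeconds: 10
          volumeMounts:
            # The main container mounts the seeded emptyDir at the ORIGINAL path,
            # so the application finds a writable copy where it expects its files.
            - name: config-rw
              mountPath: /app/config
            - name: tmp
              mountPath: /tmp
            - name: logs
              mountPath: /var/log/onap           # assumed log directory
      # 2. Volumes: every emptyDir carries a sizeLimit.
      volumes:
        - name: config-rw
          emptyDir:
            sizeLimit: 64Mi
        - name: tmp
          emptyDir:
            sizeLimit: 100Mi
        - name: logs
          emptyDir:
            sizeLimit: 500Mi
```

Two caveats a practitioner should keep in mind. First, a sizeLimit is enforced by eviction: if the container writes more than the limit into the emptyDir, the kubelet evicts the whole pod, so the limits must sit above the application's real peak usage rather than be chosen to look tidy. Second, the initContainer pattern only works because the emptyDir is mounted at a different path inside the initContainer; mounting it at /app/config in both containers would make the copy source the empty volume itself, which is exactly the failure item 4 describes. The rendered manifest can be checked offline against the policy set with the Kyverno CLI (`kyverno apply <policy-dir> --resource <rendered-manifest.yaml>`) before it is installed in a cluster.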


Created October 17, 2024 at 8:01 AM
Updated January 20, 2025 at 6:52 PM
Resolved January 20, 2025 at 6:52 PM
