
exporter Chart v0.9.5 breaks daemonset when PSP is activated #494

Closed
hardwarefresser opened this issue May 12, 2023 · 7 comments
Labels
kind/bug, lifecycle/rotten

Comments

@hardwarefresser
Contributor

hardwarefresser commented May 12, 2023

Describe the bug
PR #487 introduces a security context in values.yaml for falco-exporter which includes a seccomp profile:

securityContext:
  capabilities:
    drop:
    - ALL
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  privileged: false
  seccompProfile:
    type: RuntimeDefault

When the chart is deployed on an environment with PSP enabled, the PSP delivered with the Chart seems not to allow the Seccomp Profile to be set and therefore prevents the pod admission:

$ k get events  | grep exporter
Warning   FailedCreate daemonset/falco-falco-exporter  Error creating: pods "falco-falco-exporter-" is forbidden: 
PodSecurityPolicy: unable to admit pod: [pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/falco-exporter]:
Forbidden: seccomp may not be set

According to this comment, adding seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' to the PSP annotations should solve the problem. I did a quick test and admission was not prevented anymore.
However, as we want to use the seccomp profile RuntimeDefault, it would be better to add seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'RuntimeDefault' as PSP annotation. I will also try this and get back. But I would appreciate it if someone could double check the whole issue.

Expected behaviour
PSP should not prevent the pods with seccomp

Environment

  • Falco version: 0.34.1 (x86_64)
  • Installation method: Kubernetes using Helm, PSP activated

Additional context
Issue #481

@hardwarefresser hardwarefresser added the kind/bug label May 12, 2023
@hardwarefresser
Contributor Author

Setting seccompProfile: null in the values.yaml to override the default value also works.

@hardwarefresser
Contributor Author

The best solution should be configuring the PSP as follows via values.yaml:

podSecurityPolicy:
  # Specifies whether a PSP, Role and RoleBinding should be created
  create: true
  # Annotations to add to the PSP, Role and RoleBinding
  annotations:
    seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default

With these annotations, the PSP will allow the seccomp profile set in the default security context introduced in PR #487.
I will open a PR to add the above mentioned annotations by default in values.yaml. This way, the admission of the pods will not be prevented anymore in environments with enabled PSP.
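To make the admission rule discussed in this thread concrete, below is a small Python model of how PSP seccomp admission treats the chart's securityContext against the PSP annotations. It is an added example, not code from the falco charts or from Kubernetes; the translation RuntimeDefault → runtime/default and the `*` wildcard follow the PSP seccomp strategy, and the function names are assumptions of this example.

```python
# Simplified model of PodSecurityPolicy seccomp admission (added illustration,
# not code from the falco charts or Kubernetes). It covers the cases from this
# issue: no annotation, '*', 'runtime/default', and seccompProfile: null.
from typing import Optional, Tuple

ALLOWED_KEY = "seccomp.security.alpha.kubernetes.io/allowedProfileNames"
DEFAULT_KEY = "seccomp.security.alpha.kubernetes.io/defaultProfileName"

# The chart's default securityContext.seccompProfile introduced in PR #487.
CHART_SECCOMP = {"type": "RuntimeDefault"}


def profile_to_annotation(seccomp_profile: Optional[dict]) -> str:
    """Translate a securityContext.seccompProfile field into the legacy
    annotation value that PSP admission compares against. None (the
    `seccompProfile: null` override from this thread) means "not set"."""
    if not seccomp_profile:
        return ""
    kind = seccomp_profile.get("type")
    if kind == "RuntimeDefault":
        return "runtime/default"
    if kind == "Unconfined":
        return "unconfined"
    if kind == "Localhost":
        return "localhost/" + seccomp_profile.get("localhostProfile", "")
    raise ValueError(f"unknown seccompProfile type: {kind!r}")


def psp_admit(psp_annotations: dict, seccomp_profile: Optional[dict]) -> Tuple[bool, str]:
    """Return (admitted, reason). An absent allowedProfileNames annotation
    forbids any explicit profile ("seccomp may not be set"); '*' allows every
    profile; otherwise the profile must appear in the comma-separated list.
    A pod without a profile is admitted and receives defaultProfileName, if any."""
    raw = psp_annotations.get(ALLOWED_KEY, "")
    allowed = [p.strip() for p in raw.split(",") if p.strip()]
    profile = profile_to_annotation(seccomp_profile)
    if profile == "":
        default = psp_annotations.get(DEFAULT_KEY, "") or "(none)"
        return True, f"admitted, effective profile {default}"
    if not allowed:
        return False, "Forbidden: seccomp may not be set"
    if "*" in allowed or profile in allowed:
        return True, f"admitted with {profile}"
    return False, f"Forbidden: {profile} is not an allowed seccomp profile. Valid values are {allowed}"
```

Note that the annotation takes the `runtime/default` spelling, so an allowedProfileNames value of `RuntimeDefault` would still be rejected by this rule.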

@alacuku
Member

alacuku commented May 16, 2023

Hi @hardwarefresser,

PodSecurityPolicy was deprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25. I think we should remove the PSP shipped with the chart. cc @leogr

@leogr
Member

leogr commented May 17, 2023

> Hi @hardwarefresser,
>
> PodSecurityPolicy was deprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25. I think we should remove the PSP shipped with the chart. cc @leogr

Totally agree

@poiana
Contributor

poiana commented Aug 15, 2023

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@poiana
Contributor

poiana commented Sep 14, 2023

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

@hardwarefresser
Contributor Author

Will close this as PSPs are now deprecated.

@hardwarefresser hardwarefresser closed this as not planned Sep 14, 2023