Error 'PodSecurity: seccompProfile (pod or containers istio-validation, istio-proxy must set securityContext.seccompProfile.type to RuntimeDefault or Localhost)' when deploying vFunction Server on Kubernetes via Helm Charts
Overview of the Issue
This issue occurs in the following circumstances:
- An organization uses Istio Sidecars to route traffic to specific Pods in their Kubernetes Cluster(s)
- The organization runs the install.sh script to install the vFunction Server in a Kubernetes Cluster via Helm Charts
- The installation fails with the following errors on all Pods:
105s Warning FailedCreate replicaset/vfunction-vfapi-parser-64c9cbf7dc Error creating: pods "vfunction-vfapi-parser-64c9cbf7dc-xw6rv" is forbidden: violates PodSecurity "restricted:latest": seccompProfile (pod or containers "istio-validation", "istio-proxy" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
105s Warning FailedCreate replicaset/vfunction-vfapi-users-f8bd76c98 Error creating: pods "vfunction-vfapi-users-f8bd76c98-s5ngt" is forbidden: violates PodSecurity "restricted:latest": seccompProfile (pod or containers "istio-validation", "istio-proxy" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Steps to Resolve the Issue
Take the following steps to resolve this issue:
- On the Linux VM with kubectl access to the Kubernetes Cluster, open config/installation.yaml
cd vfunction-server-for-kubernetes
vi config/installation.yaml
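- Under additional_labels, add the Key sidecar.istio.io/inject with the Value "false" and list each Deployment in services. This disables Istio Sidecar injection for those Deployments, so the "istio-validation" and "istio-proxy" containers named in the error are no longer added to their Pods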
server:
...
affinity:
additional_labels:
- key: "sidecar.istio.io/inject"
value: "false"
services: "mysql, nginx, storage, vfapi-parser, vfapi-users, vfapi-organizations, vfapi-idp, vfapi-mcp, vfapi-measurements, vfapi-otlp, vfapi-dm"
- Run the installation script again
### Replace $NAMESPACE with the actual value
bash install.sh -n $NAMESPACE
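
The rule behind the error above, as an added example that is not part of the original article or of vFunction's code: a Python check that applies the "restricted" seccomp requirement to a pod spec in the JSON shape returned by kubectl get pod -o json. The sample pods are constructed; the container names follow the error message, while the application container's own seccomp setting is an assumption.

```python
ALLOWED = {"RuntimeDefault", "Localhost"}


def _seccomp_type(obj):
    """Return securityContext.seccompProfile.type, or None when unset."""
    ctx = obj.get("securityContext") or {}
    return (ctx.get("seccompProfile") or {}).get("type")


def seccomp_violations(pod):
    """List what the "restricted" seccomp rule rejects in a pod spec.

    A container passes if it sets an allowed type itself, or sets nothing
    and inherits an allowed pod-level type. "pod" is listed when the
    pod-level type is set to a disallowed value such as Unconfined.
    """
    spec = pod.get("spec") or {}
    pod_type = _seccomp_type(spec)
    bad = ["pod"] if pod_type is not None and pod_type not in ALLOWED else []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field) or []:
            effective = _seccomp_type(container) or pod_type
            if effective not in ALLOWED:
                bad.append(container["name"])
    return bad


# Constructed sample: an application container that sets its own profile
# (assumption), plus the two containers Istio injects, which set none.
APP = {"name": "vfapi-parser",
       "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}}
INJECTED = {"spec": {
    "initContainers": [{"name": "istio-validation"}],
    "containers": [APP, {"name": "istio-proxy"}],
}}
# Same pod when the sidecar.istio.io/inject: "false" label stops injection.
NOT_INJECTED = {"spec": {"containers": [APP]}}

if __name__ == "__main__":
    print("injected:    ", seccomp_violations(INJECTED))
    print("not injected:", seccomp_violations(NOT_INJECTED))
```

To check a live Pod, pass the parsed JSON of that Pod to seccomp_violations instead of the constructed samples.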