Security

Custom PodSecurityPolicy errors

Vertica on Kubernetes requires the following Linux capabilities that enable SSH communications between the pods:

  • SYS_CHROOT

  • AUDIT_WRITE

In some circumstances, a custom PodSecurityPolicy forbids adding these capabilities, and the admission controller rejects the subcluster's pods. The StatefulSet then fails to create its pods and reports the rejection in its events. For example:

$ kubectl describe statefulset subcluster-name
...
Events:
  Type     Reason        Age                     From                    Message
  ----     ------        ----                    ----                    -------
  Warning  FailedCreate  29m (x73 over 15h)      statefulset-controller  create Pod subcluster-name-0 in StatefulSet subcluster-name failed error: pods "subcluster-name-0" is forbidden: PodSecurityPolicy: unable to admit pod: [spec.containers[0].securityContext.capabilities.add: Invalid value: "AUDIT_WRITE": capability may not be added spec.containers[0].securityContext.capabilities.add: Invalid value: "SYS_CHROOT": capability may not be added]

When a similar error is returned, you must update the PodSecurityPolicy that applies to the subcluster's service account so that it allows SYS_CHROOT and AUDIT_WRITE in allowedCapabilities and does not list them in requiredDropCapabilities. For details, see the Kubernetes documentation. Note that PodSecurityPolicy was removed in Kubernetes 1.25; on clusters that enforce Pod Security Standards through Pod Security Admission instead, the baseline profile permits both capabilities, while the restricted profile permits neither.
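The following is an added example, not part of the Vertica documentation or the Vertica operator, that shows a PodSecurityPolicy which reproduces the error above beside one that admits the pods. The policy names (vertica-restricted, vertica-psp), the namespace (vertica) and the service account name (vertica-sa) are assumptions; substitute the ones your deployment uses. The ClusterRole and RoleBinding at the end grant the service account the `use` verb on the corrected policy, which is how a PodSecurityPolicy is attached to a workload.

```yaml
# Policy that REJECTS the Vertica pods (for comparison only; do not apply).
# allowedCapabilities is empty, so any capability listed under
# securityContext.capabilities.add fails with "capability may not be added".
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: vertica-restricted            # assumed name
spec:
  privileged: false
  allowPrivilegeEscalation: false
  allowedCapabilities: []             # nothing may be added -> SYS_CHROOT/AUDIT_WRITE rejected
  requiredDropCapabilities:
    - ALL
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - persistentVolumeClaim
---
# Corrected policy: allows exactly the two capabilities Vertica needs for
# SSH between pods and drops everything else. Note that requiredDropCapabilities
# must not include them, or they are removed again after being added.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: vertica-psp                   # assumed name
spec:
  privileged: false
  allowPrivilegeEscalation: false
  allowedCapabilities:
    - SYS_CHROOT
    - AUDIT_WRITE
  requiredDropCapabilities:
    - ALL                             # ALL here means "drop all not explicitly added"
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - persistentVolumeClaim
---
# Grant the subcluster's service account permission to use the corrected policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: vertica-psp-user              # assumed name
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["vertica-psp"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: vertica-psp-user
  namespace: vertica                  # assumed namespace
subjects:
  - kind: ServiceAccount
    name: vertica-sa                  # assumed service account used by the StatefulSet
    namespace: vertica
roleRef:
  kind: ClusterRole
  name: vertica-psp-user
  apiGroup: rbac.authorization.k8s.io
```

Apply the corrected policy and the RBAC objects with kubectl apply -f, then delete the pending pod or let the StatefulSet controller retry; the FailedCreate events stop once admission succeeds. Keeping allowedCapabilities to exactly these two entries, rather than using "*", preserves the least-privilege intent of the original restrictive policy.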