Skip to content

flagd sidecar injection fails PodSecurity "restricted" policy due to lowercase capabilities.drop value #805

New issue
New issue
Open
Open
flagd sidecar injection fails PodSecurity "restricted" policy due to lowercase capabilities.drop value#805
@RTJoe

Description

@RTJoe
RTJoe
opened on Feb 24, 2026

Describe the bug

When the operator injects the flagdsidecar viagenerateBasicFlagdContainer(), pods are rejected in namespaces enforcing the Kubernetes PodSecurity restricted policy with the following error:

pods "" is forbidden: violates PodSecurity "restricted:v1.24":
unrestricted capabilities (container "flagd" must set securityContext.capabilities.drop=["ALL"])

## Root Cause

The `getSecurityContext()` function in `internal/common/flagdinjector/flagdinjector.go` sets `capabilities.drop` to `"all"` (lowercase):

```go
Capabilities: &corev1.Capabilities{
    Drop: []corev1.Capability{
        "all",  // ❌ lowercase
    },
},

The Kubernetes Pod Security Admission controller performs a case-sensitive string comparison against the constant capabilityAll = "ALL" in check_capabilities_restricted.go:

const capabilityAll = "ALL"

if c == capabilityAll {  // "all" != "ALL" → never matches

This means "all" is never recognised, so all pods with an injected flagd sidecar are blocked in restricted namespaces.

Steps to Reproduce
Create a namespace with pod-security.kubernetes.io/enforce: restricted
Deploy a pod with the openfeature.dev/enabled: "true" annotation
Pod is rejected with the error above
Expected Behaviour
The injected flagd sidecar should pass PodSecurity restricted admission. The intent is clearly to drop all capabilities (per the comment in the code), so "ALL" is the correct value.

Actual Behaviour
All pods with an injected flagd sidecar are rejected in restricted namespaces with unrestricted capabilities.

Fix
Change the drop value in getSecurityContext() to uppercase "ALL":

Capabilities: &corev1.Capabilities{
    Drop: []corev1.Capability{
        "ALL",  // ✅ matches capabilityAll constant in PSA
    },
},

The unit tests in flagdinjector_test.go (Test_getSecurityContext and getExpectedPod) also need updating to use "ALL".

A fix has been submitted in PR #804.

Environment
open-feature-operator: v0.8.9
Kubernetes: v1.24+
PodSecurity policy: restricted

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions