Baseline Pod Security Standard and service meshes - how to reconcile?

Take for example the linkerd service mesh. Using it with the baseline PSS results in the following error:

Error from server (Forbidden): pods "test" is forbidden: violates PodSecurity "baseline:v1.25": non-default capabilities (container "linkerd-init" must not include "NET_ADMIN", "NET_RAW" in securityContext.capabilities.add)

I wonder what can be done about it? On one hand, linkerd-init must have these capabilities. On the other hand, I do not see how this can reconcile with the PSS. The currently implemented exemptions mechanism (through user name, runtime class or namespace) is not fine enough to apply to a sidecar.

Any ideas on how this conundrum can be resolved?

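To make the "not fine enough" point concrete, here is an added example (not code from Kubernetes or Linkerd, and not part of the original post) that models the two things the question combines: the baseline profile's "non-default capabilities" check, and the three exemption dimensions the PodSecurity admission configuration offers (usernames, runtimeClasses, namespaces). The pod spec, the requesting user and the exemption lists are constructed inputs, and the Forbidden message is a simplified version of the real one. Running it shows that an exemption is decided for the whole admission request, so the only way to let linkerd-init through is to let every container in that namespace, RuntimeClass or user's requests through with it.

```python
"""Simplified model of the PodSecurity baseline capability check plus exemptions.

Added example, not Kubernetes or Linkerd code. Only the baseline
"capabilities" control and the request-level exemptions are modelled;
all inputs below are constructed for illustration.
"""

# Capabilities the baseline profile tolerates in securityContext.capabilities.add
BASELINE_ALLOWED_ADD = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID",
    "SYS_CHROOT",
}


def _all_containers(pod):
    """Baseline inspects init, regular and ephemeral containers alike."""
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field, []) or []:
            yield container


def check_capabilities(pod):
    """Return one violation string per container adding a non-baseline capability."""
    violations = []
    for container in _all_containers(pod):
        sec = container.get("securityContext") or {}
        added = (sec.get("capabilities") or {}).get("add") or []
        forbidden = [cap for cap in added if cap not in BASELINE_ALLOWED_ADD]
        if forbidden:
            quoted = ", ".join(f'"{cap}"' for cap in forbidden)
            violations.append(
                f'container "{container["name"]}" must not include {quoted} '
                "in securityContext.capabilities.add"
            )
    return violations


def is_exempt(request, exemptions):
    """Exemptions match the request's user, the pod's RuntimeClass or its namespace.

    There is no per-container dimension: a sidecar cannot be exempted on its own.
    """
    pod = request["pod"]
    return (
        request["username"] in exemptions.get("usernames", [])
        or pod["spec"].get("runtimeClassName") in exemptions.get("runtimeClasses", [])
        or pod["metadata"]["namespace"] in exemptions.get("namespaces", [])
    )


def admit(request, exemptions, version="v1.25"):
    """Return None when the pod is admitted, otherwise a Forbidden-style message."""
    if is_exempt(request, exemptions):
        return None
    pod = request["pod"]
    violations = check_capabilities(pod)
    if not violations:
        return None
    return (
        f'pods "{pod["metadata"]["name"]}" is forbidden: violates PodSecurity '
        f'"baseline:{version}": non-default capabilities ({", ".join(violations)})'
    )


# Constructed pod: a workload after Linkerd injection (names only, no real images).
MESHED_POD = {
    "metadata": {"name": "test", "namespace": "default"},
    "spec": {
        "initContainers": [{
            "name": "linkerd-init",
            "securityContext": {"capabilities": {"add": ["NET_ADMIN", "NET_RAW"]}},
        }],
        "containers": [
            {"name": "linkerd-proxy", "securityContext": {"runAsNonRoot": True}},
            {"name": "app"},
        ],
    },
}

# Constructed pod in the same namespace whose *application* container asks for SYS_ADMIN.
OVERPRIVILEGED_POD = {
    "metadata": {"name": "sneaky", "namespace": "default"},
    "spec": {"containers": [{
        "name": "app",
        "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}},
    }]},
}

# Constructed requesting user (a hypothetical CI service account, not a real one).
REQUEST_USER = "system:serviceaccount:ci:deployer"


def demo():
    """Return (meshed without exemption, meshed with namespace exemption, overprivileged with same exemption)."""
    no_exemption = admit({"username": REQUEST_USER, "pod": MESHED_POD}, {})
    ns_exempt = {"namespaces": ["default"]}
    meshed_ok = admit({"username": REQUEST_USER, "pod": MESHED_POD}, ns_exempt)
    sneaky_ok = admit({"username": REQUEST_USER, "pod": OVERPRIVILEGED_POD}, ns_exempt)
    return no_exemption, meshed_ok, sneaky_ok


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The first result reproduces the error from the question; the second shows that a namespace exemption admits the meshed pod; the third shows the cost: the same exemption also admits a pod whose application container adds SYS_ADMIN, which is exactly the kind of request baseline exists to reject. The same coarseness applies to the usernames and runtimeClasses dimensions, since each of them is also evaluated once per request rather than per container.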

Hi Mark! Did you find anything useful somewhere else? I searched for the same question and found your question without any answers here.

Thanks
Mathias

No, I have not found anything.