Java init container missing securityContext breaks restricted Pod Security Standard #361

@ab0utbla-k

Description

What happened?

The Java auto-instrumentation init container (opentelemetry-auto-instrumentation-java) is created without any securityContext, causing pod creation to fail in namespaces enforcing pod-security.kubernetes.io/enforce: restricted.

Error

Error creating: pods "app-789564bdf9-c6wm4" is forbidden: violates PodSecurity
"restricted:latest": allowPrivilegeEscalation != false (container
"opentelemetry-auto-instrumentation-java" must set
securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container
"opentelemetry-auto-instrumentation-java" must set
securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container
"opentelemetry-auto-instrumentation-java" must set
securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Root Cause

In pkg/instrumentation/sdk.go, setInitContainerSecurityContext is commented out for Java due to upstream opentelemetry-operator#2272 (runAsNonRoot conflict with root-based Java agent image). However, this leaves the init container with no securityContext at all, violating the restricted Pod Security Standard.

Other languages (NodeJS, Python, DotNet, Apache) are not affected — they all call setInitContainerSecurityContext.

Expected behavior

The Java init container should receive a minimal restricted-compliant securityContext:

  • allowPrivilegeEscalation: false
  • capabilities.drop: ["ALL"]
  • seccompProfile.type: RuntimeDefault

It should not set runAsNonRoot or runAsUser (to avoid the #2272 conflict).

Environment

  • EKS add-on: amazon-cloudwatch-observability
  • Namespace PSS: restricted:latest
  • Deployment: Pod-level runAsUser: 1001, runAsNonRoot: true, full restricted securityContext on app container

Reproduction

  1. Create namespace with pod-security.kubernetes.io/enforce: restricted
  2. Install amazon-cloudwatch-observability EKS add-on
  3. Deploy a Java app with instrumentation.opentelemetry.io/inject-java: "true" and restricted-compliant securityContext
  4. Observe FailedCreate event on the ReplicaSet

Fix

Submitted in #360.
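A worked illustration of the expected behavior described above, added here as an example and not code from the operator or from #360: it builds the minimal restricted-compliant securityContext for the Java init container (leaving runAsNonRoot and runAsUser unset) and reproduces the three restricted-profile checks the admission error quotes, then runs them over a pod shaped like the deployment under Environment. The Pod/Container/SecurityContext structs are simplified stand-ins for the k8s.io/api types (an assumption of this example, so it runs with the standard library only), and the check logic covers only the three controls in the error, not the full restricted profile.

```go
package main

import (
	"fmt"
	"strings"
)

// Simplified stand-ins for the corev1 types (assumption: not k8s.io/api, only
// the fields these checks need).
type Capabilities struct{ Add, Drop []string }
type SeccompProfile struct{ Type string } // "RuntimeDefault", "Localhost" or "Unconfined"
type SecurityContext struct {
	AllowPrivilegeEscalation *bool
	Capabilities             *Capabilities
	SeccompProfile           *SeccompProfile
	RunAsNonRoot             *bool
	RunAsUser                *int64
}
type Container struct {
	Name            string
	SecurityContext *SecurityContext
}
type PodSecurityContext struct {
	SeccompProfile *SeccompProfile
	RunAsNonRoot   *bool
	RunAsUser      *int64
}
type Pod struct {
	SecurityContext *PodSecurityContext
	InitContainers  []Container
	Containers      []Container
}

func boolPtr(b bool) *bool    { return &b }
func int64Ptr(i int64) *int64 { return &i }

// restrictedInitSecurityContext builds the minimal context the issue asks for.
// runAsNonRoot and runAsUser are deliberately nil so the root-based Java agent
// image keeps working (opentelemetry-operator#2272); pod-level values still apply.
func restrictedInitSecurityContext() *SecurityContext {
	return &SecurityContext{
		AllowPrivilegeEscalation: boolPtr(false),
		Capabilities:             &Capabilities{Drop: []string{"ALL"}},
		SeccompProfile:           &SeccompProfile{Type: "RuntimeDefault"},
	}
}

// capabilitiesOK: restricted requires drop to contain ALL and allows only
// NET_BIND_SERVICE to be added back.
func capabilitiesOK(c *Capabilities) bool {
	if c == nil {
		return false
	}
	dropAll := false
	for _, d := range c.Drop {
		dropAll = dropAll || strings.EqualFold(d, "ALL")
	}
	for _, a := range c.Add {
		if !strings.EqualFold(a, "NET_BIND_SERVICE") {
			return false
		}
	}
	return dropAll
}

// restrictedViolations reproduces the three checks quoted in the admission
// error, over init and app containers alike. Seccomp may be satisfied at pod
// level; the other two are strictly per container.
func restrictedViolations(pod Pod) []string {
	var out []string
	podSeccomp := ""
	if pod.SecurityContext != nil && pod.SecurityContext.SeccompProfile != nil {
		podSeccomp = pod.SecurityContext.SeccompProfile.Type
	}
	all := append(append([]Container{}, pod.InitContainers...), pod.Containers...)
	for _, c := range all {
		sc := c.SecurityContext
		if sc == nil || sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			out = append(out, fmt.Sprintf("allowPrivilegeEscalation != false (container %q)", c.Name))
		}
		if sc == nil || !capabilitiesOK(sc.Capabilities) {
			out = append(out, fmt.Sprintf("unrestricted capabilities (container %q)", c.Name))
		}
		seccomp := podSeccomp
		if sc != nil && sc.SeccompProfile != nil {
			seccomp = sc.SeccompProfile.Type // container-level overrides pod-level
		}
		if seccomp != "RuntimeDefault" && seccomp != "Localhost" {
			out = append(out, fmt.Sprintf("seccompProfile (container %q)", c.Name))
		}
	}
	return out
}

// examplePod mirrors the deployment in the issue: pod-level runAsUser 1001 and
// runAsNonRoot true, a restricted-compliant app container, and the injected
// Java init container carrying whatever securityContext the operator set.
func examplePod(initSC *SecurityContext) Pod {
	appSC := restrictedInitSecurityContext()
	appSC.RunAsNonRoot = boolPtr(true)
	return Pod{
		SecurityContext: &PodSecurityContext{RunAsNonRoot: boolPtr(true), RunAsUser: int64Ptr(1001)},
		InitContainers:  []Container{{Name: "opentelemetry-auto-instrumentation-java", SecurityContext: initSC}},
		Containers:      []Container{{Name: "app", SecurityContext: appSC}},
	}
}

func main() {
	fmt.Println("before:", restrictedViolations(examplePod(nil)))                            // 3 violations
	fmt.Println("after: ", restrictedViolations(examplePod(restrictedInitSecurityContext()))) // none
}
```

With a nil securityContext the init container trips exactly the three checks in the error above; applying the minimal context clears them while leaving runAsNonRoot and runAsUser to the pod level, which is what keeps the root-based agent image out of the #2272 conflict.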
