You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In security-hardened Kubernetes clusters, the eck-diagnostics pod often fails to schedule or run because the hardcoded pod template does not meet cluster policies. Common blockers include:
Kyverno / OPA Gatekeeper policies that require dropping all Linux capabilities, restricting seccompProfile, or enforcing readOnlyRootFilesystem
Network policies that block egress/ingress unless pods carry specific labels or annotations
Pod security standards (Restricted profile) that reject containers without a locked-down securityContext
The --image-pull-secrets flag (shipped in 1.10.0) solved the air-gap case, but users hitting policy enforcement still have to fork the tool and recompile with a modified job.tpl.yml — that's not a sustainable workaround.
What Users Need to Customize
Field
Why
securityContext (container + pod)
Drop capabilities, set runAsNonRoot, readOnlyRootFilesystem, seccompProfile
metadata.labels
Match network policy selectors that gate pod-to-pod communication
The tool would inject its runtime values (image, ES password env, volume mounts, command) into the user-provided template using the existing Go template variables ({{ .PodName }}, {{ .DiagnosticImage }}, etc.).
Pros: Maximum flexibility — users can customize anything. Solves all current and future customization requests in one shot. Cons: Users must maintain a template that tracks internal changes (new template variables, command args). Breaking changes to the template contract are hard to communicate. Higher support burden.
Option B: --pod-template-patch flag (strategic merge patch)
Allow users to supply a partial YAML that is strategically merged into the built-in template:
Pros: Users only specify what they need to change. The base template evolves independently — patches survive template updates as long as the patched fields still exist. Cons: Strategic merge patch semantics can be surprising (list replacement vs merge). Slightly more complex to implement.
Option C: Individual flags for common fields
Add targeted flags for the most common customization needs:
Pros: Self-documenting, easy to use, no external files needed. Each flag can be validated independently. Cons: Flag explosion over time. Will never cover every policy requirement — always one more field someone needs. Does not solve the general case.
Recommendation
Option B (strategic merge patch) provides the best balance. It solves the general case without requiring users to track template internals, and avoids flag proliferation. Option C flags could be added later for the most common fields (--pod-labels, --security-context-drop-all) as convenience shortcuts.
Problem
In security-hardened Kubernetes clusters, the eck-diagnostics pod often fails to schedule or run because the hardcoded pod template does not meet cluster policies. Common blockers include:
readOnlyRootFilesystem20Mimemory /100mCPU (see Allow configuring resources in diagnostic pod template #390)securityContextThe
--image-pull-secretsflag (shipped in 1.10.0) solved the air-gap case, but users hitting policy enforcement still have to fork the tool and recompile with a modifiedjob.tpl.yml— that's not a sustainable workaround.What Users Need to Customize
securityContext(container + pod)runAsNonRoot,readOnlyRootFilesystem, seccompProfilemetadata.labelsmetadata.annotationsresources.requests/resources.limitsserviceAccountNameApproach Options
Option A:
--pod-templateflag (user-provided template file)Allow users to supply their own complete pod template that overrides the built-in one:
The tool would inject its runtime values (image, ES password env, volume mounts, command) into the user-provided template using the existing Go template variables (
{{ .PodName }},{{ .DiagnosticImage }}, etc.).Pros: Maximum flexibility — users can customize anything. Solves all current and future customization requests in one shot.
Cons: Users must maintain a template that tracks internal changes (new template variables, command args). Breaking changes to the template contract are hard to communicate. Higher support burden.
Option B:
--pod-template-patchflag (strategic merge patch)Allow users to supply a partial YAML that is strategically merged into the built-in template:
Pros: Users only specify what they need to change. The base template evolves independently — patches survive template updates as long as the patched fields still exist.
Cons: Strategic merge patch semantics can be surprising (list replacement vs merge). Slightly more complex to implement.
Option C: Individual flags for common fields
Add targeted flags for the most common customization needs:
Pros: Self-documenting, easy to use, no external files needed. Each flag can be validated independently.
Cons: Flag explosion over time. Will never cover every policy requirement — always one more field someone needs. Does not solve the general case.
Recommendation
Option B (strategic merge patch) provides the best balance. It solves the general case without requiring users to track template internals, and avoids flag proliferation. Option C flags could be added later for the most common fields (
--pod-labels,--security-context-drop-all) as convenience shortcuts.Relationship to Other Issues
--image-pull-secrets(already shipped in 1.10.0)