What happened?
The Java auto-instrumentation init container (opentelemetry-auto-instrumentation-java) is created without any securityContext, causing pod creation to fail in namespaces enforcing pod-security.kubernetes.io/enforce: restricted.
Error
Error creating: pods "app-789564bdf9-c6wm4" is forbidden: violates PodSecurity
"restricted:latest": allowPrivilegeEscalation != false (container
"opentelemetry-auto-instrumentation-java" must set
securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container
"opentelemetry-auto-instrumentation-java" must set
securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container
"opentelemetry-auto-instrumentation-java" must set
securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Root Cause
In pkg/instrumentation/sdk.go, setInitContainerSecurityContext is commented out for Java due to upstream opentelemetry-operator#2272 (runAsNonRoot conflict with root-based Java agent image). However, this leaves the init container with no securityContext at all, violating the restricted Pod Security Standard.
Other languages (NodeJS, Python, DotNet, Apache) are not affected — they all call setInitContainerSecurityContext.
Expected behavior
The Java init container should receive a minimal restricted-compliant securityContext:
allowPrivilegeEscalation: false
capabilities.drop: ["ALL"]
seccompProfile.type: RuntimeDefault
Without setting runAsNonRoot or runAsUser (to avoid the #2272 conflict).
Environment
- EKS add-on: amazon-cloudwatch-observability
- Namespace PSS: restricted:latest
- Deployment: Pod-level runAsUser: 1001, runAsNonRoot: true, full restricted securityContext on app container
Reproduction
- Create namespace with pod-security.kubernetes.io/enforce: restricted
- Install amazon-cloudwatch-observability EKS add-on
- Deploy a Java app with instrumentation.opentelemetry.io/inject-java: "true" and restricted-compliant securityContext
- Observe FailedCreate event on the ReplicaSet
Fix
Submitted in #360.
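The context proposed under "Expected behavior", together with a check that mirrors the three container-level restricted checks quoted in the admission error, as an added example (it is not code from this issue, from the operator, or from PR #360). The struct types are simplified stand-ins for the corresponding corev1.SecurityContext fields so the program compiles without the Kubernetes module; the violation strings are modelled on the error above and are an assumption about wording only.

```go
package main

import "fmt"

// Simplified stand-ins for the fields of corev1.SecurityContext that the
// restricted Pod Security Standard inspects (assumption: kept local so the
// example builds without k8s.io/api).
type Capabilities struct {
	Drop []string
}

type SeccompProfile struct {
	Type string
}

type SecurityContext struct {
	AllowPrivilegeEscalation *bool
	Capabilities             *Capabilities
	SeccompProfile           *SeccompProfile
	RunAsNonRoot             *bool
	RunAsUser                *int64
}

func boolPtr(b bool) *bool { return &b }

// javaInitContainerSecurityContext builds the minimal context the issue asks
// for: the three settings restricted:latest requires, with runAsNonRoot and
// runAsUser deliberately left nil so the root-based Java agent image is not
// rejected at runtime (the opentelemetry-operator#2272 conflict).
func javaInitContainerSecurityContext() *SecurityContext {
	return &SecurityContext{
		AllowPrivilegeEscalation: boolPtr(false),
		Capabilities:             &Capabilities{Drop: []string{"ALL"}},
		SeccompProfile:           &SeccompProfile{Type: "RuntimeDefault"},
	}
}

// dropsAll reports whether the capability drop list contains "ALL".
func dropsAll(drop []string) bool {
	for _, c := range drop {
		if c == "ALL" {
			return true
		}
	}
	return false
}

// restrictedViolations applies the three container-level checks from the
// quoted error to one container. A nil sc is exactly the Java init container
// case: every check fails. podSeccompType is the pod-level
// seccompProfile.type, which restricted accepts as a substitute for a
// container-level profile.
func restrictedViolations(name string, sc *SecurityContext, podSeccompType string) []string {
	var out []string
	if sc == nil || sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
		out = append(out, fmt.Sprintf("allowPrivilegeEscalation != false (container %q must set securityContext.allowPrivilegeEscalation=false)", name))
	}
	if sc == nil || sc.Capabilities == nil || !dropsAll(sc.Capabilities.Drop) {
		out = append(out, fmt.Sprintf("unrestricted capabilities (container %q must set securityContext.capabilities.drop=[\"ALL\"])", name))
	}
	seccomp := podSeccompType
	if sc != nil && sc.SeccompProfile != nil {
		seccomp = sc.SeccompProfile.Type
	}
	if seccomp != "RuntimeDefault" && seccomp != "Localhost" {
		out = append(out, fmt.Sprintf("seccompProfile (pod or container %q must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")", name))
	}
	return out
}

func main() {
	const c = "opentelemetry-auto-instrumentation-java"
	// Current behaviour: no securityContext at all -> three violations.
	for _, v := range restrictedViolations(c, nil, "") {
		fmt.Println("violation:", v)
	}
	// Proposed behaviour: minimal context -> no violations, runAs* untouched.
	sc := javaInitContainerSecurityContext()
	fmt.Println("violations with fix:", len(restrictedViolations(c, sc, "")))
	fmt.Println("runAsNonRoot set:", sc.RunAsNonRoot != nil, "runAsUser set:", sc.RunAsUser != nil)
}
```

Leaving runAsNonRoot and runAsUser nil is what keeps this compatible with the root-based agent image: the restricted standard only requires runAsNonRoot at the pod or container level, and the issue's deployment already sets it at the pod level, so the init container inherits it there without the init container's own context contradicting it.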