[k8s] Error with bootstrap in k8s cluster with pod security

The security policies being enforced are not allowing the juju agent to operate. What policy are you enforcing? "baseline"? "restricted"?

The jujud agent expects to operate as root in order to do it's job. So at this stage, only a policy of "privileged" would be possible I suspect.

You can see that the jujud agent is not being allowed to do its job:

/bin/sh: 1: cannot create /root/mongo.sh: Permission denied
mkdir: cannot create directory '/var/lib/juju/tools': Permission denied

etc

You could set up the cluster to warn/audit on policy violations instead of erroring and run juju and then set up your admission rules to allow the access that juju needs to operate.

I'll mark as Wishlist so we don't lose the bug but there are not currently plans support anything other than "privileged" for jujud

I think we should be looking deeper into this. I can't see a particular reason why `jujud` needs to run as root in the context of a Kubernetes deployment.

In this particular case, just adding a `juju` user to the container as part of the Dockerfile, pre-creating the `/var/lib/juju` directory and ensuring it's owned by the right user would probably allow jujud to run as a non-privileged user, no?

I think things are different on machines, but I can't see a particularly compelling reason to require root on Kubernetes?

I think this is a general issue that we need to start addressing for the next minor release of Juju. It isn't one that I'd do a 'quick bugfix' for, but is worth making some plans for external acceptance of the juju ecosystem and stronger confinement support.

I think this should be addressed in Juju 3.4, which should enable "rootless" deployments on Kubernetes.