How to avoid the following error "Privilege escalation container is not allowed: linkerd-init'"

[Vamsi0473]

Hi all, we have OPA rules configured in our cluster which blocks any container that runs with allowPrivilegeEscalation: true, so I have set all the allowPrivilegeEscalation references to false in helm charts with linkerd 2.12.2 version i.e linkerd-control-plane and linkerd-crds charts and installed in our cluster. After which when I try to inject linkerd to one of our application pod I am ended OPA gatekeeper blocking with following error message: 'admission webhook "validation.gatekeeper.sh" denied the request: [psp-allow-privilege-escalation-container]
Privilege escalation container is not allowed: linkerd-init'.
Can someone please help me in understanding what I am missing here
Note: I did go through this link #7282 but I believe this is different from latest linkerd helm charts, since 2.12.2 charts doesn't contain "privilegeEscalationEnabled" this field

[kleimkuhler]

privilegeEscalationEnabled is not a chart value. You'll notice in that PR you linked, the original description introduced that value, but it did not end up in the final iteration.

The proxy initContainer only runs privileged when using the proxyInit.closeWaitTimeoutSecs or proxyInit.runAsRoot—as you can see in template file here. Are you setting either of these values when installing?

[Vamsi0473]

Hi @kleimkuhler, irrespective of their values I have modified the charts to set allowPrivilegeEscalation to false as below

and deployed linkerd crds and linkerd control plane but I am ending up with same issue. I did also check the security contexts after deploying where I can see allowPrivilegeEscalation to be false. Can you please guide me here what I am missing