
Kubernetes: Privileged container in Linux docker-multinode cluster

(I have looked at some other threads, but apparently the privileged mode is now supported in the latest code, so I am wondering if I have hit a bug.)

I have two physical servers: both running Linux (ubuntu), with the latest kubernetes code from github yesterday.

I am running docs/getting-started-guides/docker-multinode/master.sh (& worker.sh).

On Master node:

$ kubectl create -f examples/nfs/nfs-server-rc.yaml
The ReplicationController "nfs-server" is invalid. 
spec.template.spec.containers[0].securityContext.privileged: forbidden '<*>(0xc208389770)true'

Question: Is this supported? Or am I doing something wrong? Or is this a bug, please?

master.sh code already has the option --allow-privileged=true provided.

The following options were set, but not with great conviction, and just because I saw some discussion elsewhere setting them.

/etc/default/kubelet: 
    `KUBELET_OPTS="--allow_privileged=true"`

/etc/default/kube-apiserver: 
    `KUBE_APISERVER_OPTS="--allow_privileged=true"`

Master configuration:

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"2+", GitVersion:"v1.2.0-alpha.5.833+2e5da8b881e2f5", GitCommit:"2e5da8b881e2f5b6dfb66653acf4aaa1ca1f398e", GitTreeState:"clean"}
Server Version: version.Info{Major:"1", Minor:"1", GitVersion:"v1.1.3", GitCommit:"6a81b50c7e97bbe0ade075de55ab4fa34f049dc2", GitTreeState:"clean"}

$ docker version
Client:
Version:      1.9.1
API version:  1.21
Go version:   go1.4.2
Git commit:   a34a1d5
Built:        Fri Nov 20 13:12:04 UTC 2015
OS/Arch:      linux/amd64
Server:
Version:      1.9.1
API version:  1.21
Go version:   go1.4.2
Git commit:   a34a1d5
Built:        Fri Nov 20 13:12:04 UTC 2015
OS/Arch:      linux/amd64

From kubernetes v1.1, any container in a pod can enable privileged mode, using the privileged flag on the SecurityContext of the container spec.

To enable privileged mode, nest privileged: true inside the securityContext declaration of the container spec:

"securityContext": {
    "privileged": true
}

And, as Janet said, set --allow-privileged=true for both kubelet and kube-apiserver and restart them:

sudo /etc/init.d/kubelet restart
sudo /etc/init.d/kube-apiserver restart

and validate that the flags are changed by using the ps -ef | grep kube command.

You need to set --allow-privileged=true for both kubelet and kube-apiserver. It looks like master.sh only sets that in kubelet. You may modify the file ./cluster/images/hyperkube/master-multi.json to set --allow-privileged=true for apiserver (should be around line 21 to 30) and rebuild hyperkube images.
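
The `ps -ef | grep kube` validation step from the answers above, turned into a per-component check (an added example, not part of the original posts or of the Kubernetes project). It accepts both the hyphen and underscore spellings seen on this page and both the standalone and hyperkube process forms; the sample process lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ps -ef` output: kubelet has the flag, apiserver does not,
# which is the state that produces the "privileged: forbidden" error above.
SAMPLE_PS='root  2101     1  0 10:02 ?     00:00:41 /hyperkube kubelet --api-servers=http://localhost:8080 --allow-privileged=true --v=2
root  2244     1  0 10:02 ?     00:01:12 /hyperkube apiserver --v=2
user  3310  3001  0 10:30 pts/0 00:00:00 grep kube'

# privileged_flag COMPONENT   (reads `ps -ef` lines on stdin)
# Prints true / false / unset for the first matching process,
# or not-running when no process line matches COMPONENT.
privileged_flag() (
    component=$1
    # Match "kubelet", "kube-apiserver" and "hyperkube <component>",
    # but not option names such as --kubelet-https.
    line=$(grep -E "(^|[ /])(hyperkube |kube-)?${component}( |\$)" | head -n 1)
    [ -n "$line" ] || { echo not-running; exit 0; }
    # Accept --allow-privileged and --allow_privileged; the last occurrence wins.
    flag=$(printf '%s\n' "$line" |
           grep -oE -e '--allow[-_]privileged(=[^ ]*)?' | tail -n 1)
    case "$flag" in
        "")  echo unset ;;            # flag absent from the command line
        *=*) echo "${flag#*=}" ;;     # explicit =true / =false
        *)   echo true ;;             # bare boolean flag means true
    esac
)

# privileged_pods_enabled   (reads `ps -ef` lines on stdin)
# Prints both states; succeeds only when apiserver AND kubelet allow privileged.
privileged_pods_enabled() (
    ps_out=$(cat)
    api=$(printf '%s\n' "$ps_out" | privileged_flag apiserver)
    kubelet=$(printf '%s\n' "$ps_out" | privileged_flag kubelet)
    echo "apiserver=$api kubelet=$kubelet"
    [ "$api" = true ] && [ "$kubelet" = true ]
)

# Run against the constructed sample; on a real node pipe `ps -ef` in instead.
printf '%s\n' "$SAMPLE_PS" | privileged_pods_enabled ||
    echo "privileged pods would be rejected"
```

Because a privileged container removes most isolation from the host, the same check is useful in the other direction: run it on nodes where privileged pods are not expected and treat `true` as a finding.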
