securityContext.privileged: Forbidden: disallowed by cluster policy

I can't start a pod that needs a privileged security context. Pod security policy:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: pod-security-policy
spec:
  privileged: true
  allowPrivilegeEscalation: true
  readOnlyRootFilesystem: false
  allowedCapabilities:
  - '*'
  allowedProcMountTypes:
  - '*'
  allowedUnsafeSysctls:
  - '*'
  volumes:
  - '*'
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  hostNetwork: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'

Cluster role:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: privileged
rules:
- apiGroups:
  - '*'
  resourceNames:
  - pod-security-policy
  resources:
  - '*'
  verbs:  
  - '*'

Cluster role binding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: privileged-role-binding
roleRef:
  kind: ClusterRole
  name: privileged
  apiGroup: rbac.authorization.k8s.io
subjects:
# Authorize specific service accounts:
- kind: ServiceAccount
  name: default 
  namespace: kube-system
- kind: ServiceAccount
  name: default 
  namespace: default 
- kind: Group
#  apiGroup: rbac.authorization.k8s.io
  name: system:authenticated
# Authorize specific users (not recommended):
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: admin

$ k auth can-i use psp/pod-security-policy
Warning: resource 'podsecuritypolicies' is not namespace scoped in group 'extensions'
yes
$ k apply -f daemonset.yml 
The DaemonSet "daemonset" is invalid: spec.template.spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy

Not sure whether it is needed, but I have added PodSecurityContext to the kube-apiserver args under --enable-admission-plugins.

Any suggestions and insights appreciated. WTF is this: "It looks like your post is mostly code; please add some more details." !?!

Just checked your Pod Security Policy configuration in my current environment:

kubeadm version: &version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1"
Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1"
Server Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1"

I assume you have already included the privileged securityContext in your current DaemonSet manifest file:

securityContext:
  privileged: true

In order to allow the Kubernetes API to spawn privileged containers, you may have to set the kube-apiserver flag --allow-privileged to the value true:

--allow-privileged=true

So I faced the same problem in my k8s cluster as soon as I prohibited running privileged containers with the false option.
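As an added example (not part of the answer above, and not a project script), the following POSIX shell functions read a kube-apiserver static pod manifest and report the two settings this thread turns on: whether --allow-privileged is true and whether PodSecurityPolicy is listed in --enable-admission-plugins. The manifest embedded below is a constructed sample, not taken from a real cluster; on a kubeadm node the real file lives at /etc/kubernetes/manifests/kube-apiserver.yaml.

```shell
#!/bin/sh
# Constructed sample of a kube-apiserver static pod manifest (not from a real cluster).
# It deliberately shows the failing state from the thread: privileged containers
# are refused by the API server even though a permissive PSP is bound.
SAMPLE_MANIFEST=$(cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --allow-privileged=false
    - --enable-admission-plugins=NodeRestriction,PodSecurityPolicy
EOF
)

# flag_value FLAG MANIFEST: print the VALUE of a "- --FLAG=VALUE" command entry,
# or nothing if the flag is absent from the manifest.
flag_value() {
  printf '%s\n' "$2" | sed -n "s/^ *- *--$1=\(.*\)$/\1/p" | head -n 1
}

# allow_privileged MANIFEST: "true" only when --allow-privileged=true is set;
# an absent flag is reported as "false", which is the flag's documented default.
allow_privileged() {
  v=$(flag_value allow-privileged "$1")
  [ "$v" = "true" ] && echo true || echo false
}

# psp_admission_enabled MANIFEST: "true" when PodSecurityPolicy appears in the
# comma-separated --enable-admission-plugins list (PSPs are not enforced otherwise).
psp_admission_enabled() {
  case ",$(flag_value enable-admission-plugins "$1")," in
    *,PodSecurityPolicy,*) echo true ;;
    *) echo false ;;
  esac
}

# report MANIFEST: one line per setting, for quick comparison against the PSP.
report() {
  echo "allow-privileged: $(allow_privileged "$1")"
  echo "PodSecurityPolicy admission: $(psp_admission_enabled "$1")"
}

report "$SAMPLE_MANIFEST"
```

Running it against the sample prints `allow-privileged: false` and `PodSecurityPolicy admission: true`, which is exactly the combination that produces "Forbidden: disallowed by cluster policy" regardless of how permissive the bound PSP is.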
