Why can't I deploy Kubernetes with RKE when PodSecurityPolicy is enabled?


If I enable PodSecurityPolicy on kube-api in RKE's cluster.yaml, I can no longer deploy:

enable-admission-plugins: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction,PersistentVolumeLabel,PodNodeSelector,AlwaysPullImages,DenyEscalatingExec,PodSecurityPolicy"
During deployment with rke v0.2.8 I get the following error:

INFO[0055] [healthcheck] Start Healthcheck on service [kubelet] on host [172.18.13.41] 
FATA[0112] [workerPlane] Failed to bring up Worker Plane: [Failed to verify healthcheck: Failed to check http://localhost:10248/healthz for service [kubelet] on host [172.18.13.41]: Get http://localhost:10248/healthz: Unable to access the service on localhost:10248. The service might be still starting up. Error: ssh: rejected: connect failed (Connection refused), log: ] 
My kubelet docker logs are as follows:

Started kubelet
I1217 20:04:40.749400   26761 server.go:137] Starting to listen on 0.0.0.0:10250
F1217 20:04:40.749469   26761 server.go:174] Failed to create listener for podResources endpoint: listen unix /var/lib/kubelet/pod-resources/kubelet.sock: bind: no such file or directory
E1217 20:04:40.749402   26761 kubelet.go:1308] Image garbage collection failed once. Stats initialization may not have completed yet: failed to get imageFs info: unable to find data in memory cache
If I remove PodSecurityPolicy from the enabled admission plugins, it works.

My policy is:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: 000-privileged
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  volumes:
  - '*'
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'

Do you know why?

Can you share your PodSecurityPolicy?

Just updated the question to add the PSP.

Did you create a ClusterRole and ClusterRoleBinding to use the PSP?

Yes, it is bound, and I can deploy pods and daemonsets without any problem.
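The ClusterRole and ClusterRoleBinding pair the comments above ask about, as an added example that is not from the original post. It assumes the PSP name 000-privileged from the question, and that RKE's own components run either as service accounts in kube-system or as kubelets (members of system:nodes); the binding is deliberately scoped to those subjects rather than to every authenticated user.

```yaml
# Added example: RBAC that lets cluster-system workloads use the 000-privileged PSP.
# With the PodSecurityPolicy admission plugin enabled, a pod is admitted only if the
# creating user or the pod's service account is authorised to "use" at least one PSP.
# Binding the privileged policy to kube-system service accounts and to nodes keeps
# RKE's add-ons schedulable without granting privileged pods to all authenticated users.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:000-privileged
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["000-privileged"]   # PSP name taken from the question
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp:000-privileged:system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:000-privileged
subjects:
# All service accounts in kube-system (assumption: RKE add-ons such as CNI and DNS live here).
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts:kube-system
# Kubelets creating static/mirror pods authenticate as members of system:nodes.
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:nodes
```

After applying this, `kubectl auth can-i use podsecuritypolicy/000-privileged --as=system:serviceaccount:kube-system:default` should answer `yes`, while the same query for a service account in an ordinary namespace should answer `no`.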