Why can't I deploy with RKE when PodSecurityPolicy is enabled?
Tags: kubernetes, kubelet

If I enable PodSecurityPolicy on the kube-api in RKE's cluster.yaml, I can no longer deploy:
enable-admission-plugins: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction,PersistentVolumeLabel,PodNodeSelector,AlwaysPullImages,DenyEscalatingExec,PodSecurityPolicy"
During deployment with rke v0.2.8 I get the following error:
INFO[0055] [healthcheck] Start Healthcheck on service [kubelet] on host [172.18.13.41]
FATA[0112] [workerPlane] Failed to bring up Worker Plane: [Failed to verify healthcheck: Failed to check http://localhost:10248/healthz for service [kubelet] on host [172.18.13.41]: Get http://localhost:10248/healthz: Unable to access the service on localhost:10248. The service might be still starting up. Error: ssh: rejected: connect failed (Connection refused), log: ]
My kubelet docker logs are as follows:
Started kubelet
I1217 20:04:40.749400 26761 server.go:137] Starting to listen on 0.0.0.0:10250
F1217 20:04:40.749469 26761 server.go:174] Failed to create listener for podResources endpoint: listen unix /var/lib/kubelet/pod-resources/kubelet.sock: bind: no such file or directory
E1217 20:04:40.749402 26761 kubelet.go:1308] Image garbage collection failed once. Stats initialization may not have completed yet: failed to get imageFs info: unable to find data in memory cache
If I remove PodSecurityPolicy from enable-admission-plugins, it works.
My policy is:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: 000-privileged
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  volumes:
  - '*'
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
Any idea why?

Comments:
Can you share your pod security policy?
Just updated the question to add the PSP.
Did you create a ClusterRole and ClusterRoleBinding to use the PSP?
Yes, it is bound, and I can deploy pods and daemonsets without any problem.
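The ClusterRole and ClusterRoleBinding the comments ask about, written out as an added example (not from the question or its comments): it grants the "use" verb on the question's 000-privileged policy only to kube-system service accounts and to the kubelets' system:nodes group (the kubelet needs it for the mirror pods of static pods), so a fully privileged policy is not usable from ordinary namespaces. The role and binding names are assumptions.

```yaml
# Added example: scope who may "use" the privileged PSP from the question.
# Binding this role to system:authenticated instead would let every workload
# in the cluster run with hostPID/hostNetwork/privileged.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:000-privileged        # assumed name
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames: ['000-privileged']   # the policy defined in the question
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp:000-privileged:kube-system   # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:000-privileged
subjects:
# every service account in kube-system (network add-on, DNS, metrics, ...)
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts:kube-system
# the kubelets themselves, so mirror pods for static pods pass PSP admission
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:nodes
```

After applying it, "kubectl auth can-i use podsecuritypolicy/000-privileged --as=system:serviceaccount:kube-system:default" should answer yes, while the same check with a service account from another namespace should answer no.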