Kubernetes securityContext.privileged: Forbidden: not allowed by cluster policy

Tags: kubernetes, rbac, kube-apiserver, security-context

I can't start a pod that needs a privileged security context. PodSecurityPolicy:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: pod-security-policy
spec:
  privileged: true
  allowPrivilegeEscalation: true
  readOnlyRootFilesystem: false
  allowedCapabilities:
  - '*'
  allowedProcMountTypes:
  - '*'
  allowedUnsafeSysctls:
  - '*'
  volumes:
  - '*'
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  hostNetwork: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: privileged
rules:
# Wildcards on every API group, resource and verb are far broader than the PSP
# admission check needs; the least-privilege rule is
#   apiGroups: [policy], resources: [podsecuritypolicies], verbs: [use]
# with the same resourceNames.
- apiGroups:
  - '*'
  resourceNames:
  - pod-security-policy
  resources:
  - '*'
  verbs:
  - '*'
ClusterRoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: privileged-role-binding
roleRef:
  kind: ClusterRole
  name: privileged
  apiGroup: rbac.authorization.k8s.io
subjects:
# Authorize specific service accounts:
- kind: ServiceAccount
  name: default 
  namespace: kube-system
- kind: ServiceAccount
  name: default 
  namespace: default 
- kind: Group
  apiGroup: rbac.authorization.k8s.io   # required for Group and User subjects
  # Binding system:authenticated lets every authenticated principal use the
  # fully privileged PSP.
  name: system:authenticated
# Authorize specific users (not recommended):
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: admin
Not sure whether it's needed, but I have also added PodSecurityContext to the kube-apiserver args in
--enable-admission-plugins


Any advice and insight would be appreciated. WTF is this: "It looks like your post is mostly code; please add some more details."

Just checked the pod security configuration in my current environment:

kubeadm version: &version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1"
Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1"
Server Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1"
I assume you have already included privileged in your current daemon manifest file:

securityContext:
  privileged: true
To allow the Kubernetes API to spawn the container, you may have to set the --allow-privileged flag to true:

--allow-privileged=true


So I faced the same issue in my k8s cluster once I prohibited running privileged containers with the false option.

--allow-privileged has been deprecated. Yes, this flag was removed from the kubelet configuration, but it is still present in kube-apiserver.
securityContext:
  privileged: true
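The answers above point at --allow-privileged=true on kube-apiserver, and the question mentions adding the admission plugin to --enable-admission-plugins. The following is an added example (editor's code, not from the question or any of the answers) that audits a kube-apiserver static pod manifest for both settings before you burn time on RBAC. The manifest text is constructed here to mimic what kubeadm writes to /etc/kubernetes/manifests/kube-apiserver.yaml; the function name check_apiserver_manifest and the sample contents are this example's own assumptions.

```shell
#!/bin/sh
# Audit a kube-apiserver static pod manifest for the two settings this thread
# turns on: --allow-privileged=true and PodSecurityPolicy in
# --enable-admission-plugins. Editor's example, not code from the post.

# Constructed sample (not a real file): shaped like the kubeadm-generated
# /etc/kubernetes/manifests/kube-apiserver.yaml on a v1.14 control plane.
SAMPLE_MANIFEST='apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --enable-admission-plugins=NodeRestriction,PodSecurityPolicy
    image: k8s.gcr.io/kube-apiserver:v1.14.1
    name: kube-apiserver'

# check_apiserver_manifest FILE
# Prints one line per setting; returns 0 only if both are present.
check_apiserver_manifest() {
  file="$1"
  rc=0

  # The flag is one list item under "command:"; require the exact value.
  if grep -Eq '^[[:space:]]*-[[:space:]]*--allow-privileged=true[[:space:]]*$' "$file"; then
    echo "ok: --allow-privileged=true"
  else
    echo "missing: --allow-privileged=true"
    rc=1
  fi

  # The plugin list is comma separated; match PodSecurityPolicy as a whole
  # item so that a name merely containing the string does not pass.
  if grep -E '^[[:space:]]*-[[:space:]]*--enable-admission-plugins=' "$file" \
       | grep -Eq '(=|,)PodSecurityPolicy(,|[[:space:]]*$)'; then
    echo "ok: PodSecurityPolicy admission plugin enabled"
  else
    echo "missing: PodSecurityPolicy in --enable-admission-plugins"
    rc=1
  fi

  return $rc
}

# Stand-alone demo on the constructed manifest.
tmpfile=$(mktemp)
printf '%s\n' "$SAMPLE_MANIFEST" > "$tmpfile"
check_apiserver_manifest "$tmpfile"
rm -f "$tmpfile"
```

On a control-plane node run check_apiserver_manifest /etc/kubernetes/manifests/kube-apiserver.yaml. The RBAC half can be verified without launching a trial pod: kubectl auth can-i use podsecuritypolicy/pod-security-policy --as=system:serviceaccount:default:default should print yes once the ClusterRoleBinding is in place; if it prints no, the admission plugin will keep rejecting the pod no matter what the apiserver flag says.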