Kubernetes securityContext.privileged:禁止:群集策略不允许
我无法启动需要特权安全上下文的pod。 PodSecurityPolicy:Kubernetes securityContext.privileged:禁止:群集策略不允许,kubernetes,rbac,kube-apiserver,security-context,Kubernetes,Rbac,Kube Apiserver,Security Context,我无法启动需要特权安全上下文的pod。 PodSecurityPolicy: apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: pod-security-policy spec: privileged: true allowPrivilegeEscalation: true readOnlyRootFilesystem: false allowedCapabilities: - '*'
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: pod-security-policy
spec:
privileged: true
allowPrivilegeEscalation: true
readOnlyRootFilesystem: false
allowedCapabilities:
- '*'
allowedProcMountTypes:
- '*'
allowedUnsafeSysctls:
- '*'
volumes:
- '*'
hostPorts:
- min: 0
max: 65535
hostIPC: true
hostPID: true
hostNetwork: true
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
集群角色:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: privileged
rules:
- apiGroups:
- '*'
resourceNames:
- pod-security-policy
resources:
- '*'
verbs:
- '*'
集群角色绑定:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: privileged-role-binding
roleRef:
kind: ClusterRole
name: privileged
apiGroup: rbac.authorization.k8s.io
subjects:
# Authorize specific service accounts:
- kind: ServiceAccount
name: default
namespace: kube-system
- kind: ServiceAccount
name: default
namespace: default
- kind: Group
# apiGroup: rbac.authorization.k8s.io
name: system:authenticated
# Authorize specific users (not recommended):
- kind: User
apiGroup: rbac.authorization.k8s.io
name: admin
不确定是否需要,但我已将PodSecurityContext添加到args/kube apiserver——启用准入插件
任何建议和见解都将不胜感激。WTF是这样的:“看起来你的帖子大部分是代码,请添加更多细节。” 刚刚检查了我当前环境中的Pod安全配置:
kubeadm version: &version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1"
Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1"
Server Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1"
我假设您已在当前守护程序清单文件中包含特权
securityContext:
privileged: true
为了允许Kubernetes API生成容器,您可能必须将标志--allow privileged
设置为true
值
--allow privileged=true
因此,我在k8s集群中也面临同样的问题,一旦我禁止使用false
选项运行特权容器。--allow privileged
已被弃用。是的,这个标志已从kubelet
配置中删除,但仍保留在kube-apiserver
中。
securityContext:
privileged: true