securityContext.privileged: Forbidden: 集群策略不允许

Question

securityContext.privileged: Forbidden: 集群策略不允许

Kok*_*Teh 3 rbac security-context kubernetes kube-apiserver

我无法启动需要特权安全上下文的 pod。Pod 安全策略：

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: pod-security-policy
spec:
  privileged: true
  allowPrivilegeEscalation: true
  readOnlyRootFilesystem: false
  allowedCapabilities:
  - '*'
  allowedProcMountTypes:
  - '*'
  allowedUnsafeSysctls:
  - '*'
  volumes:
  - '*'
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  hostNetwork: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'

Run Code Online (Sandbox Code Playgroud)

集群角色：

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: privileged
rules:
- apiGroups:
  - '*'
  resourceNames:
  - pod-security-policy
  resources:
  - '*'
  verbs:  
  - '*'

Run Code Online (Sandbox Code Playgroud)

集群角色绑定：

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: privileged-role-binding
roleRef:
  kind: ClusterRole
  name: privileged
  apiGroup: rbac.authorization.k8s.io
subjects:
# Authorize specific service accounts:
- kind: ServiceAccount
  name: default 
  namespace: kube-system
- kind: ServiceAccount
  name: default 
  namespace: default 
- kind: Group
#  apiGroup: rbac.authorization.k8s.io
  name: system:authenticated
# Authorize specific users (not recommended):
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: admin

Run Code Online (Sandbox Code Playgroud)

$ k auth can-i use psp/pod-security-policy
Warning: resource 'podsecuritypolicies' is not namespace scoped in group 'extensions'
yes
$ k apply -f daemonset.yml 
The DaemonSet "daemonset" is invalid: spec.template.spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy

Run Code Online (Sandbox Code Playgroud)

不确定是否需要，但我已将 PodSecurityContext 添加到 args/kube-apiserver --enable-admission-plugins

任何建议和见解表示赞赏。WTF 是这样的：“看起来您的帖子主要是代码；请添加更多详细信息。” ！？！

Answer 1

Nic*_*_Kh 5

刚刚检查了我当前环境中的Pod 安全策略配置：

kubeadm version: &version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1"
Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1"
Server Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1"

Run Code Online (Sandbox Code Playgroud)

我假设您已经在当前的 DaemonSet 清单文件中包含了 Privileged securityContext。

securityContext:
  privileged: true

Run Code Online (Sandbox Code Playgroud)

为了允许 Kubernetes API 产生特权容器，您可能必须将kube-apiserver标志设置--allow-privileged为truevalue。

--allow-privileged=true

因此，一旦我禁止使用false选项运行特权容器，我在 k8s 集群中就面临着同样的问题。

是的，这个标志已从“kubelet”配置中删除，但它仍然保留在“kube-apiserver”中。 (2认同)

归档时间：	6 年，1 月前
查看次数：	4704 次
最近记录：	4 年，8 月前