Openshift：无法针对任何安全性 > 上下文约束进行验证

Question

Openshift：无法针对任何安全性 > 上下文约束进行验证

我尝试创建以下 statefulSet：

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: es-cluster
  namespace: efk
spec:
  serviceName: elasticsearch
  replicas: 3
  selector:
    matchLabels:
      app: elasticsearch
  template:
    metadata:
      labels:
        app: elasticsearch
    spec:
      containers:
      - name: elasticsearch
        image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.2.0
        resources:
          limits:
            cpu: 1000m
          requests:
            cpu: 100m
        ports:
        - containerPort: 9200
          name: rest
          protocol: TCP
        - containerPort: 9300
          name: inter-node
          protocol: TCP
        volumeMounts:
        - name: data
          mountPath: /usr/share/elasticsearch/data
        env:
        - name: cluster.name
          value: k8s-logs
        - name: node.name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: discovery.zen.ping.unicast.hosts
          value: "es-cluster-0.elasticsearch,es-cluster-1.elasticsearch,es-cluster-2.elasticsearch"
        - name: discovery.zen.minimum_master_nodes
          value: "2"
        - name: ES_JAVA_OPTS
          value: "-Xms256m -Xmx256m"
      initContainers:
      - name: fix-permissions
        image: busybox
        command: ["sh", "-c", "chown -R 1000:1000 /usr/share/elasticsearch/data"]
        securityContext:
          privileged: true
        volumeMounts:
        - name: data
          mountPath: /usr/share/elasticsearch/data
      - name: increase-vm-max-map
        image: busybox
        command: ["sysctl", "-w", "vm.max_map_count=262144"]
        securityContext:
          privileged: true
      - name: increase-fd-ulimit
        image: busybox
        command: ["sh", "-c", "ulimit -n 65536"]
        securityContext:
          privileged: true
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "pv0002"
      resources:
        requests:
          storage: 100Mi

Run Code Online (Sandbox Code Playgroud)

不幸的是，我遇到了以下似乎无法解决的异常：

在 StatefulSet es-cluster 中创建 Pod es-cluster-0 失败错误：禁止 Pod“es-cluster-0”：无法针对任何安全上下文约束进行验证：[spec.initContainers[0].securityContext.privileged：无效值： true：不允许特权容器 spec.initContainers[1].securityContext.privileged：无效值：true：不允许特权容器 spec.initContainers[2].securityContext.privileged：无效值：true：不允许特权容器]

我补充说：

oc adm policy add-scc-to-user privileged developer

Run Code Online (Sandbox Code Playgroud)

不知道我还应该检查什么，我希望它可以工作。

注意：我在 Mac OSX 上本地使用 CRC。 https://github.com/code-ready/crc

编辑，我太过分了并添加了所有想到的可能用户：

oc describe scc 

Name:                                           privileged
Priority:                                       <none>
Access:                                         
  Users:                                        system:admin,system:serviceaccount:openshift-infra:build-controller,developer,deployer,default,builder,statefulset-controller
  Groups:                                       system:cluster-admins,system:nodes,system:masters
Settings:                                       
  Allow Privileged:                             true
  Allow Privilege Escalation:                   true
  Default Add Capabilities:                     <none>
  Required Drop Capabilities:                   <none>
  Allowed Capabilities:                         *
  Allowed Seccomp Profiles:                     *
  Allowed Volume Types:                         *
  Allowed Flexvolumes:                          <all>
  Allowed Unsafe Sysctls:                       *
  Forbidden Sysctls:                            <none>
  Allow Host Network:                           true
  Allow Host Ports:                             true
  Allow Host PID:                               true
  Allow Host IPC:                               true
  Read Only Root Filesystem:                    false
  Run As User Strategy: RunAsAny                
    UID:                                        <none>
    UID Range Min:                              <none>
    UID Range Max:                              <none>
  SELinux Context Strategy: RunAsAny            
    User:                                       <none>
    Role:                                       <none>
    Type:                                       <none>
    Level:                                      <none>
  FSGroup Strategy: RunAsAny                    
    Ranges:                                     <none>
  Supplemental Groups Strategy: RunAsAny        
    Ranges:                                     <none>

Run Code Online (Sandbox Code Playgroud)

同样的错误wtf...

Answer 1

Tra*_*ace 10

使用以下方法修复了此问题：

oc adm policy add-scc-to-user privileged -z default -n efk

Run Code Online (Sandbox Code Playgroud)

手动的：

-z, --serviceaccount=[]: 在当前命名空间中作为用户使用的服务帐户

归档时间：	5 年，7 月前
查看次数：	7889 次
最近记录：	5 年，7 月前

Openshift：无法针对任何安全性 &gt; 上下文约束进行验证

Openshift：无法针对任何安全性 > 上下文约束进行验证