【Title】: securityContext.privileged: Forbidden: disallowed by cluster policy
【Posted】: 2019-12-01 01:45:10
【Question】:

I can't start a pod that needs a privileged security context. PodSecurityPolicy:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: pod-security-policy
spec:
  privileged: true
  allowPrivilegeEscalation: true
  readOnlyRootFilesystem: false
  allowedCapabilities:
  - '*'
  allowedProcMountTypes:
  - '*'
  allowedUnsafeSysctls:
  - '*'
  volumes:
  - '*'
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  hostNetwork: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'

ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: privileged
rules:
- apiGroups:
  - '*'
  resourceNames:
  - pod-security-policy
  resources:
  - '*'
  verbs:  
  - '*'

ClusterRoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: privileged-role-binding
roleRef:
  kind: ClusterRole
  name: privileged
  apiGroup: rbac.authorization.k8s.io
subjects:
# Authorize specific service accounts:
- kind: ServiceAccount
  name: default 
  namespace: kube-system
- kind: ServiceAccount
  name: default 
  namespace: default 
- kind: Group
#  apiGroup: rbac.authorization.k8s.io
  name: system:authenticated
# Authorize specific users (not recommended):
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: admin

$ k auth can-i use psp/pod-security-policy
Warning: resource 'podsecuritypolicies' is not namespace scoped in group 'extensions'
yes
$ k apply -f daemonset.yml 
The DaemonSet "daemonset" is invalid: spec.template.spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy

Not sure whether it is needed, but I have added PodSecurityContext to args/kube-apiserver --enable-admission-plugins

Thanks for any advice and insight. WTF is this: "It looks like your post is mostly code; please add some more details." !?!

【Discussion】:

    Tags: kubernetes rbac kube-apiserver security-context


    【Answer 1】:

    I just checked your Pod Security Policy configuration in my current environment:

    kubeadm version: &version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1"
    Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1"
    Server Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1"
    

    I assume you have the Privileged securityContext in your current DaemonSet manifest file:

    securityContext:
      privileged: true
    

    To let the Kubernetes API spawn Privileged containers, you may have to set the kube-apiserver flag --allow-privileged to the value true.

    --allow-privileged=true

    Hence, once I disallowed running privileged containers with the false option, I faced the same issue in my k8s cluster too.

    【Comments】:

    • --allow-privileged is deprecated.
    • Yes, the flag was removed from the kubelet configuration, but it is still retained in kube-apiserver.
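Why the answer's flag matters even though `kubectl auth can-i use psp/pod-security-policy` said yes: the exact wording "disallowed by cluster policy" is produced by kube-apiserver's own validation of `--allow-privileged`, which runs before the PodSecurityPolicy admission plugin ever looks at the pod; a PSP rejection reads "unable to validate against any pod security policy" instead. The script below is an added example, not code from the question, the answer or Kubernetes itself. It models both layers offline on constructed copies of the question's PSP, ClusterRole and ClusterRoleBinding (the pod spec, service-account names and the `admit` helper are assumptions for the illustration), and it also flags the binding's `system:authenticated` subject, which hands this fully permissive PSP to every authenticated principal in the cluster.

```python
"""Offline model of the two gates a privileged pod passes (added example).

Layer 1: kube-apiserver validation with --allow-privileged=false rejects
         securityContext.privileged=true as "disallowed by cluster policy".
Layer 2: the PodSecurityPolicy admission plugin requires that the pod's
         service account be granted the "use" verb on a PSP whose spec
         permits the requested settings.
"""
from typing import Dict, List

# Constructed: the PSP spec from the question, reduced to the fields checked here.
PSP = {"name": "pod-security-policy",
       "spec": {"privileged": True, "hostNetwork": True, "hostPID": True,
                "hostIPC": True, "allowedCapabilities": ["*"]}}

# Constructed: the ClusterRole rule and ClusterRoleBinding subjects from the question.
CLUSTER_ROLE = {"rules": [{"apiGroups": ["*"], "resources": ["*"],
                           "resourceNames": ["pod-security-policy"], "verbs": ["*"]}]}
BINDING_SUBJECTS = [
    {"kind": "ServiceAccount", "name": "default", "namespace": "kube-system"},
    {"kind": "ServiceAccount", "name": "default", "namespace": "default"},
    {"kind": "Group", "name": "system:authenticated"},
    {"kind": "User", "name": "admin"},
]

# Constructed: a pod template like the one the question's DaemonSet would carry.
DAEMONSET_POD = {"hostNetwork": True,
                 "containers": [{"name": "agent", "securityContext": {"privileged": True}}]}

BROAD_GROUPS = ("system:authenticated", "system:serviceaccounts", "system:unauthenticated")


def apiserver_validation(pod_spec: Dict, allow_privileged: bool) -> List[str]:
    """Layer 1: the --allow-privileged gate, with the error text the question shows."""
    errors = []
    for i, c in enumerate(pod_spec.get("containers", [])):
        if c.get("securityContext", {}).get("privileged") and not allow_privileged:
            errors.append(f"spec.containers[{i}].securityContext.privileged: "
                          "Forbidden: disallowed by cluster policy")
    return errors


def psp_violations(pod_spec: Dict, psp_spec: Dict) -> List[str]:
    """Layer 2a: settings in the pod spec that this PSP does not permit."""
    violations = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(flag) and not psp_spec.get(flag, False):
            violations.append(f"{flag} not allowed by PSP")
    allowed_caps = psp_spec.get("allowedCapabilities", [])
    for i, c in enumerate(pod_spec.get("containers", [])):
        sc = c.get("securityContext", {})
        if sc.get("privileged") and not psp_spec.get("privileged", False):
            violations.append(f"containers[{i}]: privileged not allowed by PSP")
        for cap in sc.get("capabilities", {}).get("add", []):
            if "*" not in allowed_caps and cap not in allowed_caps:
                violations.append(f"containers[{i}]: capability {cap} not allowed by PSP")
    return violations


def role_grants_use(role: Dict, psp_name: str) -> bool:
    """Layer 2b: does any rule grant 'use' on podsecuritypolicies/<psp_name>?"""
    for rule in role["rules"]:
        names = rule.get("resourceNames", [])  # an empty list means every name
        if ("*" in rule.get("apiGroups", []) or {"policy", "extensions"} & set(rule.get("apiGroups", []))) \
                and ("*" in rule.get("resources", []) or "podsecuritypolicies" in rule.get("resources", [])) \
                and (not names or psp_name in names) \
                and ("*" in rule.get("verbs", []) or "use" in rule.get("verbs", [])):
            return True
    return False


def subject_can_use(subjects: List[Dict], sa_name: str, sa_namespace: str) -> bool:
    """Layer 2c: is the service account bound directly or through a group it belongs to?"""
    sa_groups = ("system:authenticated", "system:serviceaccounts",
                 f"system:serviceaccounts:{sa_namespace}")
    for s in subjects:
        if s["kind"] == "ServiceAccount" and s["name"] == sa_name and s.get("namespace") == sa_namespace:
            return True
        if s["kind"] == "Group" and s["name"] in sa_groups:
            return True
    return False


def overly_broad_subjects(subjects: List[Dict]) -> List[str]:
    """Defender check: groups that give the PSP to every principal in the cluster."""
    return [s["name"] for s in subjects if s["kind"] == "Group" and s["name"] in BROAD_GROUPS]


def admit(pod_spec: Dict, allow_privileged: bool, sa_name: str, sa_namespace: str) -> Dict:
    """Run the gates in the order the API server applies them and report the first failure."""
    errors = apiserver_validation(pod_spec, allow_privileged)
    if errors:
        return {"admitted": False, "stage": "apiserver-validation", "reasons": errors}
    if not (role_grants_use(CLUSTER_ROLE, PSP["name"]) and subject_can_use(BINDING_SUBJECTS, sa_name, sa_namespace)):
        return {"admitted": False, "stage": "psp-rbac", "reasons": ["service account may not use the PSP"]}
    violations = psp_violations(pod_spec, PSP["spec"])
    if violations:
        return {"admitted": False, "stage": "psp-validation", "reasons": violations}
    return {"admitted": True, "stage": "psp-validation", "reasons": []}


if __name__ == "__main__":
    print(admit(DAEMONSET_POD, False, "default", "default"))  # fails at layer 1, as in the question
    print(admit(DAEMONSET_POD, True, "default", "default"))   # passes once the flag is true
    print("overly broad subjects:", overly_broad_subjects(BINDING_SUBJECTS))
```

With `allow_privileged=False` the run stops at the API-server gate with exactly the message from the question, before RBAC or the PSP spec are consulted, which is why `auth can-i` reporting `yes` was not enough. Tightening the binding to the specific service accounts, and the PSP to only the settings the DaemonSet really needs, is the change a reviewer would ask for before shipping either manifest.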