如果我在RKE的cluster.yaml中的Kube-api上激活PodSecurityPolicy,我将无法再部署。
enable-admission-plugins: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction,PersistentVolumeLabel,PodNodeSelector,AlwaysPullImages,DenyEscalatingExec,PodSecurityPolicy"
在使用rke v0.2.8部署期间,我收到以下错误:
INFO[0055] [healthcheck] Start Healthcheck on service [kubelet] on host [172.18.13.41]
FATA[0112] [workerPlane] Failed to bring up Worker Plane: [Failed to verify healthcheck: Failed to check http://localhost:10248/healthz for service [kubelet] on host [172.18.13.41]: Get http://localhost:10248/healthz: Unable to access the service on localhost:10248. The service might be still starting up. Error: ssh: rejected: connect failed (Connection refused), log: ]
我的kubelet码头工人日志如下:
Started kubelet
I1217 20:04:40.749400 26761 server.go:137] Starting to listen on 0.0.0.0:10250
F1217 20:04:40.749469 26761 server.go:174] Failed to create listener for podResources endpoint: listen unix /var/lib/kubelet/pod-resources/kubelet.sock: bind: no such file or directory
E1217 20:04:40.749402 26761 kubelet.go:1308] Image garbage collection failed once. Stats initialization may not have completed yet: failed to get imageFs info: unable to find data in memory cache
如果我从enable-admission-plugins中删除PodSecurityPolicy,它将起作用。
我的政策是
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: 000-privileged
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
privileged: true
allowPrivilegeEscalation: true
allowedCapabilities:
- '*'
volumes:
- '*'
hostNetwork: true
hostPorts:
- min: 0
max: 65535
hostIPC: true
hostPID: true
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
知道为什么吗?