我尝试使用kubeadm在ubuntu 16.04上安装的1.10.1群集上设置PodSecurityPolicy,并按照https://kubernetes.io/docs/concepts/policy/pod-security-policy/上的说明进行操作
所以我在/etc/kubernetes/manifests/kube-apiserver.yaml修改了主人的apiserver清单
将",PodSecurityPolicy"添加到--admission-control arg
当我这样做并运行kubectl get pods -n kube-system时
api-server没有列出,显然我已经设法点击了一个正在运行的apiserver实例,因为我得到了一个kube-system命名空间中所有其他pod的列表
我可以看到已经使用PodSecurityPolicy许可控制器启动了一个新的docker容器,它显然正在提供kubectl请求
当我使用journalctl -u kubelet检查kubelet日志时,我可以看到
Apr 15 18:14:23 pmcgrath-k8s-3-master kubelet[993]: E0415 18:14:23.087361 993 kubelet.go:1617] Failed creating a mirror pod for "kube-apiserver-pmcgrath-k8s-3-master_kube-system(46dbb13cd345f9fbb9e18e2229e2e
dd1)": pods "kube-apiserver-pmcgrath-k8s-3-master" is forbidden: unable to validate against any pod security policy: []
我已经添加了特权PSP并创建了一个集群角色和绑定,并确认PSP正在运行
只是不确定为什么apiserver kubelet会出现此错误,因此没有出现在pod列表中,会认为kubelet会创建此pod并且不确定是否必须为apiserver,控制器管理器,调度程序创建角色绑定和kube-dns
没有文档说明如何处理这个,我认为这是一个鸡和蛋的情况,我必须引导集群,添加一些PSP,ClusterRoles和ClusterRolebindings之前我可以改变api服务器的许可控制arg
任何人都有同样的问题或对此有任何指示?
由于 专利
答案 0 :(得分:1)
我写了一篇关于如何弄清楚这些东西的博客文章,简短的回答是
请参见https://pmcgrath.net/using-pod-security-policies-with-kubeadm
答案 1 :(得分:0)
看起来不能只将PodSecurityPolicy添加到插件列表的末尾。例如,带来群集的script会从选项列表(security_admission,SecurityContextDeny,PodSecurityPolicy)中仅选择一个NodeRestriction,因此他们可能会在一起使用时会引起冲突。
在create_psp_policy之后调用函数start_apiserver,因此我们假设您可以在更改api-server参数后创建策略,角色和绑定,但是在所有必需对象之后,某些pod变为Running已经到位。
请参阅文件https://github.com/kubernetes/kubernetes/blob/master/hack/local-up-cluster.sh
从第412行开始:
function start_apiserver {
security_admission=""
if [[ -n "${DENY_SECURITY_CONTEXT_ADMISSION}" ]]; then
security_admission=",SecurityContextDeny"
fi
if [[ -n "${PSP_ADMISSION}" ]]; then
security_admission=",PodSecurityPolicy"
fi
if [[ -n "${NODE_ADMISSION}" ]]; then
security_admission=",NodeRestriction"
fi
if [ "${ENABLE_POD_PRIORITY_PREEMPTION}" == true ]; then
security_admission=",Priority"
if [[ -n "${RUNTIME_CONFIG}" ]]; then
RUNTIME_CONFIG+=","
fi
RUNTIME_CONFIG+="scheduling.k8s.io/v1alpha1=true"
fi
# Admission Controllers to invoke prior to persisting objects in cluster
#
# The order defined here dose not matter.
ENABLE_ADMISSION_PLUGINS=Initializers,LimitRanger,ServiceAccount${security_admission},DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,PodPreset,StorageObjectInUseProtection
<skipped>
}
<skipped>
从第864行开始:
function create_psp_policy {
echo "Create podsecuritypolicy policies for RBAC."
${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" create -f ${KUBE_ROOT}/examples/podsecuritypolicy/rbac/policies.yaml
${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" create -f ${KUBE_ROOT}/examples/podsecuritypolicy/rbac/roles.yaml
${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" create -f ${KUBE_ROOT}/examples/podsecuritypolicy/rbac/bindings.yaml
}
<skipped>
从第986行开始
echo "Starting services now!"
if [[ "${START_MODE}" != "kubeletonly" ]]; then
start_etcd
set_service_accounts
start_apiserver
start_controller_manager
if [[ "${EXTERNAL_CLOUD_PROVIDER:-}" == "true" ]]; then
start_cloud_controller_manager
fi
start_kubeproxy
start_kubedns
start_kubedashboard
fi
if [[ "${START_MODE}" != "nokubelet" ]]; then
## TODO remove this check if/when kubelet is supported on darwin
# Detect the OS name/arch and display appropriate error.
case "$(uname -s)" in
Darwin)
warning "kubelet is not currently supported in darwin, kubelet aborted."
KUBELET_LOG=""
;;
Linux)
start_kubelet
;;
*)
warning "Unsupported host OS. Must be Linux or Mac OS X, kubelet aborted."
;;
esac
fi
if [[ -n "${PSP_ADMISSION}" && "${AUTHORIZATION_MODE}" = *RBAC* ]]; then
create_psp_policy
fi
if [[ "$DEFAULT_STORAGE_CLASS" = "true" ]]; then
create_storage_class
fi
print_success
<skipped>