kubernetes statefulset-controller privileged for Elasticsearch init containers

Time: 2019-11-12 16:45:15

Tags: elasticsearch kubernetes

I am trying to create an ElasticSearch StatefulSet (STS) with init containers that raise vm.max_map_count=262144 on the worker node and also set ulimit -n 65536.

However, as far as I can see, some PodSecurityPolicy (PSP) is denying the escalation to privileged containers.

  Warning  FailedCreate  1s (x12 over 11s)  statefulset-controller  create Pod elasticsearch-node-0 in StatefulSet elasticsearch-node failed error: pods "elasticsearch-node-0" is forbidden: unable to validate against any pod security policy: [spec.initContainers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.initContainers[1].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]

In fact, there are 2x PSPs in the cluster, namely privileged and unprivileged. Do I need to specify the privileged PSP in the STS somehow? Or on the svc-acc?

The k8s server version is 1.9.8, if that matters.

Here is the STS (with some Helm elements):

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: elasticsearch-node
  namespace: {{ .Release.Namespace }}
  labels:
    component: elasticsearch
    role: node
spec:
  replicas: {{ .Values.replicas }}
  serviceName: elasticsearch-discovery
  selector:
    matchLabels:
      component: elasticsearch
      role: node
  template:
    metadata:
      namespace: {{ .Release.Namespace }}
      labels:
        component: elasticsearch
        role: node
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: component
                operator: In
                values:
                - elasticsearch
              - key: role
                operator: In
                values:
                - node
            topologyKey: kubernetes.io/hostname
      terminationGracePeriodSeconds: 100
      securityContext:
        fsGroup: 1000
      initContainers:
        # To increase the default vm.max_map_count to 262144
      - name: increase-vm-max-map-count
        image: busybox
        command:
        - sysctl
        - -w
        - vm.max_map_count=262144
        securityContext:
          privileged: true
        # To increase the ulimit to 65536
      - name: increase-ulimit
        image: busybox
        command:
        - sh
        - -c
        - ulimit -n 65536
        securityContext:
          privileged: true
      containers:
      - name: elasticsearch
        image: docker.elastic.co/elasticsearch/elasticsearch:{{ .Values.global.version }}
        imagePullPolicy: Always
        ports:
        - name: http
          containerPort: 9200
        - name: transport
          containerPort: 9300
        volumeMounts:
        # - name: storage
        #   mountPath: /data
        - name: config
          mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
          subPath: elasticsearch.yml
        resources:
{{ toYaml .Values.resources | indent 12 }}
        env:
        - name: ES_JAVA_OPTS
          value: {{ .Values.java.options }}
      volumes:
      - name: config
        configMap:
          name: elasticsearch-node

$ kubectl describe sts elasticsearch-node

Name:               elasticsearch-node
Namespace:          default
CreationTimestamp:  Tue, 12 Nov 2019 17:09:50 +0100
Selector:           component=elasticsearch,role=node
Labels:             component=elasticsearch
                    role=node
Annotations:        <none>
Replicas:           2 desired | 0 total
Update Strategy:    RollingUpdate
  Partition:        824638159384
Pods Status:        0 Running / 0 Waiting / 0 Succeeded / 0 Failed
Pod Template:
  Labels:  component=elasticsearch
           role=node
  Init Containers:
   increase-vm-max-map-count:
    Image:      busybox
    Port:       <none>
    Host Port:  <none>
    Command:
      sysctl
      -w
      vm.max_map_count=262144
    Environment:  <none>
    Mounts:       <none>
   increase-ulimit:
    Image:      busybox
    Port:       <none>
    Host Port:  <none>
    Command:
      sh
      -c
      ulimit -n 65536
    Environment:  <none>
    Mounts:       <none>
  Containers:
   elasticsearch:
    Image:       docker.elastic.co/elasticsearch/elasticsearch:7.3.2
    Ports:       9200/TCP, 9300/TCP
    Host Ports:  0/TCP, 0/TCP
    Limits:
      cpu:     1
      memory:  3Gi
    Requests:
      cpu:     250m
      memory:  2Gi
    Environment:
      ES_JAVA_OPTS:  -Xms2G -Xmx2G
    Mounts:
      /usr/share/elasticsearch/config/elasticsearch.yml from config (rw,path="elasticsearch.yml")
  Volumes:
   config:
    Type:       ConfigMap (a volume populated by a ConfigMap)
    Name:       elasticsearch-node
    Optional:   false
Volume Claims:  <none>
Events:
  Type     Reason        Age                From                    Message
  ----     ------        ----               ----                    -------
  Warning  FailedCreate  1s (x17 over 78s)  statefulset-controller  create Pod elasticsearch-node-0 in StatefulSet elasticsearch-node failed error: pods "elasticsearch-node-0" is forbidden: unable to validate against any pod security policy: [spec.initContainers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.initContainers[1].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]

I have been staring at the PSP docs for a while now: https://kubernetes.io/docs/concepts/policy/pod-security-policy/

0 answers:

No answers
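Editor's note, not part of the original post: the PSP admission controller authorizes a pod against the PSPs that either the creating user or the pod's own service account is allowed to `use`. For a StatefulSet the creating user is the statefulset-controller, which is not bound to the privileged PSP, so the pod's service account has to be. The manifest below is an added example (not the poster's Helm chart) that grants exactly that: a dedicated ServiceAccount, a namespaced Role with the `use` verb on one PSP, a RoleBinding, and the single `serviceAccountName` line the StatefulSet's pod template needs. Assumed names: the PSP is literally called `privileged` (check with `kubectl get psp`) and the release namespace is `elasticsearch`.

```yaml
# Added example: authorize the StatefulSet's pods to use the cluster's existing
# "privileged" PodSecurityPolicy. Assumptions: PSP name "privileged",
# namespace "elasticsearch"; both are placeholders to adjust.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: elasticsearch-node
  namespace: elasticsearch
---
# Least-privilege grant: the "use" verb on this one PSP only (resourceNames),
# scoped to the namespace rather than a ClusterRole. On Kubernetes 1.9 the PSP
# resource lives in the "extensions" API group (policy/v1beta1 appears in 1.10);
# listing both groups keeps the same manifest valid on newer clusters.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: elasticsearch-node-psp
  namespace: elasticsearch
rules:
- apiGroups: ["extensions", "policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["privileged"]
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: elasticsearch-node-psp
  namespace: elasticsearch
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: elasticsearch-node-psp
subjects:
- kind: ServiceAccount
  name: elasticsearch-node
  namespace: elasticsearch
---
# Pod template fragment of the StatefulSet: the only change is to run the pods
# under the service account that now holds the "use" permission.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: elasticsearch-node
  namespace: elasticsearch
spec:
  replicas: 2
  serviceName: elasticsearch-discovery
  selector:
    matchLabels:
      component: elasticsearch
      role: node
  template:
    metadata:
      labels:
        component: elasticsearch
        role: node
    spec:
      serviceAccountName: elasticsearch-node
      initContainers:
      - name: increase-vm-max-map-count
        image: busybox
        command: ["sysctl", "-w", "vm.max_map_count=262144"]
        securityContext:
          privileged: true
      containers:
      - name: elasticsearch
        image: docker.elastic.co/elasticsearch/elasticsearch:7.3.2
        ports:
        - name: http
          containerPort: 9200
        - name: transport
          containerPort: 9300
```

Before re-creating the StatefulSet, confirm the binding took effect from the service account's point of view: `kubectl auth can-i use podsecuritypolicy/privileged --as=system:serviceaccount:elasticsearch:elasticsearch-node -n elasticsearch` should print `yes`, and a `no` here means the pods will keep failing with the same `unable to validate against any pod security policy` event. Two caveats worth weighing. First, `vm.max_map_count` is not a namespaced sysctl, so the privileged init container changes the kernel setting for the whole node, whereas `ulimit -n 65536` run in a separate init container only changes that shell's own limit and does nothing for the elasticsearch container; the file-descriptor limit has to come from the node or the container runtime. Second, binding the pod's service account to the privileged PSP lets any container in that pod template ask for `privileged: true`, not just the init containers, so the stricter alternative is to set the sysctl on the nodes once (for example from a separate privileged DaemonSet in a locked-down namespace) and keep Elasticsearch itself on the unprivileged PSP.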