Why can't I deploy with RKE after enabling PodSecurityPolicy?

Time: 2019-12-17 20:13:14

Tags: kubernetes kubelet

If I enable PodSecurityPolicy on kube-api in RKE's cluster.yaml, I can no longer deploy.

 enable-admission-plugins:  "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction,PersistentVolumeLabel,PodNodeSelector,AlwaysPullImages,DenyEscalatingExec,PodSecurityPolicy"

During deployment with rke v0.2.8 I get the following error:

INFO[0055] [healthcheck] Start Healthcheck on service [kubelet] on host [172.18.13.41] 
FATA[0112] [workerPlane] Failed to bring up Worker Plane: [Failed to verify healthcheck: Failed to check http://localhost:10248/healthz for service [kubelet] on host [172.18.13.41]: Get http://localhost:10248/healthz: Unable to access the service on localhost:10248. The service might be still starting up. Error: ssh: rejected: connect failed (Connection refused), log: ] 

My kubelet docker logs are as follows:

Started kubelet
I1217 20:04:40.749400   26761 server.go:137] Starting to listen on 0.0.0.0:10250
F1217 20:04:40.749469   26761 server.go:174] Failed to create listener for podResources endpoint: listen unix /var/lib/kubelet/pod-resources/kubelet.sock: bind: no such file or directory
E1217 20:04:40.749402   26761 kubelet.go:1308] Image garbage collection failed once. Stats initialization may not have completed yet: failed to get imageFs info: unable to find data in memory cache

If I remove PodSecurityPolicy from enable-admission-plugins, it works.

My policy is:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: 000-privileged
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  volumes:
  - '*'
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'

Any idea why?
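As an added example, not part of the question: with the PodSecurityPolicy admission plugin enabled, a pod is admitted only if the creating user or the pod's service account is authorized by RBAC to "use" some PSP; the PSP object by itself grants nothing, so a cluster with a PSP but no bindings rejects every new pod, including the add-ons RKE deploys. The manifest below binds the "000-privileged" PSP from the question to the built-in groups that create pods during bootstrap; the role and binding names are assumptions.

```yaml
# Added example (not from the question or from RKE): RBAC that lets workloads
# use the "000-privileged" PodSecurityPolicy shown above. Without a binding
# like this, the PodSecurityPolicy admission plugin denies pod creation.
# The subjects are deliberately broad, matching an "allow everything"
# bootstrap policy; narrow them to the namespaces and service accounts that
# genuinely need privileged pods once the cluster is up.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:000-privileged          # assumed name
rules:
- apiGroups: ['policy', 'extensions']   # 'extensions' for older API servers
  resources: ['podsecuritypolicies']
  resourceNames: ['000-privileged']    # the PSP named in the question
  verbs: ['use']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp:000-privileged:bootstrap  # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:000-privileged
subjects:
# every service account in the cluster (kube-system add-ons, CNI, DNS, ...)
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts
# kubelets, which create mirror pods for static pods via the node identity
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:nodes
```

Users who create pods directly with kubectl (rather than through a controller) need a binding too; `kubectl auth can-i use podsecuritypolicy/000-privileged --as=system:serviceaccount:kube-system:default` shows whether a given identity is covered.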

0 answers:
