【Title】: Whitelisting sysctls for containers in Kubernetes Kind
【Posted】: 2020-06-27 10:50:27
【Description】:

I am trying to deploy a container in a Kubernetes Kind cluster. The container I am trying to deploy needs several sysctl flags to be set.

The deployment fails with

forbidden sysctl: "kernel.msgmnb" not whitelisted

Update

As suggested, I have added a cluster policy, created a role that grants permission to use it, and bound the cluster role to the default service account:

---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: sysctl-psp
spec:
  privileged: false  # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'
  allowedUnsafeSysctls:
  - kernel.msg*
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: role_allow_sysctl
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs:     ['*']
  resourceNames:
  - sysctl-psp
- apiGroups: ['']
  resources:
  - replicasets
  - services
  - pods
  verbs: ['*']
- apiGroups: ['apps']
  resources:
  - deployments
  verbs: ['*']

The cluster role binding is created like this:

kubectl -n <namespace> create rolebinding default:role_allow_sysctl --clusterrole=role_allow_sysctl --serviceaccount=<namespace>:default

Then I try to create the deployment and the service in the same namespace:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-app
  labels:
    app: test-app
spec:
  selector:
    matchLabels:
      app: test-app
      tier: dev
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: test-app
        tier: dev
    spec:
      securityContext:
        sysctls:
        - name: kernel.msgmnb
          value: "6553600"
        - name: kernel.msgmax
          value: "1048800"
        - name: kernel.msgmni
          value: "32768"
        - name: kernel.sem
          value: "128 32768 128 4096"
      containers:
      - image: registry:5000/<container>:1.0.0
        name: test-app
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 10666
          name: port-1
---

The problem persists, but now I get several pods, all of which fail with the same message: forbidden sysctl: "kernel.msgmnb" not whitelisted

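The "forbidden sysctl: ... not whitelisted" message in the question is the wording of the kubelet's own sysctl check, which is controlled by the kubelet's --allowed-unsafe-sysctls setting rather than by the PodSecurityPolicy (the PSP admission error reads differently, "unsafe sysctl ... is not allowed"). As an added example that is not part of the original question or answer, the following Kind cluster config passes that flag to the kubelet on each node through kubeadmConfigPatches. The file name, the worker node and the pattern list are assumptions; the patterns were chosen to cover the four sysctls the Deployment above requests, and note that the PSP above only lists kernel.msg*, so kernel.sem would also have to be added there if the PodSecurityPolicy admission plugin is enabled.

```yaml
# Added example (not from the original post): save as kind-sysctl.yaml
# (file name is an assumption) and create the cluster with
#   kind create cluster --config kind-sysctl.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: InitConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        # Comma-separated patterns passed as --allowed-unsafe-sysctls.
        # Chosen to cover kernel.msgmnb, kernel.msgmax, kernel.msgmni and
        # kernel.sem from the Deployment in the question (assumption).
        allowed-unsafe-sysctls: "kernel.msg*,kernel.sem"
- role: worker
  kubeadmConfigPatches:
  - |
    # Worker nodes join via JoinConfiguration, so the same flag is repeated.
    kind: JoinConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        allowed-unsafe-sysctls: "kernel.msg*,kernel.sem"
```

After the cluster is up and the Deployment from the question has been applied, the effective value inside the pod can be checked with `kubectl -n <namespace> exec deploy/test-app -- cat /proc/sys/kernel/msgmnb`, which should print the requested 6553600. The kernel.msg* and kernel.sem sysctls are IPC-namespaced, which is why Kubernetes allows them per pod at all; they are still classed as "unsafe", so every node's kubelet must allow them explicitly.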
【Discussion】:

    Tags: kubernetes containers sysctl kind


    【Solution 1】:

    I don't think the --allowed-unsafe-sysctls flag can be used with Kind nodes, because the Kind nodes are themselves containers whose sysctl FS is read-only.

    My workaround was to change the required sysctl values on the host. The Kind nodes (and the containers in them) reuse those values.

    【Comments】:
