Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Failed to install kubebench due to kubebench nfs deploy failed #147

Open
jinchihe opened this issue Dec 12, 2018 · 4 comments
Open

Failed to install kubebench due to kubebench nfs deploy failed #147

jinchihe opened this issue Dec 12, 2018 · 4 comments

Comments

@jinchihe
Copy link
Member

jinchihe commented Dec 12, 2018
edited

Install kubebench by following Readme file, but failed, that's caused the nfs cannot be deployment, please see below for details.

[root@test ks_app]# kubectl -n kubeflow describe replicaSet kubebench-nfs-deploy-776496876f |tail -n 5
  ReplicaFailure   True    FailedCreate
Events:
  Type     Reason        Age                From                   Message
  ----     ------        ----               ----                   -------
  Warning  FailedCreate  42s (x34 over 1h)  replicaset-controller  Error creating: pods "kubebench-nfs-deploy-776496876f-" is forbidden: unable to validate against any pod security policy: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]

[root@test ks_app] kubectl -n kubeflow get Deployment/kubebench-nfs-deploy -o json |grep -i privileged
                            **"privileged": true**
@jinchihe
Copy link
Member Author

Checked the problem, that should be caused by the the serviceaccount has no privileged security policy, see below.

[root@test ks_app]# kubectl --as=system:serviceaccount:kubeflow:default -n kubeflow auth can-i use podsecuritypolicy/privileged
no

Suggest that ensure the pod security policy in the install script before deploy nfs. Thanks.

@jinchihe
Copy link
Member Author

worked around solution:

    kubectl -n ${K8S_NAMESPACE} create role psp:privileged --verb=use --resource=podsecuritypolicy --resource-name=privileged
    kubectl -n ${K8S_NAMESPACE} create rolebinding ${KB_ENV}:psp:privileged --role=psp:privileged --serviceaccount=${K8S_NAMESPACE}:default

But I think we should better to update install script to ensure that automatically.

This was referenced Dec 12, 2018
Closed
Closed
Closed
@andreyvelich
Copy link
Member

@jinchihe Can you show me your PodSecurityPolicy?

@jinchihe
Copy link
Member Author

@andreyvelich

Below is PodSecurityPolicy which has been modified as above steps. Thanks.

[root@test hejinchi]# kubectl get PodSecurityPolicy -n kubeflow
NAME         PRIV      CAPS      SELINUX    RUNASUSER   FSGROUP    SUPGROUP   READONLYROOTFS   VOLUMES
default      false               RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            *
privileged   true      *         RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            *

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@jinchihe @andreyvelich