
When I try to create a pod with a non-root fsGroup (here 2000):

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: gcr.io/google-samples/node-hello:1.0
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: true

I hit this error:

Error from server (Forbidden): error when creating "test.yml": pods "security-context-demo" is forbidden: pod.Spec.SecurityContext.RunAsUser is forbidden

Version

root@ubuntuguest:~# kubectl  version
Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.2", GitCommit:"81753b10df112992bf51bbc2c2f85208aad78335", GitTreeState:"clean", BuildDate:"2018-04-27T09:22:21Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.2", GitCommit:"81753b10df112992bf51bbc2c2f85208aad78335", GitTreeState:"clean", BuildDate:"2018-04-27T09:10:24Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

Can anyone help me with how to set a ClusterRoleBinding in the cluster?

Ravichandra

3 Answers


If the issue is indeed because of RBAC permissions, then you can try creating a ClusterRoleBinding with cluster role as explained here.

Instead of the last step in that post (using the authentication token to log in to dashboard), you'll have to use that token and the config in your kubectl client when creating the pod.

For more info on the use of contexts, clusters, and users, visit here.

code

You need to disable the SecurityContextDeny admission plugin while setting up the kube-apiserver.

On the master node:

ps -ef | grep kube-apiserver

and check the enabled plugins:

--enable-admission-plugins=LimitRanger,NamespaceExists,NamespaceLifecycle,ResourceQuota,ServiceAccount,DefaultStorageClass,MutatingAdmissionWebhook,DenyEscalatingExec

Ref: SecurityContextDeny

Ravichandra
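To see why the API server rejects the manifest from the question, here is an added example (not from this thread or from Kubernetes itself) that re-applies the checks the SecurityContextDeny plugin is documented to perform, so a manifest can be screened locally before it is submitted. The pod dict is a constructed copy of the question's YAML; the rule lists follow the plugin's documented behaviour and should be re-checked against your cluster version.

```python
from typing import Dict, List

# Pod-level securityContext fields the plugin denies, keyed to the field
# name used in the API server's error message (documented behaviour).
POD_LEVEL_DENIED = {
    "supplementalGroups": "SupplementalGroups",
    "seLinuxOptions": "SELinuxOptions",
    "runAsUser": "RunAsUser",
    "fsGroup": "FSGroup",
}
# Container-level (and initContainer-level) fields the plugin denies.
CONTAINER_LEVEL_DENIED = {"seLinuxOptions": "SELinuxOptions", "runAsUser": "RunAsUser"}


def security_context_deny(pod: Dict) -> List[str]:
    """Return every reason the plugin would reject this pod.

    The real admission plugin stops at the first hit, so the API server
    shows only reasons[0]; an empty list means this plugin admits the pod.
    """
    reasons: List[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    for field, name in POD_LEVEL_DENIED.items():
        if pod_sc.get(field) is not None:
            reasons.append(f"pod.Spec.SecurityContext.{name} is forbidden")
    for kind in ("initContainers", "containers"):
        for container in spec.get(kind, []):
            c_sc = container.get("securityContext") or {}
            for field, name in CONTAINER_LEVEL_DENIED.items():
                if c_sc.get(field) is not None:
                    reasons.append(f"SecurityContext.{name} is forbidden "
                                   f"(container {container.get('name')!r})")
    return reasons


# Constructed copy of the manifest in the question.
DEMO_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "security-context-demo"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "fsGroup": 2000},
        "volumes": [{"name": "sec-ctx-vol", "emptyDir": {}}],
        "containers": [{"name": "sec-ctx-demo",
                        "image": "gcr.io/google-samples/node-hello:1.0",
                        "volumeMounts": [{"name": "sec-ctx-vol", "mountPath": "/data/demo"}],
                        "securityContext": {"allowPrivilegeEscalation": True}}],
    },
}

if __name__ == "__main__":
    for reason in security_context_deny(DEMO_POD) or ["admitted"]:
        print(reason)
```

The first reason printed matches the error in the question; removing both pod-level fields (or disabling the plugin, as this answer suggests) is what makes the pod admissible.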
cd /etc/kubernetes

cp apiserver.conf apiserver.conf.bak

vim apiserver.conf

Find the SecurityContextDeny keyword and delete it.

:wq 

systemctl restart kube-apiserver

That fixed it.

Cà phê đen