astefanutti / kubebox

⎈❏ Terminal and Web console for Kubernetes
http://astefanutti.github.io/kubebox
MIT License
2.14k stars 142 forks

cAdvisor PodSecurityPolicy does not allow what the DaemonSet requires #91

Closed ledroide closed 4 years ago

ledroide commented 4 years ago

Hello,

The PodSecurityPolicy provided with the cAdvisor implementation, in file cadvisor.yaml, is wrong and leads to an error when applying the cAdvisor DaemonSet.

 Warning  FailedCreate  24s (x8 over 65s)  daemonset-controller  Error creating: pods "cadvisor-" is forbidden: unable to validate against any pod security policy: [spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[2]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[3]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[4]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[5]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[6]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.privileged: Invalid value: true

Here is my PodSecurityPolicy that works:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  labels:
    app: cadvisor
  name: cadvisor
spec:
  allowedHostPaths:
  - pathPrefix: /dev/disk
    readOnly: true
  - pathPrefix: /
    readOnly: true
  - pathPrefix: /var/log
    readOnly: true
  - pathPrefix: /var/run
    readOnly: true
  - pathPrefix: /sys
    readOnly: true
  - pathPrefix: /var/lib/containers
    readOnly: true
  - pathPrefix: /var/lib/docker
    readOnly: true
  fsGroup:
    rule: RunAsAny
  privileged: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - hostPath

FYI, I have used kube-psp-advisor to help me solve the issue and build this PodSecurityPolicy.

Serge
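To see why the original policy rejects the DaemonSet and the one above admits it, here is an added example (not code from kubebox or from the issue author) that re-implements the three PodSecurityPolicy checks involved: the `volumes` allow-list, `allowedHostPaths` prefix and readOnly matching, and `privileged`. The pod spec is a constructed subset of the cAdvisor DaemonSet, the restrictive policy is constructed, and the violation strings approximate the admission controller's wording.

```python
def _has_prefix(path, prefix):
    # PSP rule: exact match, or prefix followed by "/" (/var/lib must not cover /var/libx)
    path, prefix = path.rstrip("/") or "/", prefix.rstrip("/") or "/"
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def validate(pod, psp):
    """Return PSP-style violation messages; an empty list means the pod is admitted."""
    errors, volumes = [], pod.get("volumes", [])
    mounts = [m for c in pod["containers"] for m in c.get("volumeMounts", [])]
    for i, vol in enumerate(volumes):
        if "hostPath" not in vol:
            continue
        if not {"hostPath", "*"} & set(psp.get("volumes", [])):
            errors.append(f'spec.volumes[{i}]: Invalid value: "hostPath": '
                          "hostPath volumes are not allowed to be used")
            continue
        path = vol["hostPath"]["path"]
        allowed = [a for a in psp.get("allowedHostPaths", [])
                   if _has_prefix(path, a["pathPrefix"])]
        if psp.get("allowedHostPaths") and not allowed:
            errors.append(f"spec.volumes[{i}].hostPath.pathPrefix: "
                          f"Invalid value: {path!r}: is not allowed to be used")
        # readOnly on the policy entry forces every mount of that volume to be read-only
        elif any(a.get("readOnly") for a in allowed) and any(
                m["name"] == vol["name"] and not m.get("readOnly") for m in mounts):
            errors.append(f"spec.volumes[{i}]: {path!r} must be mounted readOnly")
    for i, c in enumerate(pod["containers"]):
        if c.get("securityContext", {}).get("privileged") and not psp.get("privileged"):
            errors.append(f"spec.containers[{i}].securityContext.privileged: "
                          "Invalid value: true: Privileged containers are not allowed")
    return errors


# Constructed subset of the cAdvisor DaemonSet pod spec (host paths from the issue).
CADVISOR_POD = {
    "volumes": [{"name": n, "hostPath": {"path": p}} for n, p in
                [("rootfs", "/"), ("var-run", "/var/run"), ("sys", "/sys"),
                 ("docker", "/var/lib/docker"), ("disk", "/dev/disk")]],
    "containers": [{"name": "cadvisor", "securityContext": {"privileged": True},
                    "volumeMounts": [{"name": n, "readOnly": True} for n in
                                     ["rootfs", "var-run", "sys", "docker", "disk"]]}],
}
# A constructed restrictive policy that allows neither hostPath nor privileged.
RESTRICTED_PSP = {"volumes": ["configMap", "secret", "emptyDir"], "privileged": False}
# The policy posted above, expressed as a dict.
CADVISOR_PSP = {"privileged": True, "volumes": ["hostPath"],
                "allowedHostPaths": [{"pathPrefix": p, "readOnly": True} for p in
                                     ["/dev/disk", "/", "/var/log", "/var/run", "/sys",
                                      "/var/lib/containers", "/var/lib/docker"]]}
```

`validate(CADVISOR_POD, RESTRICTED_PSP)` reproduces the five hostPath errors plus the privileged error from the DaemonSet event, and `validate(CADVISOR_POD, CADVISOR_PSP)` returns no errors.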

astefanutti commented 4 years ago

Thanks a lot for the report. That looks good to me. Would you be able to create a PR?

astefanutti commented 4 years ago

Fixed with #92.

ledroide commented 4 years ago

Additional notes :

astefanutti commented 4 years ago

> Since this is a common pattern for containerd in Kubernetes, I suggest you add this rule by default, or as a comment in the psp manifest

Thanks for the suggestion. I've added it in 6320993dc8d1d2f9e4c1e694c354cc60b05dac44.