deis / workflow

The open source PaaS for Kubernetes.
https://deis.com/workflow/
MIT License

securityContext.privileged: Forbidden: disallowed by policy #200

Closed cphrmky closed 8 years ago

cphrmky commented 8 years ago

I'm running into this error when I try to install v2 on a freshly created kubernetes cluster. It's possible I have my kubernetes configured wrong, but I'm not sure. Any suggestions for where I should begin poking around to debug this install issue would be greatly appreciated. Error output below.


root@kube-master:~/kubernetes/cluster# helm repo add deis https://github.com/deis/charts
[WARN] Oops! Looks like we had some issues running your command! Running `helm doctor` to ensure we have all the necessary prerequisites in place...
---> Checking things locally...
---> Creating /root/.helm/config.yaml
---> Everything looks good! Happy helming!
---> Continuing onwards and upwards!
---> Cloning into '/root/.helm/cache/deis'...
---> Hooray! Successfully added the repo.
root@kube-master:~/kubernetes/cluster# helm fetch deis/workflow-beta2 
---> Fetched chart into workspace /root/.helm/workspace/charts/workflow-beta2
---> Done
root@kube-master:~/kubernetes/cluster# helm generate -x manifests workflow-beta2
---> Ran 13 generators.
root@kube-master:~/kubernetes/cluster# helm install workflow-beta2
---> Running `kubectl create -f` ...
namespace "deis" created
secret "builder-key-auth" created
secret "django-secret-key" created
secret "database-creds" created
secret "minio-user" created
secret "objectstorage-keyfile" created
secret "deis-router-dhparam" created
serviceaccount "deis-builder" created
serviceaccount "deis-controller" created
serviceaccount "deis-database" created
serviceaccount "deis-logger-fluentd" created
serviceaccount "deis-logger" created
serviceaccount "deis-minio" created
serviceaccount "deis-registry" created
serviceaccount "deis-router" created
serviceaccount "deis-workflow-manager" created
service "deis-builder" created
service "deis-controller" created
service "deis-database" created
service "deis-logger" created
service "deis-minio" created
service "deis-registry" created
service "deis-router" created
service "deis-workflow-manager" created
replicationcontroller "deis-builder" created
replicationcontroller "deis-controller" created
replicationcontroller "deis-database" created
replicationcontroller "deis-logger" created
replicationcontroller "deis-minio" created
replicationcontroller "deis-registry" created
replicationcontroller "deis-router" created
replicationcontroller "deis-workflow-manager" created
The DaemonSet "deis-logger-fluentd" is invalid.
spec.template.spec.containers[0].securityContext.privileged: Forbidden: disallowed by policy

[ERROR] Failed to upload manifests: exit status 1
root@kube-master:~/kubernetes/cluster# 

bacongobbler commented 8 years ago

Could you please provide the documentation you followed to create the cluster? I'm pretty sure this is because fluentd requires privileged mode (ping @jchauncey; is this still required?), for which you'll have to set --allow-privileged on all of your kubelets.

cphrmky commented 8 years ago

These are the docs that I followed to stand up the kube cluster. http://kubernetes.io/docs/getting-started-guides/ubuntu/

What's the best way to go about passing --allow-privileged to the kubelets?

I started the cluster just by using the kube-up.sh script that comes with the kubernetes from github.

jchauncey commented 8 years ago

It is possible that flag isn't needed anymore. Try removing:

securityContext:
  privileged: true

from the deis-logger-fluentd-daemon.yaml file and redeploying and seeing if that fixes it.

bacongobbler commented 8 years ago

Thanks for the report, @cphrmky! You should be able to install the workflow-dev chart if you want to install workflow on your cluster (after a helm update, of course), or wait until we've released beta3 which we're in the process of testing. :)
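
A pre-flight check for the failure discussed in this thread, added here as an example and not part of the original issue or the Deis charts: it lists which manifest documents request `securityContext.privileged: true` and tests whether a kubelet command line carries `--allow-privileged`. The function names, the sample manifest and the sample kubelet command line are constructed for illustration, and an absent flag is assumed to mean privileged mode is not allowed.

```shell
# Print "Kind/name" for every manifest document that requests a privileged
# container. Line-based heuristic for kubectl-style block YAML, not a parser.
find_privileged() {
    awk '
        function reset() { kind = "?"; name = "?"; in_meta = 0 }
        BEGIN { reset() }
        /^---[ \t]*$/         { reset(); next }          # new YAML document
        /^kind:/              { kind = $2; next }
        /^metadata:[ \t]*$/   { in_meta = 1; next }      # top-level metadata only
        /^[^ \t#]/            { in_meta = 0 }            # any other top-level key
        in_meta && /^  name:/ { name = $2; gsub(/"/, "", name); next }
        /^[ \t]+privileged:[ \t]*true[ \t]*(#.*)?$/ { print kind "/" name }
    ' "$@"
}

# Succeed if a kubelet command line (one string) enables privileged containers.
# Assumption: the last occurrence wins and an absent flag means "not allowed".
allows_privileged() {
    allowed=1
    for arg in $1; do
        case "$arg" in
            --allow-privileged|--allow-privileged=true) allowed=0 ;;
            --allow-privileged=false) allowed=1 ;;
        esac
    done
    return "$allowed"
}

# Constructed sample input, not the real contents of the workflow chart.
sample_manifest() {
    cat <<'EOF'
kind: ReplicationController
metadata:
  name: example-router
---
kind: DaemonSet
metadata:
  name: example-logger-fluentd
spec:
  template:
    spec:
      containers:
      - name: fluentd
        securityContext:
          privileged: true
EOF
}
needed=$(sample_manifest | find_privileged)
allows_privileged "kubelet --allow-privileged=false" ||
    echo "blocked by policy unless privileged mode is allowed: $needed"
```

Pointing `find_privileged` at the generated manifest files before an install shows which workloads would need privileged mode enabled, or the `securityContext` block removed.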