kubesphere / kubeeye

KubeEye aims to find various problems on Kubernetes, such as application misconfiguration, unhealthy cluster components and node problems.
https://kubesphere.io
Apache License 2.0

Using ./ke install npd, the DaemonSet node-problem-detector is created, but kubectl logs of the node-problem-detector pod shows many errors. #306

Closed jjahg520 closed 11 months ago

jjahg520 commented 11 months ago

Please provide an in-depth description of the question you have:

What do you think about this question?:

Environment:

jjahg520 commented 11 months ago

npd-resources.yaml has no serviceaccount, so the pod uses the default serviceaccount. Error:

```
E1108 03:42:44.955770 1 manager.go:162] failed to update node conditions: nodes "10.150.67.46" is forbidden: User "system:serviceaccount:kube-system:default" cannot patch resource "nodes/status" in API group "" at the cluster scope
```

But I found this in the node-problem-detector pod log:

```
I1108 03:42:43.253753 1 log_monitor.go:235] Initialize condition generated: [{Type:KernelDeadlock Status:False Transition:2023-11-08 03:42:43.253689447 -0500 EST m=+310.79 Reason:KernelHasNoDeadlock Message:kernel has no deadlock} {Type:ReadonlyFilesystem Status:False Transition:2023-11-08 03:42:43.25368994 -0500 EST m=+310.799476482 Reason:FilesystemIsNotReadOnly Message:Filesystem is not read-only}]
```

(the pod logs) Does it mean that the inspection has been successful?

I use `./ke audit -f config -o json > tem.txt`.
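The `forbidden` message above is the kube-apiserver's RBAC denial: the pod runs as `system:serviceaccount:kube-system:default`, which has no binding granting `patch` on `nodes/status`, so node-problem-detector cannot write node conditions even though its monitors start fine. The following is an added example, not code from KubeEye or node-problem-detector: it parses that log line into the (user, verb, API group, resource) tuple RBAC evaluates and checks it offline against ClusterRole rules written as plain dicts, using the same wildcard matching as Kubernetes RBAC. The rule sets are assumptions: an empty set for the default ServiceAccount, and a ClusterRole modelled on the upstream node-problem-detector manifest; the log line is the one from the issue with the resource name restored to the apiserver's standard wording.

```python
"""Offline check of why node-problem-detector was 'forbidden'.

Added example (not KubeEye or node-problem-detector code).  It parses a
kube-apiserver 'forbidden' message and evaluates the request against
RBAC rules expressed as dicts, the way `kubectl auth can-i` would.
"""
import re

# Constructed sample: the line from the issue, resource wording restored.
FORBIDDEN_LINE = (
    'E1108 03:42:44.955770 1 manager.go:162] failed to update node conditions: '
    'nodes "10.150.67.46" is forbidden: User "system:serviceaccount:kube-system:default" '
    'cannot patch resource "nodes/status" in API group "" at the cluster scope'
)

FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" at the cluster scope'
)

# Assumption: the default ServiceAccount in kube-system has no bindings at all.
DEFAULT_SA_RULES = []

# Assumption: a ClusterRole modelled on the upstream node-problem-detector RBAC.
NPD_CLUSTERROLE_RULES = [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["nodes/status"], "verbs": ["patch"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch", "update"]},
]


def parse_forbidden(line):
    """Return the request fields from a 'forbidden' log line, or None if absent."""
    m = FORBIDDEN_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    # system:serviceaccount:<namespace>:<name> -> namespace of the caller
    parts = d["user"].split(":")
    d["namespace"] = parts[2] if d["user"].startswith("system:serviceaccount:") else None
    return d


def _resource_matches(rule_resource, requested):
    """Kubernetes RBAC resource matching: '*', exact name, or '*/subresource'."""
    if rule_resource == "*" or rule_resource == requested:
        return True
    if rule_resource.startswith("*/") and "/" in requested:
        return requested.split("/", 1)[1] == rule_resource[2:]
    return False


def can_i(rules, verb, group, resource):
    """True if any rule grants verb on group/resource (RBAC is allow-only, any match wins)."""
    for rule in rules:
        if not any(g in ("*", group) for g in rule.get("apiGroups", [])):
            continue
        if not any(v in ("*", verb) for v in rule.get("verbs", [])):
            continue
        if any(_resource_matches(r, resource) for r in rule.get("resources", [])):
            return True
    return False


def explain(line, roles):
    """Map each candidate role name to whether it would have allowed the denied request."""
    req = parse_forbidden(line)
    if req is None:
        return None
    return {name: can_i(rules, req["verb"], req["group"], req["resource"])
            for name, rules in roles.items()}


if __name__ == "__main__":
    print(parse_forbidden(FORBIDDEN_LINE))
    print(explain(FORBIDDEN_LINE, {"kube-system/default": DEFAULT_SA_RULES,
                                   "npd-clusterrole": NPD_CLUSTERROLE_RULES}))
```

Against a live cluster the same question is `kubectl auth can-i patch nodes/status --as=system:serviceaccount:kube-system:default`. The fix the message points at is a dedicated ServiceAccount, a ClusterRole carrying the `nodes/status` patch rule, a ClusterRoleBinding between them, and `serviceAccountName` in the DaemonSet pod spec, rather than widening what the default ServiceAccount can do.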

jjahg520 commented 11 months ago

I use `./ke audit -f config -o json > tem.txt`. tem.txt:

```json
"resourceType": "DaemonSet",
"resourceInfos": {
  "name": "node-problem-detector",
  "items": [
    {
      "level": "warning",
      "message": "NoLivenessProbe",
      "describe": "A liveness probe is used to detect and handle the broken state of an application.",
      "suggest": "Set a liveness probe"
    },
    {
      "level": "ignore",
      "message": "NoPriorityClassName",
      "describe": "A PriorityClass defines a mapping from a priority class name to a priority integer value",
      "suggest": "Add a memory resource request to each container spec. It is up to you to decide how much memory to allocate to your application. Setting the memory limit too high may make the application unschedulable, while setting it too low may cause your application to contend for resources. For mission-critical or user-facing applications, it is recommended to set the memory resource request equal to the memory resource limit, which ensures the application has exclusive use of its resources."
    },
    {
      "level": "danger",
      "message": "PrivilegedAllowed",
      "describe": "On Linux, any container in a Pod can enable privileged mode using the privileged (Linux) flag in the security context of the container spec. This is useful for containers that want to use operating system administrative capabilities (such as manipulating the network stack and accessing devices).",
      "suggest": "Disallow privileged mode"
    },
    {
      "level": "warning",
      "message": "NotReadOnlyRootFilesystem",
      "describe": "Requires containers to run with the root filesystem mounted read-only (i.e. no writable layer is allowed).",
      "suggest": "Set readOnlyRootFilesystem"
    },
    {
      "level": "warning",
      "message": "NoReadinessProbe",
      "describe": "No readiness check is configured",
      "suggest": "Set a correct readinessProbe"
    },
    {
      "level": "warning",
      "message": "NotRunAsNonRoot",
      "describe": "Requires that the submitted Pod has a non-zero runAsUser value, or that the image defines a USER directive (with a numeric UID). If the Pod sets neither runAsNonRoot nor runAsUser, the Pod is mutated to set runAsNonRoot=true, which requires the container to provide a non-zero numeric user ID via the USER directive. This setting has no default. When using this setting, it is strongly recommended to also set allowPrivilegeEscalation=false.",
      "suggest": "Set runAsNonRoot"
    }
  ]
}
}
]
},
```

Does it mean that the inspection has been successful?
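The audit output above lists findings per workload with a `level` of `ignore`, `warning` or `danger`; the audit having run is not the same as the workload passing it. The following is an added example, not KubeEye code, showing how a practitioner might consume such a report as a gate: flatten the entries, count findings per resource and level, and return a non-zero status if any finding at or above a chosen level is not on an accepted-risk list. The sample report is constructed to mirror the posted fragment (with `describe` fields dropped), the outer wrapping of the real file is not shown on the page so `load_results` accepts either a bare list or an object containing one, and the accepted-risk entry is an assumption: node-problem-detector is typically run privileged to read the host kernel log, so that finding is waived while the rest still count.

```python
"""Triage a KubeEye `ke audit -o json` report offline.

Added example, not KubeEye code.  The report structure is taken from the
fragment posted in the issue; the outer wrapping key is not known here.
"""
import json

LEVELS = {"ignore": 0, "warning": 1, "danger": 2}

# Constructed sample mirroring the posted output (describe fields omitted).
SAMPLE_REPORT = json.dumps([
    {
        "resourceType": "DaemonSet",
        "resourceInfos": {
            "name": "node-problem-detector",
            "items": [
                {"level": "warning", "message": "NoLivenessProbe", "suggest": "Set a liveness probe"},
                {"level": "ignore", "message": "NoPriorityClassName", "suggest": "Set a priorityClassName"},
                {"level": "danger", "message": "PrivilegedAllowed", "suggest": "Disallow privileged mode"},
                {"level": "warning", "message": "NotReadOnlyRootFilesystem", "suggest": "Set readOnlyRootFilesystem"},
                {"level": "warning", "message": "NoReadinessProbe", "suggest": "Set a correct readinessProbe"},
                {"level": "warning", "message": "NotRunAsNonRoot", "suggest": "Set runAsNonRoot"},
            ],
        },
    }
])

# Assumed accepted risks, keyed by (resourceType, name): node-problem-detector
# typically needs privileged mode to read the host kernel log, so it is waived.
ACCEPTED = {("DaemonSet", "node-problem-detector"): {"PrivilegedAllowed"}}


def load_results(text):
    """Return the list of result entries from a report (bare list or wrapped in an object)."""
    data = json.loads(text)
    if isinstance(data, list):
        return data
    if isinstance(data, dict):
        for value in data.values():
            if isinstance(value, list) and value and "resourceType" in value[0]:
                return value
    raise ValueError("no result list found in report")


def findings(results):
    """Flatten the report into (resourceType, name, level, message, suggest) rows."""
    rows = []
    for entry in results:
        info = entry.get("resourceInfos", {})
        for item in info.get("items", []):
            rows.append((entry.get("resourceType"), info.get("name"),
                         item.get("level"), item.get("message"), item.get("suggest", "")))
    return rows


def summarize(results):
    """Count findings per (resourceType, name) and level."""
    out = {}
    for rtype, name, level, _msg, _sug in findings(results):
        counts = out.setdefault((rtype, name), {})
        counts[level] = counts.get(level, 0) + 1
    return out


def blocking(results, min_level="danger", accepted=None):
    """Findings at or above min_level that are not on the accepted-risk list."""
    accepted = accepted or {}
    threshold = LEVELS[min_level]
    return [
        (rtype, name, level, msg, sug)
        for rtype, name, level, msg, sug in findings(results)
        if LEVELS.get(level, 0) >= threshold
        and msg not in accepted.get((rtype, name), set())
    ]


def main(text=SAMPLE_REPORT):
    """Print a summary and return 1 if any unaccepted blocking finding remains."""
    results = load_results(text)
    for key, counts in summarize(results).items():
        print(key, counts)
    blockers = blocking(results, "danger", ACCEPTED)
    for row in blockers:
        print("BLOCK", row)
    return 1 if blockers else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Raising the threshold to `warning` is where the rest of this report bites: the missing probes, the writable root filesystem and the root user are all separate hardening items on the DaemonSet spec, independent of the RBAC error in the first comment.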