nokia / CPU-Pooler

A Device Plugin for Kubernetes, which exposes the CPU cores as consumable Devices to the Kubernetes scheduler.
BSD 3-Clause "New" or "Revised" License

CPU-Pooler fails to start because of PodSecurityPolicy restrictions. #40

Closed adamdembek closed 1 year ago

adamdembek commented 4 years ago

When I install cpu-device-plugin on Kubernetes 1.15 with PodSecurityPolicy enabled, it fails to start because of:

```
Type Reason Age From Message
Warning FailedCreate 4m3s (x17 over 9m30s) daemonset-controller Error creating: pods "cpu-device-plugin-" is forbidden: unable to validate against any pod security policy: [spec.volumes[0].hostPath.pathPrefix: Invalid value: "/var/lib/kubelet/device-plugins/": is not allowed to be used]
```

I think the deployment templates should also create a custom PSP that meets cpupooler requirements, or at least describe what PSP should be created and bound to the cpupooler ServiceAccount.

The webhook-svc-depl.yaml does not specify any ServiceAccount and also has problems when using the default ServiceAccount.

Error: container has runAsNonRoot and image will run as root

To Reproduce: Install CPU-Pooler on Kubernetes with admission-plugins PodSecurityPolicy

Expected behavior: Be able to run with PSP enabled.
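As an added illustration of the kind of policy the comment above asks for (not part of the original issue and not taken from the CPU-Pooler repository), the manifest below sketches a PSP that admits only the hostPath prefix named in the error, plus the RBAC that lets one ServiceAccount use it. The object names, the `kube-system` namespace, the `cpu-device-plugin` ServiceAccount name and the `configMap` volume type are assumptions; the API versions are the ones served by the Kubernetes 1.15 cluster in the report.

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: cpu-device-plugin-psp        # hypothetical name
spec:
  privileged: false
  allowPrivilegeEscalation: false
  # hostPath for the kubelet device-plugin socket directory, secret for the
  # ServiceAccount token; configMap is an assumption, drop it if unused.
  volumes: [hostPath, secret, configMap]
  allowedHostPaths:
    # The exact prefix rejected in the FailedCreate event; nothing wider.
    - pathPrefix: /var/lib/kubelet/device-plugins/
      readOnly: false                # a device plugin creates its socket here
  # RunAsAny does not inject runAsNonRoot. A MustRunAsNonRoot policy is what
  # yields "container has runAsNonRoot and image will run as root" when the
  # image has no non-root user.
  runAsUser: {rule: RunAsAny}
  seLinux: {rule: RunAsAny}
  supplementalGroups: {rule: RunAsAny}
  fsGroup: {rule: RunAsAny}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cpu-device-plugin-psp        # hypothetical name
  namespace: kube-system             # assumed namespace of the DaemonSet
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["cpu-device-plugin-psp"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cpu-device-plugin-psp        # hypothetical name
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cpu-device-plugin-psp
subjects:
  - kind: ServiceAccount
    name: cpu-device-plugin          # hypothetical; use the DaemonSet's own ServiceAccount
    namespace: kube-system
```

Binding the `use` verb to a dedicated ServiceAccount rather than to `default` keeps the hostPath allowance from applying to every other pod in the namespace.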

Levovar commented 1 year ago

PSPs don't exist anymore :)