rguske / my-gitalk

Repository for Gitalk comments on my blog https://rguske.github.io

post/using-windows-smb-shares-in-kubernetes/ #31

Open utterances-bot opened 1 year ago

utterances-bot commented 1 year ago

Using Windows SMB Shares in Kubernetes - Robert Guske

https://rguske.github.io/post/using-windows-smb-shares-in-kubernetes/

hfuhuang commented 1 year ago

Hi Robert, in your example, is the SMB share a kerberized share? In my project, I need to access an external kerberized SMB share from a k8s cluster.

Regards, Hongfu

rguske commented 1 year ago

Hi Hongfu, apologies for my late reply. I am not using a kerberized share. Have you solved your challenge?

rteglgaa commented 9 months ago

Hi Robert,

I am trying to set things up on vSphere 8.0 Update 2 using the latest Tanzu updates, but it fails. Have you had any trouble upgrading your vSphere environment while using this driver? We ran this earlier on 8.0 with no issues.

The error is related to the controller deployment and says (describing the created replicaset):

Error creating: pods "csi-smb-controller-b76b89fdb-hhwzc" is forbidden: violates PodSecurity "restricted:latest": privileged (container "smb" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers "csi-provisioner", "liveness-probe", "smb" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "csi-provisioner", "liveness-probe", "smb" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "csi-provisioner", "liveness-probe", "smb" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "csi-provisioner", "liveness-probe", "smb" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

/Rasmus

rguske commented 9 months ago

Hi @rteglgaa, the behaviour is expected, I assume. Are you using TKG(M) or TKG(S), aka vSphere with Tanzu? For TKGM, this applies: Pod Security. In vSphere with Tanzu, you can enforce a specific Pod Security per Namespace level or for all namespaces: Configure Pod Security for TKR 1.25 and Later.

rteglgaa commented 9 months ago

> Hi @rteglgaa, the behaviour is expected, I assume. Are you using TKG(M) or TKG(S), aka vSphere with Tanzu? For TKGM, this applies: Pod Security. In vSphere with Tanzu, you can enforce a specific Pod Security per Namespace level or for all namespaces: Configure Pod Security for TKR 1.25 and Later.

Thanks - that pointed me in the right direction. It is fixed now.

/Rasmus
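
The PodSecurity rejection quoted in this thread lists five checks of the "restricted" profile. As an added example (not part of the thread and not Kubernetes' own admission code), the sketch below re-implements just those five checks over a pod spec dict so a manifest can be screened before it is applied. `SAMPLE` and `COMPLIANT` are constructed inputs; `SAMPLE` only mirrors the container names from the error and is not the real csi-smb-controller manifest.

```python
def restricted_violations(pod_spec):
    """Return {check: [container names]} for the five checks named in the error.

    Simplified: the real "restricted" profile also covers volumes, host
    namespaces, added capabilities and more.
    """
    pod_sc = pod_spec.get("securityContext", {})
    found = {}

    def flag(check, name):
        found.setdefault(check, []).append(name)

    for c in pod_spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged") is True:
            flag("privileged", name)
        if sc.get("allowPrivilegeEscalation") is not False:
            flag("allowPrivilegeEscalation != false", name)
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            flag("unrestricted capabilities", name)
        # Container-level settings override the pod-level default.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            flag("runAsNonRoot != true", name)
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            flag("seccompProfile", name)
    return found

# Constructed sample: same container names as in the quoted error message.
SAMPLE = {"containers": [
    {"name": "csi-provisioner"},
    {"name": "liveness-probe"},
    {"name": "smb", "securityContext": {"privileged": True}},
]}

# Constructed sample: a pod that passes all five checks.
COMPLIANT = {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "securityContext": {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]}}}],
}

if __name__ == "__main__":
    for check, names in restricted_violations(SAMPLE).items():
        print(f"{check}: {', '.join(names)}")
```

For `SAMPLE` the result matches the quoted error: only `smb` is flagged as privileged, while the other four checks flag all three containers. A pod that must set `privileged=true` cannot pass "restricted" at all, which is why the replies point to namespace-level Pod Security configuration.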