sergelogvinov / proxmox-csi-plugin

Proxmox CSI Plugin
Apache License 2.0

container "proxmox-csi-plugin-node" must not set securityContext.privileged=true #241

Closed dnviti closed 1 month ago

dnviti commented 2 months ago

Bug Report

Description

Logs

Controller: [kubectl logs -c proxmox-csi-plugin-controller proxmox-csi-plugin-controller-...]

Node: [kubectl logs -c proxmox-csi-plugin-node proxmox-csi-plugin-node-...]

Events:
  Type     Reason        Age                  From                  Message
  ----     ------        ----                 ----                  -------
  Warning  FailedCreate  3m38s                daemonset-controller  Error creating: pods "proxmox-csi-plugin-node-hxf84" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "proxmox-csi-plugin-node" must not include "SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "socket", "registration", "kubelet", "dev", "sys"), privileged (container "proxmox-csi-plugin-node" must not set securityContext.privileged=true)
  Warning  FailedCreate  3m38s                daemonset-controller  Error creating: pods "proxmox-csi-plugin-node-zgh8s" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "proxmox-csi-plugin-node" must not include "SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "socket", "registration", "kubelet", "dev", "sys"), privileged (container "proxmox-csi-plugin-node" must not set securityContext.privileged=true)
  Warning  FailedCreate  3m38s                daemonset-controller  Error creating: pods "proxmox-csi-plugin-node-dpfgt" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "proxmox-csi-plugin-node" must not include "SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "socket", "registration", "kubelet", "dev", "sys"), privileged (container "proxmox-csi-plugin-node" must not set securityContext.privileged=true)
  Warning  FailedCreate  3m38s                daemonset-controller  Error creating: pods "proxmox-csi-plugin-node-pwpk7" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "proxmox-csi-plugin-node" must not include "SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "socket", "registration", "kubelet", "dev", "sys"), privileged (container "proxmox-csi-plugin-node" must not set securityContext.privileged=true)
  Warning  FailedCreate  3m38s                daemonset-controller  Error creating: pods "proxmox-csi-plugin-node-lhgdr" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "proxmox-csi-plugin-node" must not include "SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "socket", "registration", "kubelet", "dev", "sys"), privileged (container "proxmox-csi-plugin-node" must not set securityContext.privileged=true)
  Warning  FailedCreate  3m38s                daemonset-controller  Error creating: pods "proxmox-csi-plugin-node-dvv58" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "proxmox-csi-plugin-node" must not include "SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "socket", "registration", "kubelet", "dev", "sys"), privileged (container "proxmox-csi-plugin-node" must not set securityContext.privileged=true)
  Warning  FailedCreate  3m37s                daemonset-controller  Error creating: pods "proxmox-csi-plugin-node-pqz88" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "proxmox-csi-plugin-node" must not include "SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "socket", "registration", "kubelet", "dev", "sys"), privileged (container "proxmox-csi-plugin-node" must not set securityContext.privileged=true)
  Warning  FailedCreate  3m37s                daemonset-controller  Error creating: pods "proxmox-csi-plugin-node-bkpkg" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "proxmox-csi-plugin-node" must not include "SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "socket", "registration", "kubelet", "dev", "sys"), privileged (container "proxmox-csi-plugin-node" must not set securityContext.privileged=true)
  Warning  FailedCreate  3m36s                daemonset-controller  Error creating: pods "proxmox-csi-plugin-node-m6stb" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "proxmox-csi-plugin-node" must not include "SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "socket", "registration", "kubelet", "dev", "sys"), privileged (container "proxmox-csi-plugin-node" must not set securityContext.privileged=true)
  Warning  FailedCreate  54s (x7 over 3m35s)  daemonset-controller  (combined from similar events): Error creating: pods "proxmox-csi-plugin-node-gg7wp" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "proxmox-csi-plugin-node" must not include "SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "socket", "registration", "kubelet", "dev", "sys"), privileged (container "proxmox-csi-plugin-node" must not set securityContext.privileged=true)

Environment

sergelogvinov commented 2 months ago

Hi, you need to create a namespace with special permissions:

https://github.com/sergelogvinov/proxmox-csi-plugin/blob/main/charts/proxmox-csi-plugin/templates/namespace.yaml

dnviti commented 2 months ago

> Hi, you need to create a namespace with special permissions:
>
> https://github.com/sergelogvinov/proxmox-csi-plugin/blob/main/charts/proxmox-csi-plugin/templates/namespace.yaml

I'm trying to create everything with Helm, and I noticed that adding the --create-namespace flag creates a standard, non-privileged namespace. I need to set your createNamespace: true flag in values.yaml, but doing so throws an error:

Error: create: failed to create: namespaces "csi-proxmox" not found

If I create the namespace manually, it works correctly.

sergelogvinov commented 2 months ago

Helm has an issue with creating the namespace; you can google it. So my recommendation is to create the namespace before helm upgrade/install.

The createNamespace: true flag was introduced for generating a YAML file as the result of helm template.
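The fix described in the two maintainer comments above, as an added shell example that is not the chart's own namespace.yaml: it decodes the enforced Pod Security level from the event message in the report, creates the namespace with a privileged enforce label, and then installs the release into that existing namespace without --create-namespace (which would create it unlabeled). The namespace name, the audit/warn label values and CHART_REF are assumptions, not taken from the issue.

```shell
#!/bin/sh
# Added example, not the chart's own namespace.yaml: pre-create the release
# namespace with Pod Security Admission (PSA) labels, then install into it.
# The events in the issue show pods judged at "baseline"; privileged containers
# and hostPath volumes are admitted only at "privileged".
# NAMESPACE, the label values and CHART_REF are assumptions, not from the issue.
set -e
NAMESPACE="${NAMESPACE:-csi-proxmox}"

# Pull the enforced level out of a "violates PodSecurity" event message,
# e.g. '... violates PodSecurity "baseline:latest": ...' -> baseline
psa_enforced_level() {
  printf '%s\n' "$1" | sed -n 's/.*violates PodSecurity "\([a-z]*\):[^"]*".*/\1/p'
}

# Exit 0 if a pod is admitted at enforce level $1.
# $2 is "needs_privileged" (privileged container + hostPath) or "unprivileged".
psa_admits() {
  case "$1:$2" in
    privileged:*|*:unprivileged) return 0 ;;
    *) return 1 ;;
  esac
}

# Enforce privileged so the CSI node DaemonSet is admitted; keep audit/warn at
# baseline so the privileged workload still shows up in the audit log and warnings.
psa_namespace_manifest() {
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: $1
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/warn: baseline
EOF
}

# Touches the cluster only when run as: ./psa-namespace.sh --apply "<event message>"
if [ "${1:-}" = "--apply" ]; then
  level=$(psa_enforced_level "${2:-}")
  if ! psa_admits "${level:-baseline}" needs_privileged; then
    echo "namespace would enforce '${level:-baseline}'; creating $NAMESPACE as privileged"
    psa_namespace_manifest "$NAMESPACE" | kubectl apply -f -
    # The namespace now exists, so no --create-namespace (that one comes unlabeled).
    helm upgrade -i proxmox-csi-plugin "${CHART_REF:?chart reference}" -n "$NAMESPACE"
  fi
fi
```

Paste the message from the FailedCreate event as the second argument; the script only calls kubectl and helm when the decoded level would reject the node pods.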

sergelogvinov commented 1 month ago

https://github.com/sergelogvinov/proxmox-csi-plugin/pull/254 https://github.com/sergelogvinov/proxmox-csi-plugin/blob/main/docs/install.md#install-csi-driver