Summary

    Some applications, for example Weave Scope, require privileged permissions to run. Because ICP does not allow users to run applications with privileged permissions by default, such applications fail to start in an ICP environment. This article provides the steps to run applications that require privileged permissions in an ICP cluster.

Objective

    For example, the Weave Scope application requests privileged permissions in its YAML file, as shown in the fragment below (privileged container, host network, host PID and a mount of the Docker socket).
    ...............
          image: 'weaveworks/scope:1.9.0'
          imagePullPolicy: IfNotPresent
          securityContext:
            privileged: true
          volumeMounts:
            - name: docker-socket
              mountPath: /var/run/docker.sock
            - name: scope-plugins
              mountPath: /var/run/scope/plugins
            - name: sys-kernel-debug
              mountPath: /sys/kernel/debug
      dnsPolicy: ClusterFirstWithHostNet
      hostNetwork: true
      hostPID: true
    ...............

    If you deploy Weave Scope with the above YAML file in an ICP environment, the weave-scope-agent pod cannot be created. The 'kubectl describe pod <weave-scope-agent pod name>' command shows the error message below: the pod admission controller could not find any PodSecurityPolicy that the pod's service account is allowed to use and that permits the requested settings.

    ...............

    Warning  FailedCreate  2m (x109 over 5h)  daemonset-controller  Error creating: pods "weave-scope-agent-" is forbidden: unable to validate against any pod security policy: [spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.containers[0].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used spec.containers[0].securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used]

    ...............

    This article provides the detailed steps to resolve the above issue so that applications requiring privileged permissions (for example Weave Scope) can run in an ICP cluster.

    ICP already defines a PodSecurityPolicy resource named privileged by default, which you can use directly. Alternatively, you can create your own PodSecurityPolicy resource that grants privileged permission. The PodSecurityPolicy resources in the cluster and the settings of the privileged policy can be listed as shown below (the shell prompt's host name is replaced by a placeholder here).

    ...............

    [root@<master> Downloads]# kubectl get PodSecurityPolicy
    NAME         DATA    CAPS   SELINUX    RUNASUSER   FSGROUP    SUPGROUP   READONLYROOTFS   VOLUMES
    default      false   []     RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            [*]
    privileged   true    [*]    RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            [*]
    [root@<master> Downloads]# kubectl describe PodSecurityPolicy privileged
    Name:  privileged

    Settings:
      Allow Privileged:                       true
      Default Add Capabilities:               <none>
      Required Drop Capabilities:             <none>
      Allowed Capabilities:                   *
      Allowed Volume Types:                   *
      Allow Host Network:                     true
      Allow Host Ports:                       1-65535
      Allow Host PID:                         true
      Allow Host IPC:                         true
      Read Only Root Filesystem:              false
      SELinux Context Strategy: RunAsAny
        User:                                 <none>
        Role:                                 <none>
        Type:                                 <none>
        Level:                                <none>
      Run As User Strategy: RunAsAny
        Ranges:                               <none>
      FSGroup Strategy: RunAsAny
        Ranges:                               <none>
      Supplemental Groups Strategy: RunAsAny
        Ranges:                               <none>
    [root@<master> Downloads]#

    ...............

  • Update the application YAML file so that the ClusterRole definition grants the 'use' verb on the privileged PodSecurityPolicy resource. The weave-scope ClusterRole below shows the added rule (the resource name 'privileged' must match the PodSecurityPolicy name listed above).

    ...............

    - apiVersion: rbac.authorization.k8s.io/v1beta1
      kind: ClusterRole
      metadata:
        name: weave-scope
        labels:
          name: weave-scope
      rules:
        # "" is the core API group (pods live there); the original fragment
        # left this value empty, which is not a valid apiGroups list
        - apiGroups:
            - ""
          resources:
            - pods
          verbs:
            - get
            - list
            - watch
            - delete
        ......
        # grant permission to use the pre-defined privileged PodSecurityPolicy
        - apiGroups:
            - extensions
          resources:
            - podsecuritypolicies
          resourceNames:
            - privileged
          verbs:
            - use

    ...............

  • Run the 'kubectl apply -f <NEW_YAML_FILE>' command to apply the changes.
  • Run the 'kubectl get pods' command to check that the application pods are now created and running.
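To make the admission failure and the fix above concrete, the following is an added example (not ICP, Kubernetes or Weave Scope code) that re-implements, in miniature, the PodSecurityPolicy admission decision behind the 'unable to validate against any pod security policy' error. The two policies and the pod spec are constructed from the article's 'kubectl get PodSecurityPolicy' output and the weave-scope-agent fragment; only the privileged, hostNetwork and hostPID checks are modelled, and the function and variable names are the example's own. Granting the ClusterRole's 'use' verb on the privileged policy corresponds to adding "privileged" to the list of policies the pod's service account may use.

```python
"""Miniature model of PodSecurityPolicy admission (added example).

A pod is admitted if at least one policy that its service account is
authorised to 'use' accepts every security-relevant field of the pod.
If no policy accepts it, the controller reports the violations against
each policy it tried, which is the error text seen in the article.
"""

from typing import Dict, List, Optional, Tuple

# Constructed from the article's 'kubectl get PodSecurityPolicy' output:
# 'default' forbids everything, 'privileged' allows everything.
POLICIES: Dict[str, Dict[str, bool]] = {
    "default": {"privileged": False, "hostNetwork": False, "hostPID": False},
    "privileged": {"privileged": True, "hostNetwork": True, "hostPID": True},
}

# Constructed pod spec mirroring the weave-scope-agent fragment in the article.
WEAVE_SCOPE_AGENT_SPEC: Dict = {
    "hostNetwork": True,
    "hostPID": True,
    "containers": [
        {"name": "scope-agent", "securityContext": {"privileged": True}},
    ],
}


def violations(pod_spec: Dict, policy: Dict[str, bool]) -> List[str]:
    """Return the list of fields in pod_spec that the policy forbids."""
    errs: List[str] = []
    if pod_spec.get("hostNetwork") and not policy["hostNetwork"]:
        errs.append("spec.securityContext.hostNetwork: Invalid value: true: "
                    "Host network is not allowed to be used")
    if pod_spec.get("hostPID") and not policy["hostPID"]:
        errs.append("spec.securityContext.hostPID: Invalid value: true: "
                    "Host PID is not allowed to be used")
    for i, container in enumerate(pod_spec.get("containers", [])):
        sc = container.get("securityContext") or {}
        if sc.get("privileged") and not policy["privileged"]:
            errs.append(f"spec.containers[{i}].securityContext.privileged: "
                        "Invalid value: true: Privileged containers are not allowed")
    return errs


def admit(pod_spec: Dict, usable_policies: List[str]) -> Tuple[Optional[str], List[str]]:
    """Try each policy the service account may 'use'; return the first that
    admits the pod, or (None, accumulated violations) if none does."""
    collected: List[str] = []
    for name in usable_policies:
        errs = violations(pod_spec, POLICIES[name])
        if not errs:
            return name, []
        collected.extend(errs)
    return None, collected


def forbidden_message(pod_name: str, errs: List[str]) -> str:
    """Format the violations the way the daemonset-controller event does."""
    return (f'pods "{pod_name}" is forbidden: unable to validate against any '
            f'pod security policy: [{" ".join(errs)}]')


if __name__ == "__main__":
    # Before the fix: the service account may only use 'default'.
    chosen, errs = admit(WEAVE_SCOPE_AGENT_SPEC, ["default"])
    print("before:", chosen, forbidden_message("weave-scope-agent-", errs))
    # After adding the 'use' rule for 'privileged' to the ClusterRole.
    chosen, errs = admit(WEAVE_SCOPE_AGENT_SPEC, ["default", "privileged"])
    print("after: admitted by", chosen)
```

The model makes the scope of the fix visible: the privileged policy only becomes available to the service accounts bound to the ClusterRole carrying the 'use' rule, so bind that role to the application's own service account rather than to a broad group, and keep every other workload on the default policy.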