Kubernetes Rancher provisioner security context error


I am trying to implement Rancher.io's local-path provisioner in my Kubernetes cluster. It is a single-node k8s cluster, installed on NixOS, for testing purposes.

I followed Rancher's procedure:

kubectl apply -f https://raw.githubusercontent.com/rancher/local-path-provisioner/v0.0.24/deploy/local-path-storage.yaml

At this point I have no errors, and I can confirm that the Rancher provisioner is running as expected:

$ kubectl get pods -n local-path-storage
NAME                                      READY   STATUS    RESTARTS   AGE
local-path-provisioner-8559f79bcf-gg2rk   1/1     Running   0          5m55s

Next I tried to run a stateful application, as described in their documentation, as follows:

kubectl create -f https://raw.githubusercontent.com/rancher/local-path-provisioner/master/examples/pvc/pvc.yaml
kubectl create -f https://raw.githubusercontent.com/rancher/local-path-provisioner/master/examples/pod/pod.yaml

Unfortunately, the PVC is stuck in the Pending state, with the following error:

$ kubectl events pvc --types=Warning
LAST SEEN               TYPE      REASON                OBJECT                                 MESSAGE
3m29s (x5 over 7m14s)   Warning   ProvisioningFailed    PersistentVolumeClaim/wp-pv-claim      failed to provision volume with StorageClass "local-path": failed to create volume pvc-966b701d-9a11-4fa5-bb16-e7c40cb8ca58: Pod "helper-pod-create-pvc-966b701d-9a11-4fa5-bb16-e7c40cb8ca58" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy

I know that Pod Security Policies are now deprecated.

As I am a beginner with Kubernetes, as well as with NixOS, I don't know where to change the security context or how to manage it.

For more information, here is my NixOS Kubernetes-related configuration:

{ config, pkgs, ... }:
let
  kubeMasterIP = "192.168.100.212";
  kubeMasterHostname = "k8s-nix";
  kubeMasterAPIServerPort = 6443;
in
{
  # resolve master hostname
  networking.extraHosts = "${kubeMasterIP} ${kubeMasterHostname}";

  # Required packages for building cluster
  environment.systemPackages = with pkgs; [
    cri-o
    podman
    kubernetes
    kubernetes-helm
  ];

  # Kubernetes
  services.kubernetes = {
    roles = ["master" "node"];
    masterAddress = kubeMasterHostname;
    apiserverAddress = "https://${kubeMasterHostname}:${toString kubeMasterAPIServerPort}";
    easyCerts = true;
    apiserver = {
      securePort = kubeMasterAPIServerPort;
      advertiseAddress = kubeMasterIP;
    };

    # use coredns
    addons.dns.enable = true;

    # needed if you use swap
    kubelet.extraOpts = "--fail-swap-on=false";
  };

  environment.shellAliases = {
    k = "kubectl";
  };
}
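
An added triage example, not part of the original post: it maps the rejection text from the event above to the control that produced it, and reads the effective `--allow-privileged` value from a kube-apiserver command line. The function names and the sample command line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# Map an admission error string to the control that produced it.
classify_rejection() {
  case "$1" in
    *'securityContext.privileged: Forbidden: disallowed by cluster policy'*)
      # API object validation: kube-apiserver is not running with
      # --allow-privileged=true, so privileged pods are invalid cluster-wide.
      echo "apiserver-allow-privileged" ;;
    *'violates PodSecurity'*)
      # Pod Security Admission, driven by namespace labels.
      echo "pod-security-admission" ;;
    *'unable to validate against any pod security policy'*)
      # Legacy PodSecurityPolicy admission (removed in Kubernetes v1.25).
      echo "pod-security-policy" ;;
    *)
      echo "unknown" ;;
  esac
}

# Report the effective --allow-privileged value from a kube-apiserver
# command line. The flag defaults to false and the last occurrence wins.
# Only the plain true/false spellings are handled here.
allow_privileged_from_cmdline() (
  set -f                      # no globbing while splitting the argument list
  result=false
  for arg in $1; do
    case "$arg" in
      --allow-privileged|--allow-privileged=true) result=true ;;
      --allow-privileged=false) result=false ;;
    esac
  done
  echo "$result"
)

# Message from the post's event, shortened to the relevant part.
event='Pod "helper-pod-create-pvc-966b701d-9a11-4fa5-bb16-e7c40cb8ca58" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy'
# Constructed command line (assumption, not taken from the post's cluster).
sample_cmdline='kube-apiserver --secure-port=6443 --allow-privileged=false'

echo "rejected by: $(classify_rejection "$event")"
echo "allow-privileged: $(allow_privileged_from_cmdline "$sample_cmdline")"
# On a live node:
# allow_privileged_from_cmdline "$(tr '\0' ' ' < /proc/$(pgrep -o kube-apiserver)/cmdline)"
```

In the NixOS module used above, that flag is driven by `services.kubernetes.apiserver.allowPrivileged`, which defaults to false. Once it is enabled, namespace-level Pod Security Admission labels are the remaining control over which pods may run privileged.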
