我无法使用"az-aks命令调用";因为https://store.policy.core.windows.net/kubernetes/container-no-privilege-escalation/v3/template.yaml正在阻止权限升级。当我尝试时,我得到了以下错误
(KubernetesOperationError) Failed to run command in managed cluster due to kubernetes failure. details: admission webhook "validation.gatekeeper.sh" denied the request: [azurepolicy-k8sazurev3noprivilegeescalatio-adff37e713cffbf58639] Privilege escalation container is not allowed: init-command
[azurepolicy-k8sazurev3noprivilegeescalatio-adff37e713cffbf58639] Privilege escalation container is not allowed: user-command
Code: KubernetesOperationError
Message: Failed to run command in managed cluster due to kubernetes failure. details: admission webhook "validation.gatekeeper.sh" denied the request: [azurepolicy-k8sazurev3noprivilegeescalatio-adff37e713cffbf58639] Privilege escalation container is not allowed: init-command
[azurepolicy-k8sazurev3noprivilegeescalatio-adff37e713cffbf58639] Privilege escalation container is not allowed: user-command
这是应用AKS内置政策的预期分支吗?
如果应用了防止权限提升容器的策略,则az aks command invoke不起作用。
如果你有特定的Azure策略,这可能会导致az aks command invoke失败,因为这可能不允许command-<ID>pod的特定配置。
建议为不允许创建pod的关联Azure策略免除aks-command命名空间。
您可以通过访问Azure门户网站来做到这一点->策略->工作分配->识别分配并访问它们->编辑工作分配->参数->取消选中"仅显示需要输入或查看的参数"框->在"命名空间排除"下添加"aks命令"。
或者,您可以检查"command-"pod的配置,并相应地调整策略(如果它不是内置的(。