无法在RKE2 Kubernetes集群上部署pgadmin

我想将pgadmin部署在RKE2 Kubernetes集群上以访问数据库。不幸的是,pgadmin舱由于PSP问题我觉得崩溃。我知道PSP已经过时了，我们计划很快切换到OPA，但同时使用pgadmin会更有效率。

部署文件如下所示:

apiVersion: apps/v1
kind: Deployment
metadata:
name: pgadmin
spec:
selector:
matchLabels:
app: pgadmin
replicas: 1
template:
metadata:
labels:
app: pgadmin
spec:
containers:
- name: pgadmin4
image: dpage/pgadmin4:latest
env:
- name: PGADMIN_DEFAULT_EMAIL
value: "test@ind.nl"
- name: PGADMIN_DEFAULT_PASSWORD
value: "test"
- name: PGADMIN_PORT
value: "80"
ports:
- containerPort: 80
name: pgadminport
securityContext:
runAsUser: 0
runAsGroup: 0
allowPrivilegeEscalation: true
readOnlyRootFilesystem: false
---
apiVersion: v1
kind: Service
metadata:
name: pgadmin
labels:
app: pgadmin
spec:
selector:
app: pgadmin
type: NodePort
ports:
- port: 80
nodePort: 30200

返回带有权限问题的日志:

/entrypoint.sh: line 62: /venv/bin/python3: Operation not permitted
sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted
sudo: no valid sudoers sources found, quitting
sudo: error initializing audit plugin sudoers_audit
/entrypoint.sh: line 84: /venv/bin/python3: Operation not permitted
/entrypoint.sh: exec: line 92: /venv/bin/gunicorn: Operation not permitted

当我将runAsUser和runAsGroup变量编辑为5050时，它返回这些日志:

/entrypoint.sh: line 62: /venv/bin/python3: Operation not permitted
sudo: unable to change to root gid: Operation not permitted
sudo: error initializing audit plugin sudoers_audit
/entrypoint.sh: line 84: /venv/bin/python3: Operation not permitted
/entrypoint.sh: exec: line 92: /venv/bin/gunicorn: Operation not permitted

当我将runAsGroup变量编辑回0时，它返回以下日志:

/entrypoint.sh: line 62: /venv/bin/python3: Operation not permitted
sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted
sudo: no valid sudoers sources found, quitting
sudo: setresuid() [0, 0, 0] -> [5050, -1, -1]: Operation not permitted
sudo: error initializing audit plugin sudoers_audit
/entrypoint.sh: line 84: /venv/bin/python3: Operation not permitted
/entrypoint.sh: exec: line 92: /venv/bin/gunicorn: Operation not permitted

更新1:正在使用的PSP是这样的:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
annotations:
psp.rke2.io/global-restricted: resolved
creationTimestamp: "2022-06-30T14:00:25Z"
name: global-restricted-psp
resourceVersion: "3493795"
uid: b7209f38-9609-4b81-b3ef-ab7a17b39bbd
spec:
allowPrivilegeEscalation: true
fsGroup:
ranges:
- max: 65535
min: 0
rule: MustRunAs
requiredDropCapabilities:
- ALL
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
ranges:
- max: 65535
min: 0
rule: MustRunAs
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
- persistentVolumeClaim

有人想法吗?