kube-proxy daemonset 权限问题

我使用 kubeadm 安装了一个全新的 1.16.0 工作节点，我得到以下结果：

Kubernetes version: Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.6", GitCommit:"96fac5cd13a5dc064f7d9f4f23030a6aeface6cc", GitTreeState:"clean", BuildDate:"2019-08-19T11:13:49Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.0", GitCommit:"e8462b5b5dc2584fdcd18e6bcfe9f1e4d970a529", GitTreeState:"clean", BuildDate:"2019-06-19T16:32:14Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}
OS: 18.04.3 LTS (Bionic Beaver)
Kernel:  Linux kube-node-5 4.15.0-65-generic #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Name:           kube-proxy
Selector:       k8s-app=kube-proxy
Node-Selector:  beta.kubernetes.io/os=linux
Labels:         k8s-app=kube-proxy
Annotations:    deprecated.daemonset.template.generation: 2
Desired Number of Nodes Scheduled: 8
Current Number of Nodes Scheduled: 8
Number of Nodes Scheduled with Up-to-date Pods: 8
Number of Nodes Scheduled with Available Pods: 8
Number of Nodes Misscheduled: 0
Pods Status:  8 Running / 0 Waiting / 0 Succeeded / 0 Failed
Pod Template:
Labels:           k8s-app=kube-proxy
Service Account:  kube-proxy
Containers:
kube-proxy:
Image:      k8s.gcr.io/kube-proxy:v1.15.0
Port:       <none>
Host Port:  <none>
Command:
/usr/local/bin/kube-proxy
--config=/var/lib/kube-proxy/config.conf
--hostname-override=$(NODE_NAME)
Environment:
NODE_NAME:   (v1:spec.nodeName)
Mounts:
/lib/modules from lib-modules (ro)
/run/xtables.lock from xtables-lock (rw)
/var/lib/kube-proxy from kube-proxy (rw)
Volumes:
kube-proxy:
Type:      ConfigMap (a volume populated by a ConfigMap)
Name:      kube-proxy
Optional:  false
xtables-lock:
Type:          HostPath (bare host directory volume)
Path:          /run/xtables.lock
HostPathType:  FileOrCreate
lib-modules:
Type:          HostPath (bare host directory volume)
Path:          /lib/modules
HostPathType:  
Events:
Type     Reason        Age                  From                  Message
----     ------        ----                 ----                  -------
Warning  FailedCreate  3h55m                daemonset-controller  Error creating: Pod "kube-proxy-nz5bk" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning  FailedCreate  3h38m                daemonset-controller  Error creating: Pod "kube-proxy-l26kw" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning  FailedCreate  3h21m                daemonset-controller  Error creating: Pod "kube-proxy-fjcpd" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning  FailedCreate  3h7m                 daemonset-controller  Error creating: Pod "kube-proxy-msqnx" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning  FailedCreate  3h7m                 daemonset-controller  Error creating: Pod "kube-proxy-pssv5" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning  FailedCreate  3h7m                 daemonset-controller  Error creating: Pod "kube-proxy-59cx8" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning  FailedCreate  3h7m                 daemonset-controller  Error creating: Pod "kube-proxy-t9nh2" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning  FailedCreate  3h7m                 daemonset-controller  Error creating: Pod "kube-proxy-5hp6c" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning  FailedCreate  3h7m                 daemonset-controller  Error creating: Pod "kube-proxy-hbbl4" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning  FailedCreate  3h7m                 daemonset-controller  Error creating: Pod "kube-proxy-zph4z" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning  FailedCreate  3h7m                 daemonset-controller  Error creating: Pod "kube-proxy-prj9w" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning  FailedCreate  3h7m                 daemonset-controller  Error creating: Pod "kube-proxy-rhnjq" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning  FailedCreate  177m (x9 over 3h7m)  daemonset-controller  (combined from similar events): Error creating: Pod "kube-proxy-whdnm" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning  FailedCreate  166m                 daemonset-controller  Error creating: Pod "kube-proxy-2xhgt" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning  FailedCreate  149m                 daemonset-controller  Error creating: Pod "kube-proxy-zd429" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning  FailedCreate  132m                 daemonset-controller  Error creating: Pod "kube-proxy-wzn8x" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning  FailedCreate  124m                 daemonset-controller  Error creating: Pod "kube-proxy-l8csx" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning  FailedCreate  124m                 daemonset-controller  Error creating: Pod "kube-proxy-6jxpl" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning  FailedCreate  124m                 daemonset-controller  Error creating: Pod "kube-proxy-jk29x" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning  FailedCreate  124m                 daemonset-controller  Error creating: Pod "kube-proxy-p7db2" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning  FailedCreate  124m                 daemonset-controller  Error creating: Pod "kube-proxy-kf8qz" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning  FailedCreate  124m                 daemonset-controller  Error creating: Pod "kube-proxy-l5wjh" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning  FailedCreate  124m                 daemonset-controller  Error creating: Pod "kube-proxy-d8brg" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning  FailedCreate  124m                 daemonset-controller  Error creating: Pod "kube-proxy-6w2ql" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning  FailedCreate  124m                 daemonset-controller  Error creating: Pod "kube-proxy-d4n47" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Warning  FailedCreate  122m (x7 over 124m)  daemonset-controller  (combined from similar events): Error creating: Pod "kube-proxy-2lnpb" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy

不太有趣的事情是，所有其他节点在创建 kube-proxy pod 时绝对没有问题。只有这一个节点因上述错误而失败。

我已经尝试了各种方法来解决此问题，但尚未找到解决方案。以前使用 kubeadm 的安装是完美无缺的。

我有一种感觉，我缺少一个 PodSecurityPolicy 和一个绑定到 kube-proxy 角色。我肯定错过了一些东西，但我不知道。

尝试从不同的 relese 向现有集群添加新节点非常奇怪。以 1.1.15 为例，已弃用的 kubelet 安全控制 AllowPrivileged 请参考发布 CHANGELOG-1.15.md

已弃用的 kubelet 安全控制 AllowPrivileged、HostNetworkSources、HostPIDSources 和 HostIPCSources 已被移除。这些限制的执行应改为通过准入控制(如 PodSecurityPolicy(来完成
。

在我看来，您应该删除此节点(请参阅这些文档之前(：

安全地排空节点，同时遵守 PodDisruptionBudget
节点
集群管理
升级 kubeadm 集群

之后，您应该根据最佳实践升级集群。

请注意，在开始将集群升级到 v1.16.0 版本之前，请执行以下操作：关于上一版本中的其他值得注意的更改。

紧急升级说明

相关内容

最新更新

热门标签：