Kubernetes: Privileged container in Linux docker-multinode cluster

1/13/2016

(I have looked at some other threads, but apparently privileged mode is now supported in the latest code, so I am wondering if I have hit a bug.)

I have two physical servers: both running Linux (ubuntu), with the latest kubernetes code from github yesterday.

I am running docs/getting-started-guides/docker-multinode/master.sh (& worker.sh).

On Master node:

$ kubectl create -f examples/nfs/nfs-server-rc.yaml
The ReplicationController "nfs-server" is invalid. 
spec.template.spec.containers[0].securityContext.privileged: forbidden '<*>(0xc208389770)true'

Question: Is this supported? Or am I doing something wrong? Or is this a bug, please?

master.sh code already has the option --allow-privileged=true provided.

The following options were set, but without great conviction, just because I saw some discussion elsewhere setting them.

/etc/default/kubelet: 
    `KUBELET_OPTS="--allow_privileged=true"`

/etc/default/kube-apiserver: 
    `KUBE_APISERVER_OPTS="--allow_privileged=true"`

Master configuration:

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"2+", GitVersion:"v1.2.0-alpha.5.833+2e5da8b881e2f5", GitCommit:"2e5da8b881e2f5b6dfb66653acf4aaa1ca1f398e", GitTreeState:"clean"}
Server Version: version.Info{Major:"1", Minor:"1", GitVersion:"v1.1.3", GitCommit:"6a81b50c7e97bbe0ade075de55ab4fa34f049dc2", GitTreeState:"clean"}

$ docker version
Client:
Version:      1.9.1
API version:  1.21
Go version:   go1.4.2
Git commit:   a34a1d5
Built:        Fri Nov 20 13:12:04 UTC 2015
OS/Arch:      linux/amd64
Server:
Version:      1.9.1
API version:  1.21
Go version:   go1.4.2
Git commit:   a34a1d5
Built:        Fri Nov 20 13:12:04 UTC 2015
OS/Arch:      linux/amd64
-- lakhindr
Tags: containers, kubernetes, ubuntu

2 Answers

1/13/2016

You need to set --allow-privileged=true for both kubelet and kube-apiserver. It looks like master.sh only sets that in kubelet. You may modify the file ./cluster/images/hyperkube/master-multi.json to set --allow-privileged=true for apiserver (should be around line 21 to 30) and rebuild hyperkube images.

-- janetkuo
Source: StackOverflow

4/9/2016

From kubernetes v1.1, any container in a pod can enable privileged mode, using the privileged flag on the SecurityContext of the container spec.

To enable privileged mode, nest `privileged: true` inside the `securityContext` declaration of the container spec:

"securityContext": {
    "privileged": true
}

And, as Janet said, set --allow-privileged=true for both kubelet and kube-apiserver and restart them:

sudo /etc/init.d/kubelet restart
sudo /etc/init.d/kube-apiserver restart

and validate that the flags have changed by using the `ps -ef | grep kube` command.

-- Kamran
Source: StackOverflow
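A small check for that last verification step, added here and not part of the original thread: it reads a `ps -ef` listing on stdin and reports whether the kubelet and apiserver processes (plain binaries or hyperkube subcommands, as in docker-multinode) carry the flag, returning non-zero if either process is missing or lacks it. It accepts the underscore spelling used in the question's /etc/default files and treats a bare `--allow-privileged` as true, which is how Go boolean flags behave.

```sh
#!/bin/sh
# Added example, not from the original answers. Usage:
#   ps -ef | check_allow_privileged
# Exit status 0 only when BOTH kubelet and apiserver run with
# --allow-privileged=true; otherwise the missing piece is printed.
check_allow_privileged() {
    input=$(cat)   # read the listing once so both lookups see it
    rc=0
    for proc in kubelet apiserver; do
        # Match the process name as a program or hyperkube subcommand
        # (e.g. "/usr/bin/kubelet ...", "/hyperkube apiserver ...",
        # "kube-apiserver ...") but not flags such as --kubelet-port,
        # and ignore the grep that usually produced the listing.
        cmd=$(printf '%s\n' "$input" \
              | grep -E "(^|[/ -])${proc}( |$)" \
              | grep -v grep | head -n 1)
        if [ -z "$cmd" ]; then
            echo "$proc: not running"
            rc=1
        # Either spelling; "=true" may be omitted for a boolean flag.
        elif printf '%s\n' "$cmd" \
             | grep -qE '[-]-allow[-_]privileged(=true)?( |$)'; then
            echo "$proc: --allow-privileged=true"
        else
            echo "$proc: flag missing (privileged pods will be rejected)"
            rc=1
        fi
    done
    return $rc
}
```

If the apiserver line is the one reported as missing the flag, that is exactly the situation in the question: the kubelet accepted the setting but the apiserver rejected the ReplicationController.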