CoreDNS unable to deploy

7/5/2019

I have installed a cluster but can't seem to configure coredns to run. I get the following message when I do a kubectl describe replicaset -n kube-system:

Error creating: pods "coredns-7945fb857d-" is forbidden: unable to validate against any pod security policy: [pod.metadata.annotations[seccomp.security.alpha.kubernetes.io/pod]: Forbidden:  is not an allowed seccomp profile. Valid values are runtime/default pod.metadata.annotations[container.apparmor.security.beta.kubernetes.io/coredns]: Forbidden: AppArmor profile must be set pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/coredns]: Forbidden:  is not an allowed seccomp profile. Valid values are runtime/default spec.containers[0].securityContext.capabilities.add: Invalid value: "NET_BIND_SERVICE": capability may not be added

Can anybody point me in the right direction?

-- driftavalii
coredns
kubernetes

1 Answer

7/5/2019

It might be that the CoreDNS pod wasn't even created due to a Pod Security Policy:

PodSecurityPolicies are enforced (...) but doing so without authorizing any policies will prevent any pods from being created in the cluster.

In this specific case, it is complaining that the profile in the Seccomp annotation is not valid:

[seccomp.security.alpha.kubernetes.io/pod]: Forbidden: is not an allowed seccomp profile.

You can check here a list of valid profiles and an example of a custom one.

-- yyyyahir
Source: StackOverflow
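
An added example, not part of the original answer or of the CoreDNS project: a PodSecurityPolicy that admits exactly what the error in the question lists as rejected (no seccomp profile, no AppArmor profile, the NET_BIND_SERVICE capability), with permission to use it granted only to the CoreDNS service account. The policy, role and binding names are hypothetical, and the `coredns` service account in `kube-system` and the volume types are assumptions based on a kubeadm-style install.

```yaml
# Added example; values marked "hypothetical" or "assumed" are not from the page.
# PodSecurityPolicy (policy/v1beta1) was removed in Kubernetes 1.25.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: coredns-psp              # hypothetical name
  annotations:
    # The pod sets no seccomp or AppArmor profile, so the policy supplies a
    # default and limits the allowed set to that same runtime default.
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
spec:
  privileged: false
  allowPrivilegeEscalation: false
  allowedCapabilities:
    - NET_BIND_SERVICE           # the capability the error says "may not be added"
  volumes: [configMap, secret]   # assumed: Corefile ConfigMap and service account token
  runAsUser: {rule: RunAsAny}
  seLinux: {rule: RunAsAny}
  supplementalGroups: {rule: RunAsAny}
  fsGroup: {rule: RunAsAny}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: coredns-psp-user         # hypothetical name
  namespace: kube-system
rules:
  - apiGroups: [policy]
    resources: [podsecuritypolicies]
    resourceNames: [coredns-psp] # grants "use" on this one policy only
    verbs: [use]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: coredns-psp-user         # hypothetical name
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: coredns-psp-user
subjects:
  - kind: ServiceAccount
    name: coredns                # assumed service account name
    namespace: kube-system
```

Because the ReplicaSet controller creates the pods, the policy is authorized through the pod's service account rather than through the user who applied the Deployment.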