If I activate PodSecurityPolicy on Kube-api in cluster.yaml of RKE, I cannot deploy anymore.
enable-admission-plugins: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction,PersistentVolumeLabel,PodNodeSelector,AlwaysPullImages,DenyEscalatingExec,PodSecurityPolicy"
I receive the following error during deployment with rke v0.2.8:
INFO[0055] [healthcheck] Start Healthcheck on service [kubelet] on host [172.18.13.41]
FATA[0112] [workerPlane] Failed to bring up Worker Plane: [Failed to verify healthcheck: Failed to check http://localhost:10248/healthz for service [kubelet] on host [172.18.13.41]: Get http://localhost:10248/healthz: Unable to access the service on localhost:10248. The service might be still starting up. Error: ssh: rejected: connect failed (Connection refused), log: ]
My kubelet docker logs are the following:
Started kubelet
I1217 20:04:40.749400 26761 server.go:137] Starting to listen on 0.0.0.0:10250
F1217 20:04:40.749469 26761 server.go:174] Failed to create listener for podResources endpoint: listen unix /var/lib/kubelet/pod-resources/kubelet.sock: bind: no such file or directory
E1217 20:04:40.749402 26761 kubelet.go:1308] Image garbage collection failed once. Stats initialization may not have completed yet: failed to get imageFs info: unable to find data in memory cache
If I remove PodSecurityPolicy from the enable-admission-plugins, it works.
My policy is:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: 000-privileged
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  volumes:
  - '*'
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
Any idea why?
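For context: once the PodSecurityPolicy admission plugin is on, a policy only applies to subjects that are granted the `use` verb on it through RBAC, and pods whose service account (or node) has no usable policy are rejected at admission. The ClusterRole and ClusterRoleBinding below are an added example, not part of the original post, showing how the `000-privileged` policy above would be authorized for kube-system service accounts and nodes; the object names are assumptions.

```yaml
# Added example (not from the post): grant 'use' on the 000-privileged PSP.
# Object names psp-privileged-use and psp-privileged-kube-system are assumed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-privileged-use
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  resourceNames: ['000-privileged']   # the policy defined in the post
  verbs: ['use']
---
# Bind it only to system components: a fully privileged policy like this one
# (hostPID, hostNetwork, all capabilities) should not be usable from
# ordinary workload namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp-privileged-kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-privileged-use
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts:kube-system
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:nodes
```

After applying it, `kubectl auth can-i use podsecuritypolicy/000-privileged --as=system:serviceaccount:kube-system:default` should answer `yes`, which is a quick way to confirm the grant is in place before enabling the plugin.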