Not able to create a deployment or anything in the provided EKS cluster

9/13/2021

I am new to Kubernetes and am using an EKS cluster endpoint provided by a third party. I am trying to create a simple nginx deployment using the following command:

kubectl create deployment nginx-depl --image=nginx

It gives me the following error:

error: failed to create deployment: admission webhook "validate.kyverno.svc" denied the request:

resource Deployment/comp-dev/nginx-depl was blocked due to the following policies

edison-platform-policy-disallow-pod-without-resources:
  validate-resources: 'validation error: Error : Unable to install - container spec does not specify resource request. Rule validate-resources[0] failed at path /spec/template/spec/containers/0/resources/requests/. Rule validate-resources[1] failed at path /metadata/labels/AllowContainerWithoutResourcesRequests/.'
edison-platform-policy-disallow-privileged-container:
  autogen-validate-allowPrivilegeEscalation: 'validation error: Privileged mode is not allowed. Set allowPrivilegeEscalation to false. Rule autogen-validate-allowPrivilegeEscalation[0] failed at path /spec/template/spec/containers/0/securityContext/. Rule autogen-validate-allowPrivilegeEscalation[1] failed at path /spec/template/metadata/labels/AllowPrivilegedEscalation/.'
edison-platform-policy-disallow-root-user:
  autogen-validate-runAsNonRoot: 'validation error: Running as root user is not allowed. Set runAsNonRoot to true. Rule autogen-validate-runAsNonRoot[0] failed at path /spec/template/spec/securityContext/runAsNonRoot/. Rule autogen-validate-runAsNonRoot[1] failed at path /spec/template/spec/securityContext/runAsUser/. Rule autogen-validate-runAsNonRoot[2] failed at path /spec/template/spec/containers/0/securityContext/. Rule autogen-validate-runAsNonRoot[3] failed at path /spec/template/spec/containers/0/securityContext/. Rule autogen-validate-runAsNonRoot[4] failed at path /spec/template/metadata/labels/AllowRootUserAccess/.'
edison-platform-policy-disallow-unknown-registries:
  autogen-validate-registries: 'validation error: Unknown image registry. Rule autogen-validate-registries failed at path /spec/template/spec/containers/0/image/'

Is the public image registry blocked in ECS? Or has the third-party EKS provider not enabled the public Docker repository?

-- sandeep.ganage
amazon-eks
kubernetes
kubernetes-pod

1 Answer

9/14/2021

The cluster has Kyverno installed. Your create request was rejected by this policy engine based on a policy set up by the provider. Try the following spec:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: busybox
spec:
  replicas: 1
  selector:
    matchLabels:
      app: busybox
  template:
    metadata:
      labels:
        app: busybox
    spec:
      securityContext:
        runAsUser: 1000                  # non-zero uid: satisfies disallow-root-user at pod level
      containers:
      - name: busybox
        image: docker.io/busybox:latest  # registry spelled out: disallow-unknown-registries
        command: ["sh","-c"]
        args: ["sleep 3600"]
        resources:
          requests:                      # disallow-pod-without-resources
            cpu: 100m
            memory: 100Mi
        securityContext:
          allowPrivilegeEscalation: false  # disallow-privileged-container
          runAsNonRoot: true               # disallow-root-user at container level

Note that how to run Nginx as non-root is not covered here.

-- gohm'c
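A local pre-flight check for the four policies quoted in the error, as an added example (not part of the question or the answer, and not Kyverno's or the provider's own code): it models each rule only as far as the error text reveals it, so the registry allowlist (registry.example.com and docker.io), the exemption labels counting by mere presence, and the non-root nginx image (nginxinc/nginx-unprivileged, uid 101, port 8080) are assumptions. It shows why the bare `kubectl create deployment nginx-depl --image=nginx` trips all four policies, why the busybox spec in the answer passes, and that nginx itself can pass with the same fields set.

```python
"""Local pre-flight check mirroring the four Kyverno rules quoted in the
error above.  Added, constructed example: not Kyverno's code and not the
provider's ClusterPolicy (which the page does not show); assumptions marked."""
from typing import Dict, List, Tuple

# ASSUMPTION: provider allowlist.  docker.io is assumed allowed only because
# the accepted answer's docker.io/busybox:latest was offered as the fix.
ALLOWED_REGISTRIES = ("registry.example.com", "docker.io")


def registry_of(image: str) -> str:
    """Registry written in an image reference, or '' when none is written.

    The first path component is a registry only if it contains '.' or ':'
    or is 'localhost' (the heuristic container runtimes use).  kubectl does
    not expand a bare 'nginx' to 'docker.io/library/nginx', so a policy that
    pattern-matches the image string sees no registry at all."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return ""


def validate_deployment(deploy: Dict) -> List[Tuple[str, str]]:
    """Return (policy, detail) pairs for every violation; [] means admitted."""
    violations: List[Tuple[str, str]] = []
    top_labels = deploy.get("metadata", {}).get("labels") or {}
    tmpl = deploy["spec"]["template"]
    tmpl_labels = tmpl.get("metadata", {}).get("labels") or {}
    pod_spec = tmpl["spec"]
    pod_sc = pod_spec.get("securityContext") or {}

    for i, c in enumerate(pod_spec.get("containers", [])):
        path = f"/spec/template/spec/containers/{i}"
        sc = c.get("securityContext") or {}

        # disallow-pod-without-resources: requests must be set unless the
        # Deployment carries the exemption label (ASSUMPTION: any value).
        if not (c.get("resources") or {}).get("requests") and \
                "AllowContainerWithoutResourcesRequests" not in top_labels:
            violations.append(("disallow-pod-without-resources",
                               f"{path}/resources/requests is missing"))
        # disallow-privileged-container: the field must be present and false;
        # left unset, the kubelet treats allowPrivilegeEscalation as true.
        if sc.get("allowPrivilegeEscalation") is not False and \
                "AllowPrivilegedEscalation" not in tmpl_labels:
            violations.append(("disallow-privileged-container",
                               f"{path}/securityContext/allowPrivilegeEscalation != false"))
        # disallow-root-user: the error lists five alternative checks; any one
        # of them passing satisfies the rule (Kyverno anyPattern semantics).
        if not (pod_sc.get("runAsNonRoot") is True
                or (pod_sc.get("runAsUser") or 0) > 0
                or sc.get("runAsNonRoot") is True
                or (sc.get("runAsUser") or 0) > 0
                or "AllowRootUserAccess" in tmpl_labels):
            violations.append(("disallow-root-user", f"{path} may run as root"))
        # disallow-unknown-registries: registry must be explicit and allowed.
        if registry_of(c.get("image", "")) not in ALLOWED_REGISTRIES:
            violations.append(("disallow-unknown-registries",
                               f"{path}/image '{c.get('image')}' not allowed"))
    return violations


def deployment(name, container, pod_sc=None, labels=None) -> Dict:
    """Build a minimal apps/v1 Deployment dict (helper for the samples below)."""
    pod = {"containers": [container]}
    if pod_sc:
        pod["securityContext"] = pod_sc
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": name, "labels": labels or {}},
            "spec": {"replicas": 1, "selector": {"matchLabels": {"app": name}},
                     "template": {"metadata": {"labels": {"app": name}},
                                  "spec": pod}}}


# Constructed: what `kubectl create deployment nginx-depl --image=nginx` sends.
NGINX_FROM_KUBECTL = deployment("nginx-depl", {"name": "nginx", "image": "nginx"})

# Constructed: the busybox spec from the answer above, as a dict.
BUSYBOX_FROM_ANSWER = deployment(
    "busybox",
    {"name": "busybox", "image": "docker.io/busybox:latest",
     "command": ["sh", "-c"], "args": ["sleep 3600"],
     "resources": {"requests": {"cpu": "100m", "memory": "100Mi"}},
     "securityContext": {"allowPrivilegeEscalation": False, "runAsNonRoot": True}},
    pod_sc={"runAsUser": 1000})

# ASSUMPTION: nginxinc/nginx-unprivileged runs as uid 101 and listens on 8080,
# so nginx itself can satisfy the same four rules.
NGINX_NONROOT = deployment(
    "nginx-depl",
    {"name": "nginx", "image": "docker.io/nginxinc/nginx-unprivileged:stable",
     "ports": [{"containerPort": 8080}],
     "resources": {"requests": {"cpu": "100m", "memory": "64Mi"}},
     "securityContext": {"allowPrivilegeEscalation": False,
                         "runAsNonRoot": True, "runAsUser": 101}})

if __name__ == "__main__":
    for label, d in [("kubectl nginx", NGINX_FROM_KUBECTL),
                     ("answer busybox", BUSYBOX_FROM_ANSWER),
                     ("non-root nginx", NGINX_NONROOT)]:
        found = validate_deployment(d)
        print(f"{label}: {'blocked' if found else 'admitted'}")
        for policy, detail in found:
            print(f"  {policy}: {detail}")
```

Running it prints a verdict per manifest. This is only an approximation of the error text; to test a manifest against the real policies without touching the cluster, export them with `kubectl get clusterpolicy -o yaml` and run `kyverno apply <policies.yaml> --resource <deploy.yaml>` with the Kyverno CLI, which reproduces the admission decision locally.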
Source: StackOverflow