I am new to Kubernetes and am using an EKS cluster endpoint provided by a third party. I am trying to create a simple nginx deployment using the following command:
kubectl create deployment nginx-depl --image=nginx
It gives me the following error:
error: failed to create deployment: admission webhook "validate.kyverno.svc" denied the request:
resource Deployment/comp-dev/nginx-depl was blocked due to the following policies
edison-platform-policy-disallow-pod-without-resources:
validate-resources: 'validation error: Error : Unable to install - container spec does not specify resource request. Rule validate-resources[0] failed at path /spec/template/spec/containers/0/resources/requests/. Rule validate-resources[1] failed at path /metadata/labels/AllowContainerWithoutResourcesRequests/.'
edison-platform-policy-disallow-privileged-container:
autogen-validate-allowPrivilegeEscalation: 'validation error: Privileged mode is not allowed. Set allowPrivilegeEscalation to false. Rule autogen-validate-allowPrivilegeEscalation[0] failed at path /spec/template/spec/containers/0/securityContext/. Rule autogen-validate-allowPrivilegeEscalation[1] failed at path /spec/template/metadata/labels/AllowPrivilegedEscalation/.'
edison-platform-policy-disallow-root-user:
autogen-validate-runAsNonRoot: 'validation error: Running as root user is not allowed. Set runAsNonRoot to true. Rule autogen-validate-runAsNonRoot[0] failed at path /spec/template/spec/securityContext/runAsNonRoot/. Rule autogen-validate-runAsNonRoot[1] failed at path /spec/template/spec/securityContext/runAsUser/. Rule autogen-validate-runAsNonRoot[2] failed at path /spec/template/spec/containers/0/securityContext/. Rule autogen-validate-runAsNonRoot[3] failed at path /spec/template/spec/containers/0/securityContext/. Rule autogen-validate-runAsNonRoot[4] failed at path /spec/template/metadata/labels/AllowRootUserAccess/.'
edison-platform-policy-disallow-unknown-registries:
autogen-validate-registries: 'validation error: Unknown image registry. Rule autogen-validate-registries failed at path /spec/template/spec/containers/0/image/'
Is the public image registry blocked in ECS? Or has the third-party EKS provider not enabled the public Docker repository?
The cluster is installed with Kyverno. Your create request was rejected by this policy engine based on a policy set up by the provider. Try the following spec:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: busybox
spec:
  replicas: 1
  selector:
    matchLabels:
      app: busybox
  template:
    metadata:
      labels:
        app: busybox
    spec:
      securityContext:
        runAsUser: 1000
      containers:
      - name: busybox
        image: docker.io/busybox:latest
        command: ["sh","-c"]
        args: ["sleep 3600"]
        resources:
          requests:
            cpu: 100m
            memory: 100Mi
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
Note that how to run Nginx as non-root is not covered here.
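As an added example (not code from the question or the answer), here is a small Python pre-check that mirrors the four Kyverno rules named in the error, so a Deployment can be checked locally before it reaches the admission webhook. The registry allow-list is an assumption, since the provider's actual policy is not shown.

```python
# Added example, not code from the question or answer: a local pre-check that
# mirrors the four Kyverno rules named in the admission error, so a Deployment
# can be checked before kubectl sends it to the cluster. The registry
# allow-list below is an assumption; the provider's real list is not shown.
ALLOWED_REGISTRIES = ("docker.io/",)  # assumed allow-list


def check_deployment(manifest, allowed_registries=ALLOWED_REGISTRIES):
    """Return policy-style violation strings for a Deployment dict (empty = admitted)."""
    violations = []
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    pod_ctx = pod_spec.get("securityContext", {})
    for i, c in enumerate(pod_spec.get("containers", [])):
        path = f"/spec/template/spec/containers/{i}"
        ctx = c.get("securityContext", {})
        # disallow-pod-without-resources: each container must declare requests
        if not c.get("resources", {}).get("requests"):
            violations.append(f"disallow-pod-without-resources at {path}/resources/requests/")
        # disallow-privileged-container: allowPrivilegeEscalation must be exactly false
        if ctx.get("allowPrivilegeEscalation") is not False:
            violations.append(f"disallow-privileged-container at {path}/securityContext/")
        # disallow-root-user: runAsNonRoot true at container or pod level
        if ctx.get("runAsNonRoot") is not True and pod_ctx.get("runAsNonRoot") is not True:
            violations.append(f"disallow-root-user at {path}/securityContext/")
        # disallow-unknown-registries: image must start with an allowed registry
        if not c.get("image", "").startswith(allowed_registries):
            violations.append(f"disallow-unknown-registries at {path}/image/")
    return violations


# Constructed: what `kubectl create deployment nginx-depl --image=nginx` submits
NGINX_DEPL = {"apiVersion": "apps/v1", "kind": "Deployment",
              "metadata": {"name": "nginx-depl"},
              "spec": {"template": {"spec": {"containers": [{"name": "nginx", "image": "nginx"}]}}}}

# The busybox spec from the answer, as a dict
BUSYBOX_DEPL = {"apiVersion": "apps/v1", "kind": "Deployment",
                "metadata": {"name": "busybox"},
                "spec": {"template": {"spec": {
                    "securityContext": {"runAsUser": 1000},
                    "containers": [{"name": "busybox", "image": "docker.io/busybox:latest",
                                    "resources": {"requests": {"cpu": "100m", "memory": "100Mi"}},
                                    "securityContext": {"allowPrivilegeEscalation": False,
                                                        "runAsNonRoot": True}}]}}}}

if __name__ == "__main__":
    for name, m in (("nginx-depl", NGINX_DEPL), ("busybox", BUSYBOX_DEPL)):
        print(name, "->", check_deployment(m) or "admitted")
```

Running it reports all four violations for the bare nginx Deployment and none for the busybox spec, matching the webhook's verdicts.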