OCP cluster: deploying node-exporter as a DaemonSet fails with "Host network is not allowed to be used provider restricted"
程序员文章站
2024-03-17 11:33:28
Environment
OCP 3.11
Symptom
node-exporter is deployed as a DaemonSet and needs host network mode (hostNetwork), along with hostPID and hostPath volumes.
On OCP the pods never came up. Checking the status of the node-exporter DaemonSet:
oc describe ds node-exporter
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedCreate 5s (x13 over 26s) daemonset-controller Error creating: pods "node-exporter-" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used provider restricted: .spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[2]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used spec.containers[0].securityContext.containers[1].hostPort: Invalid value: 9100: Host ports are not allowed to be used spec.containers[0].securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used spec.containers[1].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used spec.containers[1].securityContext.containers[1].hostPort: Invalid value: 9100: Host ports are not allowed to be used spec.containers[1].securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used]
Solution
https://adam.younglogic.com/2017/06/creating-a-privileged-container-in-openshift/
The node-exporter DaemonSet runs under a service account of the same name, node-exporter. The pod spec asks for host network, host PID, host ports and hostPath volumes, all of which the default restricted SCC denies, so the fix is to grant that service account an SCC that allows them:
oc adm policy add-scc-to-user privileged -n openshift-monitoring -z node-exporter
Problem solved.
Related official documentation
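The command above binds the cluster's built-in privileged SCC, which permits far more than the four things the event actually complains about. As an added example, not code from the original post, the Python script below reads the denial message from the page (trimmed copy embedded inline), derives only the allowances the pod needs, and builds a narrower SCC bound to just the node-exporter service account; the SCC name node-exporter-scc is an assumption.

```python
import json
import re

# Trimmed copy of the denial message from the page's `oc describe ds node-exporter` output.
DENIAL = (
    'pods "node-exporter-" is forbidden: unable to validate against any security context '
    'constraint: [provider restricted: .spec.securityContext.hostNetwork: Invalid value: true: '
    'Host network is not allowed to be used provider restricted: .spec.securityContext.hostPID: '
    'Invalid value: true: Host PID is not allowed to be used spec.volumes[0]: Invalid value: '
    '"hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.'
    'containers[1].hostPort: Invalid value: 9100: Host ports are not allowed to be used]'
)

# Each SCC-denial phrase maps to the single SCC field that would permit it.
PHRASE_TO_FIELD = {
    "Host network is not allowed": "allowHostNetwork",
    "Host PID is not allowed": "allowHostPID",
    "Host IPC is not allowed": "allowHostIPC",
    "Host ports are not allowed": "allowHostPorts",
    "Privileged containers are not allowed": "allowPrivilegedContainer",
}

def required_allowances(message: str) -> dict:
    """Derive the minimal set of SCC allowances named by an SCC validation failure."""
    needs = {field: True for phrase, field in PHRASE_TO_FIELD.items() if phrase in message}
    # 'Invalid value: "hostPath": hostPath volumes are not allowed' names the denied volume type.
    vols = sorted(set(re.findall(r'Invalid value: "(\w+)": \1 volumes are not allowed', message)))
    if vols:
        needs["volumes"] = vols
        if "hostPath" in vols:
            needs["allowHostDirVolumePlugin"] = True  # hostPath needs this switch as well
    return needs

def least_privilege_scc(name: str, namespace: str, sa: str, needs: dict) -> dict:
    """Build an SCC that grants only what `needs` lists, bound to one service account."""
    scc = {
        "apiVersion": "security.openshift.io/v1", "kind": "SecurityContextConstraints",
        "metadata": {"name": name},
        "allowPrivilegedContainer": False, "allowPrivilegeEscalation": False,
        "allowHostNetwork": False, "allowHostPID": False, "allowHostIPC": False,
        "allowHostPorts": False, "allowHostDirVolumePlugin": False,
        "requiredDropCapabilities": ["ALL"],
        "runAsUser": {"type": "RunAsAny"}, "seLinuxContext": {"type": "RunAsAny"},
        "fsGroup": {"type": "RunAsAny"}, "supplementalGroups": {"type": "RunAsAny"},
        "volumes": ["configMap", "emptyDir", "secret"],  # safe defaults, extended below
        "users": [f"system:serviceaccount:{namespace}:{sa}"],
    }
    for field, value in needs.items():
        scc[field] = sorted(set(scc["volumes"]) | set(value)) if field == "volumes" else value
    return scc

if __name__ == "__main__":
    needs = required_allowances(DENIAL)
    print(json.dumps(least_privilege_scc("node-exporter-scc", "openshift-monitoring", "node-exporter", needs), indent=2))
```

Save the printed document and apply it with oc create -f; because the SCC's users field already names the service account, no separate add-scc-to-user call is needed.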
https://docs.openshift.com/container-platform/3.11/admin_guide/manage_scc.html