Problems with kube-proxy daemon permissions - PullRequest
0 votes
/ 03 October 2019

I installed a new 1.16.0 worker node using kubeadm and I get the following:

Kubernetes version: Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.6", GitCommit:"96fac5cd13a5dc064f7d9f4f23030a6aeface6cc", GitTreeState:"clean", BuildDate:"2019-08-19T11:13:49Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.0", GitCommit:"e8462b5b5dc2584fdcd18e6bcfe9f1e4d970a529", GitTreeState:"clean", BuildDate:"2019-06-19T16:32:14Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}

OS: 18.04.3 LTS (Bionic Beaver)
Kernel:  Linux kube-node-5 4.15.0-65-generic #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Name:           kube-proxy
Selector:       k8s-app=kube-proxy
Node-Selector:  beta.kubernetes.io/os=linux
Labels:         k8s-app=kube-proxy
Annotations:    deprecated.daemonset.template.generation: 2
Desired Number of Nodes Scheduled: 8
Current Number of Nodes Scheduled: 8
Number of Nodes Scheduled with Up-to-date Pods: 8
Number of Nodes Scheduled with Available Pods: 8
Number of Nodes Misscheduled: 0
Pods Status:  8 Running / 0 Waiting / 0 Succeeded / 0 Failed
Pod Template:
  Labels:           k8s-app=kube-proxy
  Service Account:  kube-proxy
  Containers:
   kube-proxy:
    Image:      k8s.gcr.io/kube-proxy:v1.15.0
    Port:       <none>
    Host Port:  <none>
    Command:
      /usr/local/bin/kube-proxy
      --config=/var/lib/kube-proxy/config.conf
      --hostname-override=$(NODE_NAME)
    Environment:
      NODE_NAME:   (v1:spec.nodeName)
    Mounts:
      /lib/modules from lib-modules (ro)
      /run/xtables.lock from xtables-lock (rw)
      /var/lib/kube-proxy from kube-proxy (rw)
  Volumes:
   kube-proxy:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      kube-proxy
    Optional:  false
   xtables-lock:
    Type:          HostPath (bare host directory volume)
    Path:          /run/xtables.lock
    HostPathType:  FileOrCreate
   lib-modules:
    Type:          HostPath (bare host directory volume)
    Path:          /lib/modules
    HostPathType:  
Events:
  Type     Reason        Age                  From                  Message
  ----     ------        ----                 ----                  -------
  Warning  FailedCreate  3h55m                daemonset-controller  Error creating: Pod "kube-proxy-nz5bk" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
  Warning  FailedCreate  3h38m                daemonset-controller  Error creating: Pod "kube-proxy-l26kw" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
  Warning  FailedCreate  3h21m                daemonset-controller  Error creating: Pod "kube-proxy-fjcpd" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
  Warning  FailedCreate  3h7m                 daemonset-controller  Error creating: Pod "kube-proxy-msqnx" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
  Warning  FailedCreate  3h7m                 daemonset-controller  Error creating: Pod "kube-proxy-pssv5" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
  Warning  FailedCreate  3h7m                 daemonset-controller  Error creating: Pod "kube-proxy-59cx8" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
  Warning  FailedCreate  3h7m                 daemonset-controller  Error creating: Pod "kube-proxy-t9nh2" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
  Warning  FailedCreate  3h7m                 daemonset-controller  Error creating: Pod "kube-proxy-5hp6c" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
  Warning  FailedCreate  3h7m                 daemonset-controller  Error creating: Pod "kube-proxy-hbbl4" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
  Warning  FailedCreate  3h7m                 daemonset-controller  Error creating: Pod "kube-proxy-zph4z" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
  Warning  FailedCreate  3h7m                 daemonset-controller  Error creating: Pod "kube-proxy-prj9w" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
  Warning  FailedCreate  3h7m                 daemonset-controller  Error creating: Pod "kube-proxy-rhnjq" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
  Warning  FailedCreate  177m (x9 over 3h7m)  daemonset-controller  (combined from similar events): Error creating: Pod "kube-proxy-whdnm" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
  Warning  FailedCreate  166m                 daemonset-controller  Error creating: Pod "kube-proxy-2xhgt" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
  Warning  FailedCreate  149m                 daemonset-controller  Error creating: Pod "kube-proxy-zd429" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
  Warning  FailedCreate  132m                 daemonset-controller  Error creating: Pod "kube-proxy-wzn8x" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
  Warning  FailedCreate  124m                 daemonset-controller  Error creating: Pod "kube-proxy-l8csx" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
  Warning  FailedCreate  124m                 daemonset-controller  Error creating: Pod "kube-proxy-6jxpl" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
  Warning  FailedCreate  124m                 daemonset-controller  Error creating: Pod "kube-proxy-jk29x" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
  Warning  FailedCreate  124m                 daemonset-controller  Error creating: Pod "kube-proxy-p7db2" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
  Warning  FailedCreate  124m                 daemonset-controller  Error creating: Pod "kube-proxy-kf8qz" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
  Warning  FailedCreate  124m                 daemonset-controller  Error creating: Pod "kube-proxy-l5wjh" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
  Warning  FailedCreate  124m                 daemonset-controller  Error creating: Pod "kube-proxy-d8brg" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
  Warning  FailedCreate  124m                 daemonset-controller  Error creating: Pod "kube-proxy-6w2ql" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
  Warning  FailedCreate  124m                 daemonset-controller  Error creating: Pod "kube-proxy-d4n47" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
  Warning  FailedCreate  122m (x7 over 124m)  daemonset-controller  (combined from similar events): Error creating: Pod "kube-proxy-2lnpb" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy

What is not much fun is that all the other nodes have absolutely NO problems creating kube-proxy. It is only this one node that fails with the above error.

I have tried to solve this problem in different ways but have not found a solution yet. Previous installations using kubeadm were flawless.

I have a feeling that I am missing a PodSecurityPolicy and a role binding for kube-proxy. I am definitely missing something, but I have no idea what.

1 Answer

1 vote
/ 04 October 2019

It is very strange to try to add a new node to an existing cluster with different versions. As an example, for 1.15, see the deprecated kubelet security control AllowPrivileged; please refer to the CHANGELOG-1.15.md release notes:

The deprecated kubelet security controls AllowPrivileged, HostNetworkSources, HostPIDSources and HostIPCSources have been removed. Enforcement of these restrictions should be done through admission control (such as PodSecurityPolicy) instead.

In my opinion, you should remove this node (please refer to these docs):

After that, you should upgrade the cluster according to the recommendations.

Please note, before proceeding with upgrading the cluster to the v1.16.0 release: other notable changes in the latest release.
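An added example, not from the question or the answer above, of the admission-side control the changelog excerpt points to: a PodSecurityPolicy scoped to exactly what the kube-proxy DaemonSet in the question needs and mounts, plus the RBAC that lets the kube-proxy service account use it. The hostPath prefixes and the service account name come from the describe output above; the object name psp:kube-proxy is an assumption, and hostNetwork is set because kubeadm runs kube-proxy in the host network namespace.

```yaml
# Added example, not from the page: least-privilege PSP for the kubeadm kube-proxy
# DaemonSet shown above (privileged, host network, ro /lib/modules, rw /run/xtables.lock).
# Requires the PodSecurityPolicy admission plugin; the name psp:kube-proxy is assumed.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: kube-proxy
spec:
  privileged: true               # kube-proxy programs iptables/ipvs on the host
  hostNetwork: true              # kubeadm runs kube-proxy in the host network namespace
  allowPrivilegeEscalation: true # implied by privileged
  volumes:
    - configMap                  # /var/lib/kube-proxy
    - hostPath                   # only the prefixes listed below
  allowedHostPaths:
    - pathPrefix: /lib/modules
      readOnly: true             # the DaemonSet mounts it (ro)
    - pathPrefix: /run/xtables.lock
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:kube-proxy
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    verbs: ["use"]
    resourceNames: ["kube-proxy"]  # this policy only, not every PSP
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp:kube-proxy
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:kube-proxy
subjects:
  - kind: ServiceAccount
    name: kube-proxy             # the Service Account from the Pod Template above
    namespace: kube-system
```

The exact wording in the question, "Forbidden: disallowed by cluster policy", is produced by API server validation when the API server is configured to disallow privileged containers cluster-wide, whereas a PodSecurityPolicy rejection reads "unable to validate against any pod security policy", so check that API server setting first. Before enabling the PSP admission plugin, give every other kube-system workload its own policy as well, or they will be blocked in the same way.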

...