trident install fails when PodSecurityPolicy is enabled(v20.01.0)

Created on 3 Feb 2020  路  1Comment  路  Source: NetApp/trident

Describe the bug

When PodSecurityPolicy is enabled, trident install failed.

$ tridentctl install -n trident
INFO Starting Trident installation.                namespace=trident
INFO Created service account.
INFO Created cluster role.
INFO Created cluster role binding.
INFO Added finalizers to custom resource definitions.
INFO Created Trident pod security policy.
INFO Created Trident service.
INFO Created Trident secret.
INFO Created Trident deployment.
INFO Created Trident daemonset.
INFO Waiting for Trident pod to start.
ERRO Trident pod was not running after 180.00 seconds.
FATA Install failed; pod not running.  Resolve the issue; use 'tridentctl uninstall' to clean up; and try again.

I noticed that the trident-csi Pod didn't deploy by PodSecurityPolicy.

$ kubectl get deploy -n trident
NAME                         READY   UP-TO-DATE   AVAILABLE   AGE
trident-csi                  0/1     0            0           87s
$ kubectl get replicaset -n trident
NAME                                    DESIRED   CURRENT   READY   AGE
trident-csi-6854d7744b                  1         0         0       101s
$ kubectl describe replicaset -n trident trident-csi-6854d7744b
...
Events:
  Type     Reason        Age                  From                   Message
  ----     ------        ----                 ----                   -------
  Warning  FailedCreate  71s (x4 over 112s)   replicaset-controller  Error creating: pods "trident-csi-6854d7744b-" is forbidden: unable to validate against any pod security policy: [spec.containers[0].hostPort: Invalid value: 8443: Host port 8443 is not allowed to be used. Allowed ports: [] spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used spec.containers[0].hostPort: Invalid value: 8443: Host port 8443 is not allowed to be used. Allowed ports: []]
  Warning  FailedCreate  30s (x11 over 112s)  replicaset-controller  Error creating: pods "trident-csi-6854d7744b-" is forbidden: unable to validate against any pod security policy: [spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used spec.containers[0].hostPort: Invalid value: 8443: Host port 8443 is not allowed to be used. Allowed ports: [] spec.containers[0].hostPort: Invalid value: 8443: Host port 8443 is not allowed to be used. Allowed ports: []]

Environment

  • Trident version: 20.01.0
  • Trident installation flags used: trident install -n trident
  • Container runtime:
  • Kubernetes version: 1.17.2
  • Kubernetes orchestrator: original
  • Kubernetes enabled feature gates: -
  • OS: ContainerLinux
  • NetApp backend types: none

To Reproduce

  • Enable PodSecurityPolicy and execute tridentctl install -n trident

Expected behavior

Pass trident install command.

Additional context

I found the event which indicates HostPort is not allowed.
So I apply the below PSP manifest during trident install -n trident, the installation was succeeded.

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: tridentpods
spec:
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - SYS_ADMIN
  fsGroup:
    rule: RunAsAny
  hostIPC: true
  hostNetwork: true
  hostPorts: # <------Add this
  - min: 0
    max: 65535
  privileged: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - '*'

I think https://github.com/NetApp/trident/commit/1e3871f4d072573ecd67c79e0ebe91d712c5c83a is the cause of this probrem.
Why don't you specified hostNetwork only when IPv6 mode.

bug tracked tridentctl kubernetes

Most helpful comment

This issue is on track to be included as a bug fix in the 20.01.1 release.

>All comments

This issue is on track to be included as a bug fix in the 20.01.1 release.

Was this page helpful?
0 / 5 - 0 ratings