I want to add a wireguard sidecar container to a prometheus stack installed via a helm chart, so that I can reach clients connected over the VPN. I am using the prometheus-community/kube-prometheus-stack helm chart and modified values.yml. To integrate wireguard, I added a wireguard container in values.yml as shown below:
...
containers:
  - name: "wireguard"
    image: "lscr.io/linuxserver/wireguard:latest"
    volumeMounts:
      - name: wireguard-config
        mountPath: /config
        readOnly: true
      - name: wireguard-run
        mountPath: /run
    securityContext:
      runAsGroup: 0
      runAsUser: 0
      privileged: true
      capabilities:
        add:
          - NET_ADMIN
          - SYS_MODULE
But when I start the container, I get the following error:
Normal Pulled 4s kubelet Successfully pulled image "lscr.io/linuxserver/wireguard:latest" in 500.578587ms
Warning Failed 3s (x3 over 4s) kubelet Error: container's runAsUser breaks non-root policy (pod: "XX", container: wireguard)
Normal Pulled 3s kubelet Successfully pulled image "lscr.io/linuxserver/wireguard:latest" in 456.879479ms
Since wireguard needs to be able to change network interfaces, it needs root privileges. If I don't run the container as root, I get the following:
...
SOME OTHER PERMISSION ERRORS
s6-supervise (child): fatal: unable to exec run: Permission denied
s6-supervise coredns: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise (child): fatal: unable to exec run: Permission denied
s6-supervise wireguard: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise coredns: warning: unable to spawn ./run - waiting 10 seconds
What I tried was modifying the podSecurityPolicy in the prometheus values.yml to allow running containers as root. I was hoping I could simply run the container as root (at least for testing):
podSecurityPolicy:
  allowedCapabilities:
    - runAsUser: RunAsAny
    - NET_ADMIN
    - SYS_MODULE
  allowedHostPaths: []
  volumes: []
This didn't change anything (did I do it right?).
How can I allow the sidecar container to run as root? Or is there a way to run wireguard without root privileges?
2 answers
Answer 1
1. There is no PSP in newer kube-prometheus-stack. See https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/README.md - search for PodSecurityPolicies - "From 27.x to 28.x This version disabled PodSecurityPolicies by default because they are deprecated in Kubernetes 1.21 and will be removed in Kubernetes 1.25."
2. We need to use securityContext. It looks like you cannot have a pod run as non-root while a container (or init container) runs as root. That is the error "kubelet Error: container's runAsUser breaks non-root policy".
So we need to specify a securityContext for the whole pod to run as root. To do that, you can use values.yaml for the helm chart as follows. The effect is that the pod prometheus-prometheus-stack-kube-prom-prometheus-0 will run all of its containers as root. Not ideal, but it works.
Answer 2
It is the securityContext specified at the pod level: spec.securityContext. For more on this, see the official documentation. On the prometheus pod we can see spec.securityContext.runAsNonRoot: true, and the securityContext of every container in this pod inherits from it, meaning that the sidecar container's spec.containers[n].securityContext.runAsUser: 0 (i.e. root) breaks the non-root policy. To override the pod-level securityContext, you have to add the following to the container:
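The two answers propose different scopes for the same fix: Answer 1 relaxes the policy for the whole pod, Answer 2 overrides it on the sidecar only. The following is an added example (not code from either answer or from the chart) that models how the kubelet merges the pod-level and container-level securityContext and applies its runAsNonRoot check, so you can see why the posted sidecar is rejected and which of the two fixes keeps the policy on the other containers. The pod-level uid/gid values (1000/2000) and the pod name "XX" are assumptions; the merge and error strings follow the kubelet's verifyRunAsNonRoot logic, restricted to the fields relevant here.

```python
"""Model the kubelet's runAsNonRoot check for a pod with a sidecar container.

Constructed example: the securityContext fragments are plain dicts using the
same field names you would write in values.yaml. Only runAsUser, runAsGroup
and runAsNonRoot are modelled; capabilities and privileged play no part in
this particular check.
"""
from typing import Optional

# Fields the kubelet copies from the pod securityContext and then lets the
# container securityContext override one field at a time.
_MERGED_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot")


def effective_security_context(pod_sc: dict, container_sc: Optional[dict]) -> dict:
    """Pod-level values first; any field set at container level wins."""
    effective = {k: pod_sc[k] for k in _MERGED_FIELDS if k in pod_sc}
    if container_sc:
        for k in _MERGED_FIELDS:
            if k in container_sc:
                effective[k] = container_sc[k]
    return effective


def verify_run_as_non_root(pod_name: str, pod_sc: dict, container: dict,
                           image_uid: Optional[int] = None, image_user: str = "") -> Optional[str]:
    """Return None if the container may start, else the kubelet's error text.

    image_uid / image_user stand in for what the kubelet reads from the image
    config (Dockerfile USER) when runAsUser is set at neither level.
    """
    sc = effective_security_context(pod_sc, container.get("securityContext"))
    name = container["name"]
    if not sc.get("runAsNonRoot"):
        return None  # policy not requested, or explicitly disabled for this container
    if "runAsUser" in sc:
        if sc["runAsUser"] == 0:
            return f"container's runAsUser breaks non-root policy (pod: \"{pod_name}\", container: {name})"
        return None
    if image_uid == 0:
        return f"container has runAsNonRoot and image will run as root (pod: \"{pod_name}\", container: {name})"
    if image_uid is None and image_user:
        return (f"container has runAsNonRoot and image has non-numeric user ({image_user}), "
                f"cannot verify user is non-root (pod: \"{pod_name}\", container: {name})")
    return None


def containers_without_non_root_policy(pod_sc: dict, containers: list) -> list:
    """Names of containers whose effective context no longer enforces non-root."""
    return [c["name"] for c in containers
            if not effective_security_context(pod_sc, c.get("securityContext")).get("runAsNonRoot")]


# Constructed pod-level context, matching the runAsNonRoot: true seen on the
# prometheus pod in the question (uid/gid values are assumptions).
POD_SC = {"runAsUser": 1000, "runAsGroup": 2000, "runAsNonRoot": True}
PROMETHEUS = {"name": "prometheus"}  # inherits everything from the pod

# The sidecar as posted: runAsUser: 0 without touching runAsNonRoot.
SIDECAR_AS_POSTED = {"name": "wireguard",
                     "securityContext": {"runAsUser": 0, "runAsGroup": 0, "privileged": True}}

# Answer 2 style: opt only this container out of the non-root policy.
SIDECAR_OVERRIDE = {"name": "wireguard",
                    "securityContext": {"runAsUser": 0, "runAsGroup": 0, "runAsNonRoot": False}}

# Answer 1 style: drop the policy for the whole pod.
POD_SC_RELAXED = dict(POD_SC, runAsNonRoot=False)


if __name__ == "__main__":
    print(verify_run_as_non_root("XX", POD_SC, SIDECAR_AS_POSTED))   # the kubelet error from the question
    print(verify_run_as_non_root("XX", POD_SC, SIDECAR_OVERRIDE))    # None: sidecar starts
    print(containers_without_non_root_policy(POD_SC, [PROMETHEUS, SIDECAR_OVERRIDE]))
    print(containers_without_non_root_policy(POD_SC_RELAXED, [PROMETHEUS, SIDECAR_AS_POSTED]))
```

In the chart these fields live under prometheus.prometheusSpec.securityContext (pod level) and prometheus.prometheusSpec.containers[].securityContext (container level). The container-level runAsNonRoot: false is the narrower change: the prometheus container keeps the non-root policy, while relaxing it at the pod level removes the policy from every container in the pod, which is the trade-off Answer 1 calls "not ideal".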