[k8s] Error with bootstrap in k8s cluster with pod security
Bug #1996221 reported by Bartłomiej Poniecki-Klotz
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical Juju | Triaged | High | Unassigned |
Bug Description
I'm bootstrapping the vanilla k8s provided by the client.
The bootstrapping process hangs on the Pod creation for controller-0. The Pod is in CrashLoopBackOff.
The Pod Security mode is set to enforce on the cluster.
Bootstrap log:
$ juju --debug bootstrap datalake-
https:/
Bootstrap results:
controller-0 pod describe - https:/
controller-0 pod logs (both containers) - https:/
K8s version: 1.24.6.
Juju version: 2.9.35-ubuntu-amd64
Changed in juju: milestone: 3.1-beta1 → 3.1-rc1
Changed in juju: tags: added: k8s
Changed in juju: milestone: 3.1-rc1 → 3.1-rc2
Changed in juju: milestone: 3.1-rc2 → 3.1-rc3
Changed in juju: milestone: 3.4-beta1 → 3.4-rc1
Changed in juju: milestone: 3.4-rc1 → 3.4-rc2
Changed in juju: milestone: 3.4-rc2 → 3.4-rc3
Changed in juju: milestone: 3.4.0 → 3.4.1
Changed in juju: milestone: 3.4.1 → 3.4.2
Changed in juju: milestone: 3.4.2 → 3.4.3
The security policies being enforced are not allowing the juju agent to operate. What policy are you enforcing? "baseline"? "restricted"?
The jujud agent expects to operate as root in order to do its job. So at this stage, only a policy of "privileged" would be possible, I suspect.
You can see that the jujud agent is not being allowed to do its job:
/bin/sh: 1: cannot create /root/mongo.sh: Permission denied
mkdir: cannot create directory '/var/lib/juju/tools': Permission denied
etc.
You could set up the cluster to warn/audit on policy violations instead of erroring and run juju and then set up your admission rules to allow the access that juju needs to operate.
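The two settings the comment above contrasts, written out as Pod Security Admission namespace labels. This is an added example, not a manifest from the bug report or from Juju itself; the namespace name `controller-example` is a placeholder, and the `warn`/`audit` levels chosen here are one reasonable combination, not a Juju recommendation. The labels, level names and `-version` suffixes are the standard ones the PodSecurity admission controller reads in Kubernetes 1.24.

```yaml
# Added example, not from the bug report or the Juju project.
# "controller-example" is a placeholder for the namespace the Juju
# controller pod runs in; substitute the real namespace.

# Setting that blocks the controller: a profile stricter than the jujud
# agent can satisfy is enforced. A pod spec that does not meet the profile
# is rejected at admission; one that is admitted but still needs root at
# runtime fails with the "Permission denied" errors quoted above.
apiVersion: v1
kind: Namespace
metadata:
  name: controller-example
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: v1.24
---
# Working setting: enforce "privileged" only in this one namespace so the
# rest of the cluster keeps its stricter profile, and keep warn and audit at
# "baseline" so anything the controller pod does that would violate baseline
# is still surfaced (API warnings to the client, annotations in the audit
# log) instead of silently allowed.
apiVersion: v1
kind: Namespace
metadata:
  name: controller-example
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/enforce-version: v1.24
    pod-security.kubernetes.io/warn: baseline
    pod-security.kubernetes.io/warn-version: v1.24
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/audit-version: v1.24
```

The same change can be applied to an existing namespace with `kubectl label --overwrite ns controller-example pod-security.kubernetes.io/enforce=privileged`. The point of scoping it per namespace rather than relaxing the cluster default is that the exemption covers only the workload that actually needs root, and the warn/audit labels keep a record of what that workload does with the privilege.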