Not able to create deployment or anything in the provided EKS cluster
I am new to Kubernetes and am using an EKS cluster endpoint provided by a third party. I tried to create a simple nginx deployment using the following command:
kubectl create deployment nginx-depl --image=nginx
It gives me the following error:
error: failed to create deployment: admission webhook "validate.kyverno.svc" denied the request:
resource Deployment/comp-dev/nginx-depl was blocked due to the following policies
edison-platform-policy-disallow-pod-without-resources:
validate-resources: 'validation error: Error : Unable to install - container spec does not specify resource request. Rule validate-resources[0] failed at path /spec/template/spec/containers/0/resources/requests/. Rule validate-resources[1] failed at path /metadata/labels/AllowContainerWithoutResourcesRequests/.'
edison-platform-policy-disallow-privileged-container:
autogen-validate-allowPrivilegeEscalation: 'validation error: Privileged mode is not allowed. Set allowPrivilegeEscalation to false. Rule autogen-validate-allowPrivilegeEscalation[0] failed at path /spec/template/spec/containers/0/securityContext/. Rule autogen-validate-allowPrivilegeEscalation[1] failed at path /spec/template/metadata/labels/AllowPrivilegedEscalation/.'
edison-platform-policy-disallow-root-user:
autogen-validate-runAsNonRoot: 'validation error: Running as root user is not allowed. Set runAsNonRoot to true. Rule autogen-validate-runAsNonRoot[0] failed at path /spec/template/spec/securityContext/runAsNonRoot/. Rule autogen-validate-runAsNonRoot[1] failed at path /spec/template/spec/securityContext/runAsUser/. Rule autogen-validate-runAsNonRoot[2] failed at path /spec/template/spec/containers/0/securityContext/. Rule autogen-validate-runAsNonRoot[3] failed at path /spec/template/spec/containers/0/securityContext/. Rule autogen-validate-runAsNonRoot[4] failed at path /spec/template/metadata/labels/AllowRootUserAccess/.'
edison-platform-policy-disallow-unknown-registries:
autogen-validate-registries: 'validation error: Unknown image registry. Rule autogen-validate-registries failed at path /spec/template/spec/containers/0/image/'
Is the public image registry blocked in ECS? Or has the third-party EKS provider not enabled the public docker repository?
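The cluster has Kyverno installed. This policy engine rejected your create request based on the policies set up by the provider. Try the following spec: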
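apiVersion: apps/v1
kind: Deployment
metadata:
  name: busybox
spec:
  replicas: 1
  selector:
    matchLabels:
      app: busybox
  template:
    metadata:
      labels:
        app: busybox
    spec:
      securityContext:
        runAsUser: 1000  # non-root UID (disallow-root-user policy)
      containers:
      - name: busybox
        image: docker.io/busybox:latest  # explicit registry (disallow-unknown-registries policy)
        command: ["sh","-c"]
        args: ["sleep 3600"]
        resources:
          requests:  # required by disallow-pod-without-resources
            cpu: 100m
            memory: 100Mi
        securityContext:
          allowPrivilegeEscalation: false  # disallow-privileged-container policy
          runAsNonRoot: true  # disallow-root-user policy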
Note that how to run Nginx as a non-root user is not covered here.
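An added example, not part of the original answer: a small Python parser that turns the Kyverno denial text from the question into a per-policy list of the manifest paths that failed, which is the checklist the spec above fills in. The sample text is an excerpt (three of the four policies) of the error quoted in the question; the function and variable names are this example's own.

```python
import re

# Excerpt of the denial text quoted in the question (three of the four policies).
DENIAL = """\
error: failed to create deployment: admission webhook "validate.kyverno.svc" denied the request:
resource Deployment/comp-dev/nginx-depl was blocked due to the following policies
edison-platform-policy-disallow-pod-without-resources:
  validate-resources: 'validation error: Error : Unable to install - container spec does not specify resource request. Rule validate-resources[0] failed at path /spec/template/spec/containers/0/resources/requests/. Rule validate-resources[1] failed at path /metadata/labels/AllowContainerWithoutResourcesRequests/.'
edison-platform-policy-disallow-root-user:
  autogen-validate-runAsNonRoot: 'validation error: Running as root user is not allowed. Set runAsNonRoot to true. Rule autogen-validate-runAsNonRoot[0] failed at path /spec/template/spec/securityContext/runAsNonRoot/. Rule autogen-validate-runAsNonRoot[1] failed at path /spec/template/spec/securityContext/runAsUser/. Rule autogen-validate-runAsNonRoot[2] failed at path /spec/template/spec/containers/0/securityContext/. Rule autogen-validate-runAsNonRoot[3] failed at path /spec/template/spec/containers/0/securityContext/. Rule autogen-validate-runAsNonRoot[4] failed at path /spec/template/metadata/labels/AllowRootUserAccess/.'
edison-platform-policy-disallow-unknown-registries:
  autogen-validate-registries: 'validation error: Unknown image registry. Rule autogen-validate-registries failed at path /spec/template/spec/containers/0/image/'
"""

# A line holding only "name:" starts a policy block.
POLICY = re.compile(r"^\s*([\w.-]+):\s*$")
# A line "rule: 'validation error: <message> Rule ...'" is one failed rule.
RULE = re.compile(r"^\s*([\w.-]+):\s*'validation error:\s*(.*?)\s*Rule .*'\s*$")
# Each "failed at path /a/b/" names a manifest field the rule inspected.
PATH = re.compile(r"failed at path (/[^\s']*/)")


def parse_denial(text):
    """Return {policy: {rule: {"message": str, "paths": [str, ...]}}}."""
    report, policy = {}, None
    for line in text.splitlines():
        if m := POLICY.match(line):
            policy = report.setdefault(m.group(1), {})
        elif policy is not None and (m := RULE.match(line)):
            # The same path can be reported twice; keep first-seen order.
            paths = list(dict.fromkeys(PATH.findall(line)))
            policy[m.group(1)] = {"message": m.group(2), "paths": paths}
    return report


if __name__ == "__main__":
    for policy, rules in parse_denial(DENIAL).items():
        print(policy)
        for rule, info in rules.items():
            print(f"  {rule}: {info['message']}")
            for path in info["paths"]:
                print(f"    {path}")
```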