Unable to create a deployment or anything else in a provided EKS cluster

Problem description

I am not familiar with Kubernetes and am using an EKS cluster endpoint provided by a third party. I tried to create a simple nginx deployment with the following command:

kubectl create deployment nginx-depl --image=nginx

It gave me the following error:

error: failed to create deployment: admission webhook "validate.kyverno.svc" denied the request:

resource Deployment/comp-dev/nginx-depl was blocked due to the following policies

edison-platform-policy-disallow-pod-without-resources:
  validate-resources: 'validation error: Error : Unable to install - container spec does not specify resource request. Rule validate-resources[0] failed at path /spec/template/spec/containers/0/resources/requests/. Rule validate-resources[1] failed at path /metadata/labels/AllowContainerWithoutResourcesRequests/.'
edison-platform-policy-disallow-privileged-container:
  autogen-validate-allowPrivilegeEscalation: 'validation error: Privileged mode is not allowed. Set allowPrivilegeEscalation to false. Rule autogen-validate-allowPrivilegeEscalation[0] failed at path /spec/template/spec/containers/0/securityContext/. Rule autogen-validate-allowPrivilegeEscalation[1] failed at path /spec/template/metadata/labels/AllowPrivilegedEscalation/.'
edison-platform-policy-disallow-root-user:
  autogen-validate-runAsNonRoot: 'validation error: Running as root user is not allowed. Set runAsNonRoot to true. Rule autogen-validate-runAsNonRoot[0] failed at path /spec/template/spec/securityContext/runAsNonRoot/. Rule autogen-validate-runAsNonRoot[1] failed at path /spec/template/spec/securityContext/runAsUser/. Rule autogen-validate-runAsNonRoot[2] failed at path /spec/template/spec/containers/0/securityContext/. Rule autogen-validate-runAsNonRoot[3] failed at path /spec/template/spec/containers/0/securityContext/. Rule autogen-validate-runAsNonRoot[4] failed at path /spec/template/metadata/labels/AllowRootUserAccess/.'
edison-platform-policy-disallow-unknown-registries:
  autogen-validate-registries: 'validation error: Unknown image registry. Rule autogen-validate-registries failed at path /spec/template/spec/containers/0/image/'

Are public image registries blocked in ECS? Or has the third-party EKS provider not enabled the public Docker repository?

Tags: kubernetes, amazon-eks, kubernetes-pod

Solution


The cluster has Kyverno installed. This policy engine denied your `create` request according to the policies set by the provider. Try the following spec:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: busybox
spec:
  replicas: 1
  selector:
    matchLabels:
      app: busybox
  template:
    metadata:
      labels:
        app: busybox
    spec:
      securityContext:
        runAsUser: 1000              # pod-level non-root UID (disallow-root-user)
      containers:
      - name: busybox
        image: docker.io/busybox:latest   # explicit registry (disallow-unknown-registries)
        command: ["sh","-c"]
        args: ["sleep 3600"]
        resources:
          requests:                  # requests are mandatory (disallow-pod-without-resources)
            cpu: 100m
            memory: 100Mi
        securityContext:
          allowPrivilegeEscalation: false   # disallow-privileged-container
          runAsNonRoot: true                # disallow-root-user

Note that running Nginx as non-root is not covered here.
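
The error above lists four separate Kyverno policies that all rejected the bare Deployment, so the registry is only one of the problems. The following pre-flight lint is an added example (not code from the question, the answer, or the cluster's Kyverno policies): it approximates the four rules as the error message spells them out and runs them locally over the JSON that `kubectl create deployment ... --dry-run=client -o json` produces, so you can see every violation before the admission webhook does. The registry allowlist (`docker.io/` only) is an assumption, since the provider's real list is not shown on the page; both sample manifests below are constructed from the question's command and the answer's spec.

```python
"""Pre-flight lint approximating the four Kyverno rules quoted in the error.

Usage (after a client-side dry run, which needs no cluster permissions):
  kubectl create deployment nginx-depl --image=nginx --dry-run=client -o json > d.json
  python3 precheck.py d.json        # or: ... -o json | python3 precheck.py -
Only the Python standard library is used.
"""
import json
import sys

# Assumption: the provider's registry allowlist is not on the page. The accepted
# answer uses an explicit docker.io/ prefix, so that is the only one allowed here.
ALLOWED_REGISTRIES = ("docker.io/",)


def check_deployment(deploy: dict) -> list[tuple[str, str]]:
    """Return (policy, path) pairs for every violation found.

    An empty list means the Deployment clears all four rules as this lint
    understands them; the cluster's real policies may still be stricter.
    """
    violations = []
    pod_spec = deploy.get("spec", {}).get("template", {}).get("spec", {})
    pod_sc = pod_spec.get("securityContext") or {}
    for i, c in enumerate(pod_spec.get("containers", [])):
        base = f"/spec/template/spec/containers/{i}"
        sc = c.get("securityContext") or {}

        # Rule 1: every container must carry at least one resource request.
        requests = (c.get("resources") or {}).get("requests") or {}
        if not requests:
            violations.append(("disallow-pod-without-resources", f"{base}/resources/requests/"))

        # Rule 2: allowPrivilegeEscalation must be set to false explicitly;
        # the field defaults to true when omitted, so absence is a failure.
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(("disallow-privileged-container", f"{base}/securityContext/"))

        # Rule 3: runAsNonRoot must be true at pod or container level.
        if sc.get("runAsNonRoot") is not True and pod_sc.get("runAsNonRoot") is not True:
            violations.append(("disallow-root-user", f"{base}/securityContext/"))

        # Rule 4: the image must name an allowed registry explicitly. The bare
        # "nginx" in the question was rejected even though the runtime would
        # resolve it to docker.io/library/nginx, so no defaulting is applied.
        if not c.get("image", "").startswith(ALLOWED_REGISTRIES):
            violations.append(("disallow-unknown-registries", f"{base}/image/"))
    return violations


# Constructed sample: what the question's command yields with --dry-run=client -o json
# (metadata trimmed to the fields that matter here).
NGINX_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "nginx-depl", "labels": {"app": "nginx-depl"}},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"app": "nginx-depl"}},
        "template": {
            "metadata": {"labels": {"app": "nginx-depl"}},
            "spec": {"containers": [{"name": "nginx", "image": "nginx", "resources": {}}]},
        },
    },
}

# Constructed sample: the answer's busybox spec as a dict.
BUSYBOX_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "busybox"},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"app": "busybox"}},
        "template": {
            "metadata": {"labels": {"app": "busybox"}},
            "spec": {
                "securityContext": {"runAsUser": 1000},
                "containers": [{
                    "name": "busybox",
                    "image": "docker.io/busybox:latest",
                    "command": ["sh", "-c"],
                    "args": ["sleep 3600"],
                    "resources": {"requests": {"cpu": "100m", "memory": "100Mi"}},
                    "securityContext": {"allowPrivilegeEscalation": False, "runAsNonRoot": True},
                }],
            },
        },
    },
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with (sys.stdin if sys.argv[1] == "-" else open(sys.argv[1])) as fh:
            docs = [json.load(fh)]
    else:
        docs = [NGINX_DEPLOYMENT, BUSYBOX_DEPLOYMENT]
    failed = False
    for d in docs:
        found = check_deployment(d)
        print(f"{d.get('metadata', {}).get('name', '?')}: "
              f"{'OK' if not found else str(len(found)) + ' violation(s)'}")
        for policy, path in found:
            print(f"  {policy} at {path}")
        failed = failed or bool(found)
    sys.exit(1 if failed else 0)
```

Run without arguments it lints the two built-in samples: the question's Deployment trips all four rules at the same paths the webhook reported, and the answer's spec passes. The lint is deliberately conservative, treating a missing `allowPrivilegeEscalation` as a failure and refusing images without an explicit registry prefix, because that is how the admission webhook behaved in the question.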

