
Bug: failed to create collaset with privileged container #327

@dbug-dk

Description

Minimal reproduce step

run this command:

cat <<EOF | kubectl apply -v8 -f -
apiVersion: apps.kusionstack.io/v1alpha1
kind: CollaSet
metadata:
  labels:
    app: test
  name: test
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: test
    spec:
      containers:
      - image: nginx:latest
        imagePullPolicy: Always
        name: test
        resources:
          requests:
            cpu: 250m
            memory: 512Mi
        securityContext:
          privileged: true
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
EOF

What did you expect to see?

CollaSet created successfully

What did you see instead?

I0424 21:44:02.875859   50800 round_trippers.go:463] PATCH https://121.43.255.134:6443/apis/apps.kusionstack.io/v1alpha1/namespaces/default/collasets/test?fieldManager=kubectl-client-side-apply&fieldValidation=Strict
I0424 21:44:02.875863   50800 round_trippers.go:469] Request Headers:
I0424 21:44:02.875868   50800 round_trippers.go:473]     Accept: application/json
I0424 21:44:02.875872   50800 round_trippers.go:473]     Content-Type: application/merge-patch+json
I0424 21:44:02.875876   50800 round_trippers.go:473]     User-Agent: kubectl/v1.24.2 (darwin/arm64) kubernetes/f66044f
I0424 21:44:02.957003   50800 round_trippers.go:574] Response Status: 422 Unprocessable Entity in 81 milliseconds
I0424 21:44:02.957020   50800 round_trippers.go:577] Response Headers:
I0424 21:44:02.957025   50800 round_trippers.go:580]     X-Kubernetes-Pf-Flowschema-Uid: 27a33bf6-049e-4b5b-8739-fba65c03419d
I0424 21:44:02.957029   50800 round_trippers.go:580]     X-Kubernetes-Pf-Prioritylevel-Uid: b41c6c80-e893-48ef-9bbc-28dd2c8e02ee
I0424 21:44:02.957035   50800 round_trippers.go:580]     Content-Length: 265
I0424 21:44:02.957039   50800 round_trippers.go:580]     Date: Thu, 24 Apr 2025 13:44:03 GMT
I0424 21:44:02.957042   50800 round_trippers.go:580]     Audit-Id: 0a5796a2-33d5-4a1b-91d0-dbfd38477ae7
I0424 21:44:02.957045   50800 round_trippers.go:580]     Cache-Control: no-cache, private
I0424 21:44:02.957049   50800 round_trippers.go:580]     Content-Type: application/json
I0424 21:44:02.957066   50800 request.go:1073] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"admission webhook \"validating-generic.apps.kusionstack.io\" denied the request: spec.spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy","code":422}
The request is invalid

What are your KusionStack components and their versions?

kuperator version: v0.6.0
k8s version: v1.28.15-aliyun.1
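The 422 above is not a kuperator crash: the `validating-generic.apps.kusionstack.io` admission webhook rejected the CollaSet because its pod template asks for a privileged container, which the cluster policy forbids. The following is an added example, not code from kuperator or the reporter: it re-implements that one check locally so a manifest can be linted before `kubectl apply`, and it parses the `Status` body that kubectl printed so the denial can be read out of a log. The CollaSet is transcribed from the YAML above into a Python dict (so no PyYAML is needed); the `spec.spec.containers[i]...` path shape is copied from the webhook message; checking `initContainers` as well as `containers` is an assumption that goes beyond the single case in the issue.

```python
import copy
import json
import re

# Pod template of the CollaSet from the issue, transcribed to a dict
# (constructed input; fields not relevant to the check are omitted).
COLLASET = {
    "apiVersion": "apps.kusionstack.io/v1alpha1",
    "kind": "CollaSet",
    "metadata": {"name": "test", "namespace": "default", "labels": {"app": "test"}},
    "spec": {
        "replicas": 2,
        "selector": {"matchLabels": {"app": "test"}},
        "template": {
            "metadata": {"labels": {"app": "test"}},
            "spec": {
                "containers": [
                    {
                        "name": "test",
                        "image": "nginx:latest",
                        "securityContext": {"privileged": True},
                    }
                ],
                "securityContext": {},
            },
        },
    },
}

# Response body from the kubectl -v8 log in the issue (copied verbatim).
RESPONSE_BODY = (
    '{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure",'
    '"message":"admission webhook \\"validating-generic.apps.kusionstack.io\\" '
    'denied the request: spec.spec.containers[0].securityContext.privileged: '
    'Forbidden: disallowed by cluster policy","code":422}'
)


def find_privileged_containers(collaset):
    """Return field paths of every container that sets securityContext.privileged: true.

    The path prefix "spec.spec" mirrors the webhook message in the issue
    (CollaSet spec, then pod template spec). initContainers are checked too,
    which is an assumption beyond what the issue shows.
    """
    template_spec = collaset.get("spec", {}).get("template", {}).get("spec", {})
    violations = []
    for list_name in ("initContainers", "containers"):
        for i, container in enumerate(template_spec.get(list_name, [])):
            sc = container.get("securityContext") or {}
            if sc.get("privileged") is True:
                violations.append(f"spec.spec.{list_name}[{i}].securityContext.privileged")
    return violations


def drop_privileged(collaset):
    """Return a deep copy with every privileged: true removed (the remediation)."""
    fixed = copy.deepcopy(collaset)
    template_spec = fixed["spec"]["template"]["spec"]
    for list_name in ("initContainers", "containers"):
        for container in template_spec.get(list_name, []):
            sc = container.get("securityContext")
            if sc and sc.get("privileged") is True:
                del sc["privileged"]
    return fixed


# Shape of the message the webhook returned in the issue.
_DENIAL_RE = re.compile(
    r'admission webhook "(?P<webhook>[^"]+)" denied the request: '
    r"(?P<field>\S+): Forbidden: (?P<reason>.*)$"
)


def parse_denial(status_body):
    """Parse an API-server Status body; return {webhook, field, reason} or None."""
    status = json.loads(status_body)
    if status.get("kind") != "Status" or status.get("status") != "Failure":
        return None
    match = _DENIAL_RE.search(status.get("message", ""))
    return match.groupdict() if match else None


if __name__ == "__main__":
    print("pre-flight violations:", find_privileged_containers(COLLASET))
    print("after remediation:", find_privileged_containers(drop_privileged(COLLASET)))
    print("parsed denial:", parse_denial(RESPONSE_BODY))
```

Running the pre-flight check on the manifest reports `spec.spec.containers[0].securityContext.privileged`, the same field the webhook named, and the copy returned by `drop_privileged` passes clean. For a workload that genuinely needs `privileged: true`, the decision belongs with whoever owns the cluster policy the webhook enforces, not with the manifest.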

Labels: kind/bug (Something isn't working)