kubernetes pod“xxxx”被禁止:违反PodSecurity“restricted:latest”:allowPrivileEscalation!= false(containers“prepare”,“place-scripts”,

ct3nt3jp  于 2023-08-03  发布在  Kubernetes
关注(0)|答案(1)|浏览(189)

从tekton hub安装git clone任务

kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/main/task/git-clone/0.9/git-clone.yaml

字符串

Git Secret

apiVersion: v1
kind: Secret
metadata:
  name: git-ssh-key-secret
  namespace: tekton-pipelines
  annotations:
    tekton.dev/git-0: bitbucket.org # Described below
type: kubernetes.io/ssh-auth
stringData:
  ssh-privatekey: |
      -----BEGIN OPENSSH PRIVATE KEY-----
      ...
      -----END OPENSSH PRIVATE KEY-----
  known_hosts: |
          ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
          github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
          github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
          github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBLp1vN1/wsjk=
          bitbucket.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIazEu89wgQZ4bqs3d63QSMzYVa0MuJ2e2gKTKqu+UUO
          bitbucket.org ecdsa-sha2-nistp256 AAAAWdxMWWOGtZ9UgbqgZE=
          bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQeJzhupRu0u0cdegZIa8e86EG2qOCsIsD1Xw0xSeixHv4M=
          [source.developers.google.com]:2022 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB5Iy4/cq/gt/fPqe3uyMy4jwv1Alc94yVPxmnwNhBzJqEV5gRPiRk5u4/JJMbbu9QUVAguBABxL7sBZa5PH/xY=
          git.jetbrains.space ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCa5qcmbt2HCiQb54RrOXIsYLV+fbowckyuhZqe/IALABRjiCPz4SwkC3e9PHRZPJBsr9svjVRgUgbIUc8/xvD/b9F0i6dN78v48D0zQmMx

ServiceAccount.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: git-service-account
  namespace: tekton-pipelines
secrets:
  - name: git-ssh-key-secret

管道.yaml

apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: ft-common
  namespace: tekton-pipelines
spec:
  description: >-
    Clone a git repository. This example pipeline demonstrates the following:
    How to use the git-clone catalog Task
  params:
    - name: repo-url
      type: string
      description: The git clone repository url
  workspaces:
    - name: shared-workspace
      description: The GCS location will be copied into this workspace.
  tasks:
    - name: clone-repository
      taskRef:
        name: git-clone
      workspaces:
        - name: output
          workspace: shared-workspace
      params:
        - name: url
          value: "$(params.repo-url)"
        - name: deleteExisting
          value: "true"

流水线运行.yaml

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: ft-common-run
  namespace: tekton-pipelines
spec:
  serviceAccountName: git-service-account
  pipelineRef:
    name: ft-common
  podTemplate:
    securityContext:
      fsGroup: 65532
  workspaces:
  - name: shared-workspace
    volumeClaimTemplate:
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 2Gi
  - name: gcp-secret
    secret:
      secretName: gcp-service-account-key
  - name: git-secret
    secret:
      secretName: git-ssh-key-secret
  params:
    - name: repo-url
      value: git@bitbucket.org:anandjaisy/common.git


保持获取异常为pods "ft-common-run-clone-repository-pod" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "prepare", "place-scripts", "step-clone" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "prepare", "place-scripts", "step-clone" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "prepare", "place-scripts" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "prepare", "place-scripts", "step-clone" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

mnemlml8

mnemlml81#

在最新版本发布中有一些变化,这里是详细信息https://github.com/tektoncd/pipeline/blob/main/docs/additional-configs.md#running-taskruns-and-pipelineruns-with-restricted-pod-security-standards

注意:不鼓励在“tekton-pipeline”命名空间中运行TaskRuns和PipelineRuns。

这意味着您不能在tekton-pipelines命名空间中运行TaskRuns和PipelineRuns。所以我们必须创建自己的命名空间
解决问题的步骤
1.从URL中插入所有Tekton-pipeline组件,这些组件将安装在Tekton-pipeline命名空间中
1.使用kubectl create namespace <your-namespace-name>创建自己的命名空间
1.使用kubectl config set-context --current --namespace=$tekton_namespace切换到命名空间
1.应用pileline.yamlpileline-run.yaml
这应该能解决安全问题

相关问题