Some applications, for example Weave Scope, require privileged permissions to run. Because ICP does not allow a user to run an application with privileged permissions, such an application fails to run in an ICP environment. This article provides the steps to run applications that require privileged permissions in an ICP cluster environment.
For example, the Weave Scope application requests privileged permissions in its YAML file, as shown below.
...............
          image: 'weaveworks/scope:1.9.0'
          imagePullPolicy: IfNotPresent
          securityContext:
            privileged: true
          volumeMounts:
            - name: docker-socket
              mountPath: /var/run/docker.sock
            - name: scope-plugins
              mountPath: /var/run/scope/plugins
            - name: sys-kernel-debug
              mountPath: /sys/kernel/debug
      dnsPolicy: ClusterFirstWithHostNet
      hostNetwork: true
      hostPID: true
...............
If you deploy and run Weave Scope with the above YAML file in an ICP environment, you will see that the weave-scope-agent pod cannot be created and run. The 'kubectl describe pod <weave-scope-agent pod name>' command shows the error messages below.
...............
Warning FailedCreate 2m (x109 over 5h) daemonset-controller Error creating: pods "weave-scope-agent-" is forbidden: unable to validate against any pod security policy: [spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.containers[0].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used spec.containers[0].securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used]
...............
This article provides the detailed steps to resolve the above issue so that applications that require privileged permissions (for example, Weave Scope) can run in an ICP cluster environment.
By default, ICP already defines a PodSecurityPolicy resource named 'privileged', which you can use directly. Alternatively, you can create your own PodSecurityPolicy resource that grants privileged permission.
...............
[<user>@<host> Downloads]# kubectl get PodSecurityPolicy
NAME         DATA    CAPS   SELINUX    RUNASUSER   FSGROUP    SUPGROUP   READONLYROOTFS   VOLUMES
default      false   []     RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            [*]
privileged   true    [*]    RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            [*]
[<user>@<host> Downloads]# kubectl describe PodSecurityPolicy privileged
Name:  privileged

Settings:
  Allow Privileged:                true
  Default Add Capabilities:        <none>
  Required Drop Capabilities:      <none>
  Allowed Capabilities:            *
  Allowed Volume Types:            *
  Allow Host Network:              true
  Allow Host Ports:                1-65535
  Allow Host PID:                  true
  Allow Host IPC:                  true
  Read Only Root Filesystem:       false
  SELinux Context Strategy: RunAsAny
    User:   <none>
    Role:   <none>
    Type:   <none>
    Level:  <none>
  Run As User Strategy: RunAsAny
    Ranges:  <none>
  FSGroup Strategy: RunAsAny
    Ranges:  <none>
  Supplemental Groups Strategy: RunAsAny
    Ranges:  <none>
[<user>@<host> Downloads]#
...............
Update the application YAML file so that the ClusterRole definition includes a rule allowing the 'use' verb on the 'privileged' PodSecurityPolicy resource. The pod security policy admission controller only admits the privileged pod if the service account the pod runs as is bound to a role carrying this rule.
...............
- apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: ClusterRole
  metadata:
    name: weave-scope
    labels:
      name: weave-scope
  rules:
    - apiGroups:
        - ''
      resources:
        - pods
      verbs:
        - get
        - list
        - watch
        - delete
    ......
    - apiGroups:
        - extensions
      resources:
        - podsecuritypolicies
      resourceNames:
        - privileged
      verbs:
        - use
...............
Run the 'kubectl apply -f <NEW_YAML_FILE>' command to apply the changes.
Run the 'kubectl get pods' command to check that the application pods are now created and running.
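The following is an added example, not code from the IBM article or from the Weave Scope project. It models, with plain Python dictionaries instead of YAML so it runs offline, the two checks that decide whether the weave-scope-agent pod above is admitted: first the PodSecurityPolicy comparison that produces the FailedCreate error (only the privileged, hostNetwork and hostPID fields named in the article's error message are modelled), and then the RBAC question of whether the application's ClusterRole grants 'use' on the named PodSecurityPolicy. The pod spec, the two PodSecurityPolicy summaries and the ClusterRole are constructed sample data taken from the listings above; the function names are this example's own.

```python
# Added example (not from the IBM article or the Weave Scope project):
# a simplified model of PodSecurityPolicy admission plus the RBAC 'use'
# check that the article's ClusterRole rule satisfies.

# Constructed sample: the Weave Scope agent pod spec fields from the article.
WEAVE_SCOPE_AGENT = {
    "hostNetwork": True,
    "hostPID": True,
    "containers": [
        {"name": "scope-agent", "securityContext": {"privileged": True}},
    ],
}

# Constructed samples summarising `kubectl describe PodSecurityPolicy` output.
PSP_DEFAULT = {"privileged": False, "hostNetwork": False, "hostPID": False}
PSP_PRIVILEGED = {"privileged": True, "hostNetwork": True, "hostPID": True}


def psp_violations(pod_spec, psp):
    """Return the violations a pod spec produces against a PodSecurityPolicy.

    Only privileged, hostNetwork and hostPID are modelled here; a real policy
    also checks capabilities, volume types, host ports, run-as user and more.
    """
    violations = []
    if pod_spec.get("hostNetwork") and not psp.get("hostNetwork"):
        violations.append("spec.securityContext.hostNetwork: "
                          "Host network is not allowed to be used")
    if pod_spec.get("hostPID") and not psp.get("hostPID"):
        violations.append("spec.securityContext.hostPID: "
                          "Host PID is not allowed to be used")
    for i, container in enumerate(pod_spec.get("containers", [])):
        sc = container.get("securityContext") or {}
        if sc.get("privileged") and not psp.get("privileged"):
            violations.append(f"spec.containers[{i}].securityContext.privileged: "
                              "Privileged containers are not allowed")
    return violations


def role_grants_use(role, psp_name):
    """True if any rule in the (Cluster)Role allows the 'use' verb on psp_name.

    PodSecurityPolicies lived in the 'extensions' API group when the article
    was written and later moved to 'policy'; both are accepted. An empty
    resourceNames list means every policy, and a wildcard verb also counts.
    """
    for rule in role.get("rules", []):
        if not {"extensions", "policy", "*"} & set(rule.get("apiGroups", [])):
            continue
        if not {"podsecuritypolicies", "*"} & set(rule.get("resources", [])):
            continue
        names = rule.get("resourceNames", [])
        if names and psp_name not in names:
            continue
        if {"use", "*"} & set(rule.get("verbs", [])):
            return True
    return False


# Constructed ClusterRole: the pods rule plus the rule the article adds.
WEAVE_SCOPE_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "weave-scope"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"],
         "verbs": ["get", "list", "watch", "delete"]},
        {"apiGroups": ["extensions"], "resources": ["podsecuritypolicies"],
         "resourceNames": ["privileged"], "verbs": ["use"]},
    ],
}

# The same role before the article's fix: no podsecuritypolicies rule at all.
ROLE_WITHOUT_PSP_RULE = {"rules": WEAVE_SCOPE_ROLE["rules"][:1]}


if __name__ == "__main__":
    print("against default PSP:", psp_violations(WEAVE_SCOPE_AGENT, PSP_DEFAULT))
    print("against privileged PSP:", psp_violations(WEAVE_SCOPE_AGENT, PSP_PRIVILEGED))
    print("role grants use of privileged PSP:",
          role_grants_use(WEAVE_SCOPE_ROLE, "privileged"))
    print("role before the fix:", role_grants_use(ROLE_WITHOUT_PSP_RULE, "privileged"))
```

Against the 'default' policy the agent spec fails on all three fields, which is why the controller reports the pod as forbidden; against 'privileged' it passes, but only once the role bound to the pod's service account carries the 'use' rule. Keeping resourceNames limited to the one policy, and binding the role only to the service account of the workload that needs it, is what keeps this from turning into a cluster-wide grant of privileged, host-network pods.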