pods are not created in namespace from pod security policy


I know the PSP is deprecated, but it is still mandatory in our cluster. We are having a problem with the deployment of linkerd viz. I created a role, rolebinding and psp; there is a problem when creating pods in namespace linkerd-viz

8m27s       Warning   FailedCreate        replicaset/web-cb5fc858f             Error creating: pods "web-cb5fc858f-" is forbidden: PodSecurityPolicy: unable to admit pod: [spec.initContainers[0].securityContext.capabilities.add: Invalid value: "NET_ADMIN": capability may not be added spec.initContainers[0].securityContext.capabilities.add: Invalid value: "NET_RAW": capability may not be added spec.initContainers[0].securityContext.allowPrivilegeEscalation: Invalid value: true: Allowing privilege escalation for containers is not allowed pod.metadata.annotations[seccomp.security.alpha.kubernetes.io/pod]: Forbidden: seccomp may not be set pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/linkerd-init]: Forbidden: seccomp may not be set spec.initContainers[0].securityContext.allowPrivilegeEscalation: Invalid value: true: Allowing privilege escalation for containers is not allowed pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/linkerd-proxy]: Forbidden: seccomp may not be set pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/web]: Forbidden: seccomp may not be set]
11m         Warning   FailedCreate        replicaset/web-cb5fc858f             Error creating: pods "web-cb5fc858f-" is forbidden: PodSecurityPolicy: unable to admit pod: [pod.metadata.annotations[seccomp.security.alpha.kubernetes.io/pod]: Forbidden: seccomp may not be set pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/linkerd-init]: Forbidden: seccomp may not be set spec.initContainers[0].securityContext.allowPrivilegeEscalation: Invalid value: true: Allowing privilege escalation for containers is not allowed pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/linkerd-proxy]: Forbidden: seccomp may not be set pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/web]: Forbidden: seccomp may not be set spec.initContainers[0].securityContext.capabilities.add: Invalid value: "NET_ADMIN": capability may not be added spec.initContainers[0].securityContext.capabilities.add: Invalid value: "NET_RAW": capability may not be added spec.initContainers[0].securityContext.allowPrivilegeEscalation: Invalid value: true: Allowing privilege escalation for containers is not allowed]

psp

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  labels:
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-linkerd-control-plane
spec:
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - NET_ADMIN
  - NET_RAW
  fsGroup:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  readOnlyRootFilesystem: true
  requiredDropCapabilities:
  - ALL
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  volumes:
  - configMap
  - emptyDir
  - secret
  - projected
  - downwardAPI
  - persistentVolumeClaim

role

apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    labels:
      linkerd.io/extension: viz
    name: psp
    namespace: linkerd-viz
  rules:
  - apiGroups:
    - policy
    - extensions
    resourceNames:
    - linkerd-linkerd-control-plane
    resources:
    - podsecuritypolicies
    verbs:
    - use
kind: List
metadata:
  resourceVersion: ""

rolebinding

apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    labels:
      linkerd.io/extension: viz
      namespace: linkerd-viz
    name: viz-psp
    namespace: linkerd-viz
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: psp
  subjects:
  - kind: ServiceAccount
    name: tap
    namespace: linkerd-viz
  - kind: ServiceAccount
    name: web
    namespace: linkerd-viz
  - kind: ServiceAccount
    name: prometheus
    namespace: linkerd-viz
  - kind: ServiceAccount
    name: metrics-api
    namespace: linkerd-viz
  - kind: ServiceAccount
    name: tap-injector
    namespace: linkerd-viz
kind: List
metadata:
  resourceVersion: ""

What could be the reason? It seems that all policies are issued correctly.

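To check a PSP against a pod spec offline, the script below mirrors the three admission checks that produce the error classes in the events above: `capabilities.add` against `allowedCapabilities`, `allowPrivilegeEscalation`, and the seccomp annotations against the PSP's `seccomp.security.alpha.kubernetes.io/allowedProfileNames` annotation (a PSP with no such annotation rejects any pod seccomp annotation with "seccomp may not be set"). It also reproduces how the admission controller aggregates the rejections of every candidate PSP into one list, which is why errors from one PSP (capabilities, privilege escalation) can appear interleaved with errors from another (seccomp). This is an added example, not code from the question, Linkerd or Kubernetes; the pod spec is a constructed approximation of an injected linkerd-viz web pod, and the restrictive PSP is constructed for contrast.

```python
"""Offline re-implementation of three PodSecurityPolicy admission checks.

Added example; the pod and the restrictive PSP are constructed, the
linkerd-linkerd-control-plane PSP is the one from the question.
"""
import copy
from typing import Dict, List, Optional, Tuple

SECCOMP_POD_ANN = "seccomp.security.alpha.kubernetes.io/pod"
SECCOMP_CONTAINER_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"
PSP_ALLOWED_PROFILES_ANN = "seccomp.security.alpha.kubernetes.io/allowedProfileNames"


def check_pod_against_psp(pod: Dict, psp: Dict) -> List[str]:
    """Return the violations of `pod` under `psp` (empty list = admitted).

    Messages follow the wording of the real admission errors so they can be
    matched against `kubectl get events` output.
    """
    errors: List[str] = []
    spec = psp["spec"]
    allowed_caps = set(spec.get("allowedCapabilities", []))
    priv_esc_allowed = spec.get("allowPrivilegeEscalation", True)  # PSP default is true

    # seccomp: with no allowedProfileNames annotation on the PSP, any seccomp
    # annotation on the pod is rejected; "*" allows every profile.
    raw = psp.get("metadata", {}).get("annotations", {}).get(PSP_ALLOWED_PROFILES_ANN, "")
    allowed_profiles = {p.strip() for p in raw.split(",") if p.strip()}
    for key, value in pod.get("metadata", {}).get("annotations", {}).items():
        if key == SECCOMP_POD_ANN or key.startswith(SECCOMP_CONTAINER_PREFIX):
            if not allowed_profiles:
                errors.append(f"pod.metadata.annotations[{key}]: Forbidden: seccomp may not be set")
            elif "*" not in allowed_profiles and value not in allowed_profiles:
                errors.append(f"pod.metadata.annotations[{key}]: Forbidden: {value} is not an allowed seccomp profile")

    # per-container checks: added capabilities and privilege escalation
    for field in ("initContainers", "containers"):
        for i, container in enumerate(pod["spec"].get(field, [])):
            sc = container.get("securityContext", {})
            path = f"spec.{field}[{i}].securityContext"
            for cap in sc.get("capabilities", {}).get("add", []):
                if "*" not in allowed_caps and cap not in allowed_caps:
                    errors.append(f'{path}.capabilities.add: Invalid value: "{cap}": capability may not be added')
            if sc.get("allowPrivilegeEscalation") is True and not priv_esc_allowed:
                errors.append(f"{path}.allowPrivilegeEscalation: Invalid value: true: "
                              "Allowing privilege escalation for containers is not allowed")
    return errors


def admit(pod: Dict, candidate_psps: List[Dict]) -> Tuple[Optional[str], List[str]]:
    """Try every PSP the requester or pod service account may use, in order.

    Returns the name of the first admitting PSP, or None plus the aggregated
    errors of all candidates (the shape of the event text in the question).
    """
    aggregated: List[str] = []
    for psp in candidate_psps:
        errs = check_pod_against_psp(pod, psp)
        if not errs:
            return psp["metadata"]["name"], []
        aggregated.extend(errs)
    return None, aggregated


def with_seccomp_allowlist(psp: Dict, profiles: str = "runtime/default,docker/default") -> Dict:
    """Copy of `psp` with the seccomp allow-list annotation added."""
    fixed = copy.deepcopy(psp)
    fixed["metadata"].setdefault("annotations", {})[PSP_ALLOWED_PROFILES_ANN] = profiles
    return fixed


# PSP from the question (only the fields these checks read)
QUESTION_PSP = {
    "metadata": {"name": "linkerd-linkerd-control-plane"},
    "spec": {"allowPrivilegeEscalation": True, "allowedCapabilities": ["NET_ADMIN", "NET_RAW"],
             "requiredDropCapabilities": ["ALL"]},
}

# Constructed restrictive PSP: allows seccomp profiles but no caps / escalation
RESTRICTED_PSP = {
    "metadata": {"name": "restricted", "annotations": {PSP_ALLOWED_PROFILES_ANN: "*"}},
    "spec": {"allowPrivilegeEscalation": False, "allowedCapabilities": []},
}

# Constructed approximation of an injected linkerd-viz web pod
LINKERD_LIKE_POD = {
    "metadata": {"annotations": {
        SECCOMP_POD_ANN: "runtime/default",
        SECCOMP_CONTAINER_PREFIX + "linkerd-init": "runtime/default",
        SECCOMP_CONTAINER_PREFIX + "linkerd-proxy": "runtime/default",
        SECCOMP_CONTAINER_PREFIX + "web": "runtime/default",
    }},
    "spec": {
        "initContainers": [{"name": "linkerd-init", "securityContext": {
            "allowPrivilegeEscalation": True,
            "capabilities": {"add": ["NET_ADMIN", "NET_RAW"], "drop": ["ALL"]}}}],
        "containers": [
            {"name": "linkerd-proxy", "securityContext": {"allowPrivilegeEscalation": False}},
            {"name": "web"},
        ],
    },
}

if __name__ == "__main__":
    for e in check_pod_against_psp(LINKERD_LIKE_POD, QUESTION_PSP):
        print("question PSP:", e)
    print("admitted by:", admit(LINKERD_LIKE_POD, [RESTRICTED_PSP, with_seccomp_allowlist(QUESTION_PSP)])[0])
```

Against the PSP as posted the pod fails on the four seccomp annotations alone, while capabilities and privilege escalation pass; adding the `allowedProfileNames` annotation makes it admissible. When a candidate set mixes a restrictive PSP with this one, the aggregated list shows both PSPs' rejections, so match each error to the PSP that produced it before editing a policy.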