# longhorn-storage
s
PSP is Deprecated in Kubernetes 1.25
f
Hello @strong-sunset-30. Could you clarify what version of Kubernetes you are using and how you have the longhorn-system namespace labeled? It sounds like you are already on Kubernetes v1.25+ with the Pod Security Admission Controller enabled. If so, it may be configured by default to warn against the restricted standard in any namespace that is not otherwise labeled (e.g. https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/#configure-the-admission-controller). If this is the case, consider labeling the longhorn-system namespace with the pod-security.kubernetes.io/warn: privileged label as discussed in @aloof-branch-69545's link. This may eliminate the warnings you are seeing. If it does, please let us know!
Example with namespace set to warn on restricted:
```
eweber@laptop:~/longhorn> k get ns --show-labels longhorn-system
NAME              STATUS   AGE   LABELS
longhorn-system   Active   49s   kubernetes.io/metadata.name=longhorn-system,pod-security.kubernetes.io/warn-version=latest,pod-security.kubernetes.io/warn=restricted
eweber@laptop:~/longhorn> helm install -n longhorn-system longhorn ./chart
W0523 08:47:48.530223    4438 warnings.go:70] would violate PodSecurity "restricted:latest": privileged (container "longhorn-manager" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "longhorn-manager" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "longhorn-manager" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "dev", "proc", "longhorn" use restricted volume type "hostPath"), runAsNonRoot != true (pod or container "longhorn-manager" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "longhorn-manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0523 08:47:48.631284    4438 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "longhorn-ui" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "longhorn-ui" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "longhorn-ui" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "longhorn-ui" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0523 08:47:48.648475    4438 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.runAsNonRoot=true), runAsUser=0 (pod must not set runAsUser=0), seccompProfile (pod or containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
NAME: longhorn
LAST DEPLOYED: Tue May 23 08:47:42 2023
NAMESPACE: longhorn-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Longhorn is now installed on the cluster!

Please wait a few minutes for other Longhorn components such as CSI deployments, Engine Images, and Instance Managers to be initialized.

Visit our documentation at https://longhorn.io/docs/
```
Example with namespace set to warn on privileged (the default in my cluster, but I labelled the namespace anyway):
```
eweber@laptop:~/longhorn> k get namespace --show-labels longhorn-system
NAME              STATUS   AGE   LABELS
longhorn-system   Active   43s   kubernetes.io/metadata.name=longhorn-system,pod-security.kubernetes.io/warn-version=latest,pod-security.kubernetes.io/warn=privileged
eweber@laptop:~/longhorn> helm install -n longhorn-system longhorn ./chart/
NAME: longhorn
LAST DEPLOYED: Tue May 23 08:58:49 2023
NAMESPACE: longhorn-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Longhorn is now installed on the cluster!

Please wait a few minutes for other Longhorn components such as CSI deployments, Engine Images, and Instance Managers to be initialized.

Visit our documentation at https://longhorn.io/docs/
```
s
Thanks, I'll try it out.