This message was deleted Rancher Users #longhorn-storage

Join Slack

This message was deleted.

# longhorn-storage

adamant-kite-43734

05/21/2023, 4:22 PM

This message was deleted.

aloof-branch-69545

05/22/2023, 10:32 AM

You can refer to this doc https://longhorn.io/docs/1.4.2/deploy/important-notes/#pod-security-policies-disabled--pod-security-admission-introduction hope this solve your issue

strong-sunset-30

05/22/2023, 3:54 PM

PSP is Deprecated in Kubernetes 1.25

faint-sunset-36608

05/22/2023, 9:50 PM

Hello @strong-sunset-30. Could you clarify what version of Kubernetes you are using and how you have the longhorn-system namespace labeled? It sounds like you are already on Kubernetes v1.25+ with the Pod Security Admission Controller enabled. If so, it may be configured by default to warn against the restricted standard in any namespace that is not otherwise labeled (e.g. https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/#configure-the-admission-controller). If this is the case, consider labeling the longhorn-system namespace with the

<http://pod-security.kubernetes.io/warn|pod-security.kubernetes.io/warn>: privileged

label as discussed in @aloof-branch-69545's link. This may eliminate the warnings you are seeing. If it does, please let us know!

faint-sunset-36608

05/23/2023, 1:59 PM

Example with namespace set to warn on restricted:

Copy code

eweber@laptop:~/longhorn> k get ns --show-labels longhorn-system
NAME              STATUS   AGE   LABELS
longhorn-system   Active   49s   <http://kubernetes.io/metadata.name=longhorn-system,pod-security.kubernetes.io/warn-version=latest,pod-security.kubernetes.io/warn=restricted|kubernetes.io/metadata.name=longhorn-system,pod-security.kubernetes.io/warn-version=latest,pod-security.kubernetes.io/warn=restricted>
eweber@laptop:~/longhorn> helm install -n longhorn-system longhorn ./chart
W0523 08:47:48.530223    4438 warnings.go:70] would violate PodSecurity "restricted:latest": privileged (container "longhorn-manager" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "longhorn-manager" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "longhorn-manager" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "dev", "proc", "longhorn" use restricted volume type "hostPath"), runAsNonRoot != true (pod or container "longhorn-manager" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "longhorn-manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0523 08:47:48.631284    4438 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "longhorn-ui" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "longhorn-ui" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "longhorn-ui" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "longhorn-ui" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0523 08:47:48.648475    4438 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.runAsNonRoot=true), runAsUser=0 (pod must not set runAsUser=0), seccompProfile (pod or containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
NAME: longhorn
LAST DEPLOYED: Tue May 23 08:47:42 2023
NAMESPACE: longhorn-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Longhorn is now installed on the cluster!

Please wait a few minutes for other Longhorn components such as CSI deployments, Engine Images, and Instance Managers to be initialized.

Visit our documentation at <https://longhorn.io/docs/>

Example with namespace set to warn on privileged (the default in my cluster, but I labelled the namespace anyway):

Copy code

eweber@laptop:~/longhorn> k get namespace --show-labels longhorn-system
NAME              STATUS   AGE   LABELS
longhorn-system   Active   43s   <http://kubernetes.io/metadata.name=longhorn-system,pod-security.kubernetes.io/warn-version=latest,pod-security.kubernetes.io/warn=privileged|kubernetes.io/metadata.name=longhorn-system,pod-security.kubernetes.io/warn-version=latest,pod-security.kubernetes.io/warn=privileged>
eweber@laptop:~/longhorn> helm install -n longhorn-system longhorn ./chart/
NAME: longhorn
LAST DEPLOYED: Tue May 23 08:58:49 2023
NAMESPACE: longhorn-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Longhorn is now installed on the cluster!

Please wait a few minutes for other Longhorn components such as CSI deployments, Engine Images, and Instance Managers to be initialized.

Visit our documentation at <https://longhorn.io/docs/>

❤️ 1

strong-sunset-30

05/23/2023, 2:03 PM

Thanks i try it out

309 Views

Open in Slack

Previous Next