Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
s
strong-sunset-30
05/21/2023, 4:22 PMHey, is it possible to set the following Values inside the Helm chart to get this error away?
W0521 18:17:15.302970 19551 warnings.go:70] would violate PodSecurity "restricted:latest": privileged (container "longhorn-manager" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers "wait-longhorn-admission-webhook", "longhorn-manager" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "wait-longhorn-admission-webhook", "longhorn-manager" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "dev", "proc", "longhorn" use restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "wait-longhorn-admission-webhook", "longhorn-manager" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "wait-longhorn-admission-webhook", "longhorn-manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0521 18:17:15.341817 19551 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "longhorn-ui" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "longhorn-ui" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "longhorn-ui" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "longhorn-ui" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0521 18:17:15.341935 19551 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.runAsNonRoot=true), runAsUser=0 (pod must not set runAsUser=0), seccompProfile (pod or containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0521 18:17:15.342215 19551 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "longhorn-recovery-backend" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "longhorn-recovery-backend" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "longhorn-recovery-backend" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "longhorn-recovery-backend" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0521 18:17:15.342039 19551 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "longhorn-conversion-webhook" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "longhorn-conversion-webhook" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "longhorn-conversion-webhook" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "longhorn-conversion-webhook" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0521 18:17:15.351320 19551 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "wait-longhorn-conversion-webhook", "longhorn-admission-webhook" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "wait-longhorn-conversion-webhook", "longhorn-admission-webhook" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "wait-longhorn-conversion-webhook", "longhorn-admission-webhook" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "wait-longhorn-conversion-webhook", "longhorn-admission-webhook" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")helm show values longhorn/longhorn > values.yamla
aloof-branch-69545
05/22/2023, 10:32 AMYou can refer to this doc
https://longhorn.io/docs/1.4.2/deploy/important-notes/#pod-security-policies-disabled--pod-security-admission-introduction
hope this solve your issue
s
strong-sunset-30
05/22/2023, 3:54 PMPSP is Deprecated in Kubernetes 1.25
f
faint-sunset-36608
05/22/2023, 9:50 PMHello @strong-sunset-30. Could you clarify what version of Kubernetes you are using and how you have the longhorn-system namespace labeled? It sounds like you are already on Kubernetes v1.25+ with the Pod Security Admission Controller enabled. If so, it may be configured by default to warn against the restricted standard in any namespace that is not otherwise labeled (e.g. https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/#configure-the-admission-controller). If this is the case, consider labeling the longhorn-system namespace with the
<http://pod-security.kubernetes.io/warn|pod-security.kubernetes.io/warn>: privilegedExample with namespace set to warn on restricted:
eweber@laptop:~/longhorn> k get ns --show-labels longhorn-system
NAME STATUS AGE LABELS
longhorn-system Active 49s <http://kubernetes.io/metadata.name=longhorn-system,pod-security.kubernetes.io/warn-version=latest,pod-security.kubernetes.io/warn=restricted|kubernetes.io/metadata.name=longhorn-system,pod-security.kubernetes.io/warn-version=latest,pod-security.kubernetes.io/warn=restricted>
eweber@laptop:~/longhorn> helm install -n longhorn-system longhorn ./chart
W0523 08:47:48.530223 4438 warnings.go:70] would violate PodSecurity "restricted:latest": privileged (container "longhorn-manager" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "longhorn-manager" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "longhorn-manager" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "dev", "proc", "longhorn" use restricted volume type "hostPath"), runAsNonRoot != true (pod or container "longhorn-manager" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "longhorn-manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0523 08:47:48.631284 4438 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "longhorn-ui" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "longhorn-ui" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "longhorn-ui" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "longhorn-ui" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0523 08:47:48.648475 4438 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.runAsNonRoot=true), runAsUser=0 (pod must not set runAsUser=0), seccompProfile (pod or containers "wait-longhorn-manager", "longhorn-driver-deployer" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
NAME: longhorn
LAST DEPLOYED: Tue May 23 08:47:42 2023
NAMESPACE: longhorn-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Longhorn is now installed on the cluster!
Please wait a few minutes for other Longhorn components such as CSI deployments, Engine Images, and Instance Managers to be initialized.
Visit our documentation at <https://longhorn.io/docs/>eweber@laptop:~/longhorn> k get namespace --show-labels longhorn-system
NAME STATUS AGE LABELS
longhorn-system Active 43s <http://kubernetes.io/metadata.name=longhorn-system,pod-security.kubernetes.io/warn-version=latest,pod-security.kubernetes.io/warn=privileged|kubernetes.io/metadata.name=longhorn-system,pod-security.kubernetes.io/warn-version=latest,pod-security.kubernetes.io/warn=privileged>
eweber@laptop:~/longhorn> helm install -n longhorn-system longhorn ./chart/
NAME: longhorn
LAST DEPLOYED: Tue May 23 08:58:49 2023
NAMESPACE: longhorn-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Longhorn is now installed on the cluster!
Please wait a few minutes for other Longhorn components such as CSI deployments, Engine Images, and Instance Managers to be initialized.
Visit our documentation at <https://longhorn.io/docs/>❤️ 1
s
strong-sunset-30
05/23/2023, 2:03 PMThanks i try it out