Cluster information:
Kubernetes version: 1.18.3
Cloud being used: baremetal
Installation method: rancher
Host OS: OracleLinux 7.8
CNI and version: calico-cni:v3.13.4
CRI and version: docker 19.3.11
I am using rancher for cluster management and cluster creation (RKE). I have enabled restricted pod security policies in the cluster. If I try to create a deployment with restricted access, the replicaset fails to create the pod due to a PSP violation.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: privileged-deploy
  name: privileged-deploy
  namespace: psp-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: privileged-deploy
  template:
    metadata:
      labels:
        app: privileged-deploy
    spec:
      containers:
      - image: docker.io/alpine:3.9
        name: shell
        command: [ "nsenter" ]
        args: ["-t", "1", "-m", "-u", "-i", "-n", "sleep", "14000"]
        stdin: true
        tty: true
        securityContext:
          privileged: true
      hostPID: true
      hostNetwork: true
      hostIPC: true
This fails:
Events:
Type Reason Age From Message
Warning FailedCreate 7m35s (x20 over 46m) replicaset-controller Error creating: pods “privileged-deploy-7689c779c5-” is forbidden: unable to validate against any pod security policy: [spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used spec.securityContext.hostIPC: Invalid value: true: Host IPC is not allowed to be used spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]
If I deploy a pod directly with certain specs, I can gain root access on nodes.
apiVersion: v1
kind: Pod
metadata:
  name: root-access
spec:
  hostPID: true
  hostIPC: true
  hostNetwork: true
  containers:
  - name: shell
    image: docker.io/alpine:3.9
    command: [ "nsenter" ]
    args: ["-t", "1", "-m", "-u", "-i", "-n", "sleep", "14000"]
    securityContext:
      privileged: true
This creates a pod without any issue. It’s like the psp does not apply to pod spec directly. I can only assume that I am not doing something incorrectly, or this is a bug. It boggles my mind that the deployment fails, but creating a pod directly fails.
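The four checks listed in the admission error above, applied to a Deployment's pod template and to a bare Pod alike, as an added example of a pre-submission manifest lint (my code, not from the post or from Rancher; the two manifests are the post's YAML re-typed as dicts, and the helper names `pod_spec_of`, `restricted_violations` and `lint` are my own):

```python
# Added example (not from the original post): apply the four restricted-PSP checks
# named in the admission error to a Deployment's pod template and to a bare Pod
# alike, so a manifest can be linted before it reaches the API server.
# The manifests below are the post's own YAML re-typed as Python dicts.
DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "hostPID": True, "hostNetwork": True, "hostIPC": True,
        "containers": [{"name": "shell", "image": "docker.io/alpine:3.9",
                        "securityContext": {"privileged": True}}],
    }}},
}
POD = {
    "kind": "Pod",
    "spec": {
        "hostPID": True, "hostIPC": True, "hostNetwork": True,
        "containers": [{"name": "shell", "image": "docker.io/alpine:3.9",
                        "securityContext": {"privileged": True}}],
    },
}
# (field, label) pairs in the order the admission controller reports them
HOST_NAMESPACE_FIELDS = [("hostNetwork", "Host network"),
                         ("hostPID", "Host PID"), ("hostIPC", "Host IPC")]

def pod_spec_of(manifest):
    """Return the pod spec whether the manifest is a Pod or carries a pod template."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]

def restricted_violations(pod_spec):
    """Reproduce the restricted PSP's messages for host namespaces and privileged containers."""
    found = []
    for field, label in HOST_NAMESPACE_FIELDS:
        if pod_spec.get(field) is True:
            found.append(f"spec.securityContext.{field}: Invalid value: true: "
                         f"{label} is not allowed to be used")
    # PSP validates init containers with the same rule, under their own path
    for section in ("initContainers", "containers"):
        for i, container in enumerate(pod_spec.get(section, [])):
            if container.get("securityContext", {}).get("privileged") is True:
                found.append(f"spec.{section}[{i}].securityContext.privileged: "
                             "Invalid value: true: Privileged containers are not allowed")
    return found

def lint(manifest):
    """Violations for one manifest; an empty list means these checks pass."""
    return restricted_violations(pod_spec_of(manifest))
```

Both manifests fail these checks identically, which points the investigation away from the spec and toward authorization: the PSP admission controller only considers policies the requesting identity may `use`, so a cluster-admin user creating the Pod directly can match a permissive PSP while the ReplicaSet controller's service account is limited to the restricted one.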