NET_ADMIN capability issue with linkerd --pre check #2884

Closed
chzbrgr71 opened this issue Jun 3, 2019 · 3 comments · Fixed by #2958
Comments

@chzbrgr71

Bug Report

What is the issue?

On a freshly installed cluster in AKS, I ran linkerd check --pre. All checks pass except for "pre-kubernetes-capability". See output below.

FWIW, the linkerd install ends up working and seems to be functioning correctly.

Logs, error output, etc

linkerd check output

pre-kubernetes-capability
-------------------------
× has NET_ADMIN capability
    found 6 PodSecurityPolicies, but none provide NET_ADMIN
    see https://linkerd.io/checks/#pre-k8s-cluster-net-admin for hints

Environment

  • Kubernetes Version: 1.12.8
  • Cluster Environment: AKS
  • Host OS: Ubuntu
  • Linkerd version: stable-2.3.1

@ihcsim
Contributor

ihcsim commented Jun 3, 2019

FWIW, the linkerd install ends up working and seems to be functioning correctly.

Might be related to (or possibly the same as) #2849. tl;dr: though there are some PSP resources in the k8s cluster, they aren't enforced because the PSP admission controller isn't enabled. linkerd check --pre would still fail because it checks whether any of the existing PSP resources has the NET_ADMIN capability added.

@grampelberg
Contributor

@chzbrgr71 mind sharing your PSP?

@chzbrgr71
Author

I had not created any PSPs in my cluster. This is a vanilla AKS cluster. I did a quick check and found the below, but these were added after the error, when I was doing some Prometheus testing.

kubectl get psp --all-namespaces

NAME                                  PRIV    CAPS   SELINUX    RUNASUSER   FSGROUP     SUPGROUP    READONLYROOTFS   VOLUMES
kube-prometheus                       false          RunAsAny   RunAsAny    MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
kube-prometheus-alertmanager          false          RunAsAny   RunAsAny    MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
kube-prometheus-exporter-kube-state   false          RunAsAny   RunAsAny    MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
kube-prometheus-exporter-node         false          RunAsAny   RunAsAny    MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim,hostPath
kube-prometheus-grafana               false          RunAsAny   RunAsAny    MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim,hostPath
prometheus-operator                   false          RunAsAny   RunAsAny    MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim

@siggy siggy self-assigned this Jun 18, 2019
siggy added a commit that referenced this issue Jun 18, 2019
The change in #2920 introduced a PodSecurityPolicy, providing
`NET_ADMIN` capability to Linkerd. This eliminated the need for a
`NET_ADMIN` capability check in `linkerd check`, as the default
`linkerd install` now guarantees `NET_ADMIN` capability. At the same
time, this added a requirement that `linkerd install` create a
PodSecurityPolicy.

Remove the `NET_ADMIN` capability check from `linkerd check`. Introduce
a check to validate the user can create a PodSecurityPolicy.

Fixes #2884, #2849.

Signed-off-by: Andrew Seigner <[email protected]>
siggy added a commit that referenced this issue Jun 19, 2019
`linkerd check` validates whether PSP's exist, and if the caller has the
`NET_ADMIN` capability. This check was previously failing if `NET_ADMIN`
was not found, even in the case where the PSP admission controller was
not running. Related, `linkerd install` now includes a PSP, so
`linkerd check` should also validate that the caller can create PSP's.

Modify the `NET_ADMIN` check to warn, but not fail, if PSP's are found
but the caller does not have `NET_ADMIN`. Update the warning message to
mention that this is only a problem if the PSP admission controller is
running (and will only be a problem during injection, since #2920
handles control plane installation by adding its own PSP).

Also introduce a check to validate the caller can create PSP's.

Fixes #2884, #2849

Signed-off-by: Andrew Seigner <[email protected]>
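The check semantics the commit message above describes, written out as an added Go example (not Linkerd's own code): it uses a constructed PSP struct in place of the Kubernetes API types, honours the "*" wildcard in allowedCapabilities, and cannot observe whether the PSP admission controller is enabled, which is exactly why the "PSPs exist but none grant NET_ADMIN" case is a warning rather than a failure.

```go
package main

import "fmt"

// PSP is a constructed stand-in for a PodSecurityPolicy's capability fields (not the k8s API type).
type PSP struct {
	Name                string
	AllowedCapabilities []string
}

// Status is the check outcome; the fix turns the no-NET_ADMIN case from Fail into Warn.
type Status int

const (
	Pass Status = iota
	Warn
	Fail
)

// pspGrantsNetAdmin reports whether one PSP permits NET_ADMIN, via "*" or an explicit entry.
func pspGrantsNetAdmin(p PSP) bool {
	for _, c := range p.AllowedCapabilities {
		if c == "*" || c == "NET_ADMIN" {
			return true
		}
	}
	return false
}

// CheckNetAdmin: no PSPs passes, a PSP granting NET_ADMIN passes, and PSPs that grant no
// NET_ADMIN only warn, since they are inert unless the PSP admission controller is enabled.
func CheckNetAdmin(psps []PSP) (Status, string) {
	if len(psps) == 0 {
		return Pass, "no PodSecurityPolicies found; NET_ADMIN is not restricted"
	}
	for _, p := range psps {
		if pspGrantsNetAdmin(p) {
			return Pass, fmt.Sprintf("PodSecurityPolicy %q provides NET_ADMIN", p.Name)
		}
	}
	return Warn, fmt.Sprintf("found %d PodSecurityPolicies, but none provide NET_ADMIN; "+
		"only a problem if the PSP admission controller is enabled, and only for proxy injection", len(psps))
}

func main() {
	// Constructed sample mirroring the kubectl output in this issue (no NET_ADMIN anywhere).
	s, msg := CheckNetAdmin([]PSP{{Name: "kube-prometheus"}, {Name: "prometheus-operator"}})
	fmt.Println(s == Warn, msg)
}
```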
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 17, 2021