From a59eb661280a9443ef7192cc3d0a0658af034bef Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Tue, 24 Oct 2023 14:30:05 -0700 Subject: [PATCH 01/21] PAC-828 Document addition of namespace labels for pods needing elevated privileges --- .../troubleshooting/cluster-deployment.md | 27 ++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/docs/docs-content/troubleshooting/cluster-deployment.md b/docs/docs-content/troubleshooting/cluster-deployment.md index 6ac9a30ce6..7af3402788 100644 --- a/docs/docs-content/troubleshooting/cluster-deployment.md +++ b/docs/docs-content/troubleshooting/cluster-deployment.md @@ -17,7 +17,8 @@ tags: ["troubleshooting", "cluster-deployment"] The following steps will help you troubleshoot errors in the event issues arise while deploying a cluster. -## Scenario - Instances Continuously Delete Every 30 Minutes +## Instances Continuously Delete Every 30 Minutes + An instance is launched and terminated every 30 minutes prior to completion of its deployment, and the **Events Tab** lists errors with the following message: 
@@ -94,6 +95,30 @@ Common reasons for why a service may fail are: 6. Check stdout for errors. You can also open a support ticket. Visit our [support page](http://support.spectrocloud.io/). +## Deployment Violates Pod Security +In profiles running Kubernetes 1.25 or later, some packs contain pods that need elevated privileges during Pod creation. +When you try to deploy a cluster with such packs, you get an error message that looks like the following: + +``` +Error creating: pods is forbidden: violates PodSecurity "baseline:v": non-default capabilities … +``` + +### Debug Steps + +You can change the Pod Security Standards of the namepace where the Pod is being created to address this issue. + +1. Log in to *Palette* and navigate to the *Profiles* tab. +2. Select the profile you are trying to deploy the cluster with and choose the layer that represents your pack. +3. In the YAML file for your pack, under the `pack` field, add a subfield `namespaceLabels`. 4. In the `namespaceLabels` field, add a subfield with the name of your namespace as the key and `pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v` as the value. Replace `` with the version of Kubernetes that runs on your cluster. + - For example, if you the pack creates a namespace called "monitoring", add the labels to the monitoring namespace: + ```yaml + pack: + namespace: "monitoring" + + namespaceLabels: + "monitoring": "org=spectro,team=dev,pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v1.28" + ``` + ## Gateway Installer Registration Failures From d43a9e868610130a466576da964c4c55de2601c8 Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Tue, 24 Oct 2023 14:37:04 -0700 Subject: [PATCH 02/21] fix formatting --- docs/docs-content/troubleshooting/cluster-deployment.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
diff --git a/docs/docs-content/troubleshooting/cluster-deployment.md b/docs/docs-content/troubleshooting/cluster-deployment.md index 7af3402788..b378aeaf43 100644 --- a/docs/docs-content/troubleshooting/cluster-deployment.md +++ b/docs/docs-content/troubleshooting/cluster-deployment.md @@ -107,10 +107,11 @@ Error creating: pods is forbidden: violates PodSecurity "baseline: You can change the Pod Security Standards of the namepace where the Pod is being created to address this issue. -1. Log in to *Palette* and navigate to the *Profiles* tab. +1. Log in to **Palette** and navigate to the **Profiles** tab. 2. Select the profile you are trying to deploy the cluster with and choose the layer that represents your pack. -3. In the YAML file for your pack, under the `pack` field, add a subfield `namespaceLabels`. 4. In the `namespaceLabels` field, add a subfield with the name of your namespace as the key and `pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v` as the value. Replace `` with the version of Kubernetes that runs on your cluster. - - For example, if you the pack creates a namespace called "monitoring", add the labels to the monitoring namespace: +3. In the YAML file for your pack, under the `pack` field, add a subfield `namespaceLabels`. +4. In the `namespaceLabels` field, add a subfield with the name of your namespace as the key and `pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v` as the value. Replace `` with the version of Kubernetes that runs on your cluster. + - For example, if you the pack creates a namespace called `monitoring`, add the labels to the `monitoring` namespace: ```yaml pack: namespace: "monitoring" From bc70920a5bf804faf44ecc545c4030025e092cbe Mon Sep 17 00:00:00 2001 
From: Lenny Chen Date: Tue, 24 Oct 2023 14:41:34 -0700 Subject: [PATCH 03/21] clarify cluster profile --- docs/docs-content/troubleshooting/cluster-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs-content/troubleshooting/cluster-deployment.md b/docs/docs-content/troubleshooting/cluster-deployment.md index b378aeaf43..f597e42fe5 100644 --- a/docs/docs-content/troubleshooting/cluster-deployment.md +++ b/docs/docs-content/troubleshooting/cluster-deployment.md @@ -96,7 +96,7 @@ Common reasons for why a service may fail are: 6. Check stdout for errors. You can also open a support ticket. Visit our [support page](http://support.spectrocloud.io/). ## Deployment Violates Pod Security -In profiles running Kubernetes 1.25 or later, some packs contain pods that need elevated privileges during Pod creation. +In cluster profiles running Kubernetes 1.25 or later, some packs contain Pods that need elevated privileges during Pod creation. When you try to deploy a cluster with such packs, you get an error message that looks like the following: ``` From 2e473eae1252226cdf596e44c9eb5dc73691c0eb Mon Sep 17 00:00:00 2001 From: Lenny Chen <55669665+lennessyy@users.noreply.github.com> Date: Tue, 24 Oct 2023 16:43:06 -0700 Subject: [PATCH 04/21] Update docs/docs-content/troubleshooting/cluster-deployment.md Co-authored-by: Rita Watson <117382432+ritawatson@users.noreply.github.com> --- docs/docs-content/troubleshooting/cluster-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs-content/troubleshooting/cluster-deployment.md b/docs/docs-content/troubleshooting/cluster-deployment.md index f597e42fe5..cc685647a0 100644 --- a/docs/docs-content/troubleshooting/cluster-deployment.md +++ b/docs/docs-content/troubleshooting/cluster-deployment.md 
@@ -96,7 +96,7 @@ Common reasons for why a service may fail are: 6. Check stdout for errors. You can also open a support ticket. Visit our [support page](http://support.spectrocloud.io/). ## Deployment Violates Pod Security -In cluster profiles running Kubernetes 1.25 or later, some packs contain Pods that need elevated privileges during Pod creation. +Cluster deployment fails with the following message. When you try to deploy a cluster with such packs, you get an error message that looks like the following: ``` From ab2ed5b20b955fd52156cc2a59105dd4c5e07524 Mon Sep 17 00:00:00 2001 From: Lenny Chen <55669665+lennessyy@users.noreply.github.com> Date: Tue, 24 Oct 2023 16:43:55 -0700 Subject: [PATCH 05/21] Update docs/docs-content/troubleshooting/cluster-deployment.md Co-authored-by: Rita Watson <117382432+ritawatson@users.noreply.github.com> --- docs/docs-content/troubleshooting/cluster-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs-content/troubleshooting/cluster-deployment.md b/docs/docs-content/troubleshooting/cluster-deployment.md index cc685647a0..c6e81d4380 100644 --- a/docs/docs-content/troubleshooting/cluster-deployment.md +++ b/docs/docs-content/troubleshooting/cluster-deployment.md @@ -97,7 +97,7 @@ Common reasons for why a service may fail are: ## Deployment Violates Pod Security Cluster deployment fails with the following message. -When you try to deploy a cluster with such packs, you get an error message that looks like the following: +This can happen when the cluster profile uses Kubernetes 1.25 or later and indicates the pod needs elevated privileges to be created. ``` Error creating: pods is forbidden: violates PodSecurity "baseline:v": non-default capabilities … From 4fa7bc711f99dc35120b8db799b8d5a7839711a5 Mon Sep 17 00:00:00 2001 
From: Lenny Chen Date: Tue, 24 Oct 2023 16:52:23 -0700 Subject: [PATCH 06/21] Style guide edits --- .../troubleshooting/cluster-deployment.md | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/docs/docs-content/troubleshooting/cluster-deployment.md b/docs/docs-content/troubleshooting/cluster-deployment.md index c6e81d4380..dec754ac1c 100644 --- a/docs/docs-content/troubleshooting/cluster-deployment.md +++ b/docs/docs-content/troubleshooting/cluster-deployment.md 
@@ -97,20 +97,27 @@ Common reasons for why a service may fail are: ## Deployment Violates Pod Security Cluster deployment fails with the following message. -This can happen when the cluster profile uses Kubernetes 1.25 or later and indicates the pod needs elevated privileges to be created. ``` Error creating: pods is forbidden: violates PodSecurity "baseline:v": non-default capabilities … ``` +This can happen when the cluster profile uses Kubernetes 1.25 or later and also includes packs that create Pods requiring elevated privileges . + ### Debug Steps You can change the Pod Security Standards of the namepace where the Pod is being created to address this issue. -1. Log in to **Palette** and navigate to the **Profiles** tab. -2. Select the profile you are trying to deploy the cluster with and choose the layer that represents your pack. -3. In the YAML file for your pack, under the `pack` field, add a subfield `namespaceLabels`. -4. In the `namespaceLabels` field, add a subfield with the name of your namespace as the key and `pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v` as the value. Replace `` with the version of Kubernetes that runs on your cluster. +1. Log in to [Palette](https://console.spectrocloud.com). + +2. Navigate to the left **Main Menu** and click on **Profiles**. + +3. Select the profile you are trying to deploy the cluster with and choose the layer that represents your pack. + +4. In the YAML file for that pack, under the `pack` field, add a subfield `namespaceLabels` if it doesn't already exist. + +5. In the `namespaceLabels` field, add a subfield with the name of your namespace as the key and add `pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v` as its value. Replace `` with the version of Kubernetes that runs on your cluster. + - If a key matching your namespace already exists here, add the labels to the value corresponding to that key. 
- For example, if you the pack creates a namespace called `monitoring`, add the labels to the `monitoring` namespace: ```yaml pack: From 22fcfcdf2f3bd3b4466363780b0ebc18b814fded Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Wed, 25 Oct 2023 10:48:07 -0700 Subject: [PATCH 07/21] Add clarification for multiple namespaces --- .../troubleshooting/cluster-deployment.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/docs/docs-content/troubleshooting/cluster-deployment.md b/docs/docs-content/troubleshooting/cluster-deployment.md index dec754ac1c..2157395fbb 100644 --- a/docs/docs-content/troubleshooting/cluster-deployment.md +++ b/docs/docs-content/troubleshooting/cluster-deployment.md 
@@ -102,22 +102,22 @@ Cluster deployment fails with the following message. Error creating: pods is forbidden: violates PodSecurity "baseline:v": non-default capabilities … ``` -This can happen when the cluster profile uses Kubernetes 1.25 or later and also includes packs that create Pods requiring elevated privileges . +This can happen when the cluster profile uses Kubernetes 1.25 or later and also includes packs that create pods requiring elevated privileges . ### Debug Steps -You can change the Pod Security Standards of the namepace where the Pod is being created to address this issue. +You can change the Pod Security Standards of the namepace where the pod is being created to address this issue. 1. Log in to [Palette](https://console.spectrocloud.com). 2. Navigate to the left **Main Menu** and click on **Profiles**. -3. Select the profile you are trying to deploy the cluster with and choose the layer that represents your pack. +3. Select the profile you are trying to deploy the cluster with and choose the layer that represents your pack. The name of the Pod that failed to be created should give you a clue about which packs you need to modify. 4. In the YAML file for that pack, under the `pack` field, add a subfield `namespaceLabels` if it doesn't already exist. 5. In the `namespaceLabels` field, add a subfield with the name of your namespace as the key and add `pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v` as its value. Replace `` with the version of Kubernetes that runs on your cluster. - - If a key matching your namespace already exists here, add the labels to the value corresponding to that key. + - If a key matching your namespace already exists here, add the labels to the value corresponding to that key. - For example, if you the pack creates a namespace called `monitoring`, add the labels to the `monitoring` namespace: ```yaml pack: 
@@ -127,6 +127,11 @@ You can change the Pod Security Standards of the namepace where the Pod is being "monitoring": "org=spectro,team=dev,pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v1.28" ``` +:::tip + +If your pack creates multiple namespaces, and you are not sure which namespaces need the elevated privileges, you can [access the clusteter with the kubectl CLI](https://docs.spectrocloud.com/clusters/cluster-management/palette-webctl/#access-cluster-with-cli) and run [`kubectl get pods`](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get) to find out which pods are failing at creation in which namespaces. It's recommended that you only apply the labels to namespaces where pods are failing to be created. + +::: ## Gateway Installer Registration Failures From a555af9d2574474fac6388f7379f10d2a3068fe1 Mon Sep 17 00:00:00 2001 From: Lenny Chen <55669665+lennessyy@users.noreply.github.com> Date: Wed, 25 Oct 2023 10:50:47 -0700 Subject: [PATCH 08/21] Update docs/docs-content/troubleshooting/cluster-deployment.md Co-authored-by: Rita Watson <117382432+ritawatson@users.noreply.github.com> --- docs/docs-content/troubleshooting/cluster-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs-content/troubleshooting/cluster-deployment.md b/docs/docs-content/troubleshooting/cluster-deployment.md index 2157395fbb..1308191ab0 100644 --- a/docs/docs-content/troubleshooting/cluster-deployment.md +++ b/docs/docs-content/troubleshooting/cluster-deployment.md 
@@ -114,7 +114,7 @@ You can change the Pod Security Standards of the namepace where the pod is being 3. Select the profile you are trying to deploy the cluster with and choose the layer that represents your pack. The name of the Pod that failed to be created should give you a clue about which packs you need to modify. -4. In the YAML file for that pack, under the `pack` field, add a subfield `namespaceLabels` if it doesn't already exist. +4. In the pack's YAML file, add a subfield in the `pack` section called `namespaceLabels` if it does not already exist. 5. In the `namespaceLabels` field, add a subfield with the name of your namespace as the key and add `pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v` as its value. Replace `` with the version of Kubernetes that runs on your cluster. - If a key matching your namespace already exists here, add the labels to the value corresponding to that key. From b6da661d104ba5384e78760bf1170a9e191f86af Mon Sep 17 00:00:00 2001 From: Lenny Chen <55669665+lennessyy@users.noreply.github.com> Date: Wed, 25 Oct 2023 10:51:20 -0700 Subject: [PATCH 09/21] Update docs/docs-content/troubleshooting/cluster-deployment.md Co-authored-by: Rita Watson <117382432+ritawatson@users.noreply.github.com> --- docs/docs-content/troubleshooting/cluster-deployment.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/docs-content/troubleshooting/cluster-deployment.md b/docs/docs-content/troubleshooting/cluster-deployment.md index 1308191ab0..507ac20738 100644 --- a/docs/docs-content/troubleshooting/cluster-deployment.md +++ b/docs/docs-content/troubleshooting/cluster-deployment.md 
@@ -116,7 +116,9 @@ You can change the Pod Security Standards of the namepace where the pod is being 4. In the pack's YAML file, add a subfield in the `pack` section called `namespaceLabels` if it does not already exist. -5. In the `namespaceLabels` field, add a subfield with the name of your namespace as the key and add `pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v` as its value. Replace `` with the version of Kubernetes that runs on your cluster. +5. In the `namespaceLabels` section, add a subsection with the name of your namespace as the key and add `pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v` as its value. Replace `` with the version of Kubernetes that runs on your cluster. + +The example below shows `"monitoring"` as the namespace key with the key value. - If a key matching your namespace already exists here, add the labels to the value corresponding to that key. - For example, if you the pack creates a namespace called `monitoring`, add the labels to the `monitoring` namespace: ```yaml From e472452ccc361901329b92c642a1e1018e4f49e4 Mon Sep 17 00:00:00 2001 From: Lenny Chen <55669665+lennessyy@users.noreply.github.com> Date: Wed, 25 Oct 2023 10:51:34 -0700 Subject: [PATCH 10/21] Update docs/docs-content/troubleshooting/cluster-deployment.md Co-authored-by: Rita Watson <117382432+ritawatson@users.noreply.github.com> --- docs/docs-content/troubleshooting/cluster-deployment.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/docs-content/troubleshooting/cluster-deployment.md b/docs/docs-content/troubleshooting/cluster-deployment.md index 507ac20738..2e932c153f 100644 --- a/docs/docs-content/troubleshooting/cluster-deployment.md +++ b/docs/docs-content/troubleshooting/cluster-deployment.md 
@@ -121,6 +121,7 @@ You can change the Pod Security Standards of the namepace where the pod is being The example below shows `"monitoring"` as the namespace key with the key value. - If a key matching your namespace already exists here, add the labels to the value corresponding to that key. - For example, if you the pack creates a namespace called `monitoring`, add the labels to the `monitoring` namespace: + ```yaml pack: namespace: "monitoring" From 7930c977740d9e4e52e57c857961cb0258a06336 Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Wed, 25 Oct 2023 11:00:19 -0700 Subject: [PATCH 11/21] Incorporate feedback --- .../troubleshooting/cluster-deployment.md | 32 +++++++++++-------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/docs/docs-content/troubleshooting/cluster-deployment.md b/docs/docs-content/troubleshooting/cluster-deployment.md index 2e932c153f..c55d34ec3a 100644 --- a/docs/docs-content/troubleshooting/cluster-deployment.md +++ b/docs/docs-content/troubleshooting/cluster-deployment.md 
@@ -102,33 +102,24 @@ Cluster deployment fails with the following message. Error creating: pods is forbidden: violates PodSecurity "baseline:v": non-default capabilities … ``` -This can happen when the cluster profile uses Kubernetes 1.25 or later and also includes packs that create pods requiring elevated privileges . +This can happen when the cluster profile uses Kubernetes 1.25 or later and also includes packs that create pods requiring elevated privileges. ### Debug Steps -You can change the Pod Security Standards of the namepace where the pod is being created to address this issue. +To address this issue, you can change the Pod Security Standards of the namespace where the pod is being created. 1. Log in to [Palette](https://console.spectrocloud.com). 2. Navigate to the left **Main Menu** and click on **Profiles**. -3. Select the profile you are trying to deploy the cluster with and choose the layer that represents your pack. The name of the Pod that failed to be created should give you a clue about which packs you need to modify. +3. Select the profile you are using to deploy the cluster. Palette displays the profile stack and details. +Click on the layer in the profile stack that contains the pack configuration. +The name of the pod that failed to be created should give you a clue about which packs you need to modify. 4. In the pack's YAML file, add a subfield in the `pack` section called `namespaceLabels` if it does not already exist. 5. In the `namespaceLabels` section, add a subsection with the name of your namespace as the key and add `pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v` as its value. Replace `` with the version of Kubernetes that runs on your cluster. - -The example below shows `"monitoring"` as the namespace key with the key value. - If a key matching your namespace already exists here, add the labels to the value corresponding to that key. 
- - For example, if you the pack creates a namespace called `monitoring`, add the labels to the `monitoring` namespace: - - ```yaml - pack: - namespace: "monitoring" - - namespaceLabels: - "monitoring": "org=spectro,team=dev,pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v1.28" - ``` :::tip @@ -136,6 +127,19 @@ If your pack creates multiple namespaces, and you are not sure which namespaces ::: +The example below shows `"monitoring"` as the namespace key with the key value. + + +```yaml +pack: + namespace: "monitoring" + + namespaceLabels: + "monitoring": "org=spectro,team=dev,pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v1.28" +``` + + + ## Gateway Installer Registration Failures There are a couple reasons the Gateway Installer might fail: From e70dbe9abc6eaecc2ccc62fcc2c1bb3abd85d5c1 Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Wed, 25 Oct 2023 11:04:38 -0700 Subject: [PATCH 12/21] Incorporate feedback --- .../troubleshooting/cluster-deployment.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/docs/docs-content/troubleshooting/cluster-deployment.md b/docs/docs-content/troubleshooting/cluster-deployment.md index c55d34ec3a..5582af14a3 100644 --- a/docs/docs-content/troubleshooting/cluster-deployment.md +++ b/docs/docs-content/troubleshooting/cluster-deployment.md 
@@ -110,24 +110,23 @@ To address this issue, you can change the Pod Security Standards of the namespac 1. Log in to [Palette](https://console.spectrocloud.com). -2. Navigate to the left **Main Menu** and click on **Profiles**. +1. Navigate to the left **Main Menu** and click on **Profiles**. -3. Select the profile you are using to deploy the cluster. Palette displays the profile stack and details. +1. Select the profile you are using to deploy the cluster. Palette displays the profile stack and details. Click on the layer in the profile stack that contains the pack configuration. -The name of the pod that failed to be created should give you a clue about which packs you need to modify. -4. In the pack's YAML file, add a subfield in the `pack` section called `namespaceLabels` if it does not already exist. +1. In the pack's YAML file, add a subfield in the `pack` section called `namespaceLabels` if it does not already exist. -5. In the `namespaceLabels` section, add a subsection with the name of your namespace as the key and add `pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v` as its value. Replace `` with the version of Kubernetes that runs on your cluster. +1. In the `namespaceLabels` section, add a subsection with the name of your namespace as the key and add `pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v` as its value. Replace `` with the version of Kubernetes that runs on your cluster. - If a key matching your namespace already exists here, add the labels to the value corresponding to that key. 
:::tip -If your pack creates multiple namespaces, and you are not sure which namespaces need the elevated privileges, you can [access the clusteter with the kubectl CLI](https://docs.spectrocloud.com/clusters/cluster-management/palette-webctl/#access-cluster-with-cli) and run [`kubectl get pods`](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get) to find out which pods are failing at creation in which namespaces. It's recommended that you only apply the labels to namespaces where pods are failing to be created. +If your pack creates multiple namespaces, and you are not sure which namespaces need the elevated privileges, you can [access the clusteter with the kubectl CLI](https://docs.spectrocloud.com/clusters/cluster-management/palette-webctl/#access-cluster-with-cli) and run [`kubectl get pods`](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get) to find out which pods are failing at creation in which namespaces. We recommend that you only apply the labels to namespaces where pods are failing to be created. ::: -The example below shows `"monitoring"` as the namespace key with the key value. +The example below shows `"monitoring"` as the namespace key with the key value. In this case, the `monitoring` key already exists under `namespaceLabels`, with its original value being `"org=spectro,team=dev"`. Therefore, we add the labels to the existing value: ```yaml From 8a6ab9b571b69d9daf07017dea1f1d8ba853c880 Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Wed, 25 Oct 2023 11:20:41 -0700 Subject: [PATCH 13/21] vale comments --- docs/docs-content/troubleshooting/cluster-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs-content/troubleshooting/cluster-deployment.md b/docs/docs-content/troubleshooting/cluster-deployment.md index 5582af14a3..09e5e6bae2 100644 --- a/docs/docs-content/troubleshooting/cluster-deployment.md +++ b/docs/docs-content/troubleshooting/cluster-deployment.md 
@@ -122,7 +122,7 @@ Click on the layer in the profile stack that contains the pack configuration. :::tip -If your pack creates multiple namespaces, and you are not sure which namespaces need the elevated privileges, you can [access the clusteter with the kubectl CLI](https://docs.spectrocloud.com/clusters/cluster-management/palette-webctl/#access-cluster-with-cli) and run [`kubectl get pods`](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get) to find out which pods are failing at creation in which namespaces. We recommend that you only apply the labels to namespaces where pods are failing to be created. +If your pack creates multiple namespaces, and you are not sure which namespaces need the elevated privileges, you can [access the cluster with the kubectl CLI](https://docs.spectrocloud.com/clusters/cluster-management/palette-webctl/#access-cluster-with-cli) and use [`kubectl get pods`](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get) to find out which pods are failing at creation in which namespaces. We recommend that you only apply the labels to namespaces where pods are failing to be created. ::: From 29fb5ece85ee3935d2e2281b70fc9d8462185fa8 Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Wed, 25 Oct 2023 14:17:11 -0700 Subject: [PATCH 14/21] change step numbers --- docs/docs-content/troubleshooting/cluster-deployment.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/docs-content/troubleshooting/cluster-deployment.md b/docs/docs-content/troubleshooting/cluster-deployment.md index 09e5e6bae2..561e5ce82f 100644 --- a/docs/docs-content/troubleshooting/cluster-deployment.md +++ b/docs/docs-content/troubleshooting/cluster-deployment.md 
@@ -110,14 +110,14 @@ To address this issue, you can change the Pod Security Standards of the namespac 1. Log in to [Palette](https://console.spectrocloud.com). -1. Navigate to the left **Main Menu** and click on **Profiles**. +2. Navigate to the left **Main Menu** and click on **Profiles**. -1. Select the profile you are using to deploy the cluster. Palette displays the profile stack and details. +3. Select the profile you are using to deploy the cluster. Palette displays the profile stack and details. Click on the layer in the profile stack that contains the pack configuration. -1. In the pack's YAML file, add a subfield in the `pack` section called `namespaceLabels` if it does not already exist. +4. In the pack's YAML file, add a subfield in the `pack` section called `namespaceLabels` if it does not already exist. -1. In the `namespaceLabels` section, add a subsection with the name of your namespace as the key and add `pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v` as its value. Replace `` with the version of Kubernetes that runs on your cluster. +5. In the `namespaceLabels` section, add a subsection with the name of your namespace as the key and add `pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v` as its value. Replace `` with the version of Kubernetes that runs on your cluster. - If a key matching your namespace already exists here, add the labels to the value corresponding to that key. :::tip From 3d0b9bbc81772e2003e2df2d4166ae4ec8553736 Mon Sep 17 00:00:00 2001 From: Lenny Chen <55669665+lennessyy@users.noreply.github.com> Date: Wed, 25 Oct 2023 15:11:57 -0700 Subject: [PATCH 15/21] Update docs/docs-content/troubleshooting/cluster-deployment.md Co-authored-by: Rita Watson <117382432+ritawatson@users.noreply.github.com> --- docs/docs-content/troubleshooting/cluster-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/docs-content/troubleshooting/cluster-deployment.md b/docs/docs-content/troubleshooting/cluster-deployment.md index 561e5ce82f..10158271de 100644 --- a/docs/docs-content/troubleshooting/cluster-deployment.md +++ b/docs/docs-content/troubleshooting/cluster-deployment.md @@ -102,7 +102,7 @@ Cluster deployment fails with the following message. Error creating: pods is forbidden: violates PodSecurity "baseline:v": non-default capabilities … ``` -This can happen when the cluster profile uses Kubernetes 1.25 or later and also includes packs that create pods requiring elevated privileges. +This can happen when the cluster profile uses Kubernetes 1.25 or later and also includes packs that create pods that require elevated privileges. ### Debug Steps From 1e2512da5c8fe9320c0c333a85ba218135649285 Mon Sep 17 00:00:00 2001 From: Lenny Chen <55669665+lennessyy@users.noreply.github.com> Date: Wed, 25 Oct 2023 15:12:15 -0700 Subject: [PATCH 16/21] Update docs/docs-content/troubleshooting/cluster-deployment.md Co-authored-by: Rita Watson <117382432+ritawatson@users.noreply.github.com> --- docs/docs-content/troubleshooting/cluster-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs-content/troubleshooting/cluster-deployment.md b/docs/docs-content/troubleshooting/cluster-deployment.md index 10158271de..b19e8c5d19 100644 --- a/docs/docs-content/troubleshooting/cluster-deployment.md +++ b/docs/docs-content/troubleshooting/cluster-deployment.md 
@@ -113,7 +113,7 @@ To address this issue, you can change the Pod Security Standards of the namespac 2. Navigate to the left **Main Menu** and click on **Profiles**. 3. Select the profile you are using to deploy the cluster. Palette displays the profile stack and details. -Click on the layer in the profile stack that contains the pack configuration. +3. Click on the pack layer in the profile stack that contains the pack configuration. 4. In the pack's YAML file, add a subfield in the `pack` section called `namespaceLabels` if it does not already exist. From 36da78c89a80707cba57d50e80337599537220eb Mon Sep 17 00:00:00 2001 From: Lenny Chen <55669665+lennessyy@users.noreply.github.com> Date: Wed, 25 Oct 2023 15:15:14 -0700 Subject: [PATCH 17/21] Update docs/docs-content/troubleshooting/cluster-deployment.md Co-authored-by: Rita Watson <117382432+ritawatson@users.noreply.github.com> --- docs/docs-content/troubleshooting/cluster-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs-content/troubleshooting/cluster-deployment.md b/docs/docs-content/troubleshooting/cluster-deployment.md index b19e8c5d19..3abdd00e2d 100644 --- a/docs/docs-content/troubleshooting/cluster-deployment.md +++ b/docs/docs-content/troubleshooting/cluster-deployment.md 
@@ -122,7 +122,7 @@ To address this issue, you can change the Pod Security Standards of the namespac :::tip -If your pack creates multiple namespaces, and you are not sure which namespaces need the elevated privileges, you can [access the cluster with the kubectl CLI](https://docs.spectrocloud.com/clusters/cluster-management/palette-webctl/#access-cluster-with-cli) and use [`kubectl get pods`](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get) to find out which pods are failing at creation in which namespaces. We recommend that you only apply the labels to namespaces where pods are failing to be created. +If your pack creates multiple namespaces, and you are unsure which ones need the elevated privileges, you can access the cluster with the kubectl CLI and use the `kubectl get pods` command. This command lists pods and their namespaces so you can identify the pods that are failing at creation. We recommend only applying the labels to namespaces where pods fail to be created. For guidance in using the CLI, review [Access Cluster with CLI(./clusters/cluster-management/palette-webctl/#access-cluster-with-cli). To learn more about kubectl pod commands, refer to the [Kubernetes](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get) documentation. ::: From e41b1ca99eb3ac94c58702bc5acbeb93006e0932 Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Wed, 25 Oct 2023 15:47:57 -0700 Subject: [PATCH 18/21] Add second example --- .../troubleshooting/cluster-deployment.md | 31 ++++++++++++++----- 1 file changed, 24 insertions(+), 7 deletions(-) diff --git a/docs/docs-content/troubleshooting/cluster-deployment.md b/docs/docs-content/troubleshooting/cluster-deployment.md index 3abdd00e2d..b4c58d36fb 100644 --- a/docs/docs-content/troubleshooting/cluster-deployment.md +++ b/docs/docs-content/troubleshooting/cluster-deployment.md 
@@ -113,21 +113,38 @@ To address this issue, you can change the Pod Security Standards of the namespac 2. Navigate to the left **Main Menu** and click on **Profiles**. 3. Select the profile you are using to deploy the cluster. Palette displays the profile stack and details. -3. Click on the pack layer in the profile stack that contains the pack configuration. +4. Click on the pack layer in the profile stack that contains the pack configuration. -4. In the pack's YAML file, add a subfield in the `pack` section called `namespaceLabels` if it does not already exist. +5. In the pack's YAML file, add a subfield in the `pack` section called `namespaceLabels` if it does not already exist. -5. In the `namespaceLabels` section, add a subsection with the name of your namespace as the key and add `pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v` as its value. Replace `` with the version of Kubernetes that runs on your cluster. - - If a key matching your namespace already exists here, add the labels to the value corresponding to that key. +6. In the `namespaceLabels` section, add a line with the name of your namespace as the key and add `pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v` as its value. Replace `` with the version of Kubernetes that runs on your cluster. +7. If a key matching your namespace already exists here, add the labels to the value corresponding to that key. -:::tip +:::caution -If your pack creates multiple namespaces, and you are unsure which ones need the elevated privileges, you can access the cluster with the kubectl CLI and use the `kubectl get pods` command. This command lists pods and their namespaces so you can identify the pods that are failing at creation. We recommend only applying the labels to namespaces where pods fail to be created. 
For guidance in using the CLI, review [Access Cluster with CLI(./clusters/cluster-management/palette-webctl/#access-cluster-with-cli). To learn more about kubectl pod commands, refer to the [Kubernetes](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get) documentation. +We recommend only applying the labels to namespaces where pods fail to be created. +If your pack creates multiple namespaces, and you are unsure which ones contain pods that need the elevated privileges, you can access the cluster with the kubectl CLI and use the `kubectl get pods` command. +This command lists pods and their namespaces so you can identify the pods that are failing at creation. + +For guidance in using the CLI, review [Access Cluster with CLI](./clusters/cluster-management/palette-webctl/#access-cluster-with-cli). To learn more about kubectl pod commands, refer to the [Kubernetes](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get) documentation. ::: -The example below shows `"monitoring"` as the namespace key with the key value. In this case, the `monitoring` key already exists under `namespaceLabels`, with its original value being `"org=spectro,team=dev"`. Therefore, we add the labels to the existing value: +### Examples + +The following example shows a pack that creates a namespace called `"monitoring"`. In this example, the `monitoring` namespace does not have any pre-existing labels. +We need to add the `namespaceLabels` line as well as the the corresponding key-value pair under it to apply the labels to the `monitoring` namespace. + +```yaml +pack: + namespace: "monitoring" + + namespaceLabels: + "monitoring": "pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v1.28" + +``` +This second example is similar to the first one. However, in this example, the `monitoring` key already exists under `namespaceLabels`, with its original value being `"org=spectro,team=dev"`. 
Therefore, we add the labels to the existing value: ```yaml pack: From 6ad5e6154116d4060a53c87e2d5bcdfacd957cbf Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Wed, 25 Oct 2023 15:54:32 -0700 Subject: [PATCH 19/21] vale comments --- docs/docs-content/troubleshooting/cluster-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs-content/troubleshooting/cluster-deployment.md b/docs/docs-content/troubleshooting/cluster-deployment.md index b4c58d36fb..1728a137cc 100644 --- a/docs/docs-content/troubleshooting/cluster-deployment.md +++ b/docs/docs-content/troubleshooting/cluster-deployment.md @@ -133,7 +133,7 @@ For guidance in using the CLI, review [Access Cluster with CLI](./clusters/clust ### Examples The following example shows a pack that creates a namespace called `"monitoring"`. In this example, the `monitoring` namespace does not have any pre-existing labels. -We need to add the `namespaceLabels` line as well as the the corresponding key-value pair under it to apply the labels to the `monitoring` namespace. +We need to add the `namespaceLabels` line as well as the corresponding key-value pair under it to apply the labels to the `monitoring` namespace. ```yaml pack: From 2fa324d86a080a950758c950cda1064a5e40510b Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Wed, 25 Oct 2023 16:29:36 -0700 Subject: [PATCH 20/21] second person voice --- docs/docs-content/troubleshooting/cluster-deployment.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/docs-content/troubleshooting/cluster-deployment.md b/docs/docs-content/troubleshooting/cluster-deployment.md index 1728a137cc..3e0842394a 100644 --- a/docs/docs-content/troubleshooting/cluster-deployment.md +++ b/docs/docs-content/troubleshooting/cluster-deployment.md 
@@ -117,7 +117,7 @@ To address this issue, you can change the Pod Security Standards of the namespac 5. In the pack's YAML file, add a subfield in the `pack` section called `namespaceLabels` if it does not already exist. -6. In the `namespaceLabels` section, add a line with the name of your namespace as the key and add `pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v` as its value. Replace `` with the version of Kubernetes that runs on your cluster. +6. In the `namespaceLabels` section, add a line with the name of your namespace as the key and add `pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v` as its value. Replace `` with the version of Kubernetes on your cluster. 7. If a key matching your namespace already exists here, add the labels to the value corresponding to that key. :::caution @@ -133,7 +133,7 @@ For guidance in using the CLI, review [Access Cluster with CLI](./clusters/clust ### Examples The following example shows a pack that creates a namespace called `"monitoring"`. In this example, the `monitoring` namespace does not have any pre-existing labels. -We need to add the `namespaceLabels` line as well as the corresponding key-value pair under it to apply the labels to the `monitoring` namespace. +You need to add the `namespaceLabels` line as well as the corresponding key-value pair under it to apply the labels to the `monitoring` namespace. ```yaml pack: 
@@ -144,7 +144,7 @@ pack: ``` -This second example is similar to the first one. However, in this example, the `monitoring` key already exists under `namespaceLabels`, with its original value being `"org=spectro,team=dev"`. Therefore, we add the labels to the existing value: +This second example is similar to the first one. However, in this example, the `monitoring` key already exists under `namespaceLabels`, with its original value being `"org=spectro,team=dev"`. Therefore, you add the labels to the existing value: ```yaml pack: From c12dc4b7c3920199567d7699a5ab7b4b427e2ad7 Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Thu, 26 Oct 2023 08:09:03 -0700 Subject: [PATCH 21/21] Explicitly call out how to provide versions --- docs/docs-content/troubleshooting/cluster-deployment.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/docs-content/troubleshooting/cluster-deployment.md b/docs/docs-content/troubleshooting/cluster-deployment.md index 3e0842394a..521dc137e5 100644 --- a/docs/docs-content/troubleshooting/cluster-deployment.md +++ b/docs/docs-content/troubleshooting/cluster-deployment.md 
@@ -117,8 +117,8 @@ To address this issue, you can change the Pod Security Standards of the namespac 5. In the pack's YAML file, add a subfield in the `pack` section called `namespaceLabels` if it does not already exist. -6. In the `namespaceLabels` section, add a line with the name of your namespace as the key and add `pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v` as its value. Replace `` with the version of Kubernetes on your cluster. -7. If a key matching your namespace already exists here, add the labels to the value corresponding to that key. +6. In the `namespaceLabels` section, add a line with the name of your namespace as the key and add `pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v` as its value. Replace `` with the version of Kubernetes on your cluster and only include the major and minor version following the lowercase letter `v`. For example, `v1.25` and `v1.28`. +7. If a key matching your namespace already exists, add the labels to the value corresponding to that key. :::caution
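Review bot: In PATCH 16/21 (hunk `@@ -113,7 +113,7`), the added line is numbered `3.` but the unchanged step directly above it, "3. Select the profile you are using to deploy the cluster.", already uses that number. Number the new line `4.` and shift the following steps in the same commit, so that no intermediate revision renders two step 3s.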
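Review bot: In PATCH 17/21 (hunk `@@ -122,7 +122,7`), the link in the added tip is missing its closing bracket: `[Access Cluster with CLI(./clusters/cluster-management/palette-webctl/#access-cluster-with-cli)` will render as literal text. Close the link text with `]` before the `(`. The target also changed from an absolute docs URL to a path starting with `./clusters/`, while this file lives under `troubleshooting/`, so confirm that the relative path resolves from this page.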
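Review bot: In PATCH 18/21 (hunk `@@ -113,21 +113,38`), the caution tells readers to use `kubectl get pods` to identify pods "failing at creation", but a pod rejected with `violates PodSecurity` is never created, so it will not appear in that listing. The "Error creating: pods is forbidden" message is recorded as an event on the owning controller, so point readers at `kubectl get events --all-namespaces` instead. If `kubectl get pods` stays, add `--all-namespaces`, because without it the command only lists the current namespace and does not show "pods and their namespaces" as the text claims.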
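Review bot: In PATCH 20/21 (hunk `@@ -117,7 +117,7`), step 6 gives the `pod-security.kubernetes.io/enforce=privileged` label without saying what it changes. The error quoted earlier in the page is a `baseline` violation, and moving the namespace to `privileged` removes Pod Security restrictions for every pod in that namespace, not only the pack's pods. Add a sentence to step 6 or to the caution stating that scope, and consider recommending that `pod-security.kubernetes.io/warn` and `pod-security.kubernetes.io/audit` stay at `baseline` so that later violations in the namespace remain visible.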
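Review bot: In PATCH 21/21 (hunk `@@ -117,8 +117,8`), the placeholder in step 6 is empty as shown: the value ends at `enforce-version=v` and the next sentence reads "Replace `` with the version of Kubernetes", so the reader cannot tell what to substitute. Use a named placeholder that survives rendering in both the label value and the "Replace" sentence. "For example, `v1.25` and `v1.28`." is a fragment and would read better joined to the previous sentence. Step 7 is a condition on step 6 rather than a later action, so it fits better as a sub-item of step 6 or merged into it.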