spectrocloud · lennessyy · Oct 26, 2023 · Oct 24, 2023 · Oct 24, 2023 · Oct 24, 2023
@@ -17,7 +17,8 @@ tags: ["troubleshooting", "cluster-deployment"]
 The following steps will help you troubleshoot errors in the event issues arise while deploying a cluster.  
 
 
-## Scenario - Instances Continuously Delete Every 30 Minutes
+## Instances Continuously Delete Every 30 Minutes
+
 
 An instance is launched and terminated every 30 minutes prior to completion of its deployment, and the **Events Tab** lists errors with the following message:
 
@@ -94,6 +95,49 @@ Common reasons for why a service may fail are:
 
 6. Check stdout for errors. You can also open a support ticket. Visit our [support page](http://support.spectrocloud.io/).
 
+## Deployment Violates Pod Security
+Cluster deployment fails with the following message. 
+
+```
+Error creating: pods <name of pod> is forbidden: violates PodSecurity "baseline:v<k8s version>": non-default capabilities …
+```
+
+This can happen when the cluster profile uses Kubernetes 1.25 or later and also includes packs that create pods requiring elevated privileges. 
+
+### Debug Steps
+
+To address this issue, you can change the Pod Security Standards of the namespace where the pod is being created. 
+
+1. Log in to [Palette](https://console.spectrocloud.com).
+
+1. Navigate to the left **Main Menu** and click on **Profiles**. 
+
+1. Select the profile you are using to deploy the cluster. Palette displays the profile stack and details.
+Click on the layer in the profile stack that contains the pack configuration.
+
+1. In the pack's YAML file, add a subfield in the `pack` section called `namespaceLabels` if it does not already exist.
+
+1. In the `namespaceLabels` section, add a subsection with the name of your namespace as the key and add `pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v<k8s_version>` as its value. Replace `<k8s_version>` with the version of Kubernetes that runs on your cluster. 
+   - If a key matching your namespace already exists here, add the labels to the value corresponding to that key. 
+
+:::tip
+
+If your pack creates multiple namespaces, and you are not sure which namespaces need the elevated privileges, you can [access the cluster with the kubectl CLI](https://docs.spectrocloud.com/clusters/cluster-management/palette-webctl/#access-cluster-with-cli) and use [`kubectl get pods`](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get) to find out which pods are failing at creation in which namespaces. We recommend that you only apply the labels to namespaces where pods are failing to be created. 
+
+:::
+
+The example below shows `"monitoring"` as the namespace key with the key value. In this case, the `monitoring` key already exists under `namespaceLabels`, with its original value being `"org=spectro,team=dev"`. Therefore, we add the labels to the existing value:
+
+
+```yaml
+pack:
+  namespace: "monitoring"
+
+  namespaceLabels:
+    "monitoring": "org=spectro,team=dev,pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v1.28"
+```
+
+
 
 ## Gateway Installer Registration Failures