Document addition of namespace labels for pods needing elevated privileges #1706

Merged
merged 23 commits into from
Oct 26, 2023
a59eb66
PAC-828 Document addition of namespace labels for pods needing elevat…
Oct 24, 2023
d43a9e8
fix formatting
Oct 24, 2023
bc70920
clarify cluster profile
Oct 24, 2023
2e473ea
Update docs/docs-content/troubleshooting/cluster-deployment.md
lennessyy Oct 24, 2023
ab2ed5b
Update docs/docs-content/troubleshooting/cluster-deployment.md
lennessyy Oct 24, 2023
4fa7bc7
Style guide edits
lennessyy Oct 24, 2023
22fcfcd
Add clarification for multiple namespaces
lennessyy Oct 25, 2023
a555af9
Update docs/docs-content/troubleshooting/cluster-deployment.md
lennessyy Oct 25, 2023
b6da661
Update docs/docs-content/troubleshooting/cluster-deployment.md
lennessyy Oct 25, 2023
e472452
Update docs/docs-content/troubleshooting/cluster-deployment.md
lennessyy Oct 25, 2023
7930c97
Incorporate feedback
lennessyy Oct 25, 2023
e70dbe9
Incorporate feedback
lennessyy Oct 25, 2023
8a6ab9b
vale comments
lennessyy Oct 25, 2023
b467fd1
Merge branch 'master' into namespace-elevated-priviledges
lennessyy Oct 25, 2023
29fb5ec
change step numbers
lennessyy Oct 25, 2023
836cbd8
Merge branch 'namespace-elevated-priviledges' of https://github.com/s…
lennessyy Oct 25, 2023
3d0b9bb
Update docs/docs-content/troubleshooting/cluster-deployment.md
lennessyy Oct 25, 2023
1e2512d
Update docs/docs-content/troubleshooting/cluster-deployment.md
lennessyy Oct 25, 2023
36da78c
Update docs/docs-content/troubleshooting/cluster-deployment.md
lennessyy Oct 25, 2023
e41b1ca
Add second example
lennessyy Oct 25, 2023
6ad5e61
vale comments
lennessyy Oct 25, 2023
2fa324d
second person voice
lennessyy Oct 25, 2023
c12dc4b
Explicitly call out how to provide versions
lennessyy Oct 26, 2023
28 changes: 27 additions & 1 deletion docs/docs-content/troubleshooting/cluster-deployment.md
Expand Up @@ -17,7 +17,8 @@ tags: ["troubleshooting", "cluster-deployment"]
The following steps will help you troubleshoot errors in the event issues arise while deploying a cluster.


## Scenario - Instances Continuously Delete Every 30 Minutes
## Instances Continuously Delete Every 30 Minutes


An instance is launched and terminated every 30 minutes prior to completion of its deployment, and the **Events Tab** lists errors with the following message:
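Review bot: The heading at the top of this hunk loses its "Scenario - " prefix, so if the site derives anchors from heading text, the anchor for "## Instances Continuously Delete Every 30 Minutes" differs from the old one. Search the docs for links to the old heading anchor and update them in the same PR so existing cross-references to this troubleshooting entry keep resolving.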

Expand Down Expand Up @@ -94,6 +95,31 @@ Common reasons for why a service may fail are:

6. Check stdout for errors. You can also open a support ticket. Visit our [support page](http://support.spectrocloud.io/).

## Deployment Violates Pod Security
In cluster profiles running Kubernetes 1.25 or later, some packs contain Pods that need elevated privileges during Pod creation.
When you try to deploy a cluster with such packs, you get an error message that looks like the following:

```
Error creating: pods <name of pod> is forbidden: violates PodSecurity "baseline:v<k8s version>": non-default capabilities …
```

### Debug Steps

You can change the Pod Security Standards of the namepace where the Pod is being created to address this issue.

1. Log in to **Palette** and navigate to the **Profiles** tab.
2. Select the profile you are trying to deploy the cluster with and choose the layer that represents your pack.
3. In the YAML file for your pack, under the `pack` field, add a subfield `namespaceLabels`.
4. In the `namespaceLabels` field, add a subfield with the name of your namespace as the key and `pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v<k8s_version>` as the value. Replace `<k8s_version>` with the version of Kubernetes that runs on your cluster.
- For example, if you the pack creates a namespace called `monitoring`, add the labels to the `monitoring` namespace:
```yaml
pack:
namespace: "monitoring"

namespaceLabels:
"monitoring": "org=spectro,team=dev,pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v1.28"
```


## Gateway Installer Registration Failures
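Review bot: Step 4 of the new Debug Steps tells the reader to set `pod-security.kubernetes.io/enforce=privileged` without saying that the label applies to the whole namespace, so every Pod created there is exempt from the `baseline` checks, not only the pack's Pod. The quoted error is a `baseline` violation for non-default capabilities; add a sentence that states the scope of the change and recommends applying it only to the namespace the pack creates. Also fix "namepace" in the Debug Steps intro and "if you the pack creates" in the example bullet, and explain or drop the `org=spectro,team=dev` labels in the YAML example, since step 4 never mentions them.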
