Allow Privileged Containers in Kubernetes on Google Container Engine (GKE)

Views: 438

Question


I am using a Kubernetes cluster deployed through Google Container Engine (GKE) from the Google Cloud Developer's Console, cluster version 0.19.3. I would like to run a privileged container, like in the Kubernetes NFS Server example:

apiVersion: v1
kind: Pod
metadata:
  name: nfs-server
  labels:
    role: nfs-server
spec:
  containers:
    - name: nfs-server
      image: jsafrane/nfs-data
      ports:
        - name: nfs
          containerPort: 2049
      securityContext:
        privileged: true

Since the default Google Container Engine configuration does not allow privileged containers, the Kubernetes API immediately returns the following error:

Error from server: Pod "nfs-server" is invalid: spec.containers[0].securityContext.privileged: forbidden '<*>(0xc20a027396)true'

How can I allow privileged containers in my Google Container Engine cluster?

Solution

Update: Privileged mode is now enabled by default starting with the 1.1 release of Kubernetes which is now available in Google Container Engine.


Running privileged containers (including the NFS server in that example) isn't currently possible in Google Container Engine. We are looking at ways to solve this (adding a flag when creating your cluster to allow privileged containers; making privileged containers part of admission control; etc). For now, if you need to run privileged containers you'll need to launch your own cluster using the GCE provider.
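The answer mentions making privileged containers "part of admission control" as one way forward. The following is an added example (not code from the question, the answer, Kubernetes or GKE) of what such a check looks like: it walks a Pod manifest, reports every container that sets `securityContext.privileged: true` using the same field path the API server's error message used, and admits or rejects the pod depending on a policy flag. The pod is a Python dict constructed to mirror the NFS server manifest in the question; the function names `find_privileged` and `admit` are this example's own.

```python
"""Admission-style check for privileged containers in a Pod manifest.

Added example, not code from the question, the answer, Kubernetes or GKE.
It reports the same field path the API server named in the question
(spec.containers[0].securityContext.privileged) and applies the kind of
policy an admission controller could enforce.
"""

# Constructed to match the NFS server manifest in the question.
NFS_SERVER_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "nfs-server", "labels": {"role": "nfs-server"}},
    "spec": {
        "containers": [
            {
                "name": "nfs-server",
                "image": "jsafrane/nfs-data",
                "ports": [{"name": "nfs", "containerPort": 2049}],
                "securityContext": {"privileged": True},
            }
        ]
    },
}


def find_privileged(pod):
    """Return the field path of every container that requests privileged mode.

    Both init containers and regular containers are checked. A missing
    securityContext or a missing/false 'privileged' key counts as not
    privileged, which is the Kubernetes default.
    """
    spec = pod.get("spec", {})
    paths = []
    for field in ("initContainers", "containers"):
        for idx, container in enumerate(spec.get(field, [])):
            ctx = container.get("securityContext") or {}
            if ctx.get("privileged") is True:
                paths.append(f"spec.{field}[{idx}].securityContext.privileged")
    return paths


def admit(pod, allow_privileged=False):
    """Decide whether the pod is admitted under the policy.

    Returns (allowed, message). With allow_privileged=False the pod is
    rejected and the message names the offending field, as the question's
    GKE 0.19.3 cluster did; with allow_privileged=True the privileged
    request is accepted, matching the post-1.1 default the answer's
    update describes.
    """
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    offending = find_privileged(pod)
    if offending and not allow_privileged:
        return False, f'Pod "{name}" is invalid: {", ".join(offending)}: forbidden'
    return True, f'Pod "{name}" admitted'


if __name__ == "__main__":
    for flag in (False, True):
        ok, msg = admit(NFS_SERVER_POD, allow_privileged=flag)
        print(f"allow_privileged={flag}: {'ALLOW' if ok else 'DENY'} - {msg}")
```

Running the file prints one DENY line for the restrictive policy and one ALLOW line for the permissive one. A real admission controller would receive the object as JSON from the API server and return the decision in an admission response, but the policy logic in `find_privileged` is the same, and the explicit `is True` comparison avoids treating a string value such as `"true"` as a grant.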

