
insufficient permission for helper pod

Open sgblv opened this issue 4 years ago • 1 comments

Hi! k8s 1.19, local-path-provisioner 0.0.19 installed with the helm chart. Do I need to tune the ClusterRole somehow? I see the error below in the log:

kubectl -n local-path-storage logs rancher-local-path-provisioner-9ff59fb7-gmngk

I0713 11:53:17.280711 1 event.go:281] Event(v1.ObjectReference{Kind:"PersistentVolumeClaim", Namespace:"default", Name:"local-path-pvc", UID:"57e2b024-7929-41ed-9dba-cc964fbaf994", APIVersion:"v1", ResourceVersion:"525728120", FieldPath:""}): type: 'Warning' reason: 'ProvisioningFailed' failed to provision volume with StorageClass "local-path": failed to create volume pvc-57e2b024-7929-41ed-9dba-cc964fbaf994: pods "helper-pod-create-pvc-57e2b024-7929-41ed-9dba-cc964fbaf994" is forbidden: PodSecurityPolicy: unable to admit pod: [spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used]

Everything works fine on a neighboring 1.18 cluster.

sgblv, Jul 13 '21 12:07

I was able to fix this; the issue is not related to the k8s version. Added to the ClusterRole:

- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  verbs: ["use"]
  resourceNames: 
  - someprivilegedpsp

Probably the PSP should also be in the chart?

sgblv, Jul 13 '21 12:07
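
Added example (not part of the original thread or the project's code): a simplified Python model of the two checks behind the error above, namely whether the RBAC rules grant `use` on a PodSecurityPolicy and whether that policy accepts a `hostPath` volume. Only `someprivilegedpsp` comes from the thread; the other policy names, the host path and the rule sets are constructed, and `hostpath-scoped` illustrates a narrower policy than a fully privileged one.

```python
# Simplified model of PodSecurityPolicy admission for a hostPath volume.
# Only the RBAC 'use' check and the volume checks are modelled; a real PSP
# also validates privileged, runAsUser and other fields.

def usable_psps(rules, psp_names):
    """PSP names that the given RBAC rules authorize with the 'use' verb."""
    usable = set()
    for rule in rules:
        if not {"policy", "*"} & set(rule.get("apiGroups", [])):
            continue
        if not {"podsecuritypolicies", "*"} & set(rule.get("resources", [])):
            continue
        if not {"use", "*"} & set(rule.get("verbs", [])):
            continue
        scoped = set(rule.get("resourceNames") or [])
        # No resourceNames means the rule applies to every PSP.
        usable |= (scoped & set(psp_names)) if scoped else set(psp_names)
    return usable

def path_under(path, prefix):
    """allowedHostPaths matching: '/foo' covers '/foo/bar' but not '/fool'."""
    prefix = prefix.rstrip("/") or "/"
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")

def allows_hostpath(psp_spec, path):
    volumes = psp_spec.get("volumes", [])
    if "*" not in volumes and "hostPath" not in volumes:
        return False
    allowed = psp_spec.get("allowedHostPaths") or []
    # An empty allowedHostPaths list places no restriction on the path.
    return not allowed or any(path_under(path, a["pathPrefix"]) for a in allowed)

def admitting_psps(rules, psps, host_path):
    return sorted(n for n in usable_psps(rules, psps) if allows_hostpath(psps[n], host_path))

# Constructed sample data; only "someprivilegedpsp" comes from the thread.
PSPS = {
    "restricted": {"volumes": ["configMap", "secret", "emptyDir"]},
    "someprivilegedpsp": {"volumes": ["*"]},
    "hostpath-scoped": {"volumes": ["hostPath"],
                        "allowedHostPaths": [{"pathPrefix": "/example/storage"}]},
}
HOST_PATH = "/example/storage/pvc-demo"
BEFORE = [{"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
           "verbs": ["use"], "resourceNames": ["restricted"]}]
AFTER = BEFORE + [{"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
                   "verbs": ["use"], "resourceNames": ["someprivilegedpsp"]}]

if __name__ == "__main__":
    print("before:", admitting_psps(BEFORE, PSPS, HOST_PATH))
    print("after: ", admitting_psps(AFTER, PSPS, HOST_PATH))
```

A `use` rule without `resourceNames` makes every policy in the cluster usable by the subject, which is why the rule in the thread names a single PSP.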