kubernetes: Azure cluster failing conformance tests due to DenyEscalatingExec Admission Controller

Is this a BUG REPORT or FEATURE REQUEST?:

/kind bug

What happened:

Sonobuoy results (run via scanner.heptio.com) show 5 failed tests:

  • [sig-network] Networking Granular Checks: Pods should function for intra-pod communication: udp [Conformance]
  • [sig-network] Networking Granular Checks: Pods should function for node-pod communication: http [Conformance]
  • [sig-network] Networking Granular Checks: Pods should function for node-pod communication: udp [Conformance]
  • [sig-network] Networking Granular Checks: Pods should function for intra-pod communication: http [Conformance]
  • [k8s.io] KubeletManagedEtcHosts should test kubelet managed /etc/hosts file [Conformance]

Each had the same error listed:

forbidden: cannot exec into or attach to a container using host network

This was due to the DenyEscalatingExec Admission Controller being enabled.

What you expected to happen:

Not sure, but this is expected behavior when that Admission Controller is enabled.

How to reproduce it (as minimally and precisely as possible):

  1. Create an Azure cluster (v1.10.4) via acs-engine
  2. Run a scan via scanner.heptio.com

Anything else we need to know?:

Environment:

  • Kubernetes version (use kubectl version): v1.10.4
  • Cloud provider or hardware configuration: Azure
  • Install tools: acs-engine

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 15 (14 by maintainers)

Most upvoted comments

I think this has to remain open, as this has a wider impact than Azure. Any provider/distribution that enables DenyEscalatingExec fails e2e conformance tests.
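
To see ahead of a conformance run which pods will hit this rejection, the check below predicts from a pod spec whether exec/attach would be refused. It is an added example, not code from the issue or from Kubernetes. Only the host-network rule and its message come from the issue; the hostPID, hostIPC and privileged rules, their messages, and the sample pods are assumptions.

```python
# Added example: predicts DenyEscalatingExec decisions for pod specs.
# Only the host-network rule and message appear in the issue above; the
# hostPID / hostIPC / privileged rules and messages are assumptions.

RULES = [
    ("hostNetwork", "a container using host network"),  # message from the issue
    ("hostPID", "a container using host pid"),          # assumed
    ("hostIPC", "a container using host ipc"),          # assumed
]


def is_privileged(spec):
    """True if any container or init container sets securityContext.privileged."""
    containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
    return any((c.get("securityContext") or {}).get("privileged") is True
               for c in containers)


def exec_denial_reason(pod):
    """Return the rejection message for exec/attach on this pod, or None."""
    spec = pod.get("spec") or {}
    for field, what in RULES:
        if spec.get(field) is True:
            return f"cannot exec into or attach to {what}"
    if is_privileged(spec):
        return "cannot exec into or attach to a privileged container"
    return None


def audit(pods):
    """Map pod name -> denial reason for every pod exec would be refused on."""
    denied = {}
    for pod in pods:
        reason = exec_denial_reason(pod)
        if reason:
            denied[pod["metadata"]["name"]] = reason
    return denied


# Constructed sample pods (not taken from the issue).
SAMPLE_PODS = [
    {"metadata": {"name": "hostnet-probe"},
     "spec": {"hostNetwork": True, "containers": [{"name": "probe"}]}},
    {"metadata": {"name": "plain-web"},
     "spec": {"containers": [{"name": "web"}]}},
    {"metadata": {"name": "node-agent"},
     "spec": {"containers": [{"name": "agent",
                              "securityContext": {"privileged": True}}]}},
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_PODS).items():
        print(f"{name}: forbidden: {reason}")
```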