rancher: Ingress doesn't launch when using restricted PSP as cluster default
Rancher versions: rancher/rancher: v2.1.0
Steps to Reproduce:
- Deploy a custom cluster from UI
- Specify Pod Security Policy > restricted
Results: The nginx ingress controller pods are not created due to the restriction of the pod security policy. My concern is that the default restricted pod security policy should probably allow all of the rancher components to work by default.
FailedCreate | Error creating: pods "nginx-ingress-controller-" is forbidden:
unable to validate against any pod security policy: [spec.securityContext.hostNetwork:
Invalid value: true: Host network is not allowed to be used
capabilities.add: Invalid value: "NET_BIND_SERVICE": capability may not be added
spec.containers[0].securityContext.containers[0].hostPort: Invalid value: 80:
Host port 80 is not allowed to be used. Allowed ports: []
spec.containers[0].securityContext.containers[0].hostPort: Invalid value: 443:
Host port 443 is not allowed to be used. Allowed ports: []]
Workaround: add a new pod security policy or modify the restricted one to allow the following:
Host Network: Yes: The use of host networking
Allowed Capabilities: NET_BIND_SERVICE
Host Ports Policy: range 80 - 80, 443 - 443
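The workaround above expressed as manifests, as an added example that is not from the issue or from Rancher: a separate PodSecurityPolicy carrying only the three exceptions the admission errors name (host networking, NET_BIND_SERVICE, host ports 80 and 443), bound via RBAC to the ingress controller's service account only, so the cluster-default restricted policy stays in force for every other workload. The policy name, the `ingress-nginx` namespace, the `nginx-ingress-serviceaccount` service account name, and the non-exception settings (copied from the usual restricted profile) are assumptions; check them against the cluster's actual restricted PSP and the namespace the controller pods run in.

```yaml
# Added example (not Rancher's own manifest). Names below are assumptions.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: ingress-nginx-hostports        # assumed name
spec:
  # The three settings the "unable to validate against any pod security policy"
  # errors list for nginx-ingress-controller:
  hostNetwork: true
  hostPorts:
  - min: 80
    max: 80
  - min: 443
    max: 443
  allowedCapabilities:
  - NET_BIND_SERVICE
  # Everything else is kept as tight as a restricted profile; these values are
  # assumed to match the cluster's existing restricted PSP and should be copied
  # from it rather than taken from here.
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
  - ALL
  hostPID: false
  hostIPC: false
  volumes:
  - configMap
  - emptyDir
  - secret
  - projected
  - downwardAPI
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  readOnlyRootFilesystem: false
---
# Grant "use" on that single PSP ...
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:ingress-nginx-hostports    # assumed name
rules:
- apiGroups: [policy]                  # older clusters expose PSPs under "extensions"
  resources: [podsecuritypolicies]
  resourceNames: [ingress-nginx-hostports]
  verbs: [use]
---
# ... and only to the ingress controller's service account, in its namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp:ingress-nginx-hostports    # assumed name
  namespace: ingress-nginx             # assumed namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:ingress-nginx-hostports
subjects:
- kind: ServiceAccount
  name: nginx-ingress-serviceaccount   # assumed service account name
  namespace: ingress-nginx
```

After applying, confirm the binding reaches the right identity with `kubectl auth can-i use podsecuritypolicy/ingress-nginx-hostports --as=system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount`, then delete the failing controller pods (or the ReplicaSet/DaemonSet's stuck pods) so they are re-admitted; PSP admission only evaluates pods at creation time. Binding a looser policy to one service account is preferable to editing the cluster-wide restricted policy, since widening `restricted` itself would hand host networking and host ports to every pod in the cluster. Note that PodSecurityPolicy was removed in Kubernetes 1.25; on newer clusters the same exception has to be expressed with the replacement admission mechanism instead.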
About this issue
- State: closed
- Created 6 years ago
- Comments: 15 (3 by maintainers)
+1 for fix on this!