容器的runAsUser破坏prometheus图表中的非根策略(wireguard )

Question

我想添加一个wireguard侧加容器到prometheus堆栈，通过舵图安装，这样我就可以获取通过vpn连接的客户端。我正在使用来自普罗米修斯-社区/库贝-普罗米修斯-堆栈的舵图和修改后的values.yml。为了集成wireguard，我在values.yml中添加了一个wireguard容器，如下所示：

...
containers:
    - name: "wireguard"
      image: "lscr.io/linuxserver/wireguard:latest"
      volumeMounts:
        - name: wireguard-config
          mountPath: /config
          readOnly: true
        - name: wireguard-run
          mountPath: /run
      securityContext:
        runAsGroup: 0
        runAsUser: 0
        privileged: true
        capabilities:
          add:
            - NET_ADMIN
            - SYS_MODULE

但是，当启动容器时，会出现以下错误：

Normal   Pulled     4s               kubelet            Successfully pulled image "lscr.io/linuxserver/wireguard:latest" in 500.578587ms
Warning  Failed     3s (x3 over 4s)  kubelet            Error: container's runAsUser breaks non-root policy (pod: "XX", container: wireguard)
Normal   Pulled     3s               kubelet            Successfully pulled image "lscr.io/linuxserver/wireguard:latest" in 456.879479ms

由于wireguard需要能够更改网络接口，所以它需要根权限。如果不以root权限运行容器，则会得到以下信息：

...
SOME OTHER PERMISSION ERROS
s6-supervise (child): fatal: unable to exec run: Permission denied
s6-supervise coredns: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise (child): fatal: unable to exec run: Permission denied
s6-supervise wireguard: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise coredns: warning: unable to spawn ./run - waiting 10 seconds

我尝试过的是修改podSecurityPolicy，以允许在prometheus values.yml中以根用户身份运行容器。我希望我可以简单地将容器作为root运行(至少用于测试)：

podSecurityPolicy:
    allowedCapabilities: 
       - runAsUser: RunAsAny
       - NET_ADMIN
       - SYS_MODULE
    allowedHostPaths: []
    volumes: []

这并没有改变什么(我做得对吗？)

如何允许以根用户的身份运行侧缓存容器？还是有一种没有根优先级的运行wireguard的方法？

Answer 1

1. 在新的库贝-普罗米修斯堆栈中没有psp。请参阅https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/README.md -搜索PodSecurityPolicies -“从27.x到28.x，此版本默认禁用PodSecurityPolicies，因为在Kubernetes 1.21中被废弃，在Kubernetes 1.25中将被删除。”
2. 我们需要和securityContext一起玩。似乎不能让一个容器(或init容器)以非根的形式运行。这是"kubelet错误:容器的runAsUser破坏非根策略“的错误。

因此，我们需要为整个吊舱指定securityContext作为root运行。为此，您可以使用values.yaml进行舵图，如下所示。其效果是pod prometheus-prometheus-stack-kube-prom-prometheus-0将其所有容器作为根运行。不太理想，但有效。

prometheus:
  prometheusSpec:

    securityContext:
      runAsGroup: 0
      runAsNonRoot: false
      runAsUser: 0
      fsGroup: 0

#    initContainers:
#      - name: "chmod"
#        image: alpine:3.16.0
#        command:
#        - "/bin/sh"
#        - "-c"
#        - "chmod 777 /prometheus"
#        volumeMounts:
#        - name: prometheus-prometheus-stack-kube-prom-prometheus-db
#          mountPath: /prometheus

[...]