Adding "allow-privileged true" flag kills the kubelet
I need to run some pods as privileged and I found (https://github.com/ubuntu/microk8s/issues/216) that I have to use --allow-privileged true, which I did, and as suggested I restarted the required daemons, but that killed my kubelet and microk8s. I even deleted everything and reinstalled microk8s, but the same happened.
Please run microk8s.inspect and attach the generated tarball to this issue.
microk8s.inspect
Inspecting services
Service snap.microk8s.daemon-containerd is running
Service snap.microk8s.daemon-apiserver is running
Service snap.microk8s.daemon-proxy is running
FAIL: Service snap.microk8s.daemon-kubelet is not running
For more details look at: sudo journalctl -u snap.microk8s.daemon-kubelet
Service snap.microk8s.daemon-scheduler is running
Service snap.microk8s.daemon-controller-manager is running
Service snap.microk8s.daemon-etcd is running
Copy service arguments to the final report tarball
Inspecting AppArmor configuration
Gathering system info
Copy network configuration to the final report tarball
Copy processes list to the final report tarball
Copy snap list to the final report tarball
Inspect kubernetes cluster
Building the report tarball
Report tarball is at /var/snap/microk8s/743/inspection-report-20190806_181638.tar.gz
And
sudo journalctl -u snap.microk8s.daemon-kubelet | tail
Aug 06 18:14:51 ali-P51 microk8s.daemon-kubelet[5306]: --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
Aug 06 18:14:51 ali-P51 microk8s.daemon-kubelet[5306]: --volume-plugin-dir string The full path of the directory in which to search for additional third party volume plugins (default "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/")
Aug 06 18:14:51 ali-P51 microk8s.daemon-kubelet[5306]: --volume-stats-agg-period duration Specifies interval for kubelet to calculate and cache the volume disk usage for all pods and volumes. To disable volume calculations, set to 0. (default 1m0s) (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
Aug 06 18:14:51 ali-P51 microk8s.daemon-kubelet[5306]: F0806 18:14:51.854669 5306 server.go:156] unknown flag: --allow-privileged
Aug 06 18:14:52 ali-P51 systemd[1]: snap.microk8s.daemon-kubelet.service: Service hold-off time over, scheduling restart.
Aug 06 18:14:52 ali-P51 systemd[1]: snap.microk8s.daemon-kubelet.service: Scheduled restart job, restart counter is at 5.
Aug 06 18:14:52 ali-P51 systemd[1]: Stopped Service for snap application microk8s.daemon-kubelet.
Aug 06 18:14:52 ali-P51 systemd[1]: snap.microk8s.daemon-kubelet.service: Start request repeated too quickly.
Aug 06 18:14:52 ali-P51 systemd[1]: snap.microk8s.daemon-kubelet.service: Failed with result 'exit-code'.
Aug 06 18:14:52 ali-P51 systemd[1]: Failed to start Service for snap application microk8s.daemon-kubelet.
As we can see, allow-privileged is not defined for kubelet.
I also tried --allow-privileged=true instead of --allow-privileged true, but it kills my kubelet.
Top GitHub Comments
If anyone else falls here while trying to enable privileged containers on microk8s, the way to do it is to add a PodSecurityPolicy to /var/snap/microk8s/current/args/kube-apiserver:
--enable-admission-plugins="NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,PodSecurityPolicy"
And restart the service:
sudo systemctl restart snap.microk8s.daemon-apiserver.service
EDIT: After more investigation, from what I understand to allow privileged containers you need to add the following line to /var/snap/microk8s/current/args/kube-apiserver:
--allow-privileged
And then restart the microk8s api server daemon:
sudo systemctl restart snap.microk8s.daemon-apiserver
But then it’s also possible to use PodSecurityPolicy in combination with --allow-privileged if you want to allow privileged containers and restrict who is allowed to create them.
To do that, you add a PodSecurityPolicy to /var/snap/microk8s/current/args/kube-apiserver:
--enable-admission-plugins="PodSecurityPolicy"
And restart the service:
sudo systemctl restart snap.microk8s.daemon-apiserver
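The comment above makes the point that --allow-privileged on the API server by itself permits any pod author to request privileged: true, and that the PodSecurityPolicy admission plugin is what lets you allow privileged containers while restricting who may create them. The manifests below are an added example, not from the issue or the microk8s project, of what that combination looks like in practice: a restrictive policy bound to every authenticated user and service account, and a privileged policy bound to a single service account in a single namespace. They assume the PodSecurityPolicy plugin is enabled on the API server as described above; the policy names, the logging namespace and the log-shipper service account are hypothetical.

```yaml
# Added example (not the issue's or microk8s's own config). Assumes the
# PodSecurityPolicy admission plugin is enabled; all names are hypothetical.

# 1. Default policy: no privileged pods, no privilege escalation, no host namespaces.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-default
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  hostNetwork: false
  hostPID: false
  hostIPC: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  volumes: ["configMap", "emptyDir", "projected", "secret", "downwardAPI", "persistentVolumeClaim"]
---
# 2. Privileged policy, deliberately permissive; its reach is limited purely by RBAC below.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged-for-logging
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities: ["*"]
  hostNetwork: true
  hostPID: true
  hostIPC: true
  runAsUser: {rule: RunAsAny}
  seLinux: {rule: RunAsAny}
  supplementalGroups: {rule: RunAsAny}
  fsGroup: {rule: RunAsAny}
  volumes: ["*"]
---
# 3. Everyone authenticated (users and service accounts) may "use" the restricted policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:restricted-default
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["restricted-default"]
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp:restricted-default:all
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:restricted-default
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts
---
# 4. Only the log-shipper service account in the logging namespace may use the privileged policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:privileged-for-logging
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["privileged-for-logging"]
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp:privileged-for-logging:log-shipper
  namespace: logging
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:privileged-for-logging
subjects:
- kind: ServiceAccount
  name: log-shipper
  namespace: logging
```

Apply with microk8s.kubectl apply -f on the file, then confirm the scoping with `microk8s.kubectl auth can-i use podsecuritypolicies/privileged-for-logging --as system:serviceaccount:logging:log-shipper` (expected: yes) and the same query for a service account in another namespace (expected: no). Two design points matter here: the admission plugin authorizes a pod against the policies its creator or its service account can use, so a privileged DaemonSet must run under the bound service account rather than relying on the user who applied it; and the restrictive policy must be bound before the plugin is enabled, otherwise no pod can be admitted at all. PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25 in favour of Pod Security Admission, so this layout applies to the microk8s versions contemporary with this issue.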
Update: After some investigation, I found out that this is a problem with elasticsearch and pv. I will close this issue.