Unable to install kubebench on GKE #1346

Open
ajinkya1986 opened this issue Dec 13, 2022 · 1 comment

ajinkya1986 commented Dec 13, 2022

Overview

We are trying to install kube-bench on GKE, but we are getting a read-only file system error for the /srv/kubernetes and /opt/cni volume mount directories. So instead of using the directory we are using emptyDir. How and what will be the effect if we use emptyDir?

Following is the CronJob:

```yaml
apiVersion: batch/v1
{{- else }}
apiVersion: batch/v1beta1
{{- end }}
kind: CronJob
metadata:
  name: {{ .Values.misconfigCron.name }}
  namespace: ajinkya
  labels:
    # nindent 4 places the rendered keys directly under metadata.labels
    {{- with .Values.misconfigCron.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  schedule: {{ .Values.misconfigCron.schedule | quote }}
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            app: kube-bench
        spec:
          hostPID: true
          restartPolicy: Never
          containers:
          - name: misconfig-cron
            image: {{ .Values.misconfigCron.image }}
            imagePullPolicy: IfNotPresent
            # terminationGracePeriodSeconds: 60
            command: ["kube-bench", "--httpoutput=true"]
            # command: ["kube-bench", "--include-test-output", "--noremediations", "--noresults", "--nototals", "--httpoutput=true"]
            env:
            - name: TOKEN
              valueFrom:
                secretKeyRef:
                  name: testing-secrets
                  key: auth-token
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            volumeMounts:
            - name: var-lib-etcd
              mountPath: /var/lib/etcd
              readOnly: true
            - name: var-lib-kubelet
              mountPath: /var/lib/kubelet
              readOnly: true
            - name: var-lib-kube-scheduler
              mountPath: /var/lib/kube-scheduler
              readOnly: true
            - name: var-lib-kube-controller-manager
              mountPath: /var/lib/kube-controller-manager
              readOnly: true
            - name: etc-systemd
              mountPath: /etc/systemd
              readOnly: true
            - name: lib-systemd
              mountPath: /lib/systemd/
              readOnly: true
            - name: srv-kubernetes
              mountPath: /srv/kubernetes/
              readOnly: true
            - name: etc-kubernetes
              mountPath: /etc/kubernetes
              readOnly: true
            # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
            # You can omit this mount if you specify --version as part of the command.
            - name: usr-bin
              mountPath: /usr/local/mount-from-host/bin
              readOnly: true
            - name: etc-cni-netd
              mountPath: /etc/cni/net.d/
              readOnly: true
            - name: opt-cni-bin
              mountPath: /opt/cni/bin/
              readOnly: true
            - name: var-tmp-dump
              mountPath: /var/tmp/dump
            - name: misconfig-volume
              mountPath: /etc/config.yaml
              subPath: config.yaml
          volumes:
          - name: var-lib-etcd
            hostPath:
              path: "/var/lib/etcd"
          - name: var-lib-kubelet
            hostPath:
              path: "/var/lib/kubelet"
          - name: var-lib-kube-scheduler
            hostPath:
              path: "/var/lib/kube-scheduler"
          - name: var-lib-kube-controller-manager
            hostPath:
              path: "/var/lib/kube-controller-manager"
          - name: etc-systemd
            hostPath:
              path: "/etc/systemd"
          - name: lib-systemd
            hostPath:
              path: "/lib/systemd"
          - name: srv-kubernetes
            emptyDir: {}
          - name: etc-kubernetes
            hostPath:
              path: "/etc/kubernetes"
          - name: usr-bin
            hostPath:
              path: "/usr/bin"
          - name: etc-cni-netd
            hostPath:
              path: "/etc/cni/net.d/"
          - name: opt-cni-bin
            emptyDir: {}
          - name: var-tmp-dump
            hostPath:
              path: "/var/tmp/dump"
          - name: misconfig-volume
            configMap:
              name: {{ .Values.misconfigCron.configMapName }}
---
```

After installing the Helm chart, one of our misconfigcron jobs failed due to a read-only file system error. Following is the error:

```text
(combined from similar events): Error: failed to generate container "25441f585d69c59f163d51ddf295dd257e27392e79b3f2729" spec: failed to generate spec: failed to mkdir "/srv/kubernetes": mkdir /srv/kubernetes: read-only file system
```


vaboston commented Dec 8, 2023

Hello, you can add this to run on GKE:

```yaml
            volumeMounts:
            - name: srv-kubernetes
              mountPath: /tmp/kubernetes/
              readOnly: true
 [...]
          volumes:
          - name: srv-kubernetes
            hostPath:
              path: "/tmp/kubernetes"
```
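The two posts above hinge on what each volume actually presents to the benchmark: a hostPath whose source directory is missing on the node gets created at pod start (the `mkdir ... read-only file system` error quoted in the issue), while an emptyDir is simply empty, so kube-bench reads nothing at that path. As an added example that is not code from kube-bench or from this issue's chart, the Python script below lints the pod spec of such a CronJob and reports, per volumeMount, which of these situations applies. The spec is passed as a plain dict; `SAMPLE_POD_SPEC` is a constructed subset mirroring the issue's manifest after the switch to emptyDir, and `lint_pod_spec`, `messages_for` and `Finding` are names chosen here, not kube-bench APIs.

```python
"""Volume-wiring lint for a kube-bench pod template (added example).

Walks a pod spec given as a plain dict and reports, per volumeMount, what
the benchmark will see at that path: the node's files (hostPath) or an
empty directory (emptyDir), plus a few wiring pitfalls. Not part of
kube-bench; the sample spec is constructed for this example.
"""
from dataclasses import dataclass

# Constructed sample: a subset of the issue's container/volume wiring after
# /srv/kubernetes and /opt/cni/bin were changed to emptyDir.
SAMPLE_POD_SPEC = {
    "hostPID": True,
    "containers": [
        {
            "name": "misconfig-cron",
            "volumeMounts": [
                {"name": "var-lib-etcd", "mountPath": "/var/lib/etcd", "readOnly": True},
                {"name": "etc-kubernetes", "mountPath": "/etc/kubernetes", "readOnly": True},
                {"name": "srv-kubernetes", "mountPath": "/srv/kubernetes/", "readOnly": True},
                {"name": "opt-cni-bin", "mountPath": "/opt/cni/bin/", "readOnly": True},
                {"name": "var-tmp-dump", "mountPath": "/var/tmp/dump"},
            ],
        }
    ],
    "volumes": [
        {"name": "var-lib-etcd", "hostPath": {"path": "/var/lib/etcd"}},
        # 'type: Directory' makes the kubelet reject the pod up front when the
        # directory is missing on the node, instead of anything trying mkdir.
        {"name": "etc-kubernetes", "hostPath": {"path": "/etc/kubernetes", "type": "Directory"}},
        {"name": "srv-kubernetes", "emptyDir": {}},
        {"name": "opt-cni-bin", "emptyDir": {}},
        {"name": "var-tmp-dump", "hostPath": {"path": "/var/tmp/dump"}},
    ],
}


@dataclass
class Finding:
    mount_path: str   # container-side path ("-" for pod-level findings)
    severity: str     # "info" or "warn"
    message: str


def lint_pod_spec(spec):
    """Return a list of Finding objects for the given pod spec dict."""
    findings = []
    volumes = {v["name"]: v for v in spec.get("volumes", [])}

    if spec.get("hostPID"):
        findings.append(Finding("-", "info",
            "hostPID is set: the container shares the node PID namespace "
            "(kube-bench uses it to read control-plane process arguments)"))

    for container in spec.get("containers", []):
        for mount in container.get("volumeMounts", []):
            path = mount["mountPath"]
            vol = volumes.get(mount["name"])
            if vol is None:
                findings.append(Finding(path, "warn",
                    f"volumeMount {mount['name']!r} has no matching volume"))
            elif "emptyDir" in vol:
                # emptyDir starts empty, so file-based checks aimed at this
                # path find nothing and cannot assess the real node config.
                findings.append(Finding(path, "warn",
                    "backed by emptyDir: kube-bench sees an empty directory "
                    "here, not the node's files"))
            elif "hostPath" in vol:
                host = vol["hostPath"]
                if host.get("type") in (None, "", "DirectoryOrCreate"):
                    # Without 'type: Directory' a missing source directory is
                    # created on the node at pod start, which is exactly the
                    # mkdir/read-only error when the node root is read-only.
                    findings.append(Finding(path, "warn",
                        f"hostPath {host['path']} has no 'type: Directory': a "
                        "missing source directory is created at pod start, "
                        "which fails with a read-only file system error on "
                        "nodes with a read-only root"))
                if not mount.get("readOnly", False):
                    findings.append(Finding(path, "warn",
                        f"hostPath {host['path']} is mounted writable into the container"))
    return findings


def messages_for(spec, mount_path):
    """The finding messages recorded for one mountPath."""
    return [f.message for f in lint_pod_spec(spec) if f.mount_path == mount_path]


if __name__ == "__main__":
    for f in lint_pod_spec(SAMPLE_POD_SPEC):
        print(f"[{f.severity}] {f.mount_path}: {f.message}")
```

To use it on a real chart, render the template (for example with `helm template`), parse the CronJob with a YAML library and pass `spec.jobTemplate.spec.template.spec` to `lint_pod_spec`. The emptyDir warning is the answer to the question in the issue: the pod will start, but any benchmark check that reads files under that mount path is looking at an empty directory rather than the node.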
