kubectl-trace job create fails #194

Open
jackygam2001 opened this issue Aug 5, 2022 · 0 comments
Hi,
When I installed the kubectl-trace tool and used it to trace my pod's system calls, the trace job creation failed because of privileges. Below are my trace command and the job error log.

trace command:
```
[root@cec-cerulean-a tools]# kubectl-trace run pod/ecs-ui-s3-785b59dcc6-4p2wf -e "tracepoint:syscalls:sys_enter_* { @[probe] = count(); }"
trace 0f98e4c9-2726-4cb3-8b1c-8584290e0602 created
```

job describe:
```
[root@cec-cerulean-a tools]# kubectl describe job kubectl-trace-0f98e4c9-2726-4cb3-8b1c-8584290e0602
Name: kubectl-trace-0f98e4c9-2726-4cb3-8b1c-8584290e0602
Namespace: objectscale-system
Selector: controller-uid=24da37ac-9b51-47c8-b32f-d52a3dc9f356
Labels: iovisor.org/kubectl-trace=kubectl-trace-0f98e4c9-2726-4cb3-8b1c-8584290e0602
        iovisor.org/kubectl-trace-id=0f98e4c9-2726-4cb3-8b1c-8584290e0602
Annotations: iovisor.org/kubectl-trace: kubectl-trace-0f98e4c9-2726-4cb3-8b1c-8584290e0602
             iovisor.org/kubectl-trace-id: 0f98e4c9-2726-4cb3-8b1c-8584290e0602
Parallelism: 1
Completions: 1
Active Deadline Seconds: 3630s
Pods Statuses: 0 Running / 0 Succeeded / 0 Failed
Pod Template:
  Labels: controller-uid=24da37ac-9b51-47c8-b32f-d52a3dc9f356
          iovisor.org/kubectl-trace=kubectl-trace-0f98e4c9-2726-4cb3-8b1c-8584290e0602
          iovisor.org/kubectl-trace-id=0f98e4c9-2726-4cb3-8b1c-8584290e0602
          job-name=kubectl-trace-0f98e4c9-2726-4cb3-8b1c-8584290e0602
  Annotations: iovisor.org/kubectl-trace: kubectl-trace-0f98e4c9-2726-4cb3-8b1c-8584290e0602
               iovisor.org/kubectl-trace-id: 0f98e4c9-2726-4cb3-8b1c-8584290e0602
  Service Account: default
  Containers:
    kubectl-trace-0f98e4c9-2726-4cb3-8b1c-8584290e0602:
      Image: quay.io/iovisor/kubectl-trace-bpftrace:fd68b1c1bf614a7213c9834673eb8813c809b036
      Port:
      Host Port:
      Command:
        /bin/timeout
        --preserve-status
        --signal
        INT
        3600
        /bin/trace-runner
        --program=/programs/program.bt
        --inpod
        --container=s3
        --poduid=2362eac2-ba47-4ad7-b162-ecad6a3a4b34
      Limits:
        cpu: 1
        memory: 1G
      Requests:
        cpu: 100m
        memory: 100Mi
      Environment:
      Mounts:
        /lib/modules from modules-host (ro)
        /programs from program (ro)
        /sys from sys (ro)
        /usr-host from usr-host (ro)
  Volumes:
    program:
      Type: ConfigMap (a volume populated by a ConfigMap)
      Name: kubectl-trace-0f98e4c9-2726-4cb3-8b1c-8584290e0602
      Optional: false
    usr-host:
      Type: HostPath (bare host directory volume)
      Path: /usr
      HostPathType:
    modules-host:
      Type: HostPath (bare host directory volume)
      Path: /lib/modules
      HostPathType:
    sys:
      Type: HostPath (bare host directory volume)
      Path: /sys
      HostPathType:
Events:
  Type Reason Age From Message

  Warning FailedCreate 1s (x3 over 32s) job-controller Error creating: pods "kubectl-trace-0f98e4c9-2726-4cb3-8b1c-8584290e0602-" is forbidden: unable to validate against any security context constraint: [provider anyuid: .spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used, spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[2]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[3]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed, spec.containers[0].securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used, provider restricted: .spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
```
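
Added example, not part of the original issue or of the kubectl-trace project: a small parser for the security context constraint (SCC) denial in the event above. It separates the pod-spec fields rejected by the SCCs that were evaluated from the SCCs the service account was never granted. The sample string is abridged from the issue's event, and the function names are hypothetical.

```python
import re

# Abridged from the FailedCreate event quoted in the issue; pod name shortened.
SAMPLE_EVENT = (
    'Error creating: pods "kubectl-trace-example-" is forbidden: unable to validate '
    'against any security context constraint: ['
    'provider anyuid: .spec.securityContext.hostPID: Invalid value: true: '
    'Host PID is not allowed to be used, '
    'spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, '
    'spec.containers[0].securityContext.privileged: Invalid value: true: '
    'Privileged containers are not allowed, '
    'spec.containers[0].securityContext.hostPID: Invalid value: true: '
    'Host PID is not allowed to be used, '
    'provider restricted: .spec.securityContext.hostPID: Invalid value: true: '
    'Host PID is not allowed to be used, '
    'provider "nonroot": Forbidden: not usable by user or serviceaccount, '
    'provider "privileged": Forbidden: not usable by user or serviceaccount]'
)

MARKER = "security context constraint: ["
PROVIDER = re.compile(r'^provider "?([\w.-]+)"?: (.*)$')


def parse_scc_denial(message):
    """Return {scc_name: [reason, ...]} from an SCC admission denial message."""
    start, end = message.find(MARKER), message.rfind("]")
    if start == -1 or end < start:
        raise ValueError("not an SCC validation failure")
    denials, current = {}, None
    for entry in message[start + len(MARKER):end].split(", "):
        match = PROVIDER.match(entry)
        if match:  # a new SCC starts; later bare entries belong to it
            current, entry = match.group(1), match.group(2)
        if current is not None:
            denials.setdefault(current, []).append(entry)
    return denials


def summarize(denials):
    """Return (SCCs not granted to the account, spec fields rejected by the rest)."""
    not_granted = sorted(name for name, reasons in denials.items()
                         if any(r.startswith("Forbidden: not usable") for r in reasons))
    fields = sorted({re.sub(r"\[\d+\]", "[]", r.split(": Invalid value", 1)[0].lstrip("."))
                     for reasons in denials.values() for r in reasons
                     if ": Invalid value" in r})
    return not_granted, fields

if __name__ == "__main__":
    print(summarize(parse_scc_denial(SAMPLE_EVENT)))
```

In the issue's output the job runs as Service Account `default`; the rejected fields (host PID, hostPath volumes, privileged container) are what the trace job requests, and the `privileged` and `hostaccess` SCCs are among those reported as not usable by that account.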
