Nginx-ingress-controller- is forbidden: unable to validate against any pod security policy

Hello,

After enabling pod security policies and the default restricted policy for a cluster, I get the following event message when rebuilding the cluster:

ingress-nginx Warning FailedCreate nginx-ingress-controller Error creating: pods "nginx-ingress-controller-" is forbidden: unable to validate against any pod security policy: [spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used spec.containers[0].securityContext.capabilities.add: Invalid value: "NET_BIND_SERVICE": capability may not be added spec.containers[0].hostPort: Invalid value: 80: Host port 80 is not allowed to be used. Allowed ports: [] spec.containers[0].hostPort: Invalid value: 443: Host port 443 is not allowed to be used. Allowed ports: []] 17 minutes ago

I do have another policy enabled for a specific project workload that does get deployed. I was under the impression system workloads are not impacted by the default restricted policy or any other policy.

This and related github issues suggest the problem was fixed in 2019,
https://github.com/rancher/rancher/issues/16119

I am using Rancher v2.4.8, an Amazon EC2 provider RKE cluster with Kubernetes v1.18.12, and the nginx-ingress-controller image shows as v0.35.0.

Why is the ingress-nginx system workload being affected by the restricted pod security policy and/or what do I need to change so that it doesn’t get affected?

Thank you for your help.
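As an added example (not part of the original post, and not Rancher's or RKE's own manifests), here is a PodSecurityPolicy that allows exactly the four things the FailedCreate event above lists as violations (hostNetwork, the NET_BIND_SERVICE capability, and host ports 80 and 443) and nothing else, together with the RBAC that grants `use` on it to the ingress controller's service account only. The namespace `ingress-nginx` and the DaemonSet name come from the event text; the service account name `nginx-ingress-serviceaccount` and the policy name `ingress-nginx-hostnet` are assumptions, so check the first against the running DaemonSet before applying.

```yaml
# Added example; not from the post or from Rancher/RKE.
# Assumption: the ingress DaemonSet runs as service account
# nginx-ingress-serviceaccount in namespace ingress-nginx. Verify with:
#   kubectl -n ingress-nginx get ds nginx-ingress-controller \
#     -o jsonpath='{.spec.template.spec.serviceAccountName}'
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: ingress-nginx-hostnet
spec:
  privileged: false
  hostPID: false
  hostIPC: false
  # The three settings the restricted policy rejected in the event:
  hostNetwork: true
  hostPorts:
  - min: 80
    max: 80
  - min: 443
    max: 443
  allowedCapabilities:
  - NET_BIND_SERVICE
  # Upstream ingress-nginx manifests request privilege escalation so the
  # setcap'd binary can bind 80/443 as uid 101; leaving it allowed avoids
  # a second rejection after this one is fixed.
  allowPrivilegeEscalation: true
  # RunAsAny rather than MustRunAsNonRoot: the controller image declares a
  # named (non-numeric) user, which MustRunAsNonRoot cannot verify unless
  # the pod spec also sets runAsUser.
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  readOnlyRootFilesystem: false
  volumes:
  - configMap
  - secret
  - emptyDir
  - projected
  - downwardAPI
---
# Grant "use" on this policy and nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:ingress-nginx-hostnet
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  verbs: ["use"]
  resourceNames: ["ingress-nginx-hostnet"]
---
# A namespaced RoleBinding, so only this service account in this namespace
# can pick up the host-network policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp:ingress-nginx-hostnet
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:ingress-nginx-hostnet
subjects:
- kind: ServiceAccount
  name: nginx-ingress-serviceaccount   # assumed name; see comment above
  namespace: ingress-nginx
```

After `kubectl apply -f` on the file, confirm the binding took effect with `kubectl auth can-i use podsecuritypolicy/ingress-nginx-hostnet --as=system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount` (expect `yes`), then let the DaemonSet controller retry or delete its pending pods; a pod that was admitted shows the policy it matched in the `kubernetes.io/psp` annotation. The PSP admission controller accepts a pod if either the creating user (here the DaemonSet controller) or the pod's own service account is authorized to use a matching policy, so binding only the pod's service account is sufficient and keeps the host-network grant from leaking to other workloads. Two caveats: do not bind this policy to `system:serviceaccounts` or `system:authenticated`, since hostNetwork plus host ports is effectively node-level network access for anything that can use it; and PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25, so the same exception will eventually need to be expressed with Pod Security Admission namespace labels or an admission webhook instead.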