Description
Hi,
I installed the kubectl-trace tool and used it to trace my pod's system calls, but the trace job creation fails due to privileges. Below are my trace command and the job error log.
trace command:

```
[root@cec-cerulean-a tools]# kubectl-trace run pod/ecs-ui-s3-785b59dcc6-4p2wf -e "tracepoint:syscalls:sys_enter_* { @[probe] = count(); }"
trace 0f98e4c9-2726-4cb3-8b1c-8584290e0602 created
```

job describe:

```
[root@cec-cerulean-a tools]# kubectl describe job kubectl-trace-0f98e4c9-2726-4cb3-8b1c-8584290e0602
Name:                     kubectl-trace-0f98e4c9-2726-4cb3-8b1c-8584290e0602
Namespace:                objectscale-system
Selector:                 controller-uid=24da37ac-9b51-47c8-b32f-d52a3dc9f356
Labels:                   iovisor.org/kubectl-trace=kubectl-trace-0f98e4c9-2726-4cb3-8b1c-8584290e0602
                          iovisor.org/kubectl-trace-id=0f98e4c9-2726-4cb3-8b1c-8584290e0602
Annotations:              iovisor.org/kubectl-trace: kubectl-trace-0f98e4c9-2726-4cb3-8b1c-8584290e0602
                          iovisor.org/kubectl-trace-id: 0f98e4c9-2726-4cb3-8b1c-8584290e0602
Parallelism:              1
Completions:              1
Active Deadline Seconds:  3630s
Pods Statuses:            0 Running / 0 Succeeded / 0 Failed
Pod Template:
  Labels:           controller-uid=24da37ac-9b51-47c8-b32f-d52a3dc9f356
                    iovisor.org/kubectl-trace=kubectl-trace-0f98e4c9-2726-4cb3-8b1c-8584290e0602
                    iovisor.org/kubectl-trace-id=0f98e4c9-2726-4cb3-8b1c-8584290e0602
                    job-name=kubectl-trace-0f98e4c9-2726-4cb3-8b1c-8584290e0602
  Annotations:      iovisor.org/kubectl-trace: kubectl-trace-0f98e4c9-2726-4cb3-8b1c-8584290e0602
                    iovisor.org/kubectl-trace-id: 0f98e4c9-2726-4cb3-8b1c-8584290e0602
  Service Account:  default
  Containers:
   kubectl-trace-0f98e4c9-2726-4cb3-8b1c-8584290e0602:
    Image:      quay.io/iovisor/kubectl-trace-bpftrace:fd68b1c1bf614a7213c9834673eb8813c809b036
    Port:
    Host Port:
    Command:
      /bin/timeout
      --preserve-status
      --signal
      INT
      3600
      /bin/trace-runner
      --program=/programs/program.bt
      --inpod
      --container=s3
      --poduid=2362eac2-ba47-4ad7-b162-ecad6a3a4b34
    Limits:
      cpu:     1
      memory:  1G
    Requests:
      cpu:     100m
      memory:  100Mi
    Environment:
    Mounts:
      /lib/modules from modules-host (ro)
      /programs from program (ro)
      /sys from sys (ro)
      /usr-host from usr-host (ro)
  Volumes:
   program:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      kubectl-trace-0f98e4c9-2726-4cb3-8b1c-8584290e0602
    Optional:  false
   usr-host:
    Type:          HostPath (bare host directory volume)
    Path:          /usr
    HostPathType:
   modules-host:
    Type:          HostPath (bare host directory volume)
    Path:          /lib/modules
    HostPathType:
   sys:
    Type:          HostPath (bare host directory volume)
    Path:          /sys
    HostPathType:
Events:
  Type     Reason        Age               From            Message
  Warning  FailedCreate  1s (x3 over 32s)  job-controller  Error creating: pods "kubectl-trace-0f98e4c9-2726-4cb3-8b1c-8584290e0602-" is forbidden: unable to validate against any security context constraint: [provider anyuid: .spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used, spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[2]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[3]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed, spec.containers[0].securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used, provider restricted: .spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
```
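What that `FailedCreate` message is saying, as an added example that is not part of the issue report and not kubectl-trace or OpenShift code: OpenShift's security context constraints (SCC) admission tries every SCC the requesting user or service account may use, and the pod is rejected when none of them permits everything the spec asks for. The kubectl-trace job needs three things the `anyuid` and `restricted` SCCs deny (`hostPID`, `hostPath` volumes, a privileged container), and the only SCC that would allow them, `privileged`, is not granted to the `default` service account the job runs under. The model below reduces an SCC to those three fields, constructs the pod spec from the job's pod template above, and reproduces the shape of the error; the real admission plugin reports errors in more detail (and the `restricted` provider above only lists hostPID), so treat the output as illustrative.

```python
"""Simplified model of the OpenShift SCC admission check behind the
'unable to validate against any security context constraint' error.

Added example; not kubectl-trace or OpenShift code. SCCs are reduced to the
three fields that matter for this job (allowHostPID, allowPrivilegedContainer,
volumes), and the pod spec is constructed from the job's pod template.
"""
from dataclasses import dataclass


@dataclass
class SCC:
    name: str
    allow_host_pid: bool
    allow_privileged: bool
    volumes: frozenset          # allowed volume types; {"*"} means any
    usable: bool = True         # may the requesting user/service account use it?


# Volume types the real 'restricted' and 'anyuid' SCCs allow (hostPath is not one).
_SAFE_VOLUMES = frozenset(
    {"configMap", "downwardAPI", "emptyDir", "persistentVolumeClaim", "projected", "secret"})

ANYUID = SCC("anyuid", allow_host_pid=False, allow_privileged=False, volumes=_SAFE_VOLUMES)
RESTRICTED = SCC("restricted", allow_host_pid=False, allow_privileged=False, volumes=_SAFE_VOLUMES)
# The built-in 'privileged' SCC allows everything, but only for users/SAs it is granted to.
PRIVILEGED_NOT_GRANTED = SCC("privileged", True, True, frozenset({"*"}), usable=False)
PRIVILEGED_GRANTED = SCC("privileged", True, True, frozenset({"*"}), usable=True)

# Constructed from the job's pod template: hostPID, three hostPath mounts,
# and a privileged container (exactly the settings the error message rejects).
KUBECTL_TRACE_POD = {
    "hostPID": True,
    "volumes": [
        {"name": "program", "configMap": {"name": "kubectl-trace-0f98e4c9-2726-4cb3-8b1c-8584290e0602"}},
        {"name": "usr-host", "hostPath": {"path": "/usr"}},
        {"name": "modules-host", "hostPath": {"path": "/lib/modules"}},
        {"name": "sys", "hostPath": {"path": "/sys"}},
    ],
    "containers": [
        {"name": "kubectl-trace-0f98e4c9-2726-4cb3-8b1c-8584290e0602",
         "securityContext": {"privileged": True}},
    ],
}


def _volume_type(vol):
    """A volume is {"name": ..., "<type>": {...}}; return the type key."""
    return next(k for k in vol if k != "name")


def required_capabilities(pod_spec):
    """What an SCC must allow for this pod: the thing to check before granting one."""
    caps = set()
    if pod_spec.get("hostPID"):
        caps.add("hostPID")
    if any(_volume_type(v) == "hostPath" for v in pod_spec.get("volumes", [])):
        caps.add("hostPath")
    if any(c.get("securityContext", {}).get("privileged") for c in pod_spec.get("containers", [])):
        caps.add("privileged")
    return caps


def validate(pod_spec, scc):
    """Violations of one SCC, worded like the admission error in the issue."""
    if not scc.usable:
        return [f'provider "{scc.name}": Forbidden: not usable by user or serviceaccount']
    errs = []
    if pod_spec.get("hostPID") and not scc.allow_host_pid:
        errs.append(f"provider {scc.name}: .spec.securityContext.hostPID: "
                    "Invalid value: true: Host PID is not allowed to be used")
    for i, vol in enumerate(pod_spec.get("volumes", [])):
        vtype = _volume_type(vol)
        if "*" not in scc.volumes and vtype not in scc.volumes:
            errs.append(f'spec.volumes[{i}]: Invalid value: "{vtype}": '
                        f"{vtype} volumes are not allowed to be used")
    for i, ctr in enumerate(pod_spec.get("containers", [])):
        if ctr.get("securityContext", {}).get("privileged") and not scc.allow_privileged:
            errs.append(f"spec.containers[{i}].securityContext.privileged: "
                        "Invalid value: true: Privileged containers are not allowed")
    return errs


def admit(pod_spec, sccs):
    """First SCC that validates the pod wins; otherwise every SCC's errors are
    collected, which is why the real error message is one long list."""
    collected = []
    for scc in sccs:
        errs = validate(pod_spec, scc)
        if not errs:
            return scc.name, []
        collected.extend(errs)
    return None, collected


if __name__ == "__main__":
    print("needs:", sorted(required_capabilities(KUBECTL_TRACE_POD)))
    scc, errs = admit(KUBECTL_TRACE_POD, [ANYUID, RESTRICTED, PRIVILEGED_NOT_GRANTED])
    print("as default SA ->", scc, "\n  " + "\n  ".join(errs))
    scc, errs = admit(KUBECTL_TRACE_POD, [ANYUID, RESTRICTED, PRIVILEGED_GRANTED])
    print("with privileged SCC granted ->", scc)
```

The practical consequence: the job will only be admitted once it runs under a service account that is allowed to use an SCC permitting hostPID, hostPath and privileged, which on a stock cluster means the `privileged` SCC. Grant it to a dedicated service account rather than to `default` (every pod in the namespace that does not name a service account runs as `default`, so granting it there widens the blast radius for the whole namespace); on OpenShift that is `oc adm policy add-scc-to-user privileged -z <sa> -n objectscale-system` after creating `<sa>`, and kubectl-trace can then be pointed at it with its `--serviceaccount` flag (flag name from my recollection of `kubectl-trace run --help`; confirm it there). `oc adm policy scc-review -z <sa> -f <pod-or-job.yaml>` reports which SCC, if any, would admit a given spec before you submit it.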