Spawn failures owing to pod security policies

verdurin · June 6, 2022, 4:02pm

I’m seeing symptoms similar to Single User Container Not Creating due to Pod Policies i.e. spawn failures, with the error given as:

HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"jupyter-user1\" is forbidden: PodSecurityPolicy: unable to admit pod: []","reason":"Forbidden","details":{"name":"jupyter-user1","kind":"pods"},"code":403}

I’ve tried the suggestion there i.e.

singleuser:
  #...
  cloudMetadata:
      blockWithIptables: false

and that hasn’t helped.

These are the network policies:

 kubectl get networkPolicy -n jupyterhub
NAME         POD-SELECTOR                                                   AGE
autohttps    app=jupyterhub,component=autohttps,release=z2jh-0.14           31m
hub          app=jupyterhub,component=hub,release=z2jh-0.14                 3h28m
proxy        app=jupyterhub,component=proxy,release=z2jh-0.14               3h28m
singleuser   app=jupyterhub,component=singleuser-server,release=z2jh-0.14   3h28m

This is using Helm chart 1.2.0, the k8s cluster is running 1.23.4, on OpenStack via Magnum.

This is the pod security policy:

kubectl get psp
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
NAME                PRIV   CAPS   SELINUX    RUNASUSER   FSGROUP    SUPGROUP   READONLYROOTFS   VOLUMES
magnum.privileged   true   *      RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            *

verdurin · June 7, 2022, 9:24am

I was able to work around this by applying a rolebinding which authorized service accounts.

sluna · January 24, 2023, 11:39am

Hi,

I am actually facing the same issue, could you please provide more details about your solution?

Thanks!

verdurin · January 24, 2023, 1:47pm

Sure, we apply this:

sluna · January 24, 2023, 3:38pm

Thanks! Is it me or there is a missing part of your answer?

verdurin · January 24, 2023, 4:17pm

Hmm, seems it stripped out the code from my e-mail.

The YAML code is:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jupyterhub-rolebinding
  namespace: jhub
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: magnum:podsecuritypolicy:privileged
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts

sluna · January 24, 2023, 4:21pm

Thank you! that worked for me as well!

Topic		Replies	Views
Single User Container Not Creating due to Pod Policies Zero to JupyterHub on Kubernetes community , jupyterhub , help-wanted	1	1163	March 24, 2022
Jupyter on Kubernetes doesnt spawn Jupyter Pods for Users beacuase of an Permission Error JupyterHub	5	517	May 25, 2023
Spawn failed: Could not create pod JupyterHub community , help-wanted	5	1836	May 24, 2022
JupyterHub not loading Recent Jupyter Docker-Stacks JupyterHub	2	714	August 18, 2020
Not able to start the server Zero to JupyterHub on Kubernetes	3	2142	April 26, 2020

Spawn failures owing to pod security policies

Related Topics