Onboarding Talos k8s cluster to Azure Arc failed #12373
Closed
minhtuan-nguyen started this conversation in General
1 comment, 1 reply
Reply:
Please format logs with three backticks so they're readable. I can't tell for sure, but it looks like the pod is trying to do things that are not allowed by the default pod security policy in Talos. You may need to label the namespace to allow privileged pods. Documentation is here: https://docs.siderolabs.com/kubernetes-guides/security/pod-security#override-the-pod-security-admission-configuration
Original post:
Hi Everyone,
I'm trying to add a Talos k8s cluster to Azure Arc and it ran into the following error:
```text
Step: 2025-12-09T19-45-11Z: Starting to install Azure arc agents on the Kubernetes cluster.
Please check if the azure-arc namespace was deployed and run 'kubectl get pods -n azure-arc' to check if all the pods are in running state. A possible cause for pods stuck in pending state could be insufficient resources on the kubernetes cluster to onboard to arc.
Unable to install helm release: W1209 20:45:15.607849 23188 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "fluent-bit" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "resource-sync-agent" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "varlog", "varlibdockercontainers" use restricted volume type "hostPath"), runAsNonRoot != true (pod or container "fluent-bit" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "resource-sync-agent", "fluent-bit" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W1209 20:45:15.607849 23188 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "fluent-bit" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "cluster-metadata-operator" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "varlog", "varlibdockercontainers" use restricted volume type "hostPath"), runAsNonRoot != true (pod or container "fluent-bit" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "cluster-metadata-operator", "fluent-bit" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W1209 20:45:15.609234 23188 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "fluent-bit" must set securityContext.allowPrivilegeEscalation=false), restricted volume types (volumes "varlog", "varlibdockercontainers" use restricted volume type "hostPath"), runAsNonRoot != true (pod or container "fluent-bit" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "kube-aad-proxy", "fluent-bit" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W1209 20:45:15.613738 23188 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "fluent-bit", "clusterconnectservice-operator" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "clusterconnect-agent", "clusterconnectservice-operator" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "varlog", "varlibdockercontainers" use restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "fluent-bit", "clusterconnectservice-operator" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "clusterconnect-agent", "fluent-bit", "clusterconnectservice-operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W1209 20:45:15.614241 23188 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "manager", "healthstatecontroller", "fluent-bit" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "manager", "healthstatecontroller" must set securityContext.capabilities.drop=["ALL"]; container "healthstatecontroller" must not include "SYS_PTRACE" in securityContext.capabilities.add), restricted volume types (volumes "varlog", "varlibdockercontainers" use restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "manager", "healthstatecontroller", "fluent-bit" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "manager", "healthstatecontroller", "fluent-bit" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W1209 20:45:15.617301 23188 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "fluent-bit" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "extension-events-collector" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "varlog", "varlibdockercontainers" use restricted volume type "hostPath"), runAsNonRoot != true (pod or container "fluent-bit" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "extension-events-collector", "fluent-bit" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W1209 20:45:15.617301 23188 warnings.go:70] would violate PodSecurity "restricted:latest": unrestricted capabilities (container "flux-logs-agent" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "flux-logs-agent" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W1209 20:45:15.617301 23188 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "fluent-bit" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "manager" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "varlog", "varlibdockercontainers" use restricted volume type "hostPath"), runAsNonRoot != true (pod or container "fluent-bit" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "manager", "fluent-bit" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W1209 20:45:15.620170 23188 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "config-agent", "fluent-bit" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "config-agent" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "varlog", "varlibdockercontainers" use restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "config-agent", "fluent-bit" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "config-agent", "fluent-bit" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W1209 20:45:15.620170 23188 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "fluent-bit" must set securityContext.allowPrivilegeEscalation=false), restricted volume types (volumes "varlog", "varlibdockercontainers" use restricted volume type "hostPath"), runAsNonRoot != true (pod or container "fluent-bit" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "fluent-bit" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W1209 20:45:15.620170 23188 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "fluent-bit" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "manager" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "varlog", "varlibdockercontainers" use restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "manager", "fluent-bit" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "manager", "fluent-bit" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W1209 20:45:15.620170 23188 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "fluent-bit" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "metrics-agent" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "varlog", "varlibdockercontainers" use restricted volume type "hostPath"), runAsNonRoot != true (pod or container "fluent-bit" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "metrics-agent", "fluent-bit" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Error: context deadline exceeded
```
Any advice is welcome.
Talos Linux version 1.11.5
K8s version 1.33.6
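The script below is an added example written for this discussion; it is not code from either participant, from Talos, or from Azure Arc. It parses PodSecurity warning lines like the ones quoted in the post (three of them are embedded verbatim as constructed sample input), reports per container which Pod Security Standards controls fail, and works out whether the namespace needs the `baseline` or the `privileged` enforce level before the pods will be admitted. The function names are mine; the split between baseline-level controls (hostPath volumes, added capabilities outside the baseline allow-list such as SYS_PTRACE) and restricted-only controls (allowPrivilegeEscalation, drop ALL, runAsNonRoot, seccompProfile) comes from the upstream Pod Security Standards, and the `pod-security.kubernetes.io/enforce` label is the standard namespace label that the reply's "label the namespace" advice refers to.

```python
import re
from collections import defaultdict

# Constructed sample input: three of the warning lines quoted in the question
# above, copied verbatim so the parser can be exercised offline.
SAMPLE_WARNINGS = [
    'W1209 20:45:15.607849 23188 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "fluent-bit" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "resource-sync-agent" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "varlog", "varlibdockercontainers" use restricted volume type "hostPath"), runAsNonRoot != true (pod or container "fluent-bit" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "resource-sync-agent", "fluent-bit" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")',
    'W1209 20:45:15.617301 23188 warnings.go:70] would violate PodSecurity "restricted:latest": unrestricted capabilities (container "flux-logs-agent" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "flux-logs-agent" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")',
    'W1209 20:45:15.614241 23188 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "manager", "healthstatecontroller", "fluent-bit" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "manager", "healthstatecontroller" must set securityContext.capabilities.drop=["ALL"]; container "healthstatecontroller" must not include "SYS_PTRACE" in securityContext.capabilities.add), restricted volume types (volumes "varlog", "varlibdockercontainers" use restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "manager", "healthstatecontroller", "fluent-bit" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "manager", "healthstatecontroller", "fluent-bit" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")',
]

# Capabilities the Pod Security Standards *baseline* profile lets a container
# add; anything else in capabilities.add already fails baseline.
BASELINE_ALLOWED_ADD_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}

WARNING_RE = re.compile(r'would violate PodSecurity "(?P<level>[^:"]+):(?P<version>[^"]+)": (?P<rest>.*)$')
CONTROL_RE = re.compile(r"([\w !=]+?) \(([^()]*)\)")          # control name (detail)
CONTAINERS_RE = re.compile(r'(?:pod or )?containers? ((?:"[^"]+"(?:, )?)+)')
QUOTED_RE = re.compile(r'"([^"]+)"')
ADDED_CAP_RE = re.compile(r'must not include "([^"]+)" in securityContext\.capabilities\.add')


def parse_warning(line):
    """Split one PodSecurity warning into (control name, detail) pairs.

    Returns None for lines that are not PodSecurity warnings."""
    m = WARNING_RE.search(line)
    if not m:
        return None
    controls = [(name.strip(), detail) for name, detail in CONTROL_RE.findall(m.group("rest"))]
    return {"level": m.group("level"), "version": m.group("version"), "controls": controls}


def baseline_violations(controls):
    """Controls that a *baseline* namespace would still reject.

    hostPath volumes and non-baseline added capabilities are baseline
    violations; the remaining controls in these warnings are restricted-only."""
    hits = []
    for name, detail in controls:
        if name == "restricted volume types" and '"hostPath"' in detail:
            hits.append(name)
        elif name == "unrestricted capabilities":
            added = ADDED_CAP_RE.findall(detail)
            if any(cap not in BASELINE_ALLOWED_ADD_CAPS for cap in added):
                hits.append(name)
    return hits


def minimum_namespace_level(lines):
    """Lowest PSA enforce level at which every warned-about pod is admitted."""
    parsed = [p for p in map(parse_warning, lines) if p]
    if not parsed:
        return "restricted"          # nothing complained, keep the default
    if any(baseline_violations(p["controls"]) for p in parsed):
        return "privileged"
    return "baseline"


def summarize(lines):
    """Map each container named in the warnings to the controls it fails."""
    by_container = defaultdict(set)
    for p in filter(None, map(parse_warning, lines)):
        for name, detail in p["controls"]:
            m = CONTAINERS_RE.match(detail)
            # Volume findings name volumes rather than containers; record them against the pod.
            targets = QUOTED_RE.findall(m.group(1)) if m else ["(pod)"]
            for target in targets:
                by_container[target].add(name)
    return {k: sorted(v) for k, v in by_container.items()}


def label_command(namespace, level):
    """kubectl command that scopes the relaxed policy to one namespace only."""
    return f"kubectl label namespace {namespace} pod-security.kubernetes.io/enforce={level} --overwrite"


if __name__ == "__main__":
    for container, controls in sorted(summarize(SAMPLE_WARNINGS).items()):
        print(f"{container}: {', '.join(controls)}")
    level = minimum_namespace_level(SAMPLE_WARNINGS)
    print(f"minimum enforce level for these pods: {level}")
    print(label_command("azure-arc", level))
```

Run it as-is to see the triage on the embedded sample, or pipe the real installer output through `minimum_namespace_level` to decide how far to relax the namespace. A pod that only trips restricted-level controls (flux-logs-agent in the sample) would be admitted at `baseline`; the hostPath volumes and the added SYS_PTRACE capability in the agent pods are what force the namespace to `privileged`, which is the outcome the reply describes. Applying the label to `azure-arc` alone leaves the cluster-wide default untouched.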