This topic provides answers to some frequently asked questions about container security.
Why do containers fail to communicate with each other?
The following section describes the causes of network communication failures due to different security group settings and provides solutions to the failures.
The inbound rule in which Authorization Object is Pod CIDR Block and Protocol Type is All is deleted.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and click Cluster Information in the left-side navigation pane.
On the Cluster Information page, click the Cluster Resources tab, and then click the link to the right of Security Group to go to the security group page in the Elastic Compute Service (ECS) console.
On the Inbound tab of the Security Group page, click Add Rule.
Configure Protocol Type, Port Range, and Authorization Object. Then, click Save.
NoteSet Protocol Type to All.
Set Authorization Object to the pod CIDR block of the cluster.
You can find the pod CIDR block in the Cluster Information section of the cluster details page in the Container Service for Kubernetes (ACK) console.
For more information about Authorization Object, see Security groups for different use cases.
A rule in which Authorization Object is set to the pod CIDR block of the cluster and Protocol Type is set to All is added.
The new ECS instance and the Kubernetes cluster belong to different security groups.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and click Cluster Information in the left-side navigation pane.
On the Cluster Information page, click the Cluster Resources tab. Then, view and record the ID on the right side of Security Group.
Add the desired ECS instance to the security group that is found in the previous step. For more information about how to add an ECS instance to a security group, see Manage the security groups of one or more ECS instances on the Instances page.
How do I specify a security group for an ACK cluster?
You cannot specify a security group for an ACK cluster. A default security group is automatically specified for an ACK cluster when the cluster is created. You can modify the rules of the default security group.
Can I disable cluster auditing when I create a cluster or enable cluster auditing after the cluster is created?
Yes, you can migrate a WAF 2.0 instance to which domain names are added in transparent proxy mode. For more information, see Work with the cluster auditing feature.
How do I renew the certificate of an ACK dedicated cluster and how do I renew the certificates of the components in the cluster?
Approximately two months before a certificate expires, an internal message and a text message are sent to remind you about the expiration of the certificate. You can go to the clusters page in the console and click Renew to renew the certificate. For more information, see Renew expiring Kubernetes cluster certificates.
For more information about how to renew an expired certificate, see Update expired certificates of a Kubernetes cluster.
How do I fix the "no providers available to validate pod request" error during pod creation?
If no custom pod security policy (PSP) is defined, the error appears because you deleted the default PSP. You can restore the default PSP to fix the error. For more information, see [Deprecated] Use pod security policies.
If you want to use a custom PSP, see Configure pod security policies.
Why am I unable to use existing Secrets in a new namespace?
Secrets are scoped to namespaces. You must create new Secrets in a new namespace.
How do I fix the mount error when I mount the default token?
The following error message is returned:
Normal Scheduled 13m default-scheduler Successfully assigned dev/alibaba-demo-67fcdbfb8-zklnp to cn-hangzhou.10.7.3.16 Warning FailedMount 13m (x2 over 13m) kubelet, cn-hangzhou.10.7.3.16 MountVolume.SetUp failed for volume 'default-token-8twx9' : mount failed: exit status 1 Mounting command: systemd-run Mounting arguments: --description=Kubernetes transient mount for /var/lib/kubelet/pods/62d39b35-9a4d-11ea-9870-c24d56a0e904/volumes/kubernetes.io~secret/default-token-8twx9 --scope -- mount -t tmpfs tmpfs /var/lib/kubelet/pods/62d39b35-9a4d-11ea-9870-c24d56a0e904/volumes/kubernetes.io~secret/default-token-8twx9 Output: Failed to start transient scope unit: Argument list too long Warning FailedCreatePodContainer 3m40s (x49 over 13m) kubelet, cn-hangzhou.10.7.3.16 unable to ensure pod container exists: failed to create container for [kubepods burstable pod62d39b35-9a4d-11ea-9870-c24d56a0e904] : Argument list too long
The systemd version is outdated.
How do I query the auditing log?
Query the auditing log about Role-Based Access Control (RBAC) operations
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and click Cluster Information in the left-side navigation pane.
On the Cluster Information page, click the Cluster Resources tab. Then, click the link to the right of Log Service Project.
On the
audit-<cluster_id>
Logstore that you want to query and click Search & Analysis. page, click theIn the upper-right corner, you cna specify the time period that you want to query. Example: 15 Minutes.
NoteSelect a time period that covers the time when errors occurred, for example, 3 days, 7 day, or 15 days.
In the Search & Analyze search bar, enter the following SQL statement and then click Search & Analyze.
requestURI: "rbac.authorization.k8s.io" not (verb: get or verb: watch)
Click the icon. In the Log Download dialog box, select Download All Logs with Cloud Shell and click OK.
Query the auditing log about ConfigMap operations
In the Search & Analyze search bar, enter the following SQL statement and then click Search & Analyze. For more information, see How do I query the auditing log?
requestURI: "configmaps" and <configmap_name> not (verb: get or verb: watch or verb: list)
Replace <configmap_name> with the name of the ConfigMap that you want to query.
Query the auditing log about Deployment scaling operations
In the Search & Analyze search bar, enter the following SQL statement and then click Search & Analyze. For more information, see How do I query the auditing log?
requestURI: deployments and (verb: update or verb: patch) and replicas and deployments and <deployment_name> not deployment-controller
Replace <configmap_name> with the name of the ConfigMap that you want to query.