This topic answers frequently asked questions (FAQs) about application container security.
Why is there no network connectivity between containers?
Network connectivity problems between containers in an ACK cluster are often caused by the cluster security group. The following two causes are common. Find the one that matches your cluster and follow the corresponding steps.

Cause 1: The inbound rule whose Source is the Pod Network CIDR and whose Protocol is All Traffic was deleted from the cluster security group.
Solution: Add the rule back.
Log on to the ACK console. In the left navigation pane, click Clusters.
On the Clusters page, find the target cluster and click its name. In the navigation pane on the left, click Cluster Information.
On the Cluster Information page, click the Basic Information tab. Click the link next to Control Plane Security Group to go to the security group page in the ECS console.
On the Security Groups page, on the Inbound tab, click Add Rule. In the dialog box that appears, configure the rule with the following settings and click Submit.
Action: Allow.
Priority: Default.
Protocol: Select All Traffic.
Source: Enter the pod CIDR block. You can obtain the pod CIDR block (Pod Network CIDR) from the Network section on the cluster details page in the ACK console.
Result: The cluster security group again has an inbound rule whose Source is the pod network CIDR and whose Protocol is All Traffic.

Cause 2: The security group of a newly added ECS instance is different from the security group of the cluster.
Solution: Add the ECS instance to the cluster security group.
Log on to the ACK console. In the left navigation pane, click Clusters.
On the Clusters page, find the target cluster and click its name. In the navigation pane on the left, click Cluster Information.
On the Cluster Information page, click the Basic Information tab and record the security group ID from the Security Group field.
Add the target ECS instance to the cluster security group that you recorded in the previous step. For more information about how to add an ECS instance to a security group, see Add an instance to, remove an instance from, or switch the security group for an instance.
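The two causes above can be checked programmatically before touching the console. The following is an added example (not Alibaba Cloud code and not an ACK or ECS SDK type): it models security group rules with a hypothetical SecurityGroupRule dataclass, checks whether any inbound accept/All Traffic rule covers the whole pod CIDR (cause 1), and lists nodes whose security groups do not include the cluster security group (cause 2). All IDs, CIDRs and rules are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


# Hypothetical model of one security group rule, using the fields shown in the
# ECS console (direction, action, protocol, source CIDR). Not an SDK type.
@dataclass(frozen=True)
class SecurityGroupRule:
    direction: str    # "ingress" or "egress"
    action: str       # "accept" or "drop"
    protocol: str     # "all", "tcp", "udp", "icmp", ...
    source_cidr: str  # source CIDR block (meaningful for ingress rules)


def allows_pod_cidr_inbound(rules: List[SecurityGroupRule], pod_cidr: str) -> bool:
    """True if some ingress accept rule for all traffic covers the whole pod CIDR."""
    pod_net = ipaddress.ip_network(pod_cidr, strict=False)
    for rule in rules:
        if rule.direction != "ingress" or rule.action != "accept" or rule.protocol != "all":
            continue  # a protocol-limited rule (e.g. tcp/22) does not satisfy cause 1
        src_net = ipaddress.ip_network(rule.source_cidr, strict=False)
        # subnet_of() only accepts networks of the same IP version
        if src_net.version == pod_net.version and pod_net.subnet_of(src_net):
            return True
    return False


def nodes_outside_cluster_sg(cluster_sg_id: str, node_sgs: Dict[str, List[str]]) -> List[str]:
    """Names of nodes that are not members of the cluster security group (cause 2)."""
    return sorted(name for name, sgs in node_sgs.items() if cluster_sg_id not in sgs)


def diagnose(cluster_sg_id: str, rules: List[SecurityGroupRule],
             pod_cidr: str, node_sgs: Dict[str, List[str]]) -> List[str]:
    """Return a list of human-readable findings; an empty list means both checks passed."""
    findings = []
    if not allows_pod_cidr_inbound(rules, pod_cidr):
        findings.append(f"cause 1: no inbound All Traffic rule from pod CIDR {pod_cidr} "
                        f"in security group {cluster_sg_id}")
    for node in nodes_outside_cluster_sg(cluster_sg_id, node_sgs):
        findings.append(f"cause 2: node {node} is not in cluster security group {cluster_sg_id}")
    return findings


# Constructed sample data: placeholder IDs and CIDRs, not real resources.
CLUSTER_SG_ID = "sg-cluster-example"
POD_CIDR = "172.20.0.0/16"
HEALTHY_RULES = [
    SecurityGroupRule("ingress", "accept", "tcp", "0.0.0.0/0"),      # protocol-limited rule
    SecurityGroupRule("ingress", "accept", "all", "172.20.0.0/16"),  # the pod-CIDR rule
    SecurityGroupRule("egress", "accept", "all", "0.0.0.0/0"),
]
# Same rule set with the pod-CIDR rule deleted (the situation in cause 1).
BROKEN_RULES = [r for r in HEALTHY_RULES if r.source_cidr != POD_CIDR]
# node-b was added with a different security group (the situation in cause 2).
NODE_SGS = {"node-a": ["sg-cluster-example"], "node-b": ["sg-other-example"]}

if __name__ == "__main__":
    for finding in diagnose(CLUSTER_SG_ID, BROKEN_RULES, POD_CIDR, NODE_SGS):
        print(finding)
```

In a real cluster the rule list and node security group membership would come from the ECS console or API; the check logic is the same. A rule whose source is a larger block that contains the pod CIDR (for example 172.16.0.0/12 for a 172.20.0.0/16 pod network) also satisfies cause 1, while a rule covering only part of the pod CIDR does not.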
How do I specify a security group for a Kubernetes cluster?
Specify a security group when creating a cluster
When you create a Kubernetes cluster, ACK automatically creates a default security group. You can modify the rules of this security group as needed. For more information, see Configure a cluster security group.
Modify the associated security group in an existing cluster
Log on to the ACK console. In the left navigation pane, click Clusters.
On the Clusters page, find the target cluster and click its name. In the navigation pane on the left, click Cluster Information.
On the Cluster Information page, click the Basic Information tab. In the Network section, click Edit next to Control Plane Security Group.
In the dialog box that appears, select the security group that you want to use and click OK.
Can the cluster audit feature be disabled or deployed after a cluster is created?
Yes. For more information, see Use the cluster API server audit feature.
How do I change the certificate validity period and replace component certificates for an ACK Dedicated cluster?
About two months before your cluster certificate expires, you will receive internal messages and notifications. After you receive a notification, go to the Clusters page in the console and click the button to update the certificate. For more information, see Update an expiring certificate for an ACK dedicated cluster.
If your Kubernetes cluster certificate has expired, see Update an expired certificate for an ACK dedicated cluster.
Why can't I create a pod, and why does the error "no providers available to validate pod request" appear?
If you have not configured a custom Pod Security Policy (PSP), this error occurs because you deleted the default PSP. To resolve this issue, restore the default PSP rules. For more information, see [Deprecated] Use Pod Security Policies.
To configure a custom PSP, see Enable security policy management.
Why can't I use a Secret in a new namespace?
Secrets are namespace-scoped. You must create the Secret in the new namespace.
Why can't I mount the default-token?
The default-token cannot be mounted, and the pod events show the following error message:
Normal Scheduled 13m default-scheduler Successfully assigned dev/alibaba-demo-67fcdbfb8-zklnp to cn-hangzhou.10.7.3.16
Warning FailedMount 13m (x2 over 13m) kubelet, cn-hangzhou.10.7.3.16 MountVolume.SetUp failed for volume 'default-token-8twx9' : mount failed: exit status 1 Mounting command: systemd-run Mounting arguments: --description=Kubernetes transient mount for /var/lib/kubelet/pods/62d39b35-9a4d-11ea-9870-c24d56a0e904/volumes/kubernetes.io~secret/default-token-8twx9 --scope -- mount -t tmpfs tmpfs /var/lib/kubelet/pods/62d39b35-9a4d-11ea-9870-c24d56a0e904/volumes/kubernetes.io~secret/default-token-8twx9 Output: Failed to start transient scope unit: Argument list too long
Warning FailedCreatePodContainer 3m40s (x49 over 13m) kubelet, cn-hangzhou.10.7.3.16 unable to ensure pod container exists: failed to create container for [kubepods burstable pod62d39b35-9a4d-11ea-9870-c24d56a0e904] : Argument list too long
This issue occurs because the systemd version on the node is too old.
How do I query audit logs?
Query audit logs for RBAC-related changes
Log on to the ACK console. In the left navigation pane, click Clusters.
On the Clusters page, find the target cluster and click its name. In the navigation pane on the left, click Cluster Information.
On the Cluster Information page, click the Basic Information tab. Click the link next to Log Service Project to go to the Simple Log Service (SLS) console.
On the page that appears, select the audit-<cluster_id> Logstore and click Search & Analyze in the upper-right corner.
From the drop-down list at the top of the page, select a time range, such as the last 15 minutes.
Note: The time range must cover the period from when the system was working as expected to when the issue occurred. For example, you can select 3 days, 7 days, or 15 days.
In the Search & Analyze text box, enter the following query and click Search & Analyze in the upper-right corner.
requestURI: "rbac.authorization.k8s.io" not (verb: get or verb: watch)
Click the icon and select Download Log. In the Download Log dialog box, configure the download settings and click OK.
Query audit logs for ConfigMap-related changes
In the Search & Analyze text box, enter the following query and click Search & Analyze. For the remaining steps (selecting the Logstore, the time range, and downloading the results), see How do I query audit logs?.
requestURI: "configmaps" and <configmap_name> not (verb: get or verb: watch or verb: list)
When you run the query, replace <configmap_name> with the actual ConfigMap name.
Query audit logs for pod scaling in a deployment
In the Search & Analyze text box, enter the following query and click Search & Analyze. For the remaining steps (selecting the Logstore, the time range, and downloading the results), see How do I query audit logs?.
requestURI: deployments and (verb: update or verb: patch) and replicas and deployments and <deployment_name> not deployment-controller
When you run the query, replace <deployment_name> with the actual deployment name.