We're using GKE with our Kubernetes cluster. One of the apps we're running is Jenkins for CI. Unfortunately, Jenkins slaves need to use Docker to mount their host's
It looks like you want to run your Jenkins CI in privileged mode. But if you just want to call Docker from inside Jenkins, you don't need to use privileged mode; you can just mount the Docker socket from the node into the Jenkins container.

    spec:
      volumes:
      - name: docker-socket
        hostPath:
          path: /var/run/docker.sock
      containers:
      - name: name
        image: image-location
        volumeMounts:
        - name: docker-socket
          mountPath: /var/run/docker.sock

Regarding Admission Controllers, all of them are provided by the kube-apiserver binary and enabled on GKE.
From the documentation about GKE:

    apiVersion: extensions/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: my-psp
    spec:
      privileged: false # Prevents creation of privileged Pods
      seLinux:
        rule: RunAsAny
      supplementalGroups:
        rule: RunAsAny
      runAsUser:
        rule: RunAsAny
      fsGroup:
        rule: RunAsAny
      volumes:
      - '*'

You can find more examples in the documentation.
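
As an added example (not part of the original answer and not GKE or Kubernetes tooling): a pod that mounts the node's Docker socket can drive that node's Docker daemon, so it deserves the same review as a privileged pod. The Python check below flags both settings in a Pod manifest; `audit_pod`, `exposes_docker_socket` and the sample manifests are names constructed for this example, and the socket paths are assumed defaults.

```python
# Added example, not from the answer: flag privileged containers and Docker-socket hostPath mounts.
import posixpath

# Assumption: the usual socket locations; /var/run is commonly a symlink to /run.
DOCKER_SOCKETS = ("/var/run/docker.sock", "/run/docker.sock")

def exposes_docker_socket(host_path):
    """True if a hostPath is the socket itself or a directory containing it."""
    p = posixpath.normpath(host_path)
    prefix = "/" if p == "/" else p + "/"
    return any(s == p or s.startswith(prefix) for s in DOCKER_SOCKETS)

def audit_pod(pod):
    """Return sorted (container, finding) tuples for a Pod manifest given as a dict."""
    spec = pod.get("spec") or {}
    # Volume name -> host path, for hostPath volumes only.
    host_paths = {v.get("name"): v["hostPath"]["path"]
                  for v in spec.get("volumes") or []
                  if (v.get("hostPath") or {}).get("path")}
    findings = set()
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        name = c.get("name", "<unnamed>")
        if (c.get("securityContext") or {}).get("privileged") is True:
            findings.add((name, "privileged"))
        for m in c.get("volumeMounts") or []:
            path = host_paths.get(m.get("name"))
            if path and exposes_docker_socket(path):
                findings.add((name, "docker-socket via hostPath " + path))
    return sorted(findings)

# Constructed sample: the pod spec from the answer above, as a Python dict.
SOCKET_POD = {"spec": {
    "volumes": [{"name": "docker-socket",
                 "hostPath": {"path": "/var/run/docker.sock"}}],
    "containers": [{"name": "name", "image": "image-location",
                    "volumeMounts": [{"name": "docker-socket",
                                      "mountPath": "/var/run/docker.sock"}]}]}}

# Constructed sample: a privileged container that also mounts the host's /var/run.
PRIVILEGED_POD = {"spec": {
    "volumes": [{"name": "run", "hostPath": {"path": "/var/run/"}}],
    "containers": [{"name": "agent", "image": "image-location",
                    "securityContext": {"privileged": True},
                    "volumeMounts": [{"name": "run", "mountPath": "/host-run"}]}]}}

if __name__ == "__main__":
    for pod in (SOCKET_POD, PRIVILEGED_POD):
        print(audit_pod(pod))
```

The PodSecurityPolicy shown in the answer allows every volume type (`volumes: ['*']`), so it rejects the `privileged` flag but still admits the socket mount that this check reports.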