DenyEscalatingExec when under GKE

Question

We\'re using GKE with our Kubernetes cluster. One of the apps we\'re running is Jenkins for CI. Unfortunately, Jenkins slaves need to use Docker to mount their host\'s

Answer 1

Unfortunately you can't change the enabled admission controllers on GKE. Alpha clusters support external admission webhooks but that would involve an amount of custom work.

An alternative option would be to use PodSecurityPolicy to only allow privileged Pods to run in a few tightly controller namespaces. For example, you could create a jenkins namespace and only allow privileged Pods to be created in the jenkins and kube-system namespaces and then prevent all users but cluster admins from execing into Pods in those namespaces.

Answer 2

Looks like you want to run your Jenkins CI in a privileged mode. But if you just want to call Docker from inside a Jenkins, you don't need to use Privileged mode, you can just mount a Docker socket from the node to a Jenkins container.

spec:
      volumes:
      - name: docker-socket
        hostPath:
          path: /var/run/docker.sock
      containers:
      - name: name
        image: image-location
        volumeMounts:
        - name: docker-socket
          mountPath: /var/run/docker.sock

Regarding Admission Controllers, all of them are provided by kube-apiserver binary and enabled on GKE. From the documentation about GKE:

apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: my-psp
spec:
  privileged: false  # Prevents creation of privileged Pods
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'

more examples you can find in documentation