This page answers common questions about container security in Container Service for Kubernetes (ACK), including network communication failures, security group configuration, cluster auditing, certificate renewal, and audit log queries.
Can I disable cluster auditing when I create a cluster, or enable it after creation?
How do I fix the "no providers available to validate pod request" error?
How do I fix the "Argument list too long" mount error for the default token?
Why do containers fail to communicate with each other?
Two common causes are a missing inbound security group rule and an ECS instance assigned to the wrong security group.
Cause 1: The inbound rule for the pod CIDR block was deleted
Log on to the ACK console. In the left-side navigation pane, click Clusters.
Find the cluster and click its name. In the left-side pane, click Cluster Information.
On the Basic Information tab, click the link next to Control Plane Security Group to open the security group page in the Elastic Compute Service (ECS) console.
On the Inbound tab, click Add Rule.
Set Protocol Type to All and Authorization Object to the pod CIDR block of the cluster, then click Save.
Find the pod CIDR block in the Cluster Information section of the cluster details page in the ACK console. For more information about Authorization Object, see Security groups for different use cases.
Cause 2: The ECS instance and the cluster are in different security groups
Log on to the ACK console. In the left-side navigation pane, click Clusters.
Find the cluster and click its name. On the Basic Information tab of Cluster Information, note the security group ID shown next to Security Group.
Add the ECS instance to that security group. For more information, see Manage the security groups of one or more ECS instances on the Instances page.
How do I specify a security group for an ACK cluster?
ACK automatically assigns a default security group when you create a cluster. You cannot select a custom security group during cluster creation, but you can modify the rules of the default security group afterward.
Can I disable cluster auditing when I create a cluster, or enable it after creation?
Yes. Both options are supported. For instructions on enabling or disabling cluster auditing, see Work with the cluster auditing feature.
How do I renew the certificate of an ACK dedicated cluster?
ACK sends an internal message and a text message approximately two months before a certificate expires. To renew a certificate before it expires, go to the Clusters page in the ACK console and click Renew. For step-by-step instructions, see Renew expiring Kubernetes cluster certificates.
If a certificate has already expired, see Update expired certificates of a Kubernetes cluster.
How do I fix the "no providers available to validate pod request" error?
This error occurs when no pod security policy (PSP) is available to validate pod creation requests. If you have not configured a custom PSP, the default PSP was likely deleted. Restore it by following the steps in \[Deprecated\] Use pod security policies.
To use a custom PSP instead, see Configure pod security policies.
Why am I unable to use existing Secrets in a new namespace?
Secrets are scoped to namespaces. A Secret created in one namespace is not accessible to pods in another namespace. Create new Secrets in the new namespace.
How do I fix the "Argument list too long" mount error for the default token?
The following error indicates that the systemd version on the node is outdated:
MountVolume.SetUp failed for volume 'default-token-8twx9' : mount failed: exit status 1
...
Failed to start transient scope unit: Argument list too longUse either of the following fixes:
Upgrade systemd. See the Kubernetes issue comment for details.
Reload systemd units without upgrading by running:
sudo systemctl daemon-reloadSee the Kubernetes issue comment for context.
How do I query the audit log?
The steps below show how to access the audit Logstore and run queries.
Access the audit Logstore
Log on to the ACK console. In the left-side navigation pane, click Clusters.
Find the cluster and click its name. On the Basic Information tab of Cluster Information, click the link next to Log Service Project.
On the Log Storage > Logstores page, click the
audit-<cluster_id>Logstore, then click Search & Analysis.In the upper-right corner, set the time range to cover when the events occurred — for example, 3 days, 7 days, or 15 days.
Enter the SQL query for your scenario (see the table below) in the Search & Analyze bar, then click Search & Analyze.
To download results, click the download icon, select Download All Logs with Cloud Shell, and click OK.
Audit log query reference
| Scenario | SQL query |
|---|---|
| Role-Based Access Control (RBAC) operations | requestURI: "rbac.authorization.k8s.io" not (verb: get or verb: watch) |
| ConfigMap operations | requestURI: "configmaps" and <configmap_name> not (verb: get or verb: watch or verb: list) |
| Deployment scaling operations | requestURI: deployments and (verb: update or verb: patch) and replicas and deployments and <deployment_name> not deployment-controller |
Replace <configmap_name> with the name of the ConfigMap you want to query, and <deployment_name> with the name of the Deployment.