Updated: 2024-11-15 GMT+08:00

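What Do I Do If the Container Cluster Protection Plug-in Fails to Be Uninstalled?

Cause

If the cluster network is abnormal or the plug-in is in use, uninstalling the plug-in from the HSS console may fail.

Solution

Perform the following operations on any cluster node to uninstall the container cluster protection plug-in.

  1. Log in to any cluster node.
  2. Create a file named plugin.yaml in the /tmp directory and copy the following content to it.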

    apiVersion: v1
    kind: Namespace
    metadata:
      labels:
        admission.gatekeeper.sh/ignore: no-self-managing
        control-plane: controller-manager
        gatekeeper.sh/system: "yes"
        pod-security.kubernetes.io/audit: restricted
        pod-security.kubernetes.io/audit-version: latest
        pod-security.kubernetes.io/enforce: restricted
        pod-security.kubernetes.io/enforce-version: v1.24
        pod-security.kubernetes.io/warn: restricted
        pod-security.kubernetes.io/warn-version: latest
      name: gatekeeper-system
    ---
    apiVersion: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    metadata:
      annotations:
        controller-gen.kubebuilder.io/version: v0.10.0
      labels:
        gatekeeper.sh/system: "yes"
      name: assign.mutations.gatekeeper.sh
    ---
    apiVersion: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    metadata:
      annotations:
        controller-gen.kubebuilder.io/version: v0.10.0
      labels:
        gatekeeper.sh/system: "yes"
      name: assignimage.mutations.gatekeeper.sh
    ---
    apiVersion: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    metadata:
      annotations:
        controller-gen.kubebuilder.io/version: v0.10.0
      labels:
        gatekeeper.sh/system: "yes"
      name: assignmetadata.mutations.gatekeeper.sh
    ---
    apiVersion: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    metadata:
      annotations:
        controller-gen.kubebuilder.io/version: v0.10.0
      labels:
        gatekeeper.sh/system: "yes"
      name: configs.config.gatekeeper.sh
    ---
    apiVersion: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    metadata:
      annotations:
        controller-gen.kubebuilder.io/version: v0.10.0
      labels:
        gatekeeper.sh/system: "yes"
      name: constraintpodstatuses.status.gatekeeper.sh
    ---
    apiVersion: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    metadata:
      annotations:
        controller-gen.kubebuilder.io/version: v0.10.0
      labels:
        gatekeeper.sh/system: "yes"
      name: constrainttemplatepodstatuses.status.gatekeeper.sh
    ---
    apiVersion: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    metadata:
      annotations:
        controller-gen.kubebuilder.io/version: v0.11.3
      labels:
        gatekeeper.sh/system: "yes"
      name: constrainttemplates.templates.gatekeeper.sh
    ---
    apiVersion: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    metadata:
      annotations:
        controller-gen.kubebuilder.io/version: v0.10.0
      labels:
        gatekeeper.sh/system: "yes"
      name: expansiontemplate.expansion.gatekeeper.sh
    ---
    apiVersion: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    metadata:
      annotations:
        controller-gen.kubebuilder.io/version: v0.10.0
      labels:
        gatekeeper.sh/system: "yes"
      name: expansiontemplatepodstatuses.status.gatekeeper.sh
    ---
    apiVersion: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    metadata:
      annotations:
        controller-gen.kubebuilder.io/version: v0.10.0
      labels:
        gatekeeper.sh/system: "yes"
      name: modifyset.mutations.gatekeeper.sh
    ---
    apiVersion: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    metadata:
      annotations:
        controller-gen.kubebuilder.io/version: v0.10.0
      labels:
        gatekeeper.sh/system: "yes"
      name: mutatorpodstatuses.status.gatekeeper.sh
    ---
    apiVersion: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    metadata:
      annotations:
        controller-gen.kubebuilder.io/version: v0.11.3
      labels:
        gatekeeper.sh/system: "yes"
      name: providers.externaldata.gatekeeper.sh
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      creationTimestamp: null
      labels:
        gatekeeper.sh/system: "yes"
      name: gatekeeper-manager-role
      namespace: gatekeeper-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      creationTimestamp: null
      labels:
        gatekeeper.sh/system: "yes"
      name: gatekeeper-manager-role
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      labels:
        gatekeeper.sh/system: "yes"
      name: gatekeeper-manager-rolebinding
      namespace: gatekeeper-system
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: gatekeeper-manager-role
    subjects:
    - kind: ServiceAccount
      name: gatekeeper-admin
      namespace: gatekeeper-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      labels:
        gatekeeper.sh/system: "yes"
      name: gatekeeper-manager-rolebinding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: gatekeeper-manager-role
    subjects:
    - kind: ServiceAccount
      name: gatekeeper-admin
      namespace: gatekeeper-system
    ---
    apiVersion: admissionregistration.k8s.io/v1
    kind: MutatingWebhookConfiguration
    metadata:
      labels:
        gatekeeper.sh/system: "yes"
      name: gatekeeper-mutating-webhook-configuration
    ---
    apiVersion: admissionregistration.k8s.io/v1
    kind: ValidatingWebhookConfiguration
    metadata:
      labels:
        gatekeeper.sh/system: "yes"
      name: gatekeeper-validating-webhook-configuration

  3. Create a file named uninstall.sh in the /tmp directory and copy the following script to it.

    #!/bin/bash
    kubectl delete -f /tmp/plugin.yaml
    kubectl delete ns cgs-provider

  4. Run the following command to uninstall the container cluster protection plug-in.

    bash /tmp/uninstall.sh

If output similar to that shown in the following figure is displayed, the plug-in has been uninstalled.
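
A post-uninstall check for the procedure above, added here as an example and not part of the HSS documentation: it reads the objects listed in /tmp/plugin.yaml, adds the cgs-provider namespace, and reports every object that `kubectl get` does not confirm as gone. The function names, the overridable KUBECTL variable and the verify.sh file name are assumptions; the script treats only a "NotFound" answer as deleted, so an unreachable API server is reported as unknown rather than as a clean uninstall.

```shell
#!/bin/bash
# Added example: post-uninstall check. Not part of the vendor procedure.
KUBECTL="${KUBECTL:-kubectl}"   # overridable (assumption) so the logic can run without a cluster

# Print "kind name namespace" per manifest document ("-" = cluster-scoped). Only top-level
# kind: and metadata.name/.namespace are read; names under roleRef:/subjects: are ignored.
list_manifest_objects() {
    awk '
        function emit() {
            if (kind != "" && name != "") print kind, name, (ns == "" ? "-" : ns)
            kind = name = ns = ""; inmeta = 0
        }
        /^---[ \t]*$/             { emit(); next }
        /^kind:/                  { kind = $2; next }
        /^metadata:/              { inmeta = 1; next }
        /^[^ \t]/                 { inmeta = 0 }
        inmeta && /^  name:/      { name = $2 }
        inmeta && /^  namespace:/ { ns = $2 }
        END                       { emit() }
    ' "$1"
}

# Classify one object as present, absent or unknown. Anything other than a
# NotFound answer (for example an unreachable API server) is "unknown", not "absent".
object_state() {
    if [ "$3" = "-" ]; then
        err=$("$KUBECTL" get "$1" "$2" 2>&1 >/dev/null </dev/null) && { echo present; return 0; }
    else
        err=$("$KUBECTL" get "$1" "$2" -n "$3" 2>&1 >/dev/null </dev/null) && { echo present; return 0; }
    fi
    case "$err" in *NotFound*) echo absent ;; *) echo unknown ;; esac
}

# Report every object from the manifest, plus the cgs-provider namespace, that
# is not confirmed gone. Returns 0 only when all of them are absent.
find_leftovers() {
    leftovers=$(
        { list_manifest_objects "$1"; echo "Namespace cgs-provider -"; } |
        while read -r kind name ns; do
            state=$(object_state "$kind" "$name" "$ns")
            if [ "$state" != absent ]; then echo "$state: $kind/$name"; fi
        done
    )
    if [ -z "$leftovers" ]; then return 0; fi
    echo "$leftovers"
    return 1
}

# Run only when a manifest path is given, e.g. bash /tmp/verify.sh /tmp/plugin.yaml
if [ -n "${1:-}" ]; then find_leftovers "$1"; fi
```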