无法将密钥挂载到/ etc中的卷

时间:2017-06-14 16:57:51

标签: kubernetes google-kubernetes-engine kubernetes-helm

我有一个K8s部署,将一个秘密安装到/etc/google-cloud-account,其中包含要在应用程序中使用的Google身份验证JSON文件。当我尝试运行部署时,我从我的pod中收到以下错误:

1m  1m  1   kubelet, gke-development-cluster-default-pool-17f531d7-sj4x spec.containers{api}    Normal  Created     Created container with docker id 36b85ec8415a; Security:[seccomp=unconfined]
1m  1m  1   kubelet, gke-development-cluster-default-pool-17f531d7-sj4x spec.containers{api}    Warning Failed      Failed to start container with docker id 36b85ec8415a with error: Error response from daemon: rpc error: code = 2 desc = "oci runtime error: could not synchronise with container process: mkdir /var/lib/docker/overlay/b4aa81194f72ccb54d88680e766a921ea26f7a4df0f4b32d6030123896b2b203/merged/etc/google-cloud-account: read-only file system"
1m  1m  1   kubelet, gke-development-cluster-default-pool-17f531d7-sj4x             Warning FailedSync  Error syncing pod, skipping: failed to "StartContainer" for "api" with RunContainerError: "runContainer: Error response from daemon: rpc error: code = 2 desc = \"oci runtime error: could not synchronise with container process: mkdir /var/lib/docker/overlay/b4aa81194f72ccb54d88680e766a921ea26f7a4df0f4b32d6030123896b2b203/merged/etc/google-cloud-account: read-only file system\""

2m  13s 11  kubelet, gke-development-cluster-default-pool-17f531d7-sj4x spec.containers{api}    Warning BackOff     Back-off restarting failed docker container

有问题的部署如下:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  # ...
spec:
  replicas: {{ .Values.api.replicaCount }}
  template:
    # ...
    spec:
      containers:
        - name: {{ .Values.api.name }}
          # ...
          volumeMounts:
            - name: google-cloud-account
              mountPath: /etc/google-cloud-account
      volumes:
        - name: google-cloud-account
          secret:
            secretName: {{ template "fullname" . }}
            items:
              - key: google-cloud-credentials
                path: credentials.json

我不知道容器中的/etc如何成为只读文件系统,并且不知道如何更改它。

2 个答案:

答案 0 :(得分:1)

事实证明,错误是由另一个卷装入引起的。我把它留在了最终代码之外,但我的部署看起来更像是:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  # ...
spec:
  replicas: {{ .Values.api.replicaCount }}
  template:
    # ...
    spec:
      containers:
        - name: {{ .Values.api.name }}
          # ...
          volumeMounts:
            - name: google-cloud-account
              mountPath: /etc/google-cloud-account
            - name: odbc
              mountPath: /etc
      volumes:
        - name: google-cloud-account
          secret:
            secretName: {{ template "fullname" . }}
            items:
              - key: google-cloud-credentials
                path: credentials.json
        - name: odbc
          configMap:
            name: {{ template "fullname" . }}
            items:
              - key: odbc.ini
                path: odbc.ini

挂载{{​​1}}接管了整个odbc目录。为了解决这个问题,我将/etc odbc更改为:

volumeMount

这使- name: odbc mountPath: /etc/odbc.ini subPath: odbc.ini 中的所有其他内容保持不变。

答案 1 :(得分:1)

Dave Long's answer的替代projected volumes

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  # ...
spec:
  replicas: {{ .Values.api.replicaCount }}
  template:
    # ...
    spec:
      containers:
        - name: {{ .Values.api.name }}
          # ...
          volumeMounts:
            - name etc
              mountPath: /etc
            - name: google-cloud-account
              mountPath: /etc/google-cloud-account
            - name: odbc
              mountPath: /etc
      volumes:
        - name: config
          projected:
            sources:
            - secret:
                name: {{ template "fullname" . }}
                items:
                  - key: google-cloud-credentials
                    path: google-cloud-account/credentials.json
            - configMap:
                name: {{ template "fullname" . }}
                items:
                  - key: odbc.ini
                    path: odbc.ini
相关问题
最新问题