Unable to mount GCE PD NFS as nfs on GKE

Time: 2018-10-17 08:27:44

Tags: kubernetes

I recently built a k8s cluster using GKE and a GCE persistent disk. But when my pod mounts the volume, I get an error message.

    Warning  FailedMount            8s    kubelet, gke-kiesnet-dev-cluster-cas-04df0282-3kcs  MountVolume.SetUp failed for volume "shared-pv" : mount failed: exit status 1
    Mounting command: systemd-run
    Mounting arguments: --description=Kubernetes transient mount for /var/lib/kubelet/pods/49a4860d-d1e2-11e8-ac83-42010a9200fa/volumes/kubernetes.io~nfs/shared-pv --scope -- /home/kubernetes/containerized_mounter/mounter mount -t nfs 000.000.000.000:/exports/oraganization /var/lib/kubelet/pods/49a4860d-d1e2-11e8-ac83-42010a9200fa/volumes/kubernetes.io~nfs/shared-pv
    Output: Running scope as unit: run-r41659f36aca946d1a1c49dbaacefe19e.scope
    Mount failed: mount failed: exit status 32
    Mounting command: chroot
    Mounting arguments: [/home/kubernetes/containerized_mounter/rootfs mount -t nfs 000.000.000.000:/exports/oraganization /var/lib/kubelet/pods/49a4860d-d1e2-11e8-ac83-42010a9200fa/volumes/kubernetes.io~nfs/shared-pv]
    Output: mount.nfs: access denied by server while mounting 000.000.000.000:/exports/oraganization

I think directory permissions are the main problem, but I don't know how to find the key.

  1. NFS pod and service

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nfs-server
      namespace: custom
    spec:
      replicas: 1
      selector:
        matchLabels:
          role: nfs-server
      template:
        metadata:
          labels:
            role: nfs-server
        spec:
          containers:
            - name: nfs-server
              image: gcr.io/google_containers/volume-nfs:0.8
              ports:
                - name: nfs
                  containerPort: 2049
                - name: mountd
                  containerPort: 20048
                - name: rpcbind
                  containerPort: 111
              securityContext:
                privileged: true
              volumeMounts:
                - mountPath: /exports/oraganization
                  name: nfs-server
          volumes:
            - name: nfs-server
              gcePersistentDisk:
                pdName: gcepd-nfs
                fsType: ext4
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: nfs-server
      namespace: custom
    spec:
      ports:
        - name: nfs
          port: 2049
        - name: mountd
          port: 20048
        - name: rpcbind
          port: 111
      selector:
        role: nfs-server
    
  2. PV and PVC

    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: shared-pv
      namespace: custom
      labels: 
        name: shared-pv
        capacity: 5Gi
    spec:
      capacity:
        storage: 5Gi
      accessModes:
        - ReadWriteMany
      storageClassName: "shared-pv"
      persistentVolumeReclaimPolicy: Retain
      nfs:
        server: xx.xx.xx.xx # k get svc kiesnet-dev-nfs-server -o jsonpath={.spec.clusterIP}
        path: /exports/oraganization
    ---
    kind: PersistentVolumeClaim
    apiVersion: v1
    metadata:
      name: shared-pvc
      namespace: custom
    spec:
      accessModes:
        - ReadWriteMany
      storageClassName: "shared-pv"
      resources:
        requests:
          storage: 5Gi
    
  3. Deployment

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: myapp
      namespace: custom
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: myapp
      template:
        metadata:
          labels:
            app: myapp
        spec:
          volumes:
            - name: shared
              persistentVolumeClaim:
                claimName: shared-pvc
          containers:
            - name: myapp
              image: "busybox"
              # privileged is a container-level field, not a pod-level one
              securityContext:
                privileged: true
              volumeMounts:
                - name: shared
                  mountPath: /var/data
                  subPath: myapp
    

But when I set the path to "exports" in the PV YAML, my pod can mount the volume.

How can I mount a subdirectory under the "exports" directory?

0 answers:

No answers