我的公司购买了我们正尝试使用kubernetes和给定的私有docker存储库在IBM云上部署的软件。部署后,始终会出现Kubernetes错误:“退后重新启动失败的容器”。因此,我阅读了日志以了解为什么容器要重新启动,而这是错误消息:
Caused by: java.io.FileNotFoundException: /var/yseop-log/yseop-manager.log (Permission denied)
因此,我推断我只需要更改Kubernetes文件中的权限。由于我正在使用部署,因此我尝试了以下initContainer:
initContainers:
- name: permission-fix
image: busybox
command: ['sh', '-c']
args: ['chmod -R 777 /var']
volumeMounts:
- mountPath: /var/yseop-engine
name: yseop-data
- mountPath: /var/yseop-data/yseop-manager
name: yseop-data
- mountPath: /var/yseop-log
name: yseop-data
这没有用,因为不允许我以非root用户身份在只读文件夹上执行chmod。
所以我尝试重新安装这些卷,但是由于我不是root用户,所以也失败了。
然后,我发现以用户和组身份运行。为了找出我必须在安全上下文中编写的用户和组,我读取了dockerfile,这是用户和组:
USER 1001:0
所以我可以将其写到我的部署文件中:
securityContext:
runAsUser: 1001
rusAsGroup: 0
很明显,这都不起作用,因为不允许我以第0组的身份运行
因此,我仍然不知道如何正确部署此映像。在m台计算机上执行docker pull和exec时,该映像正常工作,但在Kubernetes上不工作。
这是我完整的Volume文件:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
annotations:
ibm.io/auto-create-bucket: "true"
ibm.io/auto-delete-bucket: "false"
ibm.io/bucket: ""
ibm.io/secret-name: "cos-write-access"
ibm.io/endpoint: https://s3.eu-de.cloud-object-storage.appdomain.cloud
name: yseop-pvc
namespace: ns
labels:
app: yseop-pvc
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
storageClassName: ibmc
volumeMode: Filesystem
这是我的完整部署文件:
apiVersion: apps/v1
kind: Deployment
metadata:
name: yseop-manager
namespace: ns
spec:
selector:
matchLabels:
app: yseop-manager
template:
metadata:
labels:
app: yseop-manager
spec:
securityContext:
runAsUser: 1001
rusAsGroup: 0
initContainers:
- name: permission-fix
image: busybox
command: ['sh', '-c']
args: ['chmod -R 777 /var']
volumeMounts:
- mountPath: /var/yseop-engine
name: yseop-data
- mountPath: /var/yseop-data/yseop-manager
name: yseop-data
- mountPath: /var/yseop-log
name: yseop-data
containers:
- name: yseop-manager
image:IMAGE
imagePullPolicy: IfNotPresent
env:
- name: SECURITY_USERS_DEFAULT_ENABLED
value: "true"
ports:
- containerPort: 8080
volumeMounts:
- mountPath: /var/yseop-engine
name: yseop-data
- mountPath: /var/yseop-data/yseop-manager
name: yseop-data
- mountPath: /var/yseop-log
name: yseop-data
imagePullSecrets:
- name: regcred
volumes:
- name: yseop-data
persistentVolumeClaim:
claimName: yseop-pvc
感谢您的帮助
答案 0 :(得分:2)
您可以尝试在安全性上下文中添加补充组ID吗?
SecurityContext:
runAsUser: 1001
fsGroup: 2000
默认情况下, runAsGroup为0,即root 。下面的链接可能会对此提供更多的见解。 https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
工作Yaml内容
apiVersion: apps/v1
kind: Deployment
metadata:
name: yseop-manager
namespace: ns
spec:
selector:
matchLabels:
app: yseop-manager
template:
metadata:
labels:
app: yseop-manager
spec:
securityContext:
fsGroup: 2000
initContainers:
- name: permission-fix
image: busybox
command: ['sh', '-c']
args: ['chown -R root:2000 /var']
volumeMounts:
- mountPath: /var/yseop-engine
name: yseop-data
- mountPath: /var/yseop-data/yseop-manager
name: yseop-data
- mountPath: /var/yseop-log
name: yseop-data
containers:
- name: yseop-manager
image:IMAGE
imagePullPolicy: IfNotPresent
securityContext:
runAsUser: 1001
runAsGroup: 2000
env:
- name: SECURITY_USERS_DEFAULT_ENABLED
value: "true"
ports:
- containerPort: 8080
volumeMounts:
- mountPath: /var/yseop-engine
name: yseop-data
- mountPath: /var/yseop-data/yseop-manager
name: yseop-data
- mountPath: /var/yseop-log
name: yseop-data
imagePullSecrets:
- name: regcred
volumes:
- name: yseop-data
persistentVolumeClaim:
claimName: yseop-pvc
答案 1 :(得分:0)
我的公司没有告诉我我们确实有限制性Pod安全策略。因此,卷是只读的,我无法在所述卷中写任何东西。
解决方法如下:
volumes:
- name: yseop-data
emptyDir: {}
然后,我必须在volumeMounts中指定一个路径(已经完成)并创建一个PVC,这样我的数据才是持久的。