Notes on an nginx-controller SSL creation failure
Environment:
docker and k8s versions
[root@controllersw rootfs]# docker -v
Docker version 19.03.11.ce, build 42e35e61f3
[root@controllersw rootfs]# kubectl version
Client Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.3", GitCommit:"b3cbbae08ec52a7fc73d334838e18d17e8512749", GitTreeState:"archive", BuildDate:"2021-11-02T05:51:31Z", GoVersion:"go1.14.1", Compiler:"gc", Platform:"linux/sw64"}
Server Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.3", GitCommit:"b3cbbae08ec52a7fc73d334838e18d17e8512749", GitTreeState:"archive", BuildDate:"2021-08-11T06:03:37Z", GoVersion:"go1.14.6", Compiler:"gc", Platform:"linux/sw64"}
[root@controllersw rootfs]#
os:
[root@controllersw rootfs]# cat /etc/.productinfo
KYLIN Linux Advanced Server
V10(SP1)/(Tercel)-sw64-Build20.1-20210518-JUN
The error:
[root@controllersw rootfs]# kubectl logs -f ingress-nginx-controller-567449cc84-vlfcw -n ingress-nginx
-------------------------------------------------------------------------------
NGINX Ingress controller
Release: v0.42.0
Build: 0abfad70ce3b089b99218bdbe9174817b62e2907
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.16.1
-------------------------------------------------------------------------------
I1121 09:24:51.186171 6 flags.go:205] "Watching for Ingress" class="nginx"
W1121 09:24:51.186329 6 flags.go:210] Ingresses with an empty class will also be processed by this Ingress controller
W1121 09:24:51.190167 6 client_config.go:614] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work.
I1121 09:24:51.192806 6 main.go:241] "Creating API client" host="https://10.96.0.1:443"
I1121 09:24:51.285117 6 main.go:285] "Running in Kubernetes cluster" major="1" minor="16" git="v1.16.3" state="archive" commit="b3cbbae08ec52a7fc73d334838e18d17e8512749" platform="linux/sw64"
F1121 09:24:55.774823 6 ssl.go:389] unexpected error storing fake SSL Cert: could not create PEM certificate file /etc/ingress-controller/ssl/default-fake-certificate.pem: open /etc/ingress-controller/ssl/default-fake-certificate.pem: permission denied
goroutine 1 [running]:
k8s.io/klog/v2.stacks(0xc00234001, 0xc00024200, 0x103, 0x1e2)
k8s.io/klog/v2@v2.4.0/klog.go:1026 +0xfc
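Because the nginx-ingress-controller image for the Sunway (sw64) platform was ported by me rather than being the official one, problems like this are more or less inevitable. For the components I have ported, ninety percent of the original Dockerfiles needed patching to a greater or lesser degree; this kind of cross-platform, cross-OS work has to be tuned step by step. By the way, this nginx-ingress-controller is version 0.42.0.
Solution:
1. First, compare the permissions of the /etc/ingress-controller directory against the x86 platform. With permission problems like this, most of the time during my porting work the cause was wrong directory permissions: the source was taken from GitHub, and after downloading it locally the permissions of many directories had changed.
2. After finishing the comparison in step 1, the problem was still there, and I made no progress for a long while. Later I found that the image was built incorrectly: the user's UID is actually already defined in the yaml file. Below is the user ID in my image: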
[www-data@f8b005ec8aaf nginx]$ id
uid=1000(www-data) gid=1000(www-data) groups=1000(www-data)
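Below is the definition in the yaml file; changing it to 1000 fixed it. This is a pit I dug for myself while porting. There is no way around it: the original nginx-ingress-controller Dockerfile cannot be used as-is and some places have to be changed, which is quite frustrating...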
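The two checks above (directory permissions, then the UID the container actually runs as) can be combined into one script. This is an added example, not part of the original post or of ingress-nginx; the directory ownership and mode, the runAsUser value 101 and the process group IDs are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post). All sample values are constructed.

# Print every numeric runAsUser found in a manifest read from stdin.
run_as_users() {
    sed -n 's/^[[:space:]]*runAsUser:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# can_write OWNER_UID OWNER_GID MODE PROC_UID PROC_GID
# Plain Unix permission check (ignores capabilities and ACLs): select the
# owner, group or other digit of the octal mode, then test its write bit.
can_write() {
    perms=$(printf '%s' "$3" | sed 's/.*\(...\)$/\1/')
    if [ "$4" = "$1" ]; then digit=${perms%??}
    elif [ "$5" = "$2" ]; then digit=${perms#?}; digit=${digit%?}
    else digit=${perms#??}
    fi
    [ $(( digit & 2 )) -ne 0 ]
}

# diagnose "STAT_OUTPUT" PROC_GID "MANIFEST"
# STAT_OUTPUT is what `stat -c '%u %g %a' /etc/ingress-controller/ssl`
# prints inside the image. Returns 1 if any runAsUser cannot write there.
diagnose() {
    stat_out=$1; proc_gid=$2; manifest=$3; status=0
    set -- $stat_out
    for u in $(printf '%s\n' "$manifest" | run_as_users); do
        if can_write "$1" "$2" "$3" "$u" "$proc_gid"; then
            echo "ok:   runAsUser=$u can write (dir $1:$2 mode $3)"
        else
            echo "FAIL: runAsUser=$u cannot write (dir $1:$2 mode $3)"
            status=1
        fi
    done
    return $status
}

# Constructed samples: directory owned by uid/gid 1000 (the www-data user of
# the ported image), and two manifest fragments differing only in runAsUser.
DIR_STAT="1000 1000 755"
BEFORE='        securityContext:
          runAsUser: 101'
AFTER='        securityContext:
          runAsUser: 1000'

diagnose "$DIR_STAT" 0 "$BEFORE" || true
diagnose "$DIR_STAT" 1000 "$AFTER"
```

On a real image, replace DIR_STAT with the actual `stat` output and feed the Deployment manifest in place of the constructed fragments.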
For an explanation of securityContext, see the official documentation:
Configure a Security Context for a Pod or Container | Kubernetes
Kubernetes (k8s) Chinese documentation, glossary: Security Context and PSP (Kubernetes Chinese community)