Only 1 of 2 pods deploy, other pod is not authorised to pull container

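I set up a production project with the same structure as my staging project, minus the BuildConfigurations, and then tagged my containers from the staging image streams into the production image streams.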

oc tag my-staging/nginx:latest my-prod/nginx:prod
oc tag my-staging/gunicorn:latest my-prod/gunicorn:prod
oc tag my-staging/celery-worker:latest my-prod/celery-worker:prod

Each of these is a DeploymentConfig with 2 replicas. The first two both brought up their pods, but the celery-worker container only brought up one pod. The other pod generates the error:

Failed to pull image "172.x.x.x:5000/my-staging/celery-worker@sha256:xxx": unauthorized: authentication required

I don't understand why one kubelet has access and the other kubelet does not, especially since all the other pods came up.

Here are the logs from the registry:

10.1.3.1 - - [22/Feb/2016:02:52:58 +0000] "GET /v2/cwl-staging/cwl-leadershift-20-celery-worker/manifests/sha256:7a2608ce648b767d65209410fd9f0e8d2fe3f559367c77ba45ba9a713940f83a HTTP/1.1" 401 176 "" "docker/1.8.2-el7.centos go/go1.4.2 kernel/3.10.0-327.4.5.el7.x86_64 os/linux arch/amd64"
time="2016-02-22T02:52:58.297372303Z" level=error msg="OpenShift access denied: User \"system:serviceaccount:cwl-production:default\" cannot get imagestreams/layers in project \"cwl-staging\"" go.version=go1.4.2 http.request.host="172.30.140.184:5000" http.request.id=71a32c41-9e91-40be-9774-166bfa7264f8 http.request.method=GET http.request.remoteaddr="10.1.3.1:48777" http.request.uri="/v2/cwl-staging/cwl-leadershift-20-celery-worker/manifests/sha256:7a2608ce648b767d65209410fd9f0e8d2fe3f559367c77ba45ba9a713940f83a" http.request.useragent="docker/1.8.2-el7.centos go/go1.4.2 kernel/3.10.0-327.4.5.el7.x86_64 os/linux arch/amd64" instance.id=180a3a82-b568-40ab-aaa0-538588e8e765 vars.name="cwl-staging/cwl-leadershift-20-celery-worker" vars.reference="sha256:7a2608ce648b767d65209410fd9f0e8d2fe3f559367c77ba45ba9a713940f83a" 
time="2016-02-22T02:52:58.297449598Z" level=error msg="error authorizing context: access denied" go.version=go1.4.2 http.request.host="172.30.140.184:5000" http.request.id=71a32c41-9e91-40be-9774-166bfa7264f8 http.request.method=GET http.request.remoteaddr="10.1.3.1:48777" http.request.uri="/v2/cwl-staging/cwl-leadershift-20-celery-worker/manifests/sha256:7a2608ce648b767d65209410fd9f0e8d2fe3f559367c77ba45ba9a713940f83a" http.request.useragent="docker/1.8.2-el7.centos go/go1.4.2 kernel/3.10.0-327.4.5.el7.x86_64 os/linux arch/amd64" instance.id=180a3a82-b568-40ab-aaa0-538588e8e765 vars.name="cwl-staging/cwl-leadershift-20-celery-worker" vars.reference="sha256:7a2608ce648b767d65209410fd9f0e8d2fe3f559367c77ba45ba9a713940f83a" 

The problem is that the system:image-puller role has not been granted to my-prod.

Grant the role in the my-staging project:

oc policy add-role-to-user system:image-puller system:serviceaccount:my-prod:default -n my-staging

Delete the stuck pods so that they pick up new credentials to pull the image.

Appropriate section of the OpenShift documentation.
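
The registry log above already names the service account and the project it was denied in. As an added example (not part of the original question or answer), the sketch below turns such "OpenShift access denied" lines into the matching image-puller grant for review. The function names and the sample log lines are constructed for illustration; the script only prints commands and never contacts a cluster.

```shell
#!/bin/sh
# Added example: map registry "access denied" lines to image-puller grants.
# Reads registry log lines on stdin and prints one oc command per unique
# (service account, source project) pair. Nothing is executed.
#
# The project name in the log comes from the requested repository path, so
# it is requester-influenced. Names are therefore matched against a strict
# lowercase/digit/hyphen pattern; lines with anything else produce no output
# and cannot smuggle shell metacharacters into the printed command.
suggest_image_puller_grants() {
    sed -n 's/.*OpenShift access denied: User \\"system:serviceaccount:\([a-z0-9-]\{1,\}\):\([a-z0-9.-]\{1,\}\)\\" cannot get imagestreams\/layers in project \\"\([a-z0-9-]\{1,\}\)\\".*/oc policy add-role-to-user system:image-puller system:serviceaccount:\1:\2 -n \3/p' \
        | sort -u
}

# Constructed sample input (hypothetical timestamps and fields), shaped like
# the registry log lines quoted in the question.
sample_registry_log() {
    cat <<'EOF'
time="2016-01-01T00:00:00Z" level=error msg="OpenShift access denied: User \"system:serviceaccount:my-prod:default\" cannot get imagestreams/layers in project \"my-staging\"" http.request.method=GET
time="2016-01-01T00:00:00Z" level=error msg="error authorizing context: access denied" http.request.method=GET
time="2016-01-01T00:00:05Z" level=error msg="OpenShift access denied: User \"system:serviceaccount:my-prod:default\" cannot get imagestreams/layers in project \"my-staging\"" http.request.method=GET
time="2016-01-01T00:00:09Z" level=error msg="OpenShift access denied: User \"system:serviceaccount:my-prod:default\" cannot get imagestreams/layers in project \"Not A Valid Name\"" http.request.method=GET
EOF
}

# Repeated denials collapse to one suggestion; the malformed name is skipped.
sample_registry_log | suggest_image_puller_grants
```

Review each printed grant before running it: system:image-puller gives the named service account pull access to every image stream in the source project, not just the one that failed.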