Need help on volume mount issue with kubernetes
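I have created a Kubernetes cluster with RBAC enabled using kops version 1.8.0-beta.1. I am trying to run an nginx pod which should attach a pre-created EBS volume, and the pod should start. But I am getting a not-authorized error even though I am an admin user. Any help would be highly appreciated.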
kubectl version
Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.3", GitCommit:"f0efb3cb883751c5ffdbe6d515f3cb4fbe7b7acd", GitTreeState:"clean", BuildDate:"2017-11-09T07:27:47Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.3", GitCommit:"f0efb3cb883751c5ffdbe6d515f3cb4fbe7b7acd", GitTreeState:"clean", BuildDate:"2017-11-08T18:27:48Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
namespace:default
cat test-ebs.yml
apiVersion: v1
kind: Pod
metadata:
  name: test-ebs
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /test-ebs
      name: test-volume
  volumes:
  - name: test-volume
    awsElasticBlockStore:
      volumeID: <vol-IDhere>
      fsType: ext4
I am getting the following error:
Warning FailedMount 8m attachdetach AttachVolume.Attach failed for volume "test-volume" : Error attaching EBS volume "<vol-ID>" to instance "<i-instanceID>": "UnauthorizedOperation: You are not authorized to perform this operation
The issue was due to the kops 1.8 version. Rolled back to kops version v1.7.1. It is working now.
In kops 1.8.0-beta.1, the master node requires you to tag the AWS volume with:
KubernetesCluster: <clustername-here>
If you created the k8s cluster using kops like this:
kops create cluster --name=k8s.yourdomain.com [other-args-here]
then the tag on your EBS volume needs to be
KubernetesCluster: k8s.yourdomain.com
and the policy on the master will contain a block which includes:
{
    "Sid": "kopsK8sEC2MasterPermsTaggedResources",
    "Effect": "Allow",
    "Action": [
        "ec2:AttachVolume",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:DeleteRoute",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteVolume",
        "ec2:DetachVolume",
        "ec2:RevokeSecurityGroupIngress"
    ],
    "Resource": [
        "*"
    ],
    "Condition": {
        "StringEquals": {
            "ec2:ResourceTag/KubernetesCluster": "k8s.yourdomain.com"
        }
    }
}
The condition indicates that the master policy has permission to attach only volumes which contain the correct tag.
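
A pre-flight check for the tag condition described in the answer above, as an added example that is not part of the original posts or of kops: it evaluates only the quoted statement against volume records and lists the volumes the master would be refused. The volume IDs and tags are constructed sample data, the function names are hypothetical, and it assumes no other statement in the role grants ec2:AttachVolume.

```python
import json

# Statement copied from the answer above; cluster name is the page's example.
STATEMENT = json.loads("""{
  "Sid": "kopsK8sEC2MasterPermsTaggedResources",
  "Effect": "Allow",
  "Action": ["ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress",
             "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume",
             "ec2:DetachVolume", "ec2:RevokeSecurityGroupIngress"],
  "Resource": ["*"],
  "Condition": {"StringEquals":
    {"ec2:ResourceTag/KubernetesCluster": "k8s.yourdomain.com"}}
}""")

# Constructed sample, shaped like the "Volumes" list from `aws ec2 describe-volumes`.
VOLUMES = [
    {"VolumeId": "vol-constructed-1",
     "Tags": [{"Key": "KubernetesCluster", "Value": "k8s.yourdomain.com"}]},
    {"VolumeId": "vol-constructed-2",          # tagged, but not for the cluster
     "Tags": [{"Key": "Name", "Value": "data"}]},
    {"VolumeId": "vol-constructed-3"},         # untagged: no "Tags" key at all
    {"VolumeId": "vol-constructed-4",          # right key, value differs in case
     "Tags": [{"Key": "KubernetesCluster", "Value": "K8S.yourdomain.com"}]},
]

PREFIX = "ec2:ResourceTag/"

def statement_allows(statement, action, volume):
    """Return True if this one Allow statement matches `action` on `volume`.

    Simplified model: exact action names, Resource "*", and only StringEquals
    conditions on ec2:ResourceTag/<key>; tag keys are compared exactly.
    """
    if statement["Effect"] != "Allow" or action not in statement["Action"]:
        return False
    tags = {t["Key"]: t["Value"] for t in volume.get("Tags", [])}
    for key, expected in statement.get("Condition", {}).get("StringEquals", {}).items():
        if not key.startswith(PREFIX):
            return False          # condition this sketch cannot evaluate: fail closed
        if tags.get(key[len(PREFIX):]) != expected:   # StringEquals is case-sensitive
            return False
    return True

def unattachable(statement, volumes):
    """Volume IDs the statement would not let the master attach."""
    return [v["VolumeId"] for v in volumes
            if not statement_allows(statement, "ec2:AttachVolume", v)]

if __name__ == "__main__":
    print(unattachable(STATEMENT, VOLUMES))
```

A volume reported here fails the condition and falls through to an implicit deny, which surfaces in the pod events as the UnauthorizedOperation error shown in the question.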