Kubernetes postStart seems to wreck shop for everything in deployment
We have the following deployment yaml:
---
apiVersion: apps/v1beta2
kind: Deployment
metadata:
  name: {{DEP_ENVIRONMENT}}-{{SERVICE_NAME}}
  namespace: {{DEP_ENVIRONMENT}}
  labels:
    app: {{DEP_ENVIRONMENT}}-{{SERVICE_NAME}}
spec:
  replicas: {{NUM_REPLICAS}}
  selector:
    matchLabels:
      app: {{DEP_ENVIRONMENT}}-{{SERVICE_NAME}}
  template:
    metadata:
      labels:
        app: {{DEP_ENVIRONMENT}}-{{SERVICE_NAME}}
    spec:
      # [START volumes]
      volumes:
        - name: {{CLOUD_DB_INSTANCE_CREDENTIALS}}
          secret:
            secretName: {{CLOUD_DB_INSTANCE_CREDENTIALS}}
      # [END volumes]
      containers:
        # [START proxy_container]
        - name: cloudsql-proxy
          image: gcr.io/cloudsql-docker/gce-proxy:1.11
          command: ["/cloud_sql_proxy",
                    "-instances=<PROJECT_ID>:{{CLOUD_DB_CONN_INSTANCE}}=tcp:3306",
                    "-credential_file=/secrets/cloudsql/credentials.json"]
          # [START cloudsql_security_context]
          securityContext:
            runAsUser: 2  # non-root user
            allowPrivilegeEscalation: false
          # [END cloudsql_security_context]
          volumeMounts:
            - name: {{CLOUD_DB_INSTANCE_CREDENTIALS}}
              mountPath: /secrets/cloudsql
              readOnly: true
        # [END proxy_container]
        - name: {{DEP_ENVIRONMENT}}-{{SERVICE_NAME}}
          image: {{IMAGE_NAME}}
          ports:
            - containerPort: 80
          env:
            - name: CLOUD_DB_HOST
              value: 127.0.0.1
            - name: DEV_CLOUD_DB_USER
              valueFrom:
                secretKeyRef:
                  name: {{CLOUD_DB_DB_CREDENTIALS}}
                  key: username
            - name: DEV_CLOUD_DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{CLOUD_DB_DB_CREDENTIALS}}
                  key: password
          # [END cloudsql_secrets]
          lifecycle:
            postStart:
              exec:
                command: ["/bin/sh", "-c", "supervisord"]
The last lifecycle block is the new block, and it causes the database connection to be refused. This configuration works fine without the lifecycle block. I'm sure there is something dumb I'm missing here, but I can't for the life of me figure out what it is.
Note: we are only trying to start Supervisor like this as a workaround for big problems we hit when trying to start it normally.
Lifecycle hooks are meant to be short foreground commands. You cannot start a background daemon from them; it has to be the container's main command.
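As an added example (not part of the original question or answer), here is the application container from the deployment above rewritten the way the answer describes: supervisord becomes the container's main command and the postStart hook is dropped. It assumes the image ships supervisord with a config at /etc/supervisor/supervisord.conf (a placeholder path) and that the app answers HTTP on port 80; the readiness probe is an added defensive check, not something the original post had.

```yaml
# Added example: app container with supervisord as the main process.
# Assumed: supervisord is installed in {{IMAGE_NAME}} and its config lives at
# /etc/supervisor/supervisord.conf (placeholder); the app listens on port 80.
- name: {{DEP_ENVIRONMENT}}-{{SERVICE_NAME}}
  image: {{IMAGE_NAME}}
  # supervisord is the container's main command. -n (--nodaemon) keeps it in
  # the foreground as PID 1, so the container lives as long as supervisord does
  # and its managed programs are children of the container's own process.
  command: ["supervisord", "-n", "-c", "/etc/supervisor/supervisord.conf"]
  ports:
    - containerPort: 80
  env:
    - name: CLOUD_DB_HOST
      value: 127.0.0.1   # cloudsql-proxy sidecar in the same pod
    - name: DEV_CLOUD_DB_USER
      valueFrom:
        secretKeyRef:
          name: {{CLOUD_DB_DB_CREDENTIALS}}
          key: username
    - name: DEV_CLOUD_DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: {{CLOUD_DB_DB_CREDENTIALS}}
          key: password
  # No lifecycle.postStart: hooks are for short, synchronous foreground work,
  # not for launching long-running daemons.
  # Added check: keep the pod out of Service endpoints until the app actually
  # responds, which covers the window while the proxy sidecar is still starting.
  readinessProbe:
    httpGet:
      path: /          # assumed health path
      port: 80
    initialDelaySeconds: 5
    periodSeconds: 10
  securityContext:
    allowPrivilegeEscalation: false
```

The rest of the Deployment (volumes, the cloudsql-proxy sidecar, labels) stays as in the original manifest; only this container entry changes. If the image's ENTRYPOINT already runs supervisord in the foreground, `command` can be omitted entirely and the key point is simply to leave out the postStart hook.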