Cronjob openshift not running a pod
I am trying to schedule a CronJob to launch a kubectl command. The CronJob does not start a pod.
This is my CronJob:
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: mariadump
  namespace: my-namespace
spec:
  schedule: "*/1 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: mariadbdumpsa
          containers:
          - name: kubectl
            image: garland/kubectl:1.10.4
            command:
            - /bin/sh
            - -c
            - kubectl get pods;echo 'DDD'
          restartPolicy: OnFailure
I create the CronJob on OpenShift with:
oc create -f .\cron.yaml
and get the following result:
PS C:\Users\mymachine> oc create -f .\cron.yaml
cronjob.batch/mariadump created
PS C:\Users\mymachine> oc get cronjob -w
NAME SCHEDULE SUSPEND ACTIVE LAST SCHEDULE AGE
mariadump */1 * * * * False 0 <none> 22s
mariadump */1 * * * * False 1 10s 40s
mariadump */1 * * * * False 0 20s 50s
PS C:\Users\mymachine> oc get pods -w
NAME READY STATUS RESTARTS AGE
The CronJob does not start a pod, but if I change this CronJob (removing the serviceaccount):
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: mariadump
  namespace: my-namespace
spec:
  schedule: "*/1 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: kubectl
            image: garland/kubectl:1.10.4
            command:
            - /bin/sh
            - -c
            - kubectl get pod;echo 'DDD'
          restartPolicy: OnFailure
it works as expected, without permissions.
PS C:\Users\myuser> oc get cronjob -w
NAME SCHEDULE SUSPEND ACTIVE LAST SCHEDULE AGE
mariadump */1 * * * * False 0 <none> 8s
mariadump */1 * * * * False 1 3s 61s
PS C:\Users\myuser> oc get pods -w
NAME READY STATUS RESTARTS AGE
mariadump-1616089500-mnfxs 0/1 CrashLoopBackOff 1 8s
PS C:\Users\myuser> oc logs mariadump-1616089500-mnfxs
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:my-namespace:default" cannot list resource "pods" in API group "" in the namespace "my-namespace"
To give the CronJob the proper permissions, I used this template to create the Role, RoleBinding and ServiceAccount.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: my_namespace
  name: mariadbdump
rules:
- apiGroups:
  - extensions
  - apps
  resources:
  - deployments
  - replicasets
  verbs:
  - 'patch'
  - 'get'
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: mariadbdump
  namespace: my_namespace
subjects:
- kind: ServiceAccount
  name: mariadbdumpsa
  namespace: my_namespace
roleRef:
  kind: Role
  name: mariadbdump
  apiGroup: ""
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mariadbdumpsa
  namespace: my_namespace
Can anyone help me understand why the CronJob with the ServiceAccount is not working?
Thanks
This YAML does work:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: my-namespace
  name: mariadbdump
rules:
- apiGroups:
  - ""
  - ''
  resources:
  - deployments
  - replicasets
  - pods
  - pods/exec
  verbs:
  - 'watch'
  - 'get'
  - 'create'
  - 'list'
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mariadbdump
  namespace: my-namespace
subjects:
- kind: ServiceAccount
  name: mariadbdumpsa
  namespace: my-namespace
roleRef:
  kind: Role
  name: mariadbdump
  apiGroup: ""
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mariadbdumpsa
  namespace: my-namespace
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: mariadump
  namespace: my-namespace
spec:
  schedule: "*/1 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: mariadbdumpsa
          containers:
          - name: kubectl
            image: garland/kubectl:1.10.4
            command:
            - /bin/sh
            - -c
            - kubectl exec $(kubectl get pods | grep Running | grep 'mariadb' | awk '{print $1}') -- /opt/rh/rh-mariadb102/root/usr/bin/mysqldump --skip-lock-tables -h 127.0.0.1 -P 3306 -u userdb --password=userdbpass databasename >/tmp/backup.sql;kubectl cp my-namespace/$(kubectl get pods | grep Running | grep 'mariadbdump' | awk '{print $1}'):/tmp/backup.sql my-namespace/$(kubectl get pods | grep Running | grep 'mariadb' | awk '{print $1}'):/tmp/backup.sql;echo 'Backup done'
          restartPolicy: OnFailure
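
Added example, not part of the original posts: an offline lint that checks the two things that differ between the question's manifests and the working ones, namely whether the CronJob's serviceAccountName resolves to a ServiceAccount in the CronJob's own namespace, and whether a Role bound to that account grants the verbs the job needs. The function names (rule_allows, lint, sample) and the dict-based manifests are constructed for illustration and mirror the page's YAML.

```python
import re

DNS1123 = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")  # valid namespace names

def rule_allows(rule, group, resource, verb):
    """True if one RBAC rule grants `verb` on `resource` in API group `group`."""
    hit = lambda values, want: "*" in values or want in values
    return (hit(rule["apiGroups"], group) and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))

def lint(docs, needed):
    """Findings per CronJob: invalid namespace, missing ServiceAccount, ungranted verbs."""
    meta = lambda d: (d["metadata"]["name"], d["metadata"].get("namespace"))
    kinds, out = {}, []
    for d in docs:
        kinds.setdefault(d["kind"], []).append(d)
        if not DNS1123.match(meta(d)[1] or "default"):
            out.append(f"{d['kind']}/{meta(d)[0]}: invalid namespace {meta(d)[1]!r}")
    for cj in kinds.get("CronJob", []):
        ns = meta(cj)[1]
        sa = cj["spec"]["jobTemplate"]["spec"]["template"]["spec"].get(
            "serviceAccountName", "default")
        if sa != "default" and (sa, ns) not in map(meta, kinds.get("ServiceAccount", [])):
            out.append(f"ServiceAccount {sa!r} not found in {ns!r}: pods cannot be created")
        # Roles reachable from this ServiceAccount through RoleBindings in the same namespace
        bound = {rb["roleRef"]["name"] for rb in kinds.get("RoleBinding", [])
                 if meta(rb)[1] == ns and any(
                     s["kind"] == "ServiceAccount" and s["name"] == sa
                     and s.get("namespace", ns) == ns for s in rb["subjects"])}
        rules = [r for role in kinds.get("Role", [])
                 if meta(role)[1] == ns and meta(role)[0] in bound
                 for r in role["rules"]]
        for group, resource, verb in needed:
            if not any(rule_allows(r, group, resource, verb) for r in rules):
                out.append(f"{sa!r} cannot {verb} {resource!r} in API group {group!r}")
    return out

def sample(rbac_ns, groups, resources, verbs):
    """Constructed manifests mirroring the page's YAML, as plain dicts."""
    m = lambda name, ns: {"name": name, "namespace": ns}
    return [
        {"kind": "Role", "metadata": m("mariadbdump", rbac_ns),
         "rules": [{"apiGroups": groups, "resources": resources, "verbs": verbs}]},
        {"kind": "RoleBinding", "metadata": m("mariadbdump", rbac_ns),
         "subjects": [{**m("mariadbdumpsa", rbac_ns), "kind": "ServiceAccount"}],
         "roleRef": {"kind": "Role", "name": "mariadbdump"}},
        {"kind": "ServiceAccount", "metadata": m("mariadbdumpsa", rbac_ns)},
        {"kind": "CronJob", "metadata": m("mariadump", "my-namespace"),
         "spec": {"jobTemplate": {"spec": {"template": {"spec": {
             "serviceAccountName": "mariadbdumpsa"}}}}}},
    ]
```

Against the question's values (namespace my_namespace, apiGroups extensions and apps) lint reports the invalid namespace, the unresolved ServiceAccount and the missing list permission on pods; against the working YAML's values it returns no findings.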