k8s 权限被拒绝问题

k8s Permission Denied issue

我在部署 k8s 部署时遇到了这个错误,我试图通过安全上下文模拟成为 root 用户,但它没有帮助,猜猜如何解决它?不幸的是,我没有任何其他想法或解决方法来避免此权限问题。

我得到的错误是:

30: line 1: /scripts/wrapper.sh: Permission denied
stream closed

部署如下:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: cluster-autoscaler-grok-exporter
  labels:
    app: cluster-autoscaler-grok-exporter
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cluster-autoscaler-grok-exporter
      sidecar: cluster-autoscaler-grok-exporter-sidecar
  template:
    metadata:
      labels:
        app: cluster-autoscaler-grok-exporter
        sidecar: cluster-autoscaler-grok-exporter-sidecar
    spec:
      securityContext:
       runAsUser: 1001
       fsGroup: 2000 
      serviceAccountName: flux
      imagePullSecrets:
        - name: id-docker
      containers:
        - name: get-data
          # 3.5.0 - helm v3.5.0, kubectl v1.20.2, alpine 3.12
          image: dtzar/helm-kubectl:3.5.0
          command: ["sh", "-c", "/scripts/wrapper.sh"]
          args:
            - cluster-autoscaler
            - "90"
                  # - cluster-autoscaler
            - "30"
            - /scripts/get_data.sh
            - /logs/data.log
          volumeMounts:
            - name: logs
              mountPath: /logs/
            - name: scripts-volume-get-data
              mountPath: /scripts/get_data.sh
              subPath: get_data.sh
            - name: scripts-wrapper
              mountPath: /scripts/wrapper.sh
              subPath: wrapper.sh
        - name: export-data
          image: ippendigital/grok-exporter:1.0.0.RC3
          imagePullPolicy: Always
          ports:
            - containerPort: 9148
              protocol: TCP
          volumeMounts:
            - name: grok-config-volume
              mountPath: /grok/config.yml
              subPath: config.yml
            - name: logs
              mountPath: /logs
      volumes:
        - name: grok-config-volume
          configMap:
            name: grok-exporter-config
        - name: scripts-volume-get-data
          configMap:
            name: get-data-script
            defaultMode: 0777
            defaultMode: 0700
        - name: scripts-wrapper
          configMap:
            name: wrapper-config
            defaultMode: 0777
            defaultMode: 0700
        - name: logs
          emptyDir: {}
        
---
apiVersion: v1
kind: Service
metadata:
  name: cluster-autoscaler-grok-exporter-sidecar
  labels:
    sidecar: cluster-autoscaler-grok-exporter-sidecar
spec:
  type: ClusterIP
  ports:
    - name: metrics
      protocol: TCP
      targetPort: 9144
      port: 9148
  selector:
    sidecar: cluster-autoscaler-grok-exporter-sidecar
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  labels:
    app.kubernetes.io/name: cluster-autoscaler-grok-exporter
    app.kubernetes.io/part-of: grok-exporter
  name: cluster-autoscaler-grok-exporter
spec:
  endpoints:
    - port: metrics
  selector:
    matchLabels:
      sidecar: cluster-autoscaler-grok-exporter-sidecar

据我所知,您的脚本没有执行权限。

从您的配置图中删除此行。

defaultMode: 0700

只保留:

defaultMode: 0777

此外,我发现您的脚本路径中缺少前导 /

- /bin/sh scripts/get_data.sh

所以,将其更改为

- /bin/sh /scripts/get_data.sh