为 EKS 使用 AWS Secrets & Configuration Provider:来自服务器的错误 (BadRequest)
use AWS Secrets & Configuration Provider for EKS: Error from server (BadRequest)
我正在关注 this AWS documentation,它解释了如何正确配置 AWS Secrets Manager 以让它通过 Kubernetes Secrets 与 EKS 一起工作。
我成功地按照文档中的说明逐步执行了所有不同的命令。
我得到的唯一区别与 this step 有关,我必须 运行:
kubectl get po --namespace=kube-system
预期的输出应该是:
csi-secrets-store-qp9r8 3/3 Running 0 4m
csi-secrets-store-zrjt2 3/3 Running 0 4m
但我得到:
csi-secrets-store-provider-aws-lxxcz 1/1 Running 0 5d17h
csi-secrets-store-provider-aws-rhnc6 1/1 Running 0 5d17h
csi-secrets-store-secrets-store-csi-driver-ml6jf 3/3 Running 0 5d18h
csi-secrets-store-secrets-store-csi-driver-r5cbk 3/3 Running 0 5d18h
如您所见,名称不同,但我很确定没关系:-)
真正的问题开始了 here in step 4:我创建了以下 YAML 文件(如您所见,我添加了一些参数):
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
name: aws-secrets
spec:
provider: aws
parameters:
objects: |
- objectName: "mysecret"
objectType: "secretsmanager"
最后我使用以下 yaml 文件创建了一个部署(如解释 here in step 5):
# test-deployment.yaml
kind: Pod
apiVersion: v1
metadata:
name: nginx-secrets-store-inline
spec:
serviceAccountName: iamserviceaccountforkeyvaultsecretmanagerresearch
containers:
- image: nginx
name: nginx
volumeMounts:
- name: mysecret-volume
mountPath: "/mnt/secrets-store"
readOnly: true
volumes:
- name: mysecret-volume
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: "aws-secrets"
通过命令部署后:
kubectl apply -f test-deployment.yaml -n mynamespace
pod 无法正常启动,因为生成了以下错误:
Error from server (BadRequest): container "nginx" in pod "nginx-secrets-store-inline" is waiting to start: ContainerCreating
但是,例如,如果我 运行 使用以下 yaml 进行部署 POD 将成功创建
# test-deployment.yaml
kind: Pod
apiVersion: v1
metadata:
name: nginx-secrets-store-inline
spec:
serviceAccountName: iamserviceaccountforkeyvaultsecretmanagerresearch
containers:
- image: nginx
name: nginx
volumeMounts:
- name: keyvault-credential-volume
mountPath: "/mnt/secrets-store"
readOnly: true
volumes:
- name: keyvault-credential-volume
emptyDir: {} # <<== !! LOOK HERE !!
如你所见,我使用了
emptyDir: {}
据我所知,这里的问题与以下 YAML 行有关:
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: "aws-secrets"
老实说,我什至不清楚这里发生了什么。
可能是我没有正确启用 EKS 中的卷权限?
抱歉,我是 AWS 和 Kubernetes 配置方面的新手。
谢谢你的时间
--- 新信息 ---
如果我运行
kubectl describe pod nginx-secrets-store-inline -n mynamespace
其中 nginx-secrets-store-inline 是 pod 的名称,我得到以下输出:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 30s default-scheduler Successfully assigned mynamespace/nginx-secrets-store-inline to ip-10-0-24-252.eu-central-1.compute.internal
Warning FailedMount 14s (x6 over 29s) kubelet MountVolume.SetUp failed for volume "keyvault-credential-volume" : rpc error: code = Unknown desc = failed to get secretproviderclass mynamespace/aws-secrets, error: SecretProviderClass.secrets-store.csi.x-k8s.io "aws-secrets" not found
有什么提示吗?
我终于明白为什么它不起作用了。如解释here,错误:
Warning FailedMount 3s (x4 over 6s) kubelet, kind-control-plane MountVolume.SetUp failed for volume "secrets-store-inline" : rpc error: code = Unknown desc = failed to get secretproviderclass default/azure, error: secretproviderclasses.secrets-store.csi.x-k8s.io "azure" not found
与命名空间相关:
The SecretProviderClass being referenced in the volumeMount needs to exist in the same namespace as the application pod.
所以两个 yaml 文件应该部署在同一个命名空间中(添加,例如,-n mynamespace 参数)。
我终于成功了!
我正在关注 this AWS documentation,它解释了如何正确配置 AWS Secrets Manager 以让它通过 Kubernetes Secrets 与 EKS 一起工作。
我成功地按照文档中的说明逐步执行了所有不同的命令。
我得到的唯一区别与 this step 有关,我必须 运行:
kubectl get po --namespace=kube-system
预期的输出应该是:
csi-secrets-store-qp9r8 3/3 Running 0 4m
csi-secrets-store-zrjt2 3/3 Running 0 4m
但我得到:
csi-secrets-store-provider-aws-lxxcz 1/1 Running 0 5d17h
csi-secrets-store-provider-aws-rhnc6 1/1 Running 0 5d17h
csi-secrets-store-secrets-store-csi-driver-ml6jf 3/3 Running 0 5d18h
csi-secrets-store-secrets-store-csi-driver-r5cbk 3/3 Running 0 5d18h
如您所见,名称不同,但我很确定没关系:-)
真正的问题开始了 here in step 4:我创建了以下 YAML 文件(如您所见,我添加了一些参数):
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
name: aws-secrets
spec:
provider: aws
parameters:
objects: |
- objectName: "mysecret"
objectType: "secretsmanager"
最后我使用以下 yaml 文件创建了一个部署(如解释 here in step 5):
# test-deployment.yaml
kind: Pod
apiVersion: v1
metadata:
name: nginx-secrets-store-inline
spec:
serviceAccountName: iamserviceaccountforkeyvaultsecretmanagerresearch
containers:
- image: nginx
name: nginx
volumeMounts:
- name: mysecret-volume
mountPath: "/mnt/secrets-store"
readOnly: true
volumes:
- name: mysecret-volume
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: "aws-secrets"
通过命令部署后:
kubectl apply -f test-deployment.yaml -n mynamespace
pod 无法正常启动,因为生成了以下错误:
Error from server (BadRequest): container "nginx" in pod "nginx-secrets-store-inline" is waiting to start: ContainerCreating
但是,例如,如果我 运行 使用以下 yaml 进行部署 POD 将成功创建
# test-deployment.yaml
kind: Pod
apiVersion: v1
metadata:
name: nginx-secrets-store-inline
spec:
serviceAccountName: iamserviceaccountforkeyvaultsecretmanagerresearch
containers:
- image: nginx
name: nginx
volumeMounts:
- name: keyvault-credential-volume
mountPath: "/mnt/secrets-store"
readOnly: true
volumes:
- name: keyvault-credential-volume
emptyDir: {} # <<== !! LOOK HERE !!
如你所见,我使用了
emptyDir: {}
据我所知,这里的问题与以下 YAML 行有关:
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: "aws-secrets"
老实说,我什至不清楚这里发生了什么。 可能是我没有正确启用 EKS 中的卷权限?
抱歉,我是 AWS 和 Kubernetes 配置方面的新手。 谢谢你的时间
--- 新信息 ---
如果我运行
kubectl describe pod nginx-secrets-store-inline -n mynamespace
其中 nginx-secrets-store-inline 是 pod 的名称,我得到以下输出:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 30s default-scheduler Successfully assigned mynamespace/nginx-secrets-store-inline to ip-10-0-24-252.eu-central-1.compute.internal
Warning FailedMount 14s (x6 over 29s) kubelet MountVolume.SetUp failed for volume "keyvault-credential-volume" : rpc error: code = Unknown desc = failed to get secretproviderclass mynamespace/aws-secrets, error: SecretProviderClass.secrets-store.csi.x-k8s.io "aws-secrets" not found
有什么提示吗?
我终于明白为什么它不起作用了。如解释here,错误:
Warning FailedMount 3s (x4 over 6s) kubelet, kind-control-plane MountVolume.SetUp failed for volume "secrets-store-inline" : rpc error: code = Unknown desc = failed to get secretproviderclass default/azure, error: secretproviderclasses.secrets-store.csi.x-k8s.io "azure" not found
与命名空间相关:
The SecretProviderClass being referenced in the volumeMount needs to exist in the same namespace as the application pod.
所以两个 yaml 文件应该部署在同一个命名空间中(添加,例如,-n mynamespace 参数)。 我终于成功了!