Kubernetes/Helm Ingress deployment not working due to a possible permissions issue

nue99wik posted on 2023-06-28 in Kubernetes

Below is the Helm chart for my NGINX Ingress:

{{- if or (eq .Values.environment "staging") (eq .Values.environment "production") -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sparrow-{{ .Values.environment }}-ingress
  namespace: sparrow-{{ .Values.environment }}
  annotations:
{{/*    kubernetes.io/ingress.class: nginx*/}}
spec:
  ingressClassName: nginx
  rules:
{{- if eq .Values.environment "staging" }}
    - host: staging.sparrow.express
{{- end -}}
{{- if eq .Values.environment "production" }}
    - host: sparrow.express
{{- end }}
      http:
        paths:
          - path: /(.*)
            pathType: Prefix
            backend:
              service:
                name: {{ .Values.applicationName }}-ui-service
                port:
                  number: 80
          - path: /api/(.*)
            pathType: Prefix
            backend:
              service:
                name: {{ .Values.applicationName }}-api-service
                port:
                  number: 3000
{{- end -}}

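The deployments and the related services have all been verified and work correctly. The problem appears when I try to expose these services through the NGINX Ingress. It looks like a possible permissions issue, because this is the log output from the NGINX Ingress controller Pod that fails to start: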

I0626 00:58:55.103267       7 flags.go:205] Watching for Ingress class: nginx
W0626 00:58:55.103505       7 flags.go:250] SSL certificate chain completion is disabled (--enable-ssl-chain-completion=false)
W0626 00:58:55.103555       7 client_config.go:552] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I0626 00:58:55.103848       7 main.go:231] Creating API client for https://10.96.0.1:443
I0626 00:58:55.107562       7 main.go:275] Running in Kubernetes cluster version v1.26 (v1.26.3) - git (clean) commit 9e644106593f3f4aa98f8a84b23db5fa378900bd - platform linux/arm64
I0626 00:58:55.109148       7 main.go:87] Validated default/sparrow-staging-nginx-ingress-default-backend as the default backend.
I0626 00:58:55.202268       7 main.go:105] SSL fake certificate created /etc/ingress-controller/ssl/default-fake-certificate.pem
I0626 00:58:55.202908       7 main.go:113] Enabling new Ingress features available since Kubernetes v1.18
E0626 00:58:55.203546       7 main.go:122] Unexpected error searching IngressClass: ingressclasses.networking.k8s.io "nginx" is forbidden: User "system:serviceaccount:default:sparrow-staging-nginx-ingress" cannot get resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope
W0626 00:58:55.203558       7 main.go:125] No IngressClass resource with name nginx found. Only annotation will be used.
W0626 00:58:55.211518       7 store.go:659] Unexpected error reading configuration configmap: configmaps "sparrow-staging-nginx-ingress-controller" not found
I0626 00:58:55.215679       7 nginx.go:263] Starting NGINX Ingress controller
E0626 00:58:56.320559       7 reflector.go:178] pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1beta1.Ingress: the server could not find the requested resource
E0626 00:58:57.775395       7 reflector.go:178] pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1beta1.Ingress: the server could not find the requested resource
E0626 00:58:59.873440       7 reflector.go:178] pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1beta1.Ingress: the server could not find the requested resource
E0626 00:59:05.758255       7 reflector.go:178] pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1beta1.Ingress: the server could not find the requested resource
E0626 00:59:17.059505       7 reflector.go:178] pkg/mod/k8s.io/client-go@v0.18.5/tools/cache/reflector.go:125: Failed to list *v1beta1.Ingress: the server could not find the requested resource
I0626 00:59:30.946386       7 main.go:179] Received SIGTERM, shutting down
I0626 00:59:30.946406       7 nginx.go:380] Shutting down controller queues
I0626 00:59:30.946421       7 status.go:118] updating status of Ingress rules (remove)
E0626 00:59:30.946546       7 store.go:186] timed out waiting for caches to sync
I0626 00:59:30.946573       7 nginx.go:307] Starting NGINX process
I0626 00:59:30.946761       7 leaderelection.go:242] attempting to acquire leader lease  default/ingress-controller-leader-nginx...
E0626 00:59:30.946908       7 queue.go:78] queue has been shutdown, failed to enqueue: &ObjectMeta{Name:initial-sync,GenerateName:,Namespace:,SelfLink:,UID:,ResourceVersion:,Generation:0,CreationTimestamp:0001-01-01 00:00:00 +0000 UTC,DeletionTimestamp:<nil>,DeletionGracePeriodSeconds:nil,Labels:map[string]string{},Annotations:map[string]string{},OwnerReferences:[]OwnerReference{},Finalizers:[],ClusterName:,ManagedFields:[]ManagedFieldsEntry{},}
I0626 00:59:30.953230       7 leaderelection.go:252] successfully acquired lease default/ingress-controller-leader-nginx
E0626 00:59:30.953382       7 queue.go:78] queue has been shutdown, failed to enqueue: &ObjectMeta{Name:sync status,GenerateName:,Namespace:,SelfLink:,UID:,ResourceVersion:,Generation:0,CreationTimestamp:0001-01-01 00:00:00 +0000 UTC,DeletionTimestamp:<nil>,DeletionGracePeriodSeconds:nil,Labels:map[string]string{},Annotations:map[string]string{},OwnerReferences:[]OwnerReference{},Finalizers:[],ClusterName:,ManagedFields:[]ManagedFieldsEntry{},}
I0626 00:59:30.953435       7 status.go:86] new leader elected: sparrow-staging-nginx-ingress-controller-74555f4f44-d77f7
I0626 00:59:30.957187       7 status.go:137] removing address from ingress status ([192.168.49.2])
I0626 00:59:30.957328       7 nginx.go:396] Stopping NGINX process
2023/06/26 00:59:30 [notice] 26#26: signal process started
I0626 00:59:33.968556       7 nginx.go:409] NGINX process has stopped
I0626 00:59:33.968592       7 main.go:187] Handled quit, awaiting Pod deletion
I0626 00:59:43.969787       7 main.go:190] Exiting with 0

Am I missing something? Could my user be misconfigured?

j2datikz #1

Yes, it is about RBAC for the ingress:
E0626 00:58:55.203546 7 main.go:122] Unexpected error searching IngressClass: ingressclasses.networking.k8s.io "nginx" is forbidden: User "system:serviceaccount:default:sparrow-staging-nginx-ingress" cannot get resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope
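Make sure there is a ClusterRoleBinding between sparrow-staging-nginx-ingress and a ClusterRole, and check whether the permissions inside that ClusterRole allow any ingressclass API.
Or make sure there is an ingress class named nginx, using the following command: kubectl get ingressclass
Or reinstall a different version of the nginx ingress controller. Good luck :)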
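
As an added example (not part of the original answer or the chart), this shell script parses the denial quoted above into the `kubectl auth can-i` check for that service account and a ClusterRole/ClusterRoleBinding that grants only the denied verb on the denied resource. The object name `<serviceaccount>-<resource>` is an assumption; review the output before applying it.

```shell
# Added example: derive a reviewable least-privilege grant from a "forbidden" denial.

# Constructed input: the denial line quoted in the answer above.
SAMPLE_LOG='E0626 00:58:55.203546 7 main.go:122] Unexpected error searching IngressClass: ingressclasses.networking.k8s.io "nginx" is forbidden: User "system:serviceaccount:default:sparrow-staging-nginx-ingress" cannot get resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope'

# parse_denial: for each cluster-scoped service-account denial on stdin, print
# "namespace serviceaccount verb resource apigroup" (apigroup is empty for core).
parse_denial() {
  sed -nE 's/.*User "system:serviceaccount:([^:"]+):([^"]+)" cannot ([a-z]+) resource "([^"]+)" in API group "([^"]*)" at the cluster scope.*/\1 \2 \3 \4 \5/p'
}

# can_i_cmd: print the kubectl command that checks each parsed denial.
can_i_cmd() {
  while read -r ns sa verb res group; do
    echo "kubectl auth can-i ${verb} ${res}${group:+.${group}} --as=system:serviceaccount:${ns}:${sa}"
  done
}

# render_rbac: emit a ClusterRole granting only the denied verb on the denied
# resource, plus its binding. The name "<sa>-<resource>" is hypothetical.
render_rbac() {
  while read -r ns sa verb res group; do
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${sa}-${res}
rules:
  - apiGroups: ["${group}"]
    resources: ["${res}"]
    verbs: ["${verb}"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${sa}-${res}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${sa}-${res}
subjects:
  - kind: ServiceAccount
    name: ${sa}
    namespace: ${ns}
EOF
  done
}
printf '%s\n' "$SAMPLE_LOG" | parse_denial | render_rbac
```

The same log also shows `Failed to list *v1beta1.Ingress` against a v1.26 cluster; the v1beta1 Ingress API was removed in Kubernetes 1.22, so granting this permission does not clear that error and the answer's last suggestion, a different controller version, still applies.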
