EKS - Kubernetes - nginx-ingress-controller-default-ingress-controller - open /var/run/secrets/kubernetes.io/serviceaccount/token:permission denied

fxnxkyjh  posted on 2023-10-17  in  Kubernetes

There is an EKS cluster on 1.21.
An nginx-ingress-controller-default-ingress-controller is deployed with a Classic Load Balancer.
Suddenly its pods are crashing with the following error.

I0815 04:40:04.970835       8 flags.go:204] Watching for Ingress class: nginx
W0815 04:40:04.980149       8 flags.go:249] SSL certificate chain completion is disabled (--enable-ssl-chain-completion=false)
W0815 04:40:04.980218       8 client_config.go:543] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
W0815 04:40:04.980255       8 client_config.go:548] error creating inClusterConfig, falling back to default config: open /var/run/secrets/kubernetes.io/serviceaccount/token: permission denied
F0815 04:40:04.980417       8 main.go:272] Error while initiating a connection to the Kubernetes API server. This could mean the cluster is misconfigured (e.g. it has invalid API server certificates or Service Accounts configuration). Reason: open /var/run/secrets/kubernetes.io/serviceaccount/token: permission denied

Below are the pod's securityContext and volumeMounts.

    securityContext:
      allowPrivilegeEscalation: true
      capabilities:
        add:
        - NET_BIND_SERVICE
        drop:
        - ALL
      runAsUser: 101
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-k7n9n
      readOnly: true

I tried changing it to runAsUser: 0, but that returns the message pod "..." is invalid.
Could you give me some pointers on what might be going wrong here and any possible solutions?

vd2z7a6w 1#

Try adding fsGroup. That will make the serviceaccount directory readable by a non-root user:

spec:
  template:
    spec:
      securityContext:
        fsGroup: 65534

zu0ti5jz 2#

Go to your nginx controller DaemonSet and include fsGroup with the value 65534 to help you run the container as a non-root user.
When you run containers as a non-root user (a security best practice), you may run into permission problems when writing to volume mount directories, especially when the containerized application expects to write files with specific permissions. Setting fsGroup: 65534 ensures that files created in the volume do not belong to any privileged group, which helps prevent permission issues.

spec:
  template:
    spec:
      securityContext:
        fsGroup: 65534
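As an added example (not code from the question or either answer), here is a small lint that flags the combination both answers are fixing: a container running as a non-root UID that mounts the service-account token while the pod has no fsGroup. The pod spec it checks is constructed to mirror the question's controller; the function and constant names are my own.

```python
import copy

# Mount path of the projected service-account token, as in the question's volumeMounts.
SA_MOUNT = "/var/run/secrets/kubernetes.io/serviceaccount"


def find_unreadable_token_mounts(pod_spec):
    """Return the names of containers that run as a non-root UID and mount the
    service-account token while the pod sets no fsGroup, i.e. the setup that
    produced 'open .../serviceaccount/token: permission denied' in the question."""
    pod_sc = pod_spec.get("securityContext", {})
    if pod_sc.get("fsGroup") is not None:
        return []  # volume contents are made readable by that group (the answers' fix)
    findings = []
    for c in pod_spec.get("containers", []):
        c_sc = c.get("securityContext", {})
        # A container-level runAsUser overrides the pod-level one; default is root.
        uid = c_sc.get("runAsUser", pod_sc.get("runAsUser", 0))
        if uid == 0:
            continue
        mounts_token = any(
            m.get("mountPath") == SA_MOUNT for m in c.get("volumeMounts", [])
        )
        if mounts_token:
            findings.append(c["name"])
    return findings


def with_fsgroup(pod_spec, gid=65534):
    """Return a copy of the spec with the pod-level fsGroup from the answers applied."""
    fixed = copy.deepcopy(pod_spec)
    fixed.setdefault("securityContext", {})["fsGroup"] = gid
    return fixed


# Constructed pod spec mirroring the question's container (names are placeholders).
BROKEN_SPEC = {
    "containers": [{
        "name": "nginx-ingress-controller",
        "securityContext": {
            "runAsUser": 101,
            "allowPrivilegeEscalation": True,
            "capabilities": {"add": ["NET_BIND_SERVICE"], "drop": ["ALL"]},
        },
        "volumeMounts": [
            {"mountPath": SA_MOUNT, "name": "kube-api-access-k7n9n", "readOnly": True}
        ],
    }],
}

if __name__ == "__main__":
    print("flagged:", find_unreadable_token_mounts(BROKEN_SPEC))          # ['nginx-ingress-controller']
    print("after fix:", find_unreadable_token_mounts(with_fsgroup(BROKEN_SPEC)))  # []
```

The same check can be pointed at the output of a pod-spec dump to confirm the fsGroup change actually landed on the DaemonSet's pod template.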
