时间戳

首页 > 解决方案 > Kubernetes - statefulSet 和卷权限

docker - Kubernetes - statefulSet 和卷权限

问题描述

我正在尝试创建如下所示的 statefulSet,在其中运行 init 容器之前在主容器中使用卷数据之前应用权限,但出现权限错误,如下所示

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgresql
spec:
  serviceName: postgresql-headless
  replicas: 1
  selector:
    matchLabels:
      app: awx
  template:
    metadata:
      name: postgresql
      labels:
        app: awx
    spec:
      securityContext:
        fsGroup: 1001
      serviceAccountName: awx
      initContainers:
      - name: init-chmod-data
        image: docker.local/data/awx/bitnami/minideb/minideb:1.0
        command: 
          - /bin/sh
          - -cx
          - |
            echo "current user id: `id`"
            mkdir -p /bitnami/postgresql/data
            chmod 700 /bitnami/postgresql/data
            find /bitnami/postgresql/data -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | \
                xargs chown -R 1001:1001
        securityContext:
          runAsUser: 1001
        volumeMounts:
          - name: data
            mountPath: /bitnami/postgresql/data
            subPath: ""
      containers: 
        - name: postgresql
          image: docker.local/bitnami/postgresql:11.6.0-debian-10-r5 
          securityContext:
            runAsUser: 1001
          env:
            - name: POSTGRESQL_PASSWORD
              value: "p@ssw0rd"
          volumeMounts:
            - name: data
              mountPath: /bitnami/postgresql/data
              subPath: ""        

  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: 
          - ReadWriteOnce
        resources:
          requests:
            storage: 5Gi
        storageClassName: cinder

当我运行此规范时,它在 init 容器上失败:

 kubectl -n mynamespace logs postgresql-0 -c init-chmod-data
+ id
current user id: uid=1001(postgresql) gid=1001(postgresql) groups=1001(postgresql)
+ echo current user id: uid=1001(postgresql) gid=1001(postgresql) groups=1001(postgresql)
+ mkdir -p /bitnami/postgresql/data
+ chmod 700 /bitnami/postgresql/data
chmod: changing permissions of '/bitnami/postgresql/data': Operation not permitted

但是,当我在 docker 本地运行 init 容器中使用的映像时,我可以更改这些权限:

sudo docker image ls | grep 1.0 | grep minideb
docker.local/data/awx/bitnami/minideb/minideb        1.0                        698636b178a6        2 hours ago         53.7MB
sudo docker run -it  --name minideb 698636b178a6
postgresql@248dcad0e738:/$ mkdir -p /bitnami/postgresql/data
postgresql@248dcad0e738:/$ chmod 700 /bitnami/postgresql/data
postgresql@248dcad0e738:/$

minideb 映像已修改如下,因为我无法以 root 身份运行容器:

FROM docker.local/bitnami/minideb:stretch
USER 0
RUN groupadd --gid 1001 postgresql && useradd --uid 1001 --gid 1001 postgresql
RUN mkdir -p /bitnami/postgresql ; chown -R 1001:1001 /bitnami/postgresql
USER 1001

知道我做错了什么吗?谢谢!

标签: dockerkuberneteskubectlkubernetes-statefulset

解决方案

移除陈旧的 pvc 后修复

推荐阅读