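jenkins - Jenkins on Kubernetes - Permission denied
Problem description
I am trying to install Jenkins on Kubernetes using Helm 3, following the official instructions, but I ran into a permission problem.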
---
apiVersion: v1
kind: Namespace
metadata:
  name: jenkins
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: jenkins-pv
  namespace: jenkins
spec:
  storageClassName: jenkins-pv
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 5Gi
  persistentVolumeReclaimPolicy: Retain
  hostPath:
    path: /data/jenkins-volume/
Then I pull down the values.yaml file:
wget https://raw.githubusercontent.com/jenkinsci/helm-charts/main/charts/jenkins/values.yaml
I adjust adminPassword (this is a demo system):
adminPassword: "mySecret"
Finally I change storageClass: to
storageClass: jenkins-pv
Output / debug logs
$ kubectl logs -n jenkins jenkins-0 init
disable Setup Wizard
/var/jenkins_config/apply_config.sh: 4: /var/jenkins_config/apply_config.sh: cannot create /var/jenkins_home/jenkins.install.UpgradeWizard.state: Permission denied
$ kubectl describe pod -n jenkins jenkins-0
Name: jenkins-0
Namespace: jenkins
Priority: 0
Node: ip-172-31-40-127/172.31.40.127
Start Time: Mon, 30 Nov 2020 10:37:19 +0000
Labels: app.kubernetes.io/component=jenkins-controller
app.kubernetes.io/instance=jenkins
app.kubernetes.io/managed-by=Helm
app.kubernetes.io/name=jenkins
controller-revision-hash=jenkins-57958b7d49
statefulset.kubernetes.io/pod-name=jenkins-0
Annotations: checksum/config: 2a4c2b3ea5dea271cb7c0b8e8582b682814d39f8e933e0348725b0b9a7dbf258
Status: Pending
IP: 10.42.0.44
IPs:
IP: 10.42.0.44
Controlled By: StatefulSet/jenkins
Init Containers:
init:
Container ID: containerd://64862ebd6791966db07981196d5dbd4c3b583d9e3e6543a31b252d19c2f9405b
Image: jenkins/jenkins:lts
Image ID: docker.io/jenkins/jenkins@sha256:980d55fd29a287d2d085c08c2bb6c629395ab2e3dd7547641035b4f126acc322
Port: <none>
Host Port: <none>
Command:
sh
/var/jenkins_config/apply_config.sh
State: Terminated
Reason: Error
Exit Code: 2
Started: Mon, 30 Nov 2020 10:53:41 +0000
Finished: Mon, 30 Nov 2020 10:53:41 +0000
Last State: Terminated
Reason: Error
Exit Code: 2
Started: Mon, 30 Nov 2020 10:48:29 +0000
Finished: Mon, 30 Nov 2020 10:48:29 +0000
Ready: False
Restart Count: 8
Limits:
cpu: 2
memory: 4Gi
Requests:
cpu: 50m
memory: 256Mi
Environment: <none>
Mounts:
/usr/share/jenkins/ref/plugins from plugins (rw)
/var/jenkins_config from jenkins-config (rw)
/var/jenkins_home from jenkins-home (rw)
/var/jenkins_plugins from plugin-dir (rw)
/var/run/secrets/kubernetes.io/serviceaccount from jenkins-token-zjzdt (ro)
Containers:
jenkins:
Container ID:
Image: jenkins/jenkins:lts
Image ID:
Ports: 8080/TCP, 50000/TCP
Host Ports: 0/TCP, 0/TCP
Args:
--httpPort=8080
State: Waiting
Reason: PodInitializing
Ready: False
Restart Count: 0
Limits:
cpu: 2
memory: 4Gi
Requests:
cpu: 50m
memory: 256Mi
Liveness: http-get http://:http/login delay=0s timeout=5s period=10s #success=1 #failure=5
Readiness: http-get http://:http/login delay=0s timeout=5s period=10s #success=1 #failure=3
Startup: http-get http://:http/login delay=0s timeout=5s period=10s #success=1 #failure=12
Environment:
POD_NAME: jenkins-0 (v1:metadata.name)
JAVA_OPTS: -Dcasc.reload.token=$(POD_NAME)
JENKINS_OPTS:
JENKINS_SLAVE_AGENT_PORT: 50000
CASC_JENKINS_CONFIG: /var/jenkins_home/casc_configs
Mounts:
/run/secrets/chart-admin-password from admin-secret (ro,path="jenkins-admin-password")
/run/secrets/chart-admin-username from admin-secret (ro,path="jenkins-admin-user")
/usr/share/jenkins/ref/plugins/ from plugin-dir (rw)
/var/jenkins_config from jenkins-config (ro)
/var/jenkins_home from jenkins-home (rw)
/var/jenkins_home/casc_configs from sc-config-volume (rw)
/var/run/secrets/kubernetes.io/serviceaccount from jenkins-token-zjzdt (ro)
config-reload:
Container ID:
Image: kiwigrid/k8s-sidecar:0.1.275
Image ID:
Port: <none>
Host Port: <none>
State: Waiting
Reason: PodInitializing
Ready: False
Restart Count: 0
Environment:
POD_NAME: jenkins-0 (v1:metadata.name)
LABEL: jenkins-jenkins-config
FOLDER: /var/jenkins_home/casc_configs
NAMESPACE: jenkins
REQ_URL: http://localhost:8080/reload-configuration-as-code/?casc-reload-token=$(POD_NAME)
REQ_METHOD: POST
REQ_RETRY_CONNECT: 10
Mounts:
/var/jenkins_home from jenkins-home (rw)
/var/jenkins_home/casc_configs from sc-config-volume (rw)
/var/run/secrets/kubernetes.io/serviceaccount from jenkins-token-zjzdt (ro)
Conditions:
Type Status
Initialized False
Ready False
ContainersReady False
PodScheduled True
Volumes:
plugins:
Type: EmptyDir (a temporary directory that shares a pod's lifetime)
Medium:
SizeLimit: <unset>
jenkins-config:
Type: ConfigMap (a volume populated by a ConfigMap)
Name: jenkins
Optional: false
plugin-dir:
Type: EmptyDir (a temporary directory that shares a pod's lifetime)
Medium:
SizeLimit: <unset>
jenkins-home:
Type: PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
ClaimName: jenkins
ReadOnly: false
sc-config-volume:
Type: EmptyDir (a temporary directory that shares a pod's lifetime)
Medium:
SizeLimit: <unset>
admin-secret:
Type: Secret (a volume populated by a Secret)
SecretName: jenkins
Optional: false
jenkins-token-zjzdt:
Type: Secret (a volume populated by a Secret)
SecretName: jenkins-token-zjzdt
Optional: false
QoS Class: Burstable
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s
node.kubernetes.io/unreachable:NoExecute for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled <unknown> default-scheduler Successfully assigned jenkins/jenkins-0 to ip-172-31-40-127
Normal Pulled 15m (x4 over 16m) kubelet, ip-172-31-40-127 Successfully pulled image "jenkins/jenkins:lts"
Normal Created 15m (x4 over 16m) kubelet, ip-172-31-40-127 Created container init
Normal Started 15m (x4 over 16m) kubelet, ip-172-31-40-127 Started container init
Normal Pulling 14m (x5 over 16m) kubelet, ip-172-31-40-127 Pulling image "jenkins/jenkins:lts"
Warning BackOff 74s (x71 over 16m) kubelet, ip-172-31-40-127 Back-off restarting failed container
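Solution
I have seen this happen when using hostPath on a single-node Minikube cluster, as in the documentation. The problem is that the /data/jenkins-volume folder on the Minikube node is created with root ownership.
So, if you don't want to run as root (runAsUser: 0), you just need to change the permissions of /data/jenkins-volume from inside the node: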
$ minikube ssh
$ sudo chown -R 1000:1000 /data/jenkins-volume
After doing this, you can create the pv and deploy Jenkins with Helm, using the following values:
runAsUser: 1000
fsGroup: 1000
It worked for me.
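Kubernetes does not change the ownership of a hostPath directory to match fsGroup, so the directory's owner and mode on the node decide whether the init container can write to /var/jenkins_home. The following preflight check is an added example, not part of the original question or answer; the function name can_write and the script name are hypothetical, and it assumes a `stat` that supports `-c`.

```shell
#!/bin/sh
# Added example: predict whether a container UID/GID can create files in a
# hostPath directory, using only the directory's on-node owner and mode.
# Simplified model: ignores ACLs, SELinux/AppArmor and read-only mounts.
# Assumes a stat that supports `-c` (GNU coreutils).

# can_write DIR UID GID -> exit 0 if writable, 1 if not, 2 if DIR cannot be read
can_write() {
    cw_dir=$1 cw_uid=$2 cw_gid=$3
    cw_info=$(stat -c '%u %g %a' "$cw_dir" 2>/dev/null) || return 2
    set -- $cw_info
    cw_owner=$1 cw_group=$2
    cw_mode=000$3                          # pad so short modes like "0" parse
    cw_perms=${cw_mode#"${cw_mode%???}"}   # last three octal digits

    [ "$cw_uid" -eq 0 ] && return 0        # root bypasses the mode bits

    # Linux applies exactly one class: owner, else group, else other.
    if [ "$cw_uid" -eq "$cw_owner" ]; then
        cw_bits=${cw_perms%??}
    elif [ "$cw_gid" -eq "$cw_group" ]; then
        cw_bits=${cw_perms#?}; cw_bits=${cw_bits%?}
    else
        cw_bits=${cw_perms#??}
    fi
    # Creating a file in a directory needs write (2) and search (1).
    [ $(( cw_bits & 3 )) -eq 3 ]
}

# Usage on the node: sh check-hostpath.sh /data/jenkins-volume 1000 1000
if [ "$#" -eq 3 ]; then
    if can_write "$1" "$2" "$3"; then
        echo "OK: $2:$3 can write to $1"
    else
        echo "DENIED: $2:$3 cannot write to $1 (chown it on the node or change runAsUser)"
    fi
fi
```

Run it inside `minikube ssh` before and after the `chown` to confirm that UID 1000 moves from DENIED to OK.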