时间戳

首页 > 解决方案 > K8S cert-manager 创建 acme 挑战 pod 时出错

kubernetes - K8S cert-manager 创建 acme 挑战 pod 时出错

问题描述

在过去的 3 天里,我一直在尝试在具有 1 个主节点和 2 个节点的 OpenStack 环境中的 K8S 集群(v1.19.8)上设置 cert-manager。它以前工作过(比如 1 个月前),但是由于我重新创建了集群,因此由于此错误而无法创建 pod ACME 挑战:

Status:
  Presented:   false
  Processing:  true
  Reason:      pods "cm-acme-http-solver-" is forbidden: PodSecurityPolicy: unable to admit pod: []
  State:       pending
Events:
  Type     Reason        Age                    From          Message
  ----     ------        ----                   ----          -------
  Normal   Started       8m25s                  cert-manager  Challenge scheduled for processing
  Warning  PresentError  3m18s (x7 over 8m23s)  cert-manager  Error presenting challenge: pods "cm-acme-http-solver-" is forbidden: PodSecurityPolicy: unable to admit pod: []

我尝试了不同版本的 ingress-nginx、不同版本的 cert-manager、不同版本的 k8s,但无济于事。我快疯了……请帮忙。非常感谢 :)

集群设置

kubectl create namespace ingress-nginx && \
helm install ingress-nginx ingress-nginx/ingress-nginx -n ingress-nginx && \
kubectl create namespace cert-manager && \
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v1.1.0 \
  --set installCRDs=true

发行人

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: email@example.com
    preferredChain: "ISRG Root X1"
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: nginx

入口

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: main-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
    cert-manager.io/issuer: "letsencrypt-prod"
spec:
  tls:
  - hosts:
      - host.com
    secretName: the-secret-name
  rules:
  - host: host.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api-nginx
            port: 
              number: 80

标签: kubernetesopenstacknginx-ingresscert-manager

解决方案

经过一些调试和托管服务提供商的大力帮助,我们找到了问题和解决方案。

我们使用的是最新(来自主)版本的 Magnum/OpenStack,它获得了默认安装 PodSecurityPolicy 控制器的更新。这阻止了 cert-manager 创建 ACME pod。

在没有策略控制器的情况下重新创建集群解决了这个问题:

openstack coe cluster create \
  --cluster-template v1.kube1.20.4 \
  --labels \
admission_control_list="NodeRestriction,NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass,StorageObjectInUseProtection,PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,RuntimeClass" \
  --merge-labels
  ...

推荐阅读