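kubernetes - Pod is not started (Unavailable and ReplicaFailure)
Problem description
The Pod does not start. The oc (kubectl) get pods command does not show the Pod.
Error summary:
Type : Status : Reason
Progressing : True : NewReplicaSetAvailable
Available : False : MinimumReplicasUnavailable
ReplicaFailure : True : FailedCreate
Deployment YAML file: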
kind: Deployment
apiVersion: apps/v1
metadata:
  annotations:
    deployment.kubernetes.io/revision: '2'
  selfLink: >-
    /apis/apps/v1/namespaces/awag-project/deployments/integrated-repository-webapp
  resourceVersion: '3460356'
  name: integrated-repository-webapp
  ...
status:
  observedGeneration: 10
  unavailableReplicas: 1
  conditions:
    - type: Progressing
      status: 'True'
      ...
      reason: NewReplicaSetAvailable
      message: >-
        ReplicaSet "integrated-repository-webapp-d69879c5f" has successfully
        progressed.
    - type: Available
      status: 'False'
      ...
      reason: MinimumReplicasUnavailable
      message: Deployment does not have minimum availability.
    - type: ReplicaFailure
      status: 'True'
      ...
      reason: FailedCreate
      message: >-
        pods "integrated-repository-webapp-d69879c5f-" is forbidden: unable to
        validate against any security context constraint:
        [spec.containers[0].securityContext.containers[0].hostPort: Invalid
        value: 80: Host ports are not allowed to be used
        spec.containers[0].securityContext.containers[0].hostPort: Invalid
        value: 443: Host ports are not allowed to be used]
describe deployment command output:
Name: integrated-repository-webapp
Namespace: awag-project
CreationTimestamp: Tue, 13 Jul 2021 00:31:31 +0900
Labels: <none>
Annotations: deployment.kubernetes.io/revision: 2
Selector: app=integrated-repository-webapp
Replicas: 1 desired | 0 updated | 0 total | 0 available | 1 unavailable
StrategyType: RollingUpdate
MinReadySeconds: 0
RollingUpdateStrategy: 25% max unavailable, 25% max surge
Pod Template:
Labels: app=integrated-repository-webapp
Containers:
integrated-repository-webapp:
Image: jp.icr.io/etp-namespace/integrated-repository
Ports: 9080/TCP, 9443/TCP
Host Ports: 80/TCP, 443/TCP
Environment Variables from:
integrated-repository-webapp-config ConfigMap Optional: false
Environment:
...
Mounts: <none>
Volumes: <none>
Conditions:
Type Status Reason
---- ------ ------
Progressing True NewReplicaSetAvailable
Available False MinimumReplicasUnavailable
ReplicaFailure True FailedCreate
OldReplicaSets: <none>
NewReplicaSet: integrated-repository-webapp-d69879c5f (0/1 replicas created)
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal ScalingReplicaSet 63m deployment-controller Scaled up replica set integrated-repository-webapp-f9cd69684 to 2
Normal ScalingReplicaSet 63m deployment-controller Scaled down replica set integrated-repository-webapp-f9cd69684 to 1
Normal ScalingReplicaSet 51m (x3 over 66m) deployment-controller Scaled up replica set integrated-repository-webapp-f9cd69684 to 1
Normal ScalingReplicaSet 17m (x3 over 53m) deployment-controller Scaled down replica set integrated-repository-webapp-f9cd69684 to 0
Normal ScalingReplicaSet 17m deployment-controller Scaled down replica set integrated-repository-webapp-d69879c5f to 0
Normal ScalingReplicaSet 17m (x2 over 18m) deployment-controller Scaled up replica set integrated-repository-webapp-d69879c5f to 1
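Edited 1
To start the pod as the root user, I created a ServiceAccount and attached it to the deployment. The Pod changed to Pending status but is not running. The port error seems to be resolved, but it is still unavailable due to MinimumReplicasUnavailable.
1. Error reproduction:
Create the service account "ir-sa"
oc create sa ir-sa
oc adm policy add-scc-to-user privileged -z ir-sa
Patch the deployment
spec:
  template:
    spec:
      serviceAccountName: ir-sa
2. Deployment YAML file: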
conditions:
  - type: Progressing
    status: 'True'
    ...
    reason: NewReplicaSetAvailable
    message: >-
      ReplicaSet "integrated-repository-webapp-76c767549" has successfully
      progressed.
  - type: Available
    status: 'False'
    ...
    reason: MinimumReplicasUnavailable
    message: Deployment does not have minimum availability.
3. describe pod command output
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 5m46s default-scheduler Successfully assigned awag-project/integrated-repository-webapp-76c767549-rrbcx to 10.244.0.11
Normal AddedInterface 5m46s multus Add eth0 [172.17.20.41/32]
Warning FailedCreatePodSandBox 5m45s kubelet Failed to create pod sandbox: rpc error: code = Unknown desc = failed to add hostport mapping for sandbox k8s_integrated-repository-webapp-76c767549-rrbcx_awag-project_07f11210-f70e-4553-b598-862b101eb57a_0(61bf202c0bd3423444ec64e8f50a9a1aa2cdf173fe9a638e31a3113ec8775eed): cannot open hostport 443 for pod k8s_integrated-repository-webapp-76c767549-rrbcx_awag-project_07f11210-f70e-4553-b598-862b101eb57a_0_: listen tcp4 :443: bind: address already in use
Normal AddedInterface 5m44s multus Add eth0 [172.17.20.56/32]
…
Warning FailedCreatePodSandBox 44s (x141 over 5m27s) kubelet (combined from similar events): Failed to create pod sandbox: rpc error: code = Unknown desc = failed to add hostport mapping for sandbox k8s_integrated-repository-webapp-76c767549-rrbcx_awag-project_07f11210-f70e-4553-b598-862b101eb57a_0(d47342c920507c8e9c65c3afd808caec4f73524d5c08b76ab2dc0db0b1004453): cannot open hostport 443 for pod k8s_integrated-repository-webapp-76c767549-rrbcx_awag-project_07f11210-f70e-4553-b598-862b101eb57a_0_: listen tcp4 :443: bind: address already in use
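Edited 2
I added an Ingress and changed the deployment's port to 444. The Pod is still in Pending status, but the reason changed to ImagePullBackOff.
1. Create the Ingress
kubectl get ingress command output (the actual ingress subdomain is redacted as INGRESS-SUBDOMAIN)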
NAME CLASS HOSTS ADDRESS PORTS AGE
integrated-repository-webapp-ingress <none> INGRESS-SUBDOMAIN 80, 443 24h
2. Change the deployment's port 443 to 444
Deployment YAML (spec.template.spec.ports)
ports:
  - hostPort: 80
    containerPort: 9080
    protocol: TCP
  - hostPort: 444  # ← it was 443 before
    containerPort: 9443
    protocol: TCP
3. Got a different error message
Deployment YAML file
status:
  observedGeneration: 28
  replicas: 2
  updatedReplicas: 1
  unavailableReplicas: 2
  conditions:
    - type: Available
      status: 'False'
      …
      reason: MinimumReplicasUnavailable
      message: Deployment does not have minimum availability.
    - type: Progressing
      status: 'False'
      …
      reason: ProgressDeadlineExceeded
      message: >-
        ReplicaSet "integrated-repository-webapp-5bcb99db9d" has timed out
        progressing.
describe pod command output
Name: integrated-repository-webapp-5bcb99db9d-s76br
Namespace: awag-project
…
Status: Pending
…
Containers:
integrated-repository-webapp:
…
Ports: 9080/TCP, 9443/TCP
Host Ports: 80/TCP, 444/TCP
State: Waiting
Reason: ImagePullBackOff
Ready: False
Restart Count: 0
Environment Variables from:
integrated-repository-webapp-config ConfigMap Optional: false
…
Conditions:
Type Status
Initialized True
Ready False
ContainersReady False
PodScheduled True
Volumes:
ir-sa-token-v848t:
Type: Secret (a volume populated by a Secret)
SecretName: ir-sa-token-v848t
Optional: false
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 41m default-scheduler Successfully assigned awag-project/integrated-repository-webapp-5bcb99db9d-s76br to 10.244.0.12
Normal AddedInterface 41m multus Add eth0 [172.17.54.125/32]
Normal Pulling 40m (x4 over 41m) kubelet Pulling image "jp.icr.io/etp-namespace/integrated-repository"
Warning Failed 40m (x4 over 41m) kubelet Failed to pull image "jp.icr.io/etp-namespace/integrated-repository": rpc error: code = Unknown desc = unable to retrieve auth token: invalid username/password: unauthorized: The login credentials are not valid, or your IBM Cloud account is not active.
Warning Failed 40m (x4 over 41m) kubelet Error: ErrImagePull
Warning Failed 6m49s (x153 over 41m) kubelet Error: ImagePullBackOff
Normal BackOff 105s (x175 over 41m) kubelet Back-off pulling image "jp.icr.io/etp-namespace/integrated-repository"
Solution
message: >- pods "integrated-repository-webapp-d69879c5f-" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.containers[0].hostPort: Invalid value: 80: Host ports are not allowed to be used spec.containers[0].securityContext.containers[0].hostPort: Invalid value: 443: Host ports are not allowed to be used]
You are trying to bind the application in the container to ports 80 and 443, which are below 1024; this is not allowed for non-root users, and that is what actually happened in your case. As user SYN mentioned in the previous question https://stackoverflow.com/a/68328710/1025312, OpenShift uses random UIDs. So you need to change the ports in the container to, for example, 8080, 8443, or any other port greater than 1024.
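Added example (not part of the original question or answer): a pre-deployment check that flags the port settings behind the "Host ports are not allowed to be used" rejection and rewrites them as a Service mapping, so the pod can run without the privileged SCC. The manifest dict is constructed from the values shown on this page; the function names and the generated Service (including its name) are assumptions for illustration.

```python
import copy
import json

# Constructed from the values shown on this page (host ports 80/443, container ports 9080/9443).
DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "integrated-repository-webapp"},
    "spec": {
        "selector": {"matchLabels": {"app": "integrated-repository-webapp"}},
        "template": {"spec": {"containers": [{
            "name": "integrated-repository-webapp",
            "ports": [
                {"hostPort": 80, "containerPort": 9080, "protocol": "TCP"},
                {"hostPort": 443, "containerPort": 9443, "protocol": "TCP"},
            ],
        }]}},
    },
}

def find_port_findings(deployment):
    """List (container, field, port, reason) for ports that need extra privileges."""
    findings = []
    for c in deployment["spec"]["template"]["spec"].get("containers", []):
        for p in c.get("ports", []):
            if p.get("hostPort"):
                findings.append((c["name"], "hostPort", p["hostPort"],
                                 "rejected unless the SCC sets allowHostPorts: true"))
            if p["containerPort"] < 1024:
                findings.append((c["name"], "containerPort", p["containerPort"],
                                 "binding below 1024 usually needs root or NET_BIND_SERVICE"))
    return findings

def move_host_ports_to_service(deployment):
    """Return (deployment without hostPort, Service exposing the same port numbers)."""
    fixed = copy.deepcopy(deployment)
    ports = []
    for c in fixed["spec"]["template"]["spec"]["containers"]:
        for p in c.get("ports", []):
            host_port = p.pop("hostPort", None)
            if host_port:
                ports.append({"name": f"tcp-{host_port}", "port": host_port,
                              "targetPort": p["containerPort"], "protocol": p.get("protocol", "TCP")})
    service = {"apiVersion": "v1", "kind": "Service",
               "metadata": {"name": fixed["metadata"]["name"]},  # hypothetical Service name
               "spec": {"selector": fixed["spec"]["selector"]["matchLabels"], "ports": ports}}
    return fixed, service

if __name__ == "__main__":
    for finding in find_port_findings(DEPLOYMENT):
        print(finding)
    print(json.dumps(move_host_ports_to_service(DEPLOYMENT)[1], indent=2))
```

The rewritten Deployment keeps containerPort 9080/9443 only, and the Service carries ports 80 and 443 as targetPort mappings that an Ingress or Route can point at.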