Pod does not start (not Available and ReplicaFailure)

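Problem description

The Pod does not start. The oc (kubectl) get pods command does not show the Pod.

Error summary:

Type : Status : Reason

Progressing : True : NewReplicaSetAvailable

Available : False : MinimumReplicasUnavailable

ReplicaFailure : True : FailedCreate

Deployment YAML file: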

kind: Deployment
apiVersion: apps/v1
metadata:
  annotations:
    deployment.kubernetes.io/revision: '2'
  selfLink: >-
    /apis/apps/v1/namespaces/awag-project/deployments/integrated-repository-webapp
  resourceVersion: '3460356'
  name: integrated-repository-webapp
 
 ...

status:
  observedGeneration: 10
  unavailableReplicas: 1
  conditions:
    - type: Progressing
      status: 'True'
       ...
      reason: NewReplicaSetAvailable
      message: >-
        ReplicaSet "integrated-repository-webapp-d69879c5f" has successfully
        progressed.
    - type: Available
      status: 'False'
      ...
      reason: MinimumReplicasUnavailable
      message: Deployment does not have minimum availability.
    - type: ReplicaFailure
      status: 'True'
      ...
      reason: FailedCreate
      message: >-
        pods "integrated-repository-webapp-d69879c5f-" is forbidden: unable to
        validate against any security context constraint:
        [spec.containers[0].securityContext.containers[0].hostPort: Invalid
        value: 80: Host ports are not allowed to be used
        spec.containers[0].securityContext.containers[0].hostPort: Invalid
        value: 443: Host ports are not allowed to be used]

describe deployment command output:

Name:                   integrated-repository-webapp
Namespace:              awag-project
CreationTimestamp:      Tue, 13 Jul 2021 00:31:31 +0900
Labels:                 <none>
Annotations:            deployment.kubernetes.io/revision: 2
Selector:               app=integrated-repository-webapp
Replicas:               1 desired | 0 updated | 0 total | 0 available | 1 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  25% max unavailable, 25% max surge
Pod Template:
  Labels:  app=integrated-repository-webapp
  Containers:
   integrated-repository-webapp:
    Image:       jp.icr.io/etp-namespace/integrated-repository
    Ports:       9080/TCP, 9443/TCP
    Host Ports:  80/TCP, 443/TCP
    Environment Variables from:
      integrated-repository-webapp-config  ConfigMap  Optional: false
    Environment:
   ...
    Mounts:                                              <none>
  Volumes:                                               <none>
Conditions:
  Type             Status  Reason
  ----             ------  ------
  Progressing      True    NewReplicaSetAvailable
  Available        False   MinimumReplicasUnavailable
  ReplicaFailure   True    FailedCreate
OldReplicaSets:    <none>
NewReplicaSet:     integrated-repository-webapp-d69879c5f (0/1 replicas created)
Events:
  Type    Reason             Age                From                   Message
  ----    ------             ----               ----                   -------
  Normal  ScalingReplicaSet  63m                deployment-controller  Scaled up replica set integrated-repository-webapp-f9cd69684 to 2
  Normal  ScalingReplicaSet  63m                deployment-controller  Scaled down replica set integrated-repository-webapp-f9cd69684 to 1
  Normal  ScalingReplicaSet  51m (x3 over 66m)  deployment-controller  Scaled up replica set integrated-repository-webapp-f9cd69684 to 1
  Normal  ScalingReplicaSet  17m (x3 over 53m)  deployment-controller  Scaled down replica set integrated-repository-webapp-f9cd69684 to 0
  Normal  ScalingReplicaSet  17m                deployment-controller  Scaled down replica set integrated-repository-webapp-d69879c5f to 0
  Normal  ScalingReplicaSet  17m (x2 over 18m)  deployment-controller  Scaled up replica set integrated-repository-webapp-d69879c5f to 1


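Edit 1

To start the pod as the root user, I created a ServiceAccount and attached it to the deployment. The Pod changed to Pending status but is not running. The port error seems to be resolved, but it is not available due to MinimumReplicasUnavailable.

1. Reproducing the error:

Create the service account "ir-sa"

oc create sa ir-sa

oc adm policy add-scc-to-user privileged -z ir-sa

Patch the deployment

spec:
  template:
    spec:
      serviceAccountName: ir-sa

2. Deployment YAML file: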

conditions:
   - type: Progressing
     status: 'True'
     ...
     reason: NewReplicaSetAvailable
     message: >-
       ReplicaSet "integrated-repository-webapp-76c767549" has successfully
       progressed.
   - type: Available
     status: 'False'
     ...
     reason: MinimumReplicasUnavailable
     message: Deployment does not have minimum availability.

3. describe pod command output

  Type     Reason                  Age                    From               Message
  ----     ------                  ----                   ----               -------
  Normal   Scheduled               5m46s                  default-scheduler  Successfully assigned awag-project/integrated-repository-webapp-76c767549-rrbcx to 10.244.0.11
  Normal   AddedInterface          5m46s                  multus             Add eth0 [172.17.20.41/32]
  Warning  FailedCreatePodSandBox  5m45s                  kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = failed to add hostport mapping for sandbox k8s_integrated-repository-webapp-76c767549-rrbcx_awag-project_07f11210-f70e-4553-b598-862b101eb57a_0(61bf202c0bd3423444ec64e8f50a9a1aa2cdf173fe9a638e31a3113ec8775eed): cannot open hostport 443 for pod k8s_integrated-repository-webapp-76c767549-rrbcx_awag-project_07f11210-f70e-4553-b598-862b101eb57a_0_: listen tcp4 :443: bind: address already in use
  Normal   AddedInterface          5m44s                  multus             Add eth0 [172.17.20.56/32]
…

  Warning  FailedCreatePodSandBox  44s (x141 over 5m27s)  kubelet            (combined from similar events): Failed to create pod sandbox: rpc error: code = Unknown desc = failed to add hostport mapping for sandbox k8s_integrated-repository-webapp-76c767549-rrbcx_awag-project_07f11210-f70e-4553-b598-862b101eb57a_0(d47342c920507c8e9c65c3afd808caec4f73524d5c08b76ab2dc0db0b1004453): cannot open hostport 443 for pod k8s_integrated-repository-webapp-76c767549-rrbcx_awag-project_07f11210-f70e-4553-b598-862b101eb57a_0_: listen tcp4 :443: bind: address already in use


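Edit 2

I added an Ingress and changed the deployment's port to 444. The Pod is still in Pending status, but the reason changed to ImagePullBackOff.

1. Create the Ingress

kubectl get ingress command output (the actual ingress subdomain has been redacted as INGRESS-SUBDOMAIN)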

NAME                                   CLASS    HOSTS                                                                                              ADDRESS   PORTS     AGE
integrated-repository-webapp-ingress   <none>   INGRESS-SUBDOMAIN            80, 443   24h

2. Change the deployment's port 443 to 444

Deployment YAML (spec.template.spec.ports)

ports:
  - hostPort: 80
    containerPort: 9080
    protocol: TCP
  - hostPort: 444  # it was 443 before
    containerPort: 9443
    protocol: TCP

3. Got a different error message

Deployment YAML file

status:
  observedGeneration: 28
  replicas: 2
  updatedReplicas: 1
  unavailableReplicas: 2
  conditions:
    - type: Available
      status: 'False'
      …
      reason: MinimumReplicasUnavailable
      message: Deployment does not have minimum availability.
    - type: Progressing
      status: 'False'
       …
      reason: ProgressDeadlineExceeded
      message: >-
        ReplicaSet "integrated-repository-webapp-5bcb99db9d" has timed out
        progressing.


describe pod command output

Name:         integrated-repository-webapp-5bcb99db9d-s76br
Namespace:    awag-project
…
Status:       Pending
…
Containers:
  integrated-repository-webapp:
   …
    Ports:          9080/TCP, 9443/TCP
    Host Ports:     80/TCP, 444/TCP
    State:          Waiting
      Reason:       ImagePullBackOff
    Ready:          False
    Restart Count:  0
    Environment Variables from:
      integrated-repository-webapp-config  ConfigMap  Optional: false
    …
Conditions:
  Type              Status
  Initialized       True 
  Ready             False 
  ContainersReady   False 
  PodScheduled      True 
Volumes:
  ir-sa-token-v848t:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  ir-sa-token-v848t
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason          Age                    From               Message
  ----     ------          ----                   ----               -------
  Normal   Scheduled       41m                    default-scheduler  Successfully assigned awag-project/integrated-repository-webapp-5bcb99db9d-s76br to 10.244.0.12
  Normal   AddedInterface  41m                    multus             Add eth0 [172.17.54.125/32]
  Normal   Pulling         40m (x4 over 41m)      kubelet            Pulling image "jp.icr.io/etp-namespace/integrated-repository"
  Warning  Failed          40m (x4 over 41m)      kubelet            Failed to pull image "jp.icr.io/etp-namespace/integrated-repository": rpc error: code = Unknown desc = unable to retrieve auth token: invalid username/password: unauthorized: The login credentials are not valid, or your IBM Cloud account is not active.
  Warning  Failed          40m (x4 over 41m)      kubelet            Error: ErrImagePull
  Warning  Failed          6m49s (x153 over 41m)  kubelet            Error: ImagePullBackOff
  Normal   BackOff         105s (x175 over 41m)   kubelet            Back-off pulling image "jp.icr.io/etp-namespace/integrated-repository"

Tags: kubernetes, openshift, ibm-cloud, kubernetes-pod

Solution


  message: >-
    pods "integrated-repository-webapp-d69879c5f-" is forbidden: unable to
    validate against any security context constraint:
    [spec.containers[0].securityContext.containers[0].hostPort: Invalid
    value: 80: Host ports are not allowed to be used
    spec.containers[0].securityContext.containers[0].hostPort: Invalid
    value: 443: Host ports are not allowed to be used]

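You are trying to bind the application in the container to ports 80 and 443, which are below 1024; this is not allowed for non-root users, and that is exactly what happened in your case. As user SYN mentioned in the previous question https://stackoverflow.com/a/68328710/1025312, OpenShift uses a random UID. So you need to change the ports in the container to, for example, 8080, 8443, or any other port above 1024.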
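
An added example, not part of the original question or answer: a Python check over a Deployment object as returned by `oc get deployment -o json`. It extracts the host ports rejected in the ReplicaFailure message and lists every hostPort or sub-1024 containerPort in the pod template. SAMPLE is constructed from the values shown in the question, and the function names are hypothetical.

```python
import re

# Constructed sample built from the values in the question, shaped like
# `oc get deployment -o json` output (only the fields the checks read).
SAMPLE = {
    "spec": {"template": {"spec": {"containers": [{
        "name": "integrated-repository-webapp",
        "ports": [
            {"hostPort": 80, "containerPort": 9080, "protocol": "TCP"},
            {"hostPort": 443, "containerPort": 9443, "protocol": "TCP"},
        ],
    }]}}},
    "status": {"conditions": [{
        "type": "ReplicaFailure", "status": "True", "reason": "FailedCreate",
        "message": (
            'pods "integrated-repository-webapp-d69879c5f-" is forbidden: unable to '
            "validate against any security context constraint: "
            "[spec.containers[0].securityContext.containers[0].hostPort: Invalid "
            "value: 80: Host ports are not allowed to be used "
            "spec.containers[0].securityContext.containers[0].hostPort: Invalid "
            "value: 443: Host ports are not allowed to be used]"
        ),
    }]},
}

DENIED = re.compile(r"hostPort: Invalid value: (\d+): Host ports are not allowed")

def scc_rejected_host_ports(deployment):
    """Return the host ports named in a ReplicaFailure condition message."""
    ports = set()
    for cond in deployment.get("status", {}).get("conditions", []):
        if cond.get("type") == "ReplicaFailure" and cond.get("status") == "True":
            ports.update(int(p) for p in DENIED.findall(cond.get("message", "")))
    return sorted(ports)

def port_findings(deployment):
    """List (container, kind, port) for each hostPort and containerPort < 1024."""
    findings = []
    for c in deployment["spec"]["template"]["spec"].get("containers", []):
        for p in c.get("ports", []):
            if p.get("hostPort"):
                findings.append((c["name"], "hostPort", p["hostPort"]))
            cp = p.get("containerPort")
            if cp is not None and cp < 1024:
                findings.append((c["name"], "containerPort<1024", cp))
    return findings
```

An empty result from `port_findings` means the pod template requests no host ports and no container ports below 1024.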

