stackoom
  简体   繁体   中英

Helm / Kubernetes - Statefulset & Permissions

 原文  2017-11-02 23:53:13       postgresql/ kubernetes/ containers/ statefulset/ kubernetes-helm

Question

I keep seeing this error: 

Events:
  FirstSeen LastSeen    Count   From        SubObjectPath   Type        Reason      Message
  --------- --------    -----   ----        -------------   --------    ------      -------
  12s       2s      12  {statefulset }          Warning     FailedCreate    create Pod pgset-0 in StatefulSet pgset failed error: pods "pgset-0" is forbidden: unable to validate against any security context constraint: [fsGroup: Invalid value: []int64{26}: 26 is not an allowed group]

I've created a ServiceAccount named "pgset-sa", and granted it the cluster-admin role. I've been researching other ways to get this to work (including editing scc restricted), but keep getting the error from fsGroup stating it's not an allowed group. What am I missing? 

apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
  name: "{{.Values.ContainerName}}"
  labels:
    name: "{{.Values.ReplicaName}}"
    app: "{{.Values.ContainerName}}"
    chart: "{{.Chart.Name}}-{{.Chart.Version}}"
  annotations:
    "helm.sh/created": {{.Release.Time.Seconds | quote }}
spec:
  selector:
    matchLabels:
      app: "{{.Values.ContainerName}}"
  serviceName: "{{.Values.ContainerName}}"
  replicas: 2
  template:
    metadata:
      labels:
        app: "{{.Values.ContainerName}}"
    spec:
      serviceAccount: "{{.Values.ContainerServiceAccount}}"
      securityContext:
        fsGroup: 26
      terminationGracePeriodSeconds: 10
      containers:
      - name: {{.Values.ContainerName}}
        image: "{{.Values.PostgresImage}}"
        ports:
        - containerPort: 5432
          name: postgres
        resources:
          requests:
            cpu: {{default "100m" .Values.Cpu}}
            memory: {{default "100M" .Values.Memory}}
        env:
        - name: PGHOST
          value: /tmp
        - name: PG_PRIMARY_USER
          value: primaryuser
        - name: PG_MODE
          value: set
        - name: PG_PRIMARY_HOST
          value: "{{.Values.PrimaryName}}"
        - name: PG_PRIMARY_PORT
          value: "5432"
        - name: PG_PRIMARY_PASSWORD
          value: "{{.Values.PrimaryPassword}}"
        - name: PG_USER
          value: testuser
        - name: PG_PASSWORD
          value: "{{.Values.UserPassword}}"
        - name: PG_DATABASE
          value: userdb
        - name: PG_ROOT_PASSWORD
          value: "{{.Values.RootPassword}}"
        volumeMounts:
        - name: pgdata
          mountPath: "/pgdata"
          readOnly: false
      volumes:
      - name: pgdata
        persistentVolumeClaim:
          claimName: {{.Values.PVCName}}

1 answers

solution1
 2 ACCPTED  2017-11-03 00:35:20

Take a look at this document titled: Managing Security Context Constraints .

The service account associated with the statefulset must be granted a security context constraint sufficient to allow the pod (one that either allows exactly the fsGroup 26 or allows any fsGroup, in this case).

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Install PostgreSQL on Kubernetes with Helm 3 Kubernetes Helm Chart - Debugging why the postgersql kubernetes statefulset did not claim the PVC kubernetes timescaledb statefulset: Changes lost on pod recreation Deploy sentry helm in kubernetes cluster How to have data persist in GKE kubernetes StatefulSet with postgres? Deploy Microservice to Kubernetes with PostgreSQL via using Helm postgreSQL kubernetes helm installation - reading from slaves Kubernetes helm for creating DB scripts for Database Conatiner How to change Postgresql max_connections config via Kubernetes statefulset environment variable?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM