存储虚假 SSL 证书的意外错误：无法创建 PEM 证书

Question

-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       0.26.1
  Build:         git-2de5a893a
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: openresty/1.15.8.2

-------------------------------------------------------------------------------

W0719 06:58:01.543840       6 flags.go:243] SSL certificate chain completion is disabled (--enable-ssl-chain-completion=false)
W0719 06:58:01.544045       6 client_config.go:541] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I0719 06:58:01.544341       6 main.go:182] Creating API client for https://10.233.0.1:443
I0719 06:58:01.558257       6 main.go:226] Running in Kubernetes cluster version v1.16 (v1.16.3) - git (clean) commit b3cbbae08ec52a7fc73d334838e18d17e8512749 - platform linux/amd64
F0719 06:58:01.857260       6 ssl.go:389] unexpected error storing fake SSL Cert: could not create PEM certificate file /etc/ingress-controller/ssl/default-fake-certificate.pem: open /etc/ingress-controller/ssl/default-fake-certificate.pem: permission denied

1.我的ingress-controller有3个副本，但是2个副本正常，1个副本异常。

我是中国人，我会说一点英文。欢迎帮忙解答

Answer 1

MountVolume.SetUp 卷“ingress-nginx-token-w8mq2”失败：无法同步秘密缓存：等待条件超时

NAME                             READY   STATUS             RESTARTS   AGE
ingress-nginx-controller-7p77g   1/1     Running            0          3h19m
ingress-nginx-controller-9cwzt   0/1     CrashLoopBackOff   2          12m
ingress-nginx-controller-qbww8   1/1     Running            0          3h19m

Answer 2

如果我正确理解您的问题，您可以通过在 yaml 文件的SecurityContext中添加runAsUser指令来解决它。 看例子yaml：

securityContext:
  runAsUser: 1000
  runAsGroup: 3000
  fsGroup: 2000
  fsGroupChangePolicy: "OnRootMismatch"

在这里你可以找到关于 Kuberenetes 安全上下文的完整指南。 您需要输入有权创建证书的用户 ID。

也可以看看：

• 堆栈上的类似问题
• 与此问题相关的文章和可能的解决方案