Unable to deploy pgadmin on a Kubernetes cluster
I want to deploy pgadmin on a Kubernetes cluster to access the database. Unfortunately, I think the pgadmin pod is crashing because of a PSP issue. I know PSPs are deprecated and we plan to switch to OPA soon, but in the meantime it would be very useful to use pgadmin.
The deployment file looks like this:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pgadmin
spec:
  selector:
    matchLabels:
      app: pgadmin
  replicas: 1
  template:
    metadata:
      labels:
        app: pgadmin
    spec:
      containers:
        - name: pgadmin4
          image: dpage/pgadmin4:latest
          env:
            - name: PGADMIN_DEFAULT_EMAIL
              value: "test@ind.nl"
            - name: PGADMIN_DEFAULT_PASSWORD
              value: "test"
            - name: PGADMIN_PORT
              value: "80"
          ports:
            - containerPort: 80
              name: pgadminport
          securityContext:
            runAsUser: 0
            runAsGroup: 0
            allowPrivilegeEscalation: true
            readOnlyRootFilesystem: false
---
apiVersion: v1
kind: Service
metadata:
  name: pgadmin
  labels:
    app: pgadmin
spec:
  selector:
    app: pgadmin
  type: NodePort
  ports:
    - port: 80
      nodePort: 30200
It returns logs showing permission problems:
/entrypoint.sh: line 62: /venv/bin/python3: Operation not permitted
sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted
sudo: no valid sudoers sources found, quitting
sudo: error initializing audit plugin sudoers_audit
/entrypoint.sh: line 84: /venv/bin/python3: Operation not permitted
/entrypoint.sh: exec: line 92: /venv/bin/gunicorn: Operation not permitted
When I change the runAsUser and runAsGroup variables to 5050, it returns the following logs:
/entrypoint.sh: line 62: /venv/bin/python3: Operation not permitted
sudo: unable to change to root gid: Operation not permitted
sudo: error initializing audit plugin sudoers_audit
/entrypoint.sh: line 84: /venv/bin/python3: Operation not permitted
/entrypoint.sh: exec: line 92: /venv/bin/gunicorn: Operation not permitted
When I change the runAsGroup variable back to 0, it returns the following logs:
/entrypoint.sh: line 62: /venv/bin/python3: Operation not permitted
sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted
sudo: no valid sudoers sources found, quitting
sudo: setresuid() [0, 0, 0] -> [5050, -1, -1]: Operation not permitted
sudo: error initializing audit plugin sudoers_audit
/entrypoint.sh: line 84: /venv/bin/python3: Operation not permitted
/entrypoint.sh: exec: line 92: /venv/bin/gunicorn: Operation not permitted
Update: the PSP in use looks like this:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  annotations:
    psp.rke2.io/global-restricted: resolved
  creationTimestamp: "2022-06-30T14:00:25Z"
  name: global-restricted-psp
  resourceVersion: "3493795"
  uid: b7209f38-9609-4b81-b3ef-ab7a17b39bbd
spec:
  allowPrivilegeEscalation: true
  fsGroup:
    ranges:
      - max: 65535
        min: 0
    rule: MustRunAs
  requiredDropCapabilities:
    - ALL
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    ranges:
      - max: 65535
        min: 0
    rule: MustRunAs
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
Anyone have any ideas?
I think what you are missing here is the configuration for handling persistent data. I tried the same deployment file as yours, only adding the volumes and volumeMounts configuration, even though it is an emptyDir (you will probably want to persist the data), and it works.
Then, using the command
kubectl port-forward pgadmin-6ff557759c-m5cxn 8080:80
I was able to access the pg-admin console locally at http://127.0.0.1:8080.
This is the deployment.yaml file:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pgadmin
spec:
  selector:
    matchLabels:
      app: pgadmin
  replicas: 1
  template:
    metadata:
      labels:
        app: pgadmin
    spec:
      containers:
        - name: pgadmin4
          image: dpage/pgadmin4:latest
          env:
            - name: PGADMIN_DEFAULT_EMAIL
              value: "test@ind.nl"
            - name: PGADMIN_DEFAULT_PASSWORD
              value: "test"
            - name: PGADMIN_PORT
              value: "80"
          ports:
            - containerPort: 80
              name: pgadminport
          securityContext:
            runAsUser: 5050
            runAsGroup: 5050
            allowPrivilegeEscalation: true
            readOnlyRootFilesystem: false
          volumeMounts:
            - mountPath: /var/lib/pgadmin
              name: pgadmin-data
      volumes:
        - emptyDir: {}
          name: pgadmin-data
Well, I also changed runAsUser and runAsGroup to 5050 (taking some inspiration from the helm chart here: https://artifacthub.io/packages/helm/runix/pgadmin4, although it may not be needed).
That said, using the helm chart would be much easier, since it lets you handle the configuration easily to add a PersistentVolume via an existing PersistentVolumeClaim or a storageClass.
Hope this helps!
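As an added example, not part of the question or the answer above, a small Python checker that evaluates a pod spec against the fields of the quoted PSP. The PSP and the pod are hand-built dicts mirroring the YAML on this page, and the capability finding rests on the Linux rule that dropping ALL capabilities removes CAP_SETUID/CAP_SETGID, which the setresuid() calls in the logged sudo errors need.

```python
from typing import Dict, List

# Constructed PSP dict mirroring the global-restricted-psp spec quoted in the question.
PSP = {
    "allowPrivilegeEscalation": True,
    "requiredDropCapabilities": ["ALL"],
    "runAsUser": {"rule": "RunAsAny"},
    "fsGroup": {"rule": "MustRunAs", "ranges": [{"min": 0, "max": 65535}]},
    "volumes": ["configMap", "emptyDir", "projected", "secret",
                "downwardAPI", "persistentVolumeClaim"],
}


def _in_ranges(value: int, ranges: List[Dict]) -> bool:
    return any(r["min"] <= value <= r["max"] for r in ranges)


def check_pod(pod_spec: Dict, psp: Dict = PSP) -> List[str]:
    """Compare a pod spec (the `spec:` under `template:`) with a PSP; return findings."""
    findings: List[str] = []
    # Volume types: every key other than `name` names the volume source type.
    for vol in pod_spec.get("volumes", []):
        for kind in (k for k in vol if k != "name"):
            if kind not in psp["volumes"]:
                findings.append(f"volume {vol['name']}: type {kind} not permitted")
    # fsGroup is pod-level; MustRunAs requires it to fall inside the allowed ranges.
    fs = pod_spec.get("securityContext", {}).get("fsGroup")
    fs_rule = psp["fsGroup"]
    if fs_rule["rule"] == "MustRunAs" and fs is not None and not _in_ranges(fs, fs_rule["ranges"]):
        findings.append(f"fsGroup {fs} outside PSP ranges")
    for c in pod_spec.get("containers", []):
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("allowPrivilegeEscalation") and not psp["allowPrivilegeEscalation"]:
            findings.append(f"{name}: allowPrivilegeEscalation not permitted")
        uid = sc.get("runAsUser")
        ru = psp["runAsUser"]
        if ru["rule"] == "MustRunAsNonRoot" and uid == 0:
            findings.append(f"{name}: must run as non-root")
        elif ru["rule"] == "MustRunAs" and (uid is None or not _in_ranges(uid, ru["ranges"])):
            findings.append(f"{name}: runAsUser {uid} outside PSP ranges")
        # Dropping ALL removes CAP_SETUID/CAP_SETGID, so an entrypoint that calls sudo
        # or switches user gets EPERM ("Operation not permitted") even when uid is 0.
        if "ALL" in psp["requiredDropCapabilities"]:
            findings.append(f"{name}: all capabilities dropped; sudo/setuid in the entrypoint fails with EPERM")
    return findings


# Constructed pod spec matching the container block from the question.
QUESTION_POD = {"containers": [{"name": "pgadmin4", "securityContext": {
    "runAsUser": 0, "runAsGroup": 0, "allowPrivilegeEscalation": True}}]}
```

Running check_pod(QUESTION_POD) reports only the dropped-capabilities finding, which matches the setresuid() failures in the logs rather than a uid or volume-type violation.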