尝试执行从init容器复制的文件时,Kubernetes卷emptyDir权限被拒绝
我对emptydir有问题: 将任何文件从init容器复制到emptydir会使其在主容器中无法执行 在我的4个节点中的3个节点上发生,在单个主节点上没有问题 成功运行它的主节点在某些文件上显示差异selinux标签 群集信息:尝试执行从init容器复制的文件时,Kubernetes卷emptyDir权限被拒绝,kubernetes,Kubernetes,我对emptydir有问题: 将任何文件从init容器复制到emptydir会使其在主容器中无法执行 在我的4个节点中的3个节点上发生,在单个主节点上没有问题 成功运行它的主节点在某些文件上显示差异selinux标签 群集信息: RHEL 7,SELinux许可,内部数据中心上的VM kubernetes 1.20,由kubeadm部署 4节点群集(1是主群集) Ex Pod Spec(在3个节点上失败,在单个主节点上成功): 显示故障的日志: uid=0(root) gid=0(root)
- RHEL 7,SELinux许可,内部数据中心上的VM
- kubernetes 1.20,由kubeadm部署
- 4节点群集(1是主群集)
uid=0(root) gid=0(root) groups=0(root)
total 140K
drwxrwxrwt. 2 root root system_u:object_r:tmpfs_t:s0 60 Apr 8 00:32 .
drwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0 49 Apr 8 00:32 ..
-rwxr-xr-x. 1 root root system_u:object_r:container_file_t:s0 139K Apr 8 00:32 mem-ls
total 8.0K
drwx------. 2 root root system_u:object_r:unlabeled_t:s0 37 Apr 1 01:26 .
drwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0 49 Apr 8 00:32 ..
-rw-r--r--. 1 root root system_u:object_r:unlabeled_t:s0 3.1K Dec 5 2019 .bashrc
-rw-r--r--. 1 root root system_u:object_r:unlabeled_t:s0 161 Dec 5 2019 .profile
total 140K
drwxrwxrwx. 2 root root system_u:object_r:container_file_t:s0 25 Apr 8 00:32 .
drwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0 49 Apr 8 00:32 ..
-rwxr-xr-x. 1 root root system_u:object_r:container_file_t:s0 139K Apr 8 00:32 empty-dir-ls
bash: /empty-dir/empty-dir-ls: Permission denied
uid=0(root) gid=0(root) groups=0(root)
total 140K
drwxrwxrwt. 2 root root system_u:object_r:tmpfs_t:s0 60 Apr 8 00:34 .
drwxr-xr-x. 1 root root system_u:object_r:container_share_t:s0 49 Apr 8 00:34 ..
-rwxr-xr-x. 1 root root system_u:object_r:container_file_t:s0 139K Apr 8 00:34 mem-ls
total 8.0K
drwx------. 2 root root system_u:object_r:container_share_t:s0 37 Apr 1 01:26 .
drwxr-xr-x. 1 root root system_u:object_r:container_share_t:s0 49 Apr 8 00:34 ..
-rw-r--r--. 1 root root system_u:object_r:container_share_t:s0 3.1K Dec 5 2019 .bashrc
-rw-r--r--. 1 root root system_u:object_r:container_share_t:s0 161 Dec 5 2019 .profile
total 140K
drwxrwxrwx. 2 root root system_u:object_r:container_file_t:s0 25 Apr 8 00:34 .
drwxr-xr-x. 1 root root system_u:object_r:container_share_t:s0 49 Apr 8 00:34 ..
-rwxr-xr-x. 1 root root system_u:object_r:container_file_t:s0 139K Apr 8 00:34 empty-dir-ls
total 8.0K
drwx------. 2 root root system_u:object_r:container_share_t:s0 37 Apr 1 01:26 .
drwxr-xr-x. 1 root root system_u:object_r:container_share_t:s0 49 Apr 8 00:34 ..
-rw-r--r--. 1 root root system_u:object_r:container_share_t:s0 3.1K Dec 5 2019 .bashrc
-rw-r--r--. 1 root root system_u:object_r:container_share_t:s0 161 Dec 5 2019 .profile
非常感谢您的指导或建议 经过几天的谷歌搜索和故障排除,我解决了这个问题-问题是: /var在fstab中与noexec一起装入 我的单个主节点是在其他节点之前设置的。在此期间,公司策略必须在/var上采用默认的noexec挂载选项以提高安全性。您可以从fstab中的/var条目中删除noexec(得到它的批准),或者为/var/lib/kubelet创建一个新的挂载,并在没有noexec的情况下挂载该挂载。无论哪种方式,您都需要重新启动 对于遇到此问题的任何人,我还发现了其他几个潜在原因:
- ACL-如果您在任何地方使用ACL,请确保没有/var/lib/kubelet的条目:
getfacl-e/var/lib/kubelet/pods- SELinux-如果在强制模式下运行,请使用ls检查SELinux标签的-Z选项。这些标签看起来不错,不确定是否有一系列可接受的标签,但可能值得检查
- Pod安全策略:如果您仍然有这些策略,那么它们将被弃用。
- Pod安全上下文:确保正确配置这些上下文
- Noexec或/var/lib/kubelet/pods上的其他装载选项-这是我的问题。假设您的系统使用fstab在引导时装载,请从包含/var/lib/kubelet/pods的装载点删除noexec。或者,在/var/lib/kubelet/pods处创建一个新的装载点,并从其fstab条目中省略noexec
uid=0(root) gid=0(root) groups=0(root)
total 140K
drwxrwxrwt. 2 root root system_u:object_r:tmpfs_t:s0 60 Apr 8 00:34 .
drwxr-xr-x. 1 root root system_u:object_r:container_share_t:s0 49 Apr 8 00:34 ..
-rwxr-xr-x. 1 root root system_u:object_r:container_file_t:s0 139K Apr 8 00:34 mem-ls
total 8.0K
drwx------. 2 root root system_u:object_r:container_share_t:s0 37 Apr 1 01:26 .
drwxr-xr-x. 1 root root system_u:object_r:container_share_t:s0 49 Apr 8 00:34 ..
-rw-r--r--. 1 root root system_u:object_r:container_share_t:s0 3.1K Dec 5 2019 .bashrc
-rw-r--r--. 1 root root system_u:object_r:container_share_t:s0 161 Dec 5 2019 .profile
total 140K
drwxrwxrwx. 2 root root system_u:object_r:container_file_t:s0 25 Apr 8 00:34 .
drwxr-xr-x. 1 root root system_u:object_r:container_share_t:s0 49 Apr 8 00:34 ..
-rwxr-xr-x. 1 root root system_u:object_r:container_file_t:s0 139K Apr 8 00:34 empty-dir-ls
total 8.0K
drwx------. 2 root root system_u:object_r:container_share_t:s0 37 Apr 1 01:26 .
drwxr-xr-x. 1 root root system_u:object_r:container_share_t:s0 49 Apr 8 00:34 ..
-rw-r--r--. 1 root root system_u:object_r:container_share_t:s0 3.1K Dec 5 2019 .bashrc
-rw-r--r--. 1 root root system_u:object_r:container_share_t:s0 161 Dec 5 2019 .profile
ls -alhZ /var/lib/kubelet/pods/
drwxr-xr-x. root root system_u:object_r:container_file_t:s0 .
drwxr-xr-x. root root system_u:object_r:container_file_t:s0 ..
drwxr-x---. root root system_u:object_r:container_file_t:s0 [poduid]
drwxr-x---. root root system_u:object_r:container_file_t:s0 [poduid]
# edit emptydir-test.yaml to specify node as needed, then
kubectl apply -f emptydir-test.yaml
kubectl get po -o wide # confirm it runs/fails on node
# ssh to node
ls -alhZ /var/lib/kubelet/pods/$(kubectl get po emptydir-test -o jsonpath='{.metadata.uid}')/volumes/kubernetes.io~empty-dir/empty-dir
# drwxrwxrwx. root root system_u:object_r:container_file_t:s0 .
# drwxr-xr-x. root root system_u:object_r:container_file_t:s0 ..
# -rwxr-xr-x. root root system_u:object_r:container_file_t:s0 empty-dir-ls
sudo /var/lib/kubelet/pods/$(kubectl get po emptydir-test -o jsonpath='{.metadata.uid}')/volumes/kubernetes.io~empty-dir/empty-dir/empty-dir-ls -alh /
# output should either be the result of ls -alh on / or a permission denied error
# if it's a permission denied error, you may have a noexec mount options issue
# check current mounts for noexec option:
sudo findmnt -l | grep "/var" | grep noexec
# look for /var/lib or a mount along /var/lib/kubelet/pods with noexec option
# check fstab:
grep "/var" /etc/fstab
# /dev/mapper/vg01-lv_var /var xfs nodev,noexec,nosuid 1 2
# either remove noexec from the mount options or create a new mount point for /var/lib/kubelet and omit noexec
# then reboot to take effect and run the emptydir-test pod on affected nodes