Kubernetes无法将卷挂载到文件夹 [英] Kubernetes can not mount a volume to a folder
问题描述
我正在按照这些文档进行设置我的cloud-sql数据库的sidecar代理.它指的是在github上的清单, -正如我在github repos等地方到处都发现的那样-似乎适用于每个人",但我遇到了麻烦.代理容器似乎无法成功启动,因此无法安装到/secrets/cloudsql.当我运行kubectl logs [mypod] cloudsql-proxy
:
I am following these docs on how to setup a sidecar proxy to my cloud-sql database. It refers to a manifest on github that -as I find it all over the place on github repos etc- seems to work for 'everyone' but I run into trouble. The proxy container can not mount to /secrets/cloudsql it seems as it can not succesfully start. When I run kubectl logs [mypod] cloudsql-proxy
:
invalid json file "/secrets/cloudsql/mysecret.json": open /secrets/cloudsql/mysecret.json: no such file or directory
所以秘密似乎是问题所在.
So the secret seems to be the problem.
清单的相关部分
- name: cloudsql-proxy
image: gcr.io/cloudsql-docker/gce-proxy:1.11
command: ["/cloud_sql_proxy",
"-instances=pqbq-224713:europe-west4:osm=tcp:5432",
"-credential_file=/secrets/cloudsql/mysecret.json"]
securityContext:
runAsUser: 2
allowPrivilegeEscalation: false
volumeMounts:
- name: cloudsql-instance-credentials
mountPath: /secrets/cloudsql
readOnly: true
volumes:
- name: cloudsql-instance-credential
secret:
secretName: mysecret
要测试/调试秘密,我将卷安装到另一个确实启动的容器中,但是路径和文件/secrets/cloudsql/mysecret.json也不存在.但是,当我将秘密安装到一个已经存在的文件夹中时,我可以在此文件夹中找到mysecret.json文件(不是我所期望的...),而是(在我的情况下)它包含的两个秘密,因此我发现:/existingfolder/password
和/existingfolder/username
(显然这是这样工作的!!当我找到这些秘密时,它们会给出正确的字符串,因此看起来不错).
To test/debug the secret I mount the volume to an another container that does start, but then the path and file /secrets/cloudsql/mysecret.json does not exist either. However when I mount the secret to an already EXISTING folder I can find in this folder not the mysecret.json file (as I expected...) but (in my case) two secrets it contains, so I find: /existingfolder/password
and /existingfolder/username
(apparently this is how it works!? When I cat these secrets they give the proper strings, so they seem fine).
因此,系统似乎无法建立路径,这是权限问题吗?我尝试将代理容器简单地安装到根目录('/'),所以没有文件夹,但这给出了一个错误消息,表明不允许这样做.由于图像gcr.io/cloudsql-docker/gce-proxy:1.11
来自Google,我无法运行它,因此看不到它具有的文件夹.
So it looks like the path can not be made by the system, is this a permission issue? I tried simply mounting in the proxy container to the root ('/') so no folder, but that gives an error saying it is not allowed to do so. As the image gcr.io/cloudsql-docker/gce-proxy:1.11
is from Google and I can not get it running I can not see what folder it has.
我的问题:
- 是从清单创建的mountPath还是应该已经 在容器里?
- 我该如何工作?
- Is the mountPath created from the manifest or should it be already in the container?
- How can I get this working?
推荐答案
我解决了.我在cloudsql-proxy上使用的密码与在应用程序(env)上使用的密码相同,但是它必须是您从服务帐户生成的密钥,然后再从中进行保密.然后就可以了. 本教程帮助了我.
I solved it. I was using the same secret on the cloudsql-proxy as the ones used on the app (env), but it needs to be a key you generate from a service account and then make a secret out of that. Then it works. This tutorial helped me through.
这篇关于Kubernetes无法将卷挂载到文件夹的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!