Kubernetes无法将卷挂载到文件夹 [英] Kubernetes can not mount a volume to a folder

问题描述

我正在按照这些文档进行设置我的cloud-sql数据库的sidecar代理.它指的是在github上的清单， -正如我在github repos等地方到处都发现的那样-似乎适用于每个人"，但我遇到了麻烦.代理容器似乎无法成功启动，因此无法安装到/secrets/cloudsql.当我运行kubectl logs [mypod] cloudsql-proxy:

I am following these docs on how to setup a sidecar proxy to my cloud-sql database. It refers to a manifest on github that -as I find it all over the place on github repos etc- seems to work for 'everyone' but I run into trouble. The proxy container can not mount to /secrets/cloudsql it seems as it can not succesfully start. When I run kubectl logs [mypod] cloudsql-proxy:

invalid json file "/secrets/cloudsql/mysecret.json": open /secrets/cloudsql/mysecret.json: no such file or directory

所以秘密似乎是问题所在.

So the secret seems to be the problem.

清单的相关部分

- name: cloudsql-proxy
  image: gcr.io/cloudsql-docker/gce-proxy:1.11
  command: ["/cloud_sql_proxy",
            "-instances=pqbq-224713:europe-west4:osm=tcp:5432",
            "-credential_file=/secrets/cloudsql/mysecret.json"]
  securityContext:
    runAsUser: 2
    allowPrivilegeEscalation: false
  volumeMounts:
    - name: cloudsql-instance-credentials
      mountPath: /secrets/cloudsql
      readOnly: true
volumes:
  - name: cloudsql-instance-credential
      secret:
        secretName: mysecret

要测试/调试秘密，我将卷安装到另一个确实启动的容器中，但是路径和文件/secrets/cloudsql/mysecret.json也不存在.但是，当我将秘密安装到一个已经存在的文件夹中时，我可以在此文件夹中找到mysecret.json文件(不是我所期望的...)，而是(在我的情况下)它包含的两个秘密，因此我发现:/existingfolder/password和/existingfolder/username(显然这是这样工作的！！当我找到这些秘密时，它们会给出正确的字符串，因此看起来不错).

To test/debug the secret I mount the volume to an another container that does start, but then the path and file /secrets/cloudsql/mysecret.json does not exist either. However when I mount the secret to an already EXISTING folder I can find in this folder not the mysecret.json file (as I expected...) but (in my case) two secrets it contains, so I find: /existingfolder/password and /existingfolder/username (apparently this is how it works!? When I cat these secrets they give the proper strings, so they seem fine).

因此，系统似乎无法建立路径，这是权限问题吗?我尝试将代理容器简单地安装到根目录('/')，所以没有文件夹，但这给出了一个错误消息，表明不允许这样做.由于图像gcr.io/cloudsql-docker/gce-proxy:1.11来自Google，我无法运行它，因此看不到它具有的文件夹.

So it looks like the path can not be made by the system, is this a permission issue? I tried simply mounting in the proxy container to the root ('/') so no folder, but that gives an error saying it is not allowed to do so. As the image gcr.io/cloudsql-docker/gce-proxy:1.11 is from Google and I can not get it running I can not see what folder it has.

我的问题:

1. 是从清单创建的mountPath还是应该已经 在容器里?
2. 我该如何工作?

1. Is the mountPath created from the manifest or should it be already in the container?
2. How can I get this working?

推荐答案

我解决了.我在cloudsql-proxy上使用的密码与在应用程序(env)上使用的密码相同，但是它必须是您从服务帐户生成的密钥，然后再从中进行保密.然后就可以了. 本教程帮助了我.

I solved it. I was using the same secret on the cloudsql-proxy as the ones used on the app (env), but it needs to be a key you generate from a service account and then make a secret out of that. Then it works. This tutorial helped me through.

这篇关于Kubernetes无法将卷挂载到文件夹的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！