错误创建资源"configmaps";在部署Nginx入口控制器时 [英] error create resource "configmaps" while deploying nginx ingress controller
问题描述
我完全像 this_tutorial 一样部署nginx入口控制器.用于部署入口控制器和描述输出的yaml文件被复制到 repo .
I followed exactly like this_tutorial to deploy nginx ingress contoller. The yaml files used for deploying the ingress controller and describe output are copied to repo.
创建入口控制器后,pod正在运行,但是在入口控制器日志中看到以下错误.该错误表明serviceaccount"nginx"无权在名称空间"ingress"中创建资源"configmaps".
After creating the ingress-controller, pod is running but seeing the below error in the ingress-controller log. The error says serviceaccount "nginx" have no permission to create resource "configmaps" in namespace "ingress".
我有问题
- 在ClusterRole中需要哪些动词才能允许服务帐户 "nginx"在我的命名空间中创建configmaps?
- 为什么serviceaccount"nginx"必须在 命名空间?因为,入口控制器在名称空间中已经有configmap,那么为什么入口控制器会尝试再次创建?
- what verbs are required in the ClusterRole to allow service account "nginx" to create configmaps in my namespace?
- Why serviceaccount "nginx" has to create configmaps in the namespace? Because,the ingress controller already has configmap in the namespace then why is the ingress controller tries to create again?
E1115 15:05:49.678247 7 Leaderelection.go:228]最初出现错误 创建领导者选举记录:禁止使用configmaps:用户 "system:serviceaccount:ingress:nginx"无法创建资源 名称空间"ingress"中API组"中的"configmaps"
E1115 15:05:49.678247 7 leaderelection.go:228] error initially creating leader election record: configmaps is forbidden: User "system:serviceaccount:ingress:nginx" cannot create resource "configmaps" in API group "" in the namespace "ingress"
(被截断)
I1115 15:05:49.742498 7 controller.go:220]入口后端 已成功重新加载... E1115 15:06:03.379102 7 Leaderelection.go:228]最初创建领导者选举时出错 记录:禁止使用configmaps:用户 "system:serviceaccount:ingress:nginx"无法创建资源 名称空间"ingress"中API组"中的"configmaps"
I1115 15:05:49.742498 7 controller.go:220] ingress backend successfully reloaded... E1115 15:06:03.379102 7 leaderelection.go:228] error initially creating leader election record: configmaps is forbidden: User "system:serviceaccount:ingress:nginx" cannot create resource "configmaps" in API group "" in the namespace "ingress"
可以从中访问 详细的kubectl日志. this_file
root@desktop:~/github/# kubectl get -n ingress all
NAME READY STATUS RESTARTS AGE
pod/default-backend-7fcd7954d6-gdmvt 1/1 Running 0 3d14h
pod/default-backend-7fcd7954d6-hf65b 1/1 Running 0 3d14h
pod/nginx-ingress-controller-65bfcb57ff-9nz88 1/1 Running 0 2d22h
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/default-backend ClusterIP 10.100.x.y <none> 80/TCP 3d14h
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
deployment.apps/default-backend 2 2 2 2 3d14h
deployment.apps/nginx-ingress-controller 1 1 1 1 2d22h
NAME DESIRED CURRENT READY AGE
replicaset.apps/default-backend-7fcd7954d6 2 2 2 3d14h
replicaset.apps/nginx-ingress-controller-65bfcb57ff 1 1 1 2d22h
root@desktop:~/github# kubectl get -n ingress configmap
NAME DATA AGE
nginx-ingress-controller-conf 1 3d14h
推荐答案
似乎未授予nginx服务帐户在命名空间中创建configmap资源的权限.
It looks like the nginx service account isn't granted permission to create configmap resources in the namespace.
Take a look at this role definition and the role binding files. Apply them after making any necessary adjustments, like for the service account name (from
nginx-ingress-serviceaccounttonginx).
部署配置具有以下参数:--configmap=\$(POD_NAMESPACE)/nginx-ingress-controller-conf.根据nginx入口控制器文档,即"...包含控制器自定义全局配置的ConfigMap的名称."
The Deployment configuration has this argument: --configmap=\$(POD_NAMESPACE)/nginx-ingress-controller-conf. According to the nginx ingress controller documentation, that is the "...Name of the ConfigMap containing custom global configurations for the controller".
这篇关于错误创建资源"configmaps";在部署Nginx入口控制器时的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
