error create resource "configmaps" while deploying nginx ingress controller
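I followed this tutorial to deploy the nginx ingress controller. The yaml files used for deploying the ingress controller and the describe output are copied to repo as-is.

After creating the ingress controller, the pod is Running, but I see the following errors in the ingress controller logs. The error indicates that serviceaccount "nginx" does not have permission to create resource "configmaps" in the namespace "ingress".

I have questions:
- What verb is needed in the ClusterRole to allow serviceaccount "nginx" to create configmaps in my namespace?
- Why does serviceaccount "nginx" have to create configmaps in the namespace? The ingress controller already has a configmap in the namespace, so why would the ingress controller try to create one again?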

E1115 15:05:49.678247 7 leaderelection.go:228] error initially creating leader election record: configmaps is forbidden: User "system:serviceaccount:ingress:nginx" cannot create resource "configmaps" in API group "" in the namespace "ingress"
(truncated)
I1115 15:05:49.742498 7 controller.go:220] ingress backend successfully reloaded...
E1115 15:06:03.379102 7 leaderelection.go:228] error initially creating leader election record: configmaps is forbidden: User "system:serviceaccount:ingress:nginx" cannot create resource "configmaps" in API group "" in the namespace "ingress"

Detailed kubectl logs can be accessed from this_file.

[Edit]

root@desktop:~/github/# kubectl get -n ingress all
NAME                                            READY   STATUS    RESTARTS   AGE
pod/default-backend-7fcd7954d6-gdmvt            1/1     Running   0          3d14h
pod/default-backend-7fcd7954d6-hf65b            1/1     Running   0          3d14h
pod/nginx-ingress-controller-65bfcb57ff-9nz88   1/1     Running   0          2d22h

NAME                      TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
service/default-backend   ClusterIP   10.100.x.y   <none>        80/TCP    3d14h

NAME                                       DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/default-backend            2         2         2            2           3d14h
deployment.apps/nginx-ingress-controller   1         1         1            1           2d22h

NAME                                                  DESIRED   CURRENT   READY   AGE
replicaset.apps/default-backend-7fcd7954d6            2         2         2       3d14h
replicaset.apps/nginx-ingress-controller-65bfcb57ff   1         1         1       2d22h

root@desktop:~/github# kubectl get -n ingress configmap
NAME                            DATA   AGE
nginx-ingress-controller-conf   1      3d14h

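The nginx service account does not seem to have been granted permission to create configmap resources in the namespace.

Take a look at this role definition and the role binding file. Apply them after making any necessary adjustments, such as the service account name (from nginx-ingress-serviceaccount to nginx).

Deployment configuration has this argument: --configmap=$(POD_NAMESPACE)/nginx-ingress-controller-conf. According to the nginx ingress controller documentation, that is the "...Name of the ConfigMap containing custom global configurations for the controller".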
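
An added example, not taken from the original answer or the files it links to: a namespaced Role and RoleBinding that grant the permission the leaderelection.go log lines report as missing, for service account nginx in namespace ingress. The object names nginx-ingress-role and nginx-ingress-role-binding and the lock ConfigMap name ingress-controller-leader-nginx are assumptions; substitute the names your deployment uses.

```yaml
# Added example: least-privilege RBAC for the denial shown in the log above.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                          # namespaced, so the grant stops at "ingress"
metadata:
  name: nginx-ingress-role          # hypothetical name
  namespace: ingress                # namespace from the error message
rules:
  # RBAC cannot restrict "create" by resourceNames, so this rule covers
  # any ConfigMap name, but only inside this namespace.
  - apiGroups: [""]                 # core group, printed as API group "" in the log
    resources: ["configmaps"]
    verbs: ["create"]
  # Once the leader election record exists, it is read and renewed in place.
  # Pinning resourceNames keeps "update" off every other ConfigMap,
  # including nginx-ingress-controller-conf.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["ingress-controller-leader-nginx"]   # assumed lock name
    verbs: ["get", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-binding  # hypothetical name
  namespace: ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx                     # subject from "system:serviceaccount:ingress:nginx"
    namespace: ingress
```

After applying it, kubectl auth can-i create configmaps -n ingress --as=system:serviceaccount:ingress:nginx should answer yes.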