Cannot update Kubernetes pod from yaml generated from kubectl get pod pod_name -o yaml

I have a pod in my Kubernetes cluster that needs to be updated to have a securityContext. So I generated a yaml file using -

kubectl get pod pod_name -o yaml > mypod.yaml

After updating the required securityContext and executing the command -

kubectl apply -f mypod.yaml

No changes were observed in the pod.

A newly created yaml file works fine. The new yaml file -

apiVersion: v1
kind: Pod
metadata:
  name: mypod
  namespace: default
spec:
  securityContext:
    runAsUser: 1010
  containers:
  - command:
    - sleep
    - "4800"
    image: ubuntu
    name: myubuntuimage

Immutable fields

In Kubernetes you can find information about immutable fields.

A lot of fields in APIs tend to be immutable, they can't be changed after creation. This is true for example for many of the fields in pods. There is currently no way to declaratively specify that fields are immutable, and one has to rely on either built-in validation for core types, or have to build a validating webhooks for CRDs.

Why?

There are resources in Kubernetes which have immutable fields by design, i.e. after creation of an object, those fields cannot be mutated anymore. E.g. a pod's specification is mostly unchangeable once it is created. To change the pod, it must be deleted, recreated and rescheduled.

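Editing the existing container configuration

If you try to apply the new configuration with the security context using kubectl apply, you will receive an error like the following: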

The Pod "mypod" is invalid: spec: Forbidden: pod updates may not change fields other than `spec.containers[*].image`, `spec.initContainers[*].image`, `spec.activeDeadlineSeconds` or `spec.tolerations` (only additions to existing tolerations)

If you use kubectl patch, you will get the same output:

kubectl patch pod mypod -p '{"spec":{"securityContext":{"runAsUser":1010}}}'

Also, kubectl edit will not change this particular configuration:

$ kubectl edit pod
Edit cancelled, no changes made.

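Solution

If you need only one pod, you must delete it and create a new one with the requested configuration.

A better solution is to use a resource that ensures some of your own requirements are met, for example a Deployment. After a change to the current configuration, the Deployment will create a new ReplicaSet, which will create new pods with the new configuration.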

by updating the PodTemplateSpec of the Deployment. A new ReplicaSet is created and the Deployment manages moving the Pods from the old ReplicaSet to the new one at a controlled rate. Each new ReplicaSet updates the revision of the Deployment.
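
As an added illustration (not part of the original answer and not Kubernetes' own validation code), the Python sketch below models the rule quoted in the error message above: it compares a live pod spec with a desired one and reports which changes fall outside the updatable fields, so you can tell before running kubectl apply whether the pod must be deleted and recreated. The function names and sample specs are constructed for this example, and the model covers only the field list shown in that error message.

```python
import copy

# Constructed sample: spec of the pod from the question as first created
# (no securityContext yet).
LIVE_SPEC = {
    "containers": [
        {"name": "myubuntuimage", "image": "ubuntu", "command": ["sleep", "4800"]}
    ],
}


def _mask_mutable(spec):
    """Copy spec with the fields named as updatable in the error message removed."""
    masked = copy.deepcopy(spec)
    for key in ("containers", "initContainers"):
        for container in masked.get(key, []):
            container.pop("image", None)
    masked.pop("activeDeadlineSeconds", None)
    masked.pop("tolerations", None)
    return masked


def forbidden_changes(old, new):
    """Return the top-level spec keys whose change would be rejected in place."""
    a, b = _mask_mutable(old), _mask_mutable(new)
    changed = sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))
    # Tolerations may only grow: every existing entry must still be present.
    new_tolerations = new.get("tolerations", [])
    if any(t not in new_tolerations for t in old.get("tolerations", [])):
        changed.append("tolerations")
    return changed


def needs_recreate(old, new):
    """True when the desired spec can only be reached by delete and recreate."""
    return bool(forbidden_changes(old, new))


if __name__ == "__main__":
    desired = copy.deepcopy(LIVE_SPEC)
    desired["securityContext"] = {"runAsUser": 1010}
    print("rejected fields:", forbidden_changes(LIVE_SPEC, desired))
    print("delete and recreate needed:", needs_recreate(LIVE_SPEC, desired))
```
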