I am following the Kubernetes documentation on Secrets. I have this secret.yaml file:

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  val1: YXNkZgo=
stringData:
  val1: asdf
and secret-pod.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: mysecretpod
spec:
  containers:
    - name: mypod
      image: nginx
      volumeMounts:
        - name: myval
          mountPath: /etc/secret
          readOnly: true
  volumes:
    - name: myval
      secret:
        secretName: val1
        items:
          - key: val1
            path: myval
I run kubectl apply -f on both files. Then, with kubectl exec -it mysecretpod -- cat /etc/secret/myval, I can see the value asdf in the file /etc/secret/myval inside mysecretpod.

However, I want the mounted path to be /etc/myval. So I made the following change in secret-pod.yaml:

      volumeMounts:
        - name: myval
          mountPath: /etc
          readOnly: true
After running kubectl apply -f on that file again, I check the pod creation with kubectl get pods --all-namespaces. This is what I see:
NAMESPACE NAME READY STATUS RESTARTS AGE
default mysecretpod 0/1 CrashLoopBackOff 2 (34s ago) 62s
Looking at the pod with kubectl describe pods mysecretpod, this is what I see:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 35s default-scheduler Successfully assigned default/mysecretpod to minikube
Normal Pulled 32s kubelet Successfully pulled image "nginx" in 2.635766453s
Warning Failed 31s kubelet Error: failed to start container "mypod": Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:76: mounting "/var/lib/docker/containers/c84a8d278dc2f131daf9f322d26ff8c54d68cea8cd9c0ce209f68d7a9b677b3c/resolv.conf" to rootfs at "/etc/resolv.conf" caused: open /var/lib/docker/overlay2/4aaf54c61f7c80937a8edc094b27d6590538632e0209165e0b8c96e9e779a4b6/merged/etc/resolv.conf: read-only file system: unknown
Normal Pulled 28s kubelet Successfully pulled image "nginx" in 3.313846185s
Warning Failed 28s kubelet Error: failed to start container "mypod": Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:76: mounting "/var/lib/docker/containers/c84a8d278dc2f131daf9f322d26ff8c54d68cea8cd9c0ce209f68d7a9b677b3c/resolv.conf" to rootfs at "/etc/resolv.conf" caused: open /var/lib/docker/overlay2/34af5138f14d192ade7e53211476943ea82cd2c8186d69ca79a3adf2abbc0978/merged/etc/resolv.conf: read-only file system: unknown
Warning BackOff 24s kubelet Back-off restarting failed container
Normal Pulling 9s (x3 over 34s) kubelet Pulling image "nginx"
Normal Created 7s (x3 over 32s) kubelet Created container mypod
Normal Pulled 7s kubelet Successfully pulled image "nginx" in 2.73055072s
Warning Failed 6s kubelet Error: failed to start container "mypod": Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:76: mounting "/var/lib/docker/containers/c84a8d278dc2f131daf9f322d26ff8c54d68cea8cd9c0ce209f68d7a9b677b3c/resolv.conf" to rootfs at "/etc/resolv.conf" caused: open /var/lib/docker/overlay2/01bfa6b2c35d5eb12ad7ad204a5acc58688c1e04d9b5891382e48c26d2e7077f/merged/etc/resolv.conf: read-only file system: unknown
Why does this fail? Is it possible to mount a secret at the /etc level instead of at the /etc/something level? If so, how can I achieve it? Thanks a lot!
      volumeMounts:
        - name: myval
          mountPath: /etc
          readOnly: true

Instead of the /etc directory, try mounting it as a single file:
apiVersion: v1
kind: Secret
metadata:
  name: nginx
type: Opaque
stringData:
  val1: asdf
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: nginx
      image: nginx:alpine
      volumeMounts:
        - name: myval
          mountPath: /etc/myval
          subPath: myval
  volumes:
    - name: myval
      secret:
        secretName: nginx
        items:
          - key: val1
            path: myval
...
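Added example, not part of the question or the answer above: a small Python lint that catches the failure mode discussed here before a manifest is applied. It flags a volume mounted directly on /etc (and, going beyond the page, on other directories the image or runtime must populate) and points to subPath, and it also notes the documented caveat that a Secret mounted via subPath is not refreshed when the Secret changes. The pod dicts are constructed from the two manifests on this page; the helper names are my own.

```python
import posixpath

# Directories the image or the container runtime must populate. A volume mounted
# directly on one of them hides the original contents; /etc is the case from the
# question, since the runtime bind-mounts resolv.conf, hosts and hostname there.
SHADOWED_SYSTEM_DIRS = frozenset({
    "/", "/etc", "/dev", "/proc", "/sys", "/run", "/var/run",
    "/usr", "/bin", "/sbin", "/lib", "/lib64",
})

def normalize_mount_path(path):
    """Collapse trailing slashes and '..' so '/etc/' and '/etc' compare equal."""
    return "/" + posixpath.normpath(path).lstrip("/")

def lint_pod(pod):
    """Return (container, mountPath, level, message) tuples for a Pod dict."""
    findings = []
    spec = pod.get("spec", {})
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        for vm in container.get("volumeMounts", []):
            path = normalize_mount_path(vm["mountPath"])
            sub_path = vm.get("subPath")
            is_secret = "secret" in volumes.get(vm["name"], {})
            if path in SHADOWED_SYSTEM_DIRS and not sub_path:
                findings.append((container["name"], path, "error",
                    "volume shadows a system directory; mount a single file with subPath"))
            elif is_secret and sub_path:
                # Documented Kubernetes behaviour: subPath mounts of a Secret are not refreshed.
                findings.append((container["name"], path, "info",
                    "subPath mount of a Secret will not pick up Secret updates; restart the pod to rotate"))
    return findings

# Constructed inputs: the question's broken spec and the answer's working spec.
BROKEN_POD = {"kind": "Pod", "spec": {
    "containers": [{"name": "mypod", "image": "nginx", "volumeMounts": [
        {"name": "myval", "mountPath": "/etc", "readOnly": True}]}],
    "volumes": [{"name": "myval", "secret": {"secretName": "mysecret"}}]}}
FIXED_POD = {"kind": "Pod", "spec": {
    "containers": [{"name": "nginx", "image": "nginx:alpine", "volumeMounts": [
        {"name": "myval", "mountPath": "/etc/myval", "subPath": "myval"}]}],
    "volumes": [{"name": "myval", "secret": {"secretName": "nginx"}}]}}

if __name__ == "__main__":
    for label, pod in (("broken", BROKEN_POD), ("fixed", FIXED_POD)):
        for finding in lint_pod(pod):
            print(label, *finding)
```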