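How to resolve a Pod that does not start: Unavailable and ReplicaFailure
The Pod does not start. The oc (kubectl) get pods
command does not show the Pod.
Type : Status : Reason
Progressing : True : NewReplicaSetAvailable
Available : False : MinimumReplicasUnavailable
ReplicaFailure : True : FailedCreate
Deployment YAML file: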
kind: Deployment
apiVersion: apps/v1
metadata:
  annotations:
    deployment.kubernetes.io/revision: '2'
  selfLink: >-
    /apis/apps/v1/namespaces/awag-project/deployments/integrated-repository-webapp
  resourceVersion: '3460356'
  name: integrated-repository-webapp
  ...
status:
  observedGeneration: 10
  unavailableReplicas: 1
  conditions:
    - type: Progressing
      status: 'True'
      ...
      reason: NewReplicaSetAvailable
      message: >-
        ReplicaSet "integrated-repository-webapp-d69879c5f" has successfully
        progressed.
    - type: Available
      status: 'False'
      ...
      reason: MinimumReplicasUnavailable
      message: Deployment does not have minimum availability.
    - type: ReplicaFailure
      status: 'True'
      ...
      reason: FailedCreate
      message: >-
        pods "integrated-repository-webapp-d69879c5f-" is forbidden: unable to
        validate against any security context constraint:
        [spec.containers[0].securityContext.containers[0].hostPort: Invalid
        value: 80: Host ports are not allowed to be used
        spec.containers[0].securityContext.containers[0].hostPort: Invalid
        value: 443: Host ports are not allowed to be used]
Output of the describe deployment command:
Name:                   integrated-repository-webapp
Namespace:              awag-project
CreationTimestamp:      Tue, 13 Jul 2021 00:31:31 +0900
Labels:                 <none>
Annotations:            deployment.kubernetes.io/revision: 2
Selector:               app=integrated-repository-webapp
Replicas:               1 desired | 0 updated | 0 total | 0 available | 1 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  25% max unavailable, 25% max surge
Pod Template:
  Labels:  app=integrated-repository-webapp
  Containers:
   integrated-repository-webapp:
    Image:       jp.icr.io/etp-namespace/integrated-repository
    Ports:       9080/TCP, 9443/TCP
    Host Ports:  80/TCP, 443/TCP
    Environment Variables from:
      integrated-repository-webapp-config  ConfigMap  Optional: false
    Environment:
      ...
    Mounts:   <none>
  Volumes:    <none>
Conditions:
  Type            Status  Reason
  ----            ------  ------
  Progressing     True    NewReplicaSetAvailable
  Available       False   MinimumReplicasUnavailable
  ReplicaFailure  True    FailedCreate
OldReplicaSets:   <none>
NewReplicaSet:    integrated-repository-webapp-d69879c5f (0/1 replicas created)
Events:
  Type    Reason             Age                From                   Message
  ----    ------             ----               ----                   -------
  Normal  ScalingReplicaSet  63m                deployment-controller  Scaled up replica set integrated-repository-webapp-f9cd69684 to 2
  Normal  ScalingReplicaSet  63m                deployment-controller  Scaled down replica set integrated-repository-webapp-f9cd69684 to 1
  Normal  ScalingReplicaSet  51m (x3 over 66m)  deployment-controller  Scaled up replica set integrated-repository-webapp-f9cd69684 to 1
  Normal  ScalingReplicaSet  17m (x3 over 53m)  deployment-controller  Scaled down replica set integrated-repository-webapp-f9cd69684 to 0
  Normal  ScalingReplicaSet  17m                deployment-controller  Scaled down replica set integrated-repository-webapp-d69879c5f to 0
  Normal  ScalingReplicaSet  17m (x2 over 18m)  deployment-controller  Scaled up replica set integrated-repository-webapp-d69879c5f to 1
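Edit 1
To start the pod as the root user, I created a ServiceAccount and attached it to the deployment. The Pod changed to Pending status but is not running. The port error seems to be resolved, but it is still unavailable due to MinimumReplicasUnavailable.
1. Reproducing the error:
Create the service account "ir-sa"
oc create sa ir-sa
oc adm policy add-scc-to-user privileged -z ir-sa
Patch the deployment
spec:
  template:
    spec:
      serviceAccountName: ir-sa
2. Deployment YAML file: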
conditions:
  - type: Progressing
    status: 'True'
    ...
    reason: NewReplicaSetAvailable
    message: >-
      ReplicaSet "integrated-repository-webapp-76c767549" has successfully
      progressed.
  - type: Available
    status: 'False'
    ...
    reason: MinimumReplicasUnavailable
    message: Deployment does not have minimum availability.
3. Output of the describe pod command
Type     Reason                  Age                    From               Message
----     ------                  ----                   ----               -------
Normal   Scheduled               5m46s                  default-scheduler  Successfully assigned awag-project/integrated-repository-webapp-76c767549-rrbcx to 10.244.0.11
Normal   AddedInterface          5m46s                  multus             Add eth0 [172.17.20.41/32]
Warning  FailedCreatePodSandBox  5m45s                  kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = Failed to add hostport mapping for sandbox k8s_integrated-repository-webapp-76c767549-rrbcx_awag-project_07f11210-f70e-4553-b598-862b101eb57a_0(61bf202c0bd3423444ec64e8f50a9a1aa2cdf173fe9a638e31a3113ec8775eed): cannot open hostport 443 for pod k8s_integrated-repository-webapp-76c767549-rrbcx_awag-project_07f11210-f70e-4553-b598-862b101eb57a_0_: listen tcp4 :443: bind: address already in use
Normal   AddedInterface          5m44s                  multus             Add eth0 [172.17.20.56/32]
…
Warning  FailedCreatePodSandBox  44s (x141 over 5m27s)  kubelet            (combined from similar events): Failed to create pod sandbox: rpc error: code = Unknown desc = Failed to add hostport mapping for sandbox k8s_integrated-repository-webapp-76c767549-rrbcx_awag-project_07f11210-f70e-4553-b598-862b101eb57a_0(d47342c920507c8e9c65c3afd808caec4f73524d5c08b76ab2dc0db0b1004453): cannot open hostport 443 for pod k8s_integrated-repository-webapp-76c767549-rrbcx_awag-project_07f11210-f70e-4553-b598-862b101eb57a_0_: listen tcp4 :443: bind: address already in use
Edit 2
I added an Ingress and changed the deployment's port to 444. The Pod is still in Pending status, but the reason has changed to ImagePullBackOff.
1. Created the Ingress
kubectl get ingress command output (the actual ingress subdomain is redacted as INGRESS-SUBDOMAIN)
NAME                                   CLASS    HOSTS               ADDRESS   PORTS     AGE
integrated-repository-webapp-ingress   <none>   INGRESS-SUBDOMAIN             80, 443   24h
2. Changed the deployment's port 443 to 444
Deployment YAML (spec.template.spec.ports)
ports:
  - hostPort: 80
    containerPort: 9080
    protocol: TCP
  - hostPort: 444  # it was 443 before
    containerPort: 9443
    protocol: TCP
3. Received a different error message
Deployment YAML file
status:
  observedGeneration: 28
  replicas: 2
  updatedReplicas: 1
  unavailableReplicas: 2
  conditions:
    - type: Available
      status: 'False'
      …
      reason: MinimumReplicasUnavailable
      message: Deployment does not have minimum availability.
    - type: Progressing
      status: 'False'
      …
      reason: ProgressDeadlineExceeded
      message: >-
        ReplicaSet "integrated-repository-webapp-5bcb99db9d" has timed out
        progressing.
Output of the describe pod command
Name:         integrated-repository-webapp-5bcb99db9d-s76br
Namespace:    awag-project
…
Status:       Pending
…
Containers:
  integrated-repository-webapp:
    …
    Ports:          9080/TCP, 9443/TCP
    Host Ports:     80/TCP, 444/TCP
    State:          Waiting
      Reason:       ImagePullBackOff
    Ready:          False
    Restart Count:  0
    Environment Variables from:
      integrated-repository-webapp-config  ConfigMap  Optional: false
    …
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  ir-sa-token-v848t:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  ir-sa-token-v848t
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason          Age                    From               Message
  ----     ------          ----                   ----               -------
  Normal   Scheduled       41m                    default-scheduler  Successfully assigned awag-project/integrated-repository-webapp-5bcb99db9d-s76br to 10.244.0.12
  Normal   AddedInterface  41m                    multus             Add eth0 [172.17.54.125/32]
  Normal   Pulling         40m (x4 over 41m)      kubelet            Pulling image "jp.icr.io/etp-namespace/integrated-repository"
  Warning  Failed          40m (x4 over 41m)      kubelet            Failed to pull image "jp.icr.io/etp-namespace/integrated-repository": rpc error: code = Unknown desc = unable to retrieve auth token: invalid username/password: unauthorized: The login credentials are not valid, or your IBM Cloud account is not active.
  Warning  Failed          40m (x4 over 41m)      kubelet            Error: ErrImagePull
  Warning  Failed          6m49s (x153 over 41m)  kubelet            Error: ImagePullBackOff
  Normal   BackOff         105s (x175 over 41m)   kubelet            Back-off pulling image "jp.icr.io/etp-namespace/integrated-repository"
Solution
message: >-
  pods "integrated-repository-webapp-d69879c5f-" is forbidden: unable to
  validate against any security context constraint:
  [spec.containers[0].securityContext.containers[0].hostPort: Invalid
  value: 80: Host ports are not allowed to be used
  spec.containers[0].securityContext.containers[0].hostPort: Invalid
  value: 443: Host ports are not allowed to be used]
You are trying to bind the application in the container to ports 80 and 443; on these ports, see https://stackoverflow.com/a/68328710/1025312, where user SYN already mentioned that OpenShift uses random UIDs. Therefore, you need to change the ports in the container to 8080, 8443, or any other port greater than 1024.
I needed to set up an ImagePullSecret.
oc get secret all-icr-io -n default -o yaml | sed 's/default/my-project/g' | oc create -n my-project -f -
Then enable all-icr-io on ir-sa (the ServiceAccount):
oc secrets link ir-sa all-icr-io --for=pull -n my-project
Then delete the Pod that is in ImagePullBackOff status.
https://cloud.ibm.com/docs/containers?topic=containers-registry#copy_imagePullSecret Steps 2 to 4