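Fixing the microk8s dashboard and microk8s-hostpath (persistent volumes) on Kubernetes v1.14
As always, this post covers a small tip that does not turn up when you search for it.
This article is my personal view and has nothing to do with any organization I belong to.
MicroK8s is convenient for running Kubernetes on a single server, but I got stuck on several errors when running Kubernetes 1.14.6, so I am writing them down here so that fewer people run into the same trouble.
0. Kubeflow 0.5.1 is not compatible with Kubernetes v1.15
I tried to install Kubeflow v0.5.1, but it does not support Kubernetes v1.15. The reason is that Ksonnet does not support v1.15. Ksonnet is no longer maintained, and there are no plans for it to support Kubernetes v1.15.
Note: Kubeflow 0.6 uses Kustomize instead of Ksonnet. Kubeflow 0.6 also supports Kubernetes v1.15.
That topic is outside the scope of this article; see the following for it.
Running Kubeflow 0.5.1 on MicroK8s (Kubernetes v1.14.6) - Qiita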
https://qiita.com/ynott/items/b250373e39938b1d4e7a
Downgrade Kubernetes
For now, try downgrading Kubernetes to v1.14.6; that should do it.
$ microk8s.reset
$ sudo snap refresh microk8s --channel=1.14/stable --classic
Enable RBAC, DNS, and the dashboard.
$ microk8s.enable rbac
$ microk8s.enable dns
$ microk8s.enable dashboard
Do a rough check that all the Pods have started.
$ kubectl get pods -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system heapster-v1.5.2-5c5498f57c-slz9b 4/4 Running 0 73s
kube-system kube-dns-6bfbdd666c-lnztc 3/3 Running 0 96s
kube-system kubernetes-dashboard-6fd7f9c494-lr9vl 0/1 CrashLoopBackOff 3 73s
kube-system monitoring-influxdb-grafana-v4-78777c64c8-skltl 2/2 Running 0 73s
The dashboard is in CrashLoopBackOff... (tears).
2. The dashboard does not respond
Looking at the dashboard Pod's log shows the following error.
$ kubectl logs -n kube-system kubernetes-dashboard-6fd7f9c494-lr9vl
2019/09/11 04:37:02 Storing encryption key in a secret
panic: secrets is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot create resource "secrets" in API group "" in the namespace "kube-system"
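2-1. Set up the Role and RoleBinding for the Dashboard
Checking with kubectl get clusterrole -n kube-system, I found no role for the dashboard. Naturally, there was no clusterrolebinding either.
However, the kubernetes-dashboard serviceaccount did exist. I found the role by searching.
The required part can be extracted from this link.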
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal-role
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
    verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal-rolebinding
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal-role
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system
Apply it.
$ kubectl apply -f dashboard-role.yaml
After waiting a little while, it started running.
Enable storage
$ microk8s.enable storage
Enabling default storage class
deployment.extensions/hostpath-provisioner created
storageclass.storage.k8s.io/microk8s-hostpath unchanged
Storage will be available soon
At first glance it appears to be running normally.
$ kubectl get pods -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system heapster-v1.5.2-5c5498f57c-slz9b 4/4 Running 0 30m
kube-system hostpath-provisioner-6d744c4f7c-8hn9k 1/1 Running 0 2m47s
kube-system kube-dns-6bfbdd666c-lnztc 3/3 Running 0 31m
kube-system kubernetes-dashboard-6fd7f9c494-lr9vl 1/1 Running 9 30m
kube-system monitoring-influxdb-grafana-v4-78777c64c8-skltl 2/2 Running 0 30m
The hostpath-provisioner is not working
Check the log of hostpath-provisioner-6d744c4f7c-8hn9k.
$ kubectl logs -f pod/hostpath-provisioner-6d744c4f7c-8hn9k -n kube-system
E0911 05:07:23.834527 1 reflector.go:201] github.com/juju-solutions/hostpath-provisioner/vendor/github.com/kubernetes-incubator/external-storage/lib/controller/controller.go:295: Failed to list *v1.PersistentVolume: persistentvolumes is forbidden: User "system:serviceaccount:kube-system:default" cannot list resource "persistentvolumes" in API group "" at the cluster scope
E0911 05:07:23.834720 1 reflector.go:201] github.com/juju-solutions/hostpath-provisioner/vendor/github.com/kubernetes-incubator/external-storage/lib/controller/controller.go:294: Failed to list *v1.PersistentVolumeClaim: persistentvolumeclaims is forbidden: User "system:serviceaccount:kube-system:default" cannot list resource "persistentvolumeclaims" in API group "" at the cluster scope
E0911 05:07:23.835713 1 reflector.go:201] github.com/juju-solutions/hostpath-provisioner/vendor/github.com/kubernetes-incubator/external-storage/lib/controller/controller.go:265: Failed to list *v1.StorageClass: storageclasses.storage.k8s.io is forbidden: User "system:serviceaccount:kube-system:default" cannot list resource "storageclasses" in API group "storage.k8s.io" at the cluster scope
It is not working...
Apply the ServiceAccount, ClusterRole, and ClusterRoleBinding.
The latest storage.yaml has been fixed, so fetch the file from the following link:
https://raw.githubusercontent.com/ubuntu/microk8s/master/microk8s-resources/actions/storage.yaml
Then run kubectl apply -f storage.yaml again.
However, $ARCH and $SNAP_COMMON may be empty, so they need to be replaced.
$ wget https://raw.githubusercontent.com/ubuntu/microk8s/master/microk8s-resources/actions/storage.yaml
$ sed -i -e 's|\$ARCH|amd64|g' storage.yaml
$ sed -i -e 's|\$SNAP_COMMON|/var/snap/microk8s/common|g' storage.yaml
Apply it with kubectl apply
$ kubectl apply -f storage.yaml
deployment.extensions/hostpath-provisioner configured
storageclass.storage.k8s.io/microk8s-hostpath unchanged
serviceaccount/microk8s-hostpath created
clusterrole.rbac.authorization.k8s.io/microk8s-hostpath unchanged
clusterrolebinding.rbac.authorization.k8s.io/microk8s-hostpath unchanged
$ kubectl logs -n kube-system hostpath-provisioner-58c4d46947-2f6lh
I0911 05:47:41.651964 1 controller.go:293] Starting provisioner controller ab8727d6-d457-11e9-9d85-ee707c114ee2!
It is running. Looks good.
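Both failures above were RBAC denials, so the fix can also be confirmed against the API server instead of waiting for the pod logs. The following is an added example, not part of the original article: it turns "forbidden" log lines into kubectl auth can-i checks. The function names and the trimmed sample lines are constructed for illustration.

```shell
# Added example: convert RBAC "forbidden" log lines into `kubectl auth can-i` checks.

# Constructed sample: denial messages from the two failing pods above,
# with timestamps and source-file prefixes trimmed.
sample_denials() {
cat <<'EOF'
panic: secrets is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot create resource "secrets" in API group "" in the namespace "kube-system"
Failed to list *v1.PersistentVolume: persistentvolumes is forbidden: User "system:serviceaccount:kube-system:default" cannot list resource "persistentvolumes" in API group "" at the cluster scope
Failed to list *v1.StorageClass: storageclasses.storage.k8s.io is forbidden: User "system:serviceaccount:kube-system:default" cannot list resource "storageclasses" in API group "storage.k8s.io" at the cluster scope
EOF
}

# Reads log text on stdin and prints one check command per distinct denial.
denials_to_checks() {
  sed -n -E 's/.*User "([^"]+)" cannot ([a-z]+) resource "([^"]+)" in API group "([^"]*)" (in the namespace "([^"]+)"|at the cluster scope).*/\1|\2|\3|\4|\6/p' |
  sort -u |
  while IFS='|' read -r user verb resource group ns; do
    # Resources outside the core API group are addressed as resource.group.
    if [ -n "$group" ]; then resource="$resource.$group"; fi
    # A namespaced denial is fixed by a Role; a cluster-scope one needs a ClusterRole.
    if [ -n "$ns" ]; then scope="-n $ns"; else scope="--all-namespaces"; fi
    # The fixed storage.yaml creates a dedicated service account instead of using "default".
    note=""
    case "$user" in
      system:serviceaccount:*:default) note="  # default SA: prefer a dedicated service account" ;;
    esac
    echo "kubectl auth can-i $verb $resource --as=$user $scope$note"
  done
}

sample_denials | denials_to_checks
```

Run the printed commands as a cluster admin before and after applying the manifests; each answer should change from no to yes for the service account the pod actually runs as.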
Confirm that a PVC works
Prepare a PVC manifest like the following
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: demo-volume-claim
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: microk8s-hostpath
  resources:
    requests:
      storage: 500M
---
Apply it with kubectl apply
$ kubectl apply -f demo-persistent-volume-claim.yml
persistentvolumeclaim/demo-volume-claim created
$ kubectl get pvc -A
NAMESPACE NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
default demo-volume-claim Bound pvc-f501dd62-d459-11e9-b7a7-000c29ab8f9c 500M RWO microk8s-hostpath 6s
It looks good, so delete it
$ kubectl delete -f demo-persistent-volume-claim.yml
persistentvolumeclaim "demo-volume-claim" deleted
$ kubectl get pvc -A
No resources found.