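I cannot connect to my application through the Application Gateway and the Azure gateway. The ingress controller pod has been scheduled, but it is not in the Ready state.
Below I have attached the error logs and the description of the ingress controller.
I want to find out what the problem is here. I deployed AGIC using AAD identity, following the Azure documentation.
Error: Reading Az Context file "/etc/appgw/azure.json" failed: open /etc/appgw/azure.json: permission denied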
Name:           ingress-azure-1601834933-77f4978499-jzsr5
Namespace:      default
Priority:       0
Node:           aks-agentpool-26714526-vmss000002/10.240.0.226
Start Time:     Fri, 09 Oct 2020 14:50:44 +0530
Labels:         aadpodidbinding=ingress-azure-1601834933
                app=ingress-azure
                pod-template-hash=77f4978499
                release=ingress-azure-1601834933
Annotations:    checksum/config: cfd91a5a7795ab06d41d6b5e7df20965936069437759bdf4e18323fc52894138
                prometheus.io/port: 8123
                prometheus.io/scrape: true
Status:         Running
IP:             10.240.1.2
IPs:
  IP:           10.240.1.2
Controlled By:  ReplicaSet/ingress-azure-1601834933-77f4978499
Containers:
  ingress-azure:
    Container ID:   docker://c93ed14bdeb798b6ff9e0e1feaafd9f23afba19b3dd31391c4635dbf69e2d2e6
    Image:          mcr.microsoft.com/azure-application-gateway/kubernetes-ingress:1.2.1
    Image ID:       docker-pullable://mcr.microsoft.com/azure-application-gateway/kubernetes-ingress@sha256:cf1df9645ded72127967c99bbf88b758b5b19b698ba18a9ed74c3a7ebf016ef1
    Port:           <none>
    Host Port:      <none>
    State:          Running
      Started:      Fri, 09 Oct 2020 16:22:59 +0530
    Last State:     Terminated
      Reason:       Error
      Exit Code:    255
      Started:      Fri, 09 Oct 2020 16:12:45 +0530
      Finished:     Fri, 09 Oct 2020 16:22:57 +0530
    Ready:          False
    Restart Count:  9
    Liveness:       http-get http://:8123/health/alive delay=15s timeout=1s period=20s #success=1 #failure=3
    Readiness:      http-get http://:8123/health/ready delay=5s timeout=1s period=10s #success=1 #failure=3
    Environment Variables from:
      ingress-azure-1601834933  ConfigMap  Optional: false
    Environment:
      AZURE_CLOUD_PROVIDER_LOCATION:  /etc/appgw/azure.json
      AGIC_POD_NAME:                  ingress-azure-1601834933-77f4978499-jzsr5 (v1:metadata.name)
      AGIC_POD_NAMESPACE:             default (v1:metadata.namespace)
    Mounts:
      /etc/appgw/azure.json from azure (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from ingress-azure-1601834933-token-j26h8 (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  azure:
    Type:          HostPath (bare host directory volume)
    Path:          /etc/kubernetes/azure.json
    HostPathType:  File
  ingress-azure-1601834933-token-j26h8:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  ingress-azure-1601834933-token-j26h8
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason     Age                    From     Message
  ----     ------     ----                   ----     -------
  Warning  Unhealthy  2m49s (x563 over 97m)  kubelet  Readiness probe failed: Get http://10.240.1.2:8123/health/ready: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
-------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------
ERROR: logging before flag.Parse: I1009 10:22:18.658900 1 utils.go:115] Using verbosity level 3 from environment variable APPGW_VERBOSITY_LEVEL
ERROR: logging before flag.Parse: I1009 10:22:18.658983 1 main.go:78] Unable to load cloud provider config '/etc/appgw/azure.json'. Error: Reading Az Context file "/etc/appgw/azure.json" failed: open /etc/appgw/azure.json: permission denied
I1009 10:22:18.691424 1 environment.go:240] KUBERNETES_WATCHNAMESPACE is not set. Watching all available namespaces.
I1009 10:22:18.691567 1 main.go:128] Appication Gateway Details: Subscription="17dbc3e5-9c62-4898-80e8-47d8ac77d641" Resource Group="dev-cluster" Name="test-app-gateway"
I1009 10:22:18.691581 1 auth.go:46] Creating authorizer from Azure Managed Service Identity
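I1009 10:22:18.691643 1 httpserver.go:57] Starting API Server on :8123

Posted on 2020-10-16 14:16:54
I have the same problem. According to https://github.com/Azure/application-gateway-kubernetes-ingress/blob/master/dockerfiles/deploy.Dockerfile it seems to be a file system issue: they set up a non-root application-ingress user, which simply has no access to the /etc folder...
Answer from the project maintainers:
akshaysngupta commented 14 days ago: Thanks for reporting. We will fix this in the next minor release. If you are using the "cloud provider" config in AGIC, please use 1.2.0, since 1.2.1 uses a non-root user for the AGIC process.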
Posted on 2020-10-16 14:23:24
$ helm uninstall ingress-azure
$ helm install ingress-azure application-gateway-kubernetes-ingress/ingress-azure -f helm-config.yaml --version 1.2.0
fixed the issue for me.
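The cause named in the answers (a non-root container user opening a hostPath-mounted file) can be checked before rollout. The following is an added example, not part of either answer or of the AGIC project; the pod dictionary is constructed from the description above, and the root-owned 0600 host file metadata and UID/GID 1001 are assumptions.

```python
import stat

# Constructed sample: the hostPath volume and mount from the pod description.
POD = {
    "volumes": [{"name": "azure",
                 "hostPath": {"path": "/etc/kubernetes/azure.json", "type": "File"}}],
    "containers": [{"name": "ingress-azure",
                    "volumeMounts": [{"name": "azure",
                                      "mountPath": "/etc/appgw/azure.json"}]}],
}
# Assumed node-side metadata (as `stat` would report it): root-owned, mode 0600.
HOST_FILES = {"/etc/kubernetes/azure.json": {"uid": 0, "gid": 0, "mode": 0o600}}


def can_read(meta, uid, gids):
    """POSIX DAC read check: exactly one permission class applies."""
    if uid == 0:  # root, assuming CAP_DAC_OVERRIDE has not been dropped
        return True
    if uid == meta["uid"]:
        return bool(meta["mode"] & stat.S_IRUSR)
    if meta["gid"] in gids:
        return bool(meta["mode"] & stat.S_IRGRP)
    return bool(meta["mode"] & stat.S_IROTH)


def unreadable_hostpath_mounts(pod, host_files, image_uid, image_gid):
    """Return (container, mountPath, hostPath) tuples the container user cannot read."""
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in pod["volumes"] if "hostPath" in v}
    pod_sc = pod.get("securityContext", {})
    findings = []
    for c in pod["containers"]:
        sc = {**pod_sc, **c.get("securityContext", {})}
        uid = sc.get("runAsUser", image_uid)  # the spec overrides the image USER
        gids = {sc.get("runAsGroup", image_gid), *sc.get("supplementalGroups", [])}
        # fsGroup joins the process groups, but hostPath files are not chowned.
        if "fsGroup" in sc:
            gids.add(sc["fsGroup"])
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path in host_files and not can_read(host_files[path], uid, gids):
                findings.append((c["name"], m["mountPath"], path))
    return findings


if __name__ == "__main__":
    print("root image:    ", unreadable_hostpath_mounts(POD, HOST_FILES, 0, 0))
    print("non-root image:", unreadable_hostpath_mounts(POD, HOST_FILES, 1001, 1001))
```

Setting `fsGroup` alone does not clear the finding while the host file stays at mode 0600, because the group class never applies to a file with no group read bit.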
https://stackoverflow.com/questions/64317755