存储伪造SSL证书时出现意外错误:无法创建PEM证书

Question

-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       0.26.1
  Build:         git-2de5a893a
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: openresty/1.15.8.2

-------------------------------------------------------------------------------

W0719 06:58:01.543840       6 flags.go:243] SSL certificate chain completion is disabled (--enable-ssl-chain-completion=false)
W0719 06:58:01.544045       6 client_config.go:541] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I0719 06:58:01.544341       6 main.go:182] Creating API client for https://10.233.0.1:443
I0719 06:58:01.558257       6 main.go:226] Running in Kubernetes cluster version v1.16 (v1.16.3) - git (clean) commit b3cbbae08ec52a7fc73d334838e18d17e8512749 - platform linux/amd64
F0719 06:58:01.857260       6 ssl.go:389] unexpected error storing fake SSL Cert: could not create PEM certificate file /etc/ingress-controller/ssl/default-fake-certificate.pem: open /etc/ingress-controller/ssl/default-fake-certificate.pem: permission denied

1.我的入口控制器有3个副本，但2个副本是正常的，1个副本是excption。

我是一个中国人，我几乎不会说英语。欢迎使用帮助回答

Answer 1

如果我理解正确的话，您可以通过在您的yaml文件的SecurityContext中添加runAsUser指令来解决它。请看示例yaml：

securityContext:
  runAsUser: 1000
  runAsGroup: 3000
  fsGroup: 2000
  fsGroupChangePolicy: "OnRootMismatch"

Here您可以在Kuberenetes中找到有关安全上下文的完整指南。您需要输入有权创建证书的用户ID。

另请参阅：

• similar question on stack
• article and possible solution related to this problem