使用Helm安装nginx-ingress返回"Error:呈现清单包含已经存在的资源“

Question

我有一个使用Terraform在Azure上部署Kubernetes集群的GitLab管道。我第一次使用管道的时候一切都很好。当我完成测试后，我运行了销毁阶段，所有的东西都被销毁了。昨天，我重新运行了创建集群的管道，除了使用helm安装nginx入口的最后一个阶段外，所有阶段都进行得很顺利。

install_nginx_ingress:
  stage: install_dependencies
  image:  alpine/helm:3.1.1
  script:
    - helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
    - helm repo update
    - >
      helm install nginx-ingress ingress-nginx/ingress-nginx
      --namespace default
      --set controller.replicaCount=2
  dependencies:
    - apply
  rules:
    - if: $CI_COMMIT_BRANCH ==  $CI_DEFAULT_BRANCH && $PHASE == "DEPLOY"

当这个阶段被执行时，这就是我在GitLab控制台中拥有的：

$ helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
"ingress-nginx" has been added to your repositories
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "ingress-nginx" chart repository
Update Complete. ⎈ Happy Helming!⎈ 
$ helm install nginx-ingress ingress-nginx/ingress-nginx --namespace default --set controller.replicaCount=2
Error: rendered manifests contain a resource that already exists. 
Unable to continue with install: could not get information about the resource: poddisruptionbudgets.policy "nginx-ingress-ingress-nginx-controller" is forbidden: User "system:serviceaccount:gitlab-managed-apps:default" cannot get resource "poddisruptionbudgets" in API group "policy" in the namespace "default"
Cleaning up project directory and file based variables
ERROR: Job failed: command terminated with exit code 1

怎么回事!？

Answer 1

检查这条错误行。这就解释了这个问题。

Unable to continue with install: could not get information about the resource: poddisruptionbudgets.policy "nginx-ingress-ingress-nginx-controller" is forbidden: User "system:serviceaccount:gitlab-managed-apps:default" cannot get resource "poddisruptionbudgets" in API group "policy" in the namespace "default"

对于nginx-ingress-ingress-nginx-controller资源上的get操作，您的poddisruptionbudgets没有RBAC权限。

看起来，kubernetes/ingress-nginx图表已经定义了PodDisruptionBudget，但是ClusterRole不包含对poddisruptionbudgets资源的任何权限。