I want to deploy pgadmin on an RKE2 Kubernetes cluster to access the database. Unfortunately, I think the pgadmin pod is crashing because of a PSP problem. I know PSPs are deprecated and we plan to switch to OPA soon, but in the meantime it would be useful to have pgadmin working.
The deployment file looks like this:

  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: pgadmin
  spec:
    selector:
      matchLabels:
        app: pgadmin
    replicas: 1
    template:
      metadata:
        labels:
          app: pgadmin
      spec:
        containers:
          - name: pgadmin4
            image: dpage/pgadmin4:latest
            env:
              - name: PGADMIN_DEFAULT_EMAIL
                value: "test@ind.nl"
              - name: PGADMIN_DEFAULT_PASSWORD
                value: "test"
              - name: PGADMIN_PORT
                value: "80"
            ports:
              - containerPort: 80
                name: pgadminport
            securityContext:
              runAsUser: 0
              runAsGroup: 0
              allowPrivilegeEscalation: true
              readOnlyRootFilesystem: false
  ---
  apiVersion: v1
  kind: Service
  metadata:
    name: pgadmin
    labels:
      app: pgadmin
  spec:
    selector:
      app: pgadmin
    type: NodePort
    ports:
      - port: 80
        nodePort: 30200

It returns logs with a permission problem:

  /entrypoint.sh: line 62: /venv/bin/python3: Operation not permitted
  sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted
  sudo: no valid sudoers sources found, quitting
  sudo: error initializing audit plugin sudoers_audit
  /entrypoint.sh: line 84: /venv/bin/python3: Operation not permitted
  /entrypoint.sh: exec: line 92: /venv/bin/gunicorn: Operation not permitted

When I change the runAsUser and runAsGroup values to 5050, it returns the following logs:

  /entrypoint.sh: line 62: /venv/bin/python3: Operation not permitted
  sudo: unable to change to root gid: Operation not permitted
  sudo: error initializing audit plugin sudoers_audit
  /entrypoint.sh: line 84: /venv/bin/python3: Operation not permitted
  /entrypoint.sh: exec: line 92: /venv/bin/gunicorn: Operation not permitted

When I change the runAsGroup value back to 0, it returns the following logs:

  /entrypoint.sh: line 62: /venv/bin/python3: Operation not permitted
  sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted
  sudo: no valid sudoers sources found, quitting
  sudo: setresuid() [0, 0, 0] -> [5050, -1, -1]: Operation not permitted
  sudo: error initializing audit plugin sudoers_audit
  /entrypoint.sh: line 84: /venv/bin/python3: Operation not permitted
  /entrypoint.sh: exec: line 92: /venv/bin/gunicorn: Operation not permitted

Update 1: the PSP in use looks like this:

  apiVersion: policy/v1beta1
  kind: PodSecurityPolicy
  metadata:
    annotations:
      psp.rke2.io/global-restricted: resolved
    creationTimestamp: "2022-06-30T14:00:25Z"
    name: global-restricted-psp
    resourceVersion: "3493795"
    uid: b7209f38-9609-4b81-b3ef-ab7a17b39bbd
  spec:
    allowPrivilegeEscalation: true
    fsGroup:
      ranges:
        - max: 65535
          min: 0
      rule: MustRunAs
    requiredDropCapabilities:
      - ALL
    runAsUser:
      rule: RunAsAny
    seLinux:
      rule: RunAsAny
    supplementalGroups:
      ranges:
        - max: 65535
          min: 0
      rule: MustRunAs
    volumes:
      - configMap
      - emptyDir
      - projected
      - secret
      - downwardAPI
      - persistentVolumeClaim

Does anyone have an idea?
Posted on 2022-07-01 16:46:11
I think what you are missing here is the configuration for handling persistent data. I tried the same deployment file as yours, only adding the volumes & volumeMounts configuration, albeit with an emptyDir (you will probably want to persist the data), and it works.
Then, using the following command

  kubectl port-forward pgadmin-6ff557759c-m5cxn 8080:80

I was able to access the pgadmin console locally at http://127.0.0.1:8080.
Below is the deployment.yaml file:

  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: pgadmin
  spec:
    selector:
      matchLabels:
        app: pgadmin
    replicas: 1
    template:
      metadata:
        labels:
          app: pgadmin
      spec:
        containers:
          - name: pgadmin4
            image: dpage/pgadmin4:latest
            env:
              - name: PGADMIN_DEFAULT_EMAIL
                value: "test@ind.nl"
              - name: PGADMIN_DEFAULT_PASSWORD
                value: "test"
              - name: PGADMIN_PORT
                value: "80"
            ports:
              - containerPort: 80
                name: pgadminport
            securityContext:
              runAsUser: 5050
              runAsGroup: 5050
              allowPrivilegeEscalation: true
              readOnlyRootFilesystem: false
            volumeMounts:
              - mountPath: /var/lib/pgadmin
                name: pgadmin-data
        volumes:
          - emptyDir: {}
            name: pgadmin-data

Well, I also changed runAsUser & runAsGroup to 5050 (taking some inspiration from the Helm chart here: https://artifacthub.io/packages/helm/runix/pgadmin4), although that may not be needed.
That said, it would be much easier for you to use the Helm chart, since it lets you handle the configuration easily through an existing PersistentVolume or a storageClass.
Hope this helps!
https://stackoverflow.com/questions/72830820
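The PSP from the question's Update 1 uses runAsUser: RunAsAny and lists emptyDir among its allowed volume types, so neither the original manifest nor the answer's manifest is rejected at admission time; the failures in the logs happen inside the running container. What the PSP does enforce is requiredDropCapabilities: ALL, and the sudo lines in the logs (setresuid() ... Operation not permitted) are what setresuid returns when a process, even one running as uid 0, lacks CAP_SETUID. The example below, added here and not part of the question or answer, is a simplified evaluator of the PSP rules shown on this page: it transcribes the policy and both pod specs into Python dicts (constructed from the YAML above), reports which fields would cause an admission rejection, and shows the capability drop list the PSP admission plugin would inject. The helper names (evaluate, effective_drops, with_volume, with_added_caps) are my own, and the rule handling is a deliberately reduced model of the real admission plugin, not its code.

```python
import copy
from typing import Any, Dict, List

# Constructed from the question's "Update 1": spec of global-restricted-psp as a dict.
PSP: Dict[str, Any] = {
    "allowPrivilegeEscalation": True,
    "fsGroup": {"rule": "MustRunAs", "ranges": [{"min": 0, "max": 65535}]},
    "requiredDropCapabilities": ["ALL"],
    "runAsUser": {"rule": "RunAsAny"},
    "seLinux": {"rule": "RunAsAny"},
    "supplementalGroups": {"rule": "MustRunAs", "ranges": [{"min": 0, "max": 65535}]},
    "volumes": ["configMap", "emptyDir", "projected", "secret", "downwardAPI", "persistentVolumeClaim"],
}

# Constructed from the question's Deployment: pod template spec (root, no volumes).
QUESTION_POD: Dict[str, Any] = {
    "containers": [{
        "name": "pgadmin4",
        "image": "dpage/pgadmin4:latest",
        "securityContext": {"runAsUser": 0, "runAsGroup": 0,
                            "allowPrivilegeEscalation": True, "readOnlyRootFilesystem": False},
    }],
}


def with_volume(pod: Dict[str, Any], name: str, vtype: str, spec: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the pod spec with an extra volume of the given type (hypothetical helper)."""
    out = copy.deepcopy(pod)
    out.setdefault("volumes", []).append({"name": name, vtype: spec})
    return out


def with_added_caps(pod: Dict[str, Any], caps: List[str]) -> Dict[str, Any]:
    """Return a copy of the pod spec whose first container adds capabilities (hypothetical helper)."""
    out = copy.deepcopy(pod)
    sc = out["containers"][0].setdefault("securityContext", {})
    sc.setdefault("capabilities", {})["add"] = list(caps)
    return out


# Constructed from the answer's Deployment: uid/gid 5050 plus an emptyDir at /var/lib/pgadmin.
ANSWER_POD = with_volume(QUESTION_POD, "pgadmin-data", "emptyDir", {})
ANSWER_POD["containers"][0]["securityContext"].update({"runAsUser": 5050, "runAsGroup": 5050})
ANSWER_POD["containers"][0]["volumeMounts"] = [{"mountPath": "/var/lib/pgadmin", "name": "pgadmin-data"}]


def _in_ranges(value: int, ranges: List[Dict[str, int]]) -> bool:
    return any(r["min"] <= value <= r["max"] for r in ranges)


def _check_group_rule(field: str, rule: Dict[str, Any], pod_sc: Dict[str, Any]) -> List[str]:
    # MustRunAs only rejects values outside the ranges; an unset value would be
    # defaulted to the first range's min by the admission plugin, so it is not a violation.
    if rule["rule"] != "MustRunAs" or pod_sc.get(field) is None:
        return []
    values = pod_sc[field] if isinstance(pod_sc[field], list) else [pod_sc[field]]
    return [f"{field} {v} outside allowed ranges" for v in values if not _in_ranges(v, rule["ranges"])]


def evaluate(psp: Dict[str, Any], pod_spec: Dict[str, Any]) -> List[str]:
    """Return the PSP violations for a pod spec; an empty list means the pod would be admitted."""
    violations: List[str] = []
    pod_sc = pod_spec.get("securityContext", {})

    # Volume types: every key of a volume entry other than "name" is its type.
    for vol in pod_spec.get("volumes", []):
        for vtype in (k for k in vol if k != "name"):
            if vtype not in psp["volumes"] and "*" not in psp["volumes"]:
                violations.append(f"volume {vol['name']!r}: type {vtype} not allowed")

    violations += _check_group_rule("fsGroup", psp["fsGroup"], pod_sc)
    violations += _check_group_rule("supplementalGroups", psp["supplementalGroups"], pod_sc)

    for c in pod_spec.get("containers", []):
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("privileged") and not psp.get("privileged", False):
            violations.append(f"{name}: privileged containers not allowed")
        if sc.get("allowPrivilegeEscalation", True) and not psp["allowPrivilegeEscalation"]:
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        rule = psp["runAsUser"]["rule"]
        if rule == "MustRunAsNonRoot" and (uid is None or uid == 0):
            violations.append(f"{name}: must run as non-root")
        elif rule == "MustRunAs" and (uid is None or not _in_ranges(uid, psp["runAsUser"]["ranges"])):
            violations.append(f"{name}: runAsUser outside allowed ranges")
        # A container may not add a capability the policy requires to be dropped ("ALL" covers every cap).
        required = psp["requiredDropCapabilities"]
        for cap in sc.get("capabilities", {}).get("add", []):
            if "ALL" in required or cap in required:
                violations.append(f"{name}: capability {cap} must be dropped")
    return violations


def effective_drops(psp: Dict[str, Any], container: Dict[str, Any]) -> List[str]:
    """Capability drop list the admission plugin would write into the container spec."""
    drops = list(container.get("securityContext", {}).get("capabilities", {}).get("drop", []))
    drops += [cap for cap in psp["requiredDropCapabilities"] if cap not in drops]
    return drops


if __name__ == "__main__":
    for label, pod in (("question", QUESTION_POD), ("answer", ANSWER_POD)):
        print(label, "violations:", evaluate(PSP, pod) or "none")
    print("injected drops:", effective_drops(PSP, QUESTION_POD["containers"][0]))
    print("hostPath variant:", evaluate(PSP, with_volume(ANSWER_POD, "host", "hostPath", {"path": "/data"})))
```

Running it shows both manifests admitted with drop: [ALL] injected, while a hostPath volume or a capabilities.add entry is rejected. The practical reading for this thread: the policy will not let the container regain CAP_SETUID for sudo, so the workable direction is the answer's, running pgadmin as its unprivileged uid from the start with a writable data volume rather than relying on the entrypoint to drop privileges itself.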