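TimescaleDb single node Kubernetes deployment failing on PodSecurityPolicy

Stack Overflow user
Asked on 2022-11-14 18:27:27
1 answer · 44 views · 0 followers · 0 votes

I am installing the 0.18.0 TimescaleDb single Helm chart. The StatefulSet comes up, but the pods have the following error: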

values.yaml

```yaml
timescaledb-single:
  image:
    pullPolicy: IfNotPresent

  service:
    primary:
      labels:
        team: my-team
    replica:
      labels:
        team: my-team

  prometheus:
    enabled: true

  persistentVolumes:
    wal:
      size: 20G
    data:
      size: 5G

  replicaCount: 3

  serviceAccount:
    create: false  # There's an existing service account already from an earlier install.
    name: my-cluster-timescaledb
```

Error:

```
2022-11-14 18:14:17,077 ERROR: Error creating replica using method pgbackrest: /etc/timescaledb/scripts/pgbackrest_restore.sh exited with code=1
2022-11-14 18:14:17,077 ERROR: failed to bootstrap from leader 'my-cluster-timescaledb-0'
2022-11-14 18:14:27,076 ERROR: Permission denied
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/patroni/dcs/kubernetes.py", line 498, in wrapper
    return func(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/patroni/dcs/kubernetes.py", line 1088, in touch_member
    ret = self._api.patch_namespaced_pod(self._name, self._namespace, body)
  File "/usr/lib/python3/dist-packages/patroni/dcs/kubernetes.py", line 483, in wrapper
    return getattr(self._core_v1_api, func)(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/patroni/dcs/kubernetes.py", line 419, in wrapper
    return self._api_client.call_api(method, path, headers, body, **kwargs)
  File "/usr/lib/python3/dist-packages/patroni/dcs/kubernetes.py", line 388, in call_api
    return self._handle_server_response(response, _preload_content)
  File "/usr/lib/python3/dist-packages/patroni/dcs/kubernetes.py", line 218, in _handle_server_response
    raise k8s_client.rest.ApiException(http_resp=response)
patroni.dcs.kubernetes.K8sClient.rest.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Audit-Id': 'a34c6fd2-a1c3-4cdf-99cf-1288fddf8817', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'Date': 'Mon, 14 Nov 2022 18:14:27 GMT', 'Content-Length': '289'})
HTTP response body: b'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \\"my-cluster-timescaledb-1\\" is forbidden: PodSecurityPolicy: unable to validate pod: []","reason":"Forbidden","details":{"name":"my-cluster-timescaledb-1","kind":"pods"},"code":403}\n'
```

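I can see that the issue is with the PSP, but I don't know exactly which operation is causing the problem, so it's hard to update the PSP.

Unless the error is caused by something else? I see that Patroni is trying to create some pgbackup db? How can I fix this error?

1 Answer

Stack Overflow user

Answered on 2022-11-17 13:09:14

I have never experienced this error before. As Patroni is returning a 403 error when calling the k8s API, this is most likely a service account issue; the old service account should be deleted and a new one created, so please change: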

```yaml
  serviceAccount:
    create: false  # There's an existing service account already from an earlier install.
    name: my-cluster-timescaledb
```

to:

```yaml
  serviceAccount:
    create: true
```
Votes: 0
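As an added example (not part of the original question or answer, and not Patroni or chart code), the sketch below parses the `HTTP response body` line from the traceback and reports whether the 403 came from RBAC authorization or from the PodSecurityPolicy admission plugin. The function names are hypothetical, and reading a trailing `[]` as "no field-level violation was reported" is an assumption.

```python
import ast
import json
import re

# Constructed sample: the "HTTP response body" line copied from the traceback above.
SAMPLE_LINE = (
    r"""HTTP response body: b'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods """
    r"""\\"my-cluster-timescaledb-1\\" is forbidden: PodSecurityPolicy: unable to validate pod: """
    r"""[]","reason":"Forbidden","details":{"name":"my-cluster-timescaledb-1","kind":"pods"},"code":403}\n'"""
)

BODY_RE = re.compile(r"HTTP response body: (b'.*')\s*$")
# Wording the API server uses when RBAC authorization (not admission) rejects a request.
RBAC_RE = re.compile(r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<res>[^"]+)"')


def status_from_log_line(line):
    """Recover the Kubernetes Status object from the bytes repr in the client log."""
    match = BODY_RE.search(line)
    if match is None:
        return None
    try:
        # literal_eval only accepts literals, so a hostile log line cannot run code.
        return json.loads(ast.literal_eval(match.group(1)).decode("utf-8"))
    except (ValueError, SyntaxError):
        return None


def classify_forbidden(status):
    """Name the layer that produced a 403 so the right object gets fixed."""
    message = status.get("message", "")
    if status.get("code") != 403:
        return {"layer": "other"}
    rbac = RBAC_RE.search(message)
    if rbac:
        return {"layer": "rbac", "subject": rbac["user"], "verb": rbac["verb"], "resource": rbac["res"]}
    if "PodSecurityPolicy:" in message:
        return {
            "layer": "psp-admission",
            "pod": status.get("details", {}).get("name"),
            # Assumption: a trailing "[]" means no field-level violation was reported.
            "field_errors_listed": not message.rstrip().endswith(": []"),
        }
    return {"layer": "unknown-forbidden"}


if __name__ == "__main__":
    print(classify_forbidden(status_from_log_line(SAMPLE_LINE)))
```

For the log line in the question the result is `psp-admission` with no field errors listed, so the rejection was made by the admission plugin rather than by an RBAC rule on the `patch` verb.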
Original page content provided by Stack Overflow.
Original link: https://stackoverflow.com/questions/74436252