Permission problem installing Traefik with helm3 on port 80 (hostNetwork)

Stack Overflow user
Asked 2021-02-10 22:01:59
1 answer, 1K views, 0 followers, score 3

I am learning helm3 and k8s (microk8s). When trying to run the following command:

Code language: shell
helm install traefik traefik/traefik  -n traefik --values traefik-values.yaml

with traefik-values.yaml containing the following values:

Code language: yaml
additionalArguments:
  - "--certificatesresolvers.letsencrypt.acme.email=<my-email>"
  - "--certificatesresolvers.letsencrypt.acme.storage=/data/acme.json"
  - "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
  - "--certificatesResolvers.letsencrypt.acme.tlschallenge=true"
  - "--api.insecure=true"
  - "--accesslog=true"
  - "--log.level=INFO"
hostNetwork: true
ipaddress: <my-ip>
service:
  type: ClusterIP
ports:
  web:
    port: 80
  websecure:
    port: 443

I get this bind permission error:

Code language: text
traefik.go:76: command traefik error: error while building entryPoint web: error preparing server: error opening listener: listen tcp :80: bind: permission denied

On the other hand, I can install Traefik on the same ports (80 and 443) with the following YAML file (similar to the example on Traefik's site):

Code language: yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: traefik
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: traefik
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: traefik-ingress-controller
  namespace: traefik
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
      name: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      tolerations:
      - effect: NoSchedule
        operator: Exists
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      containers:
      - image: traefik:2.4
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        # - name: admin
        #   containerPort: 8080
        #   hostPort: 8080
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        args:
        - --providers.kubernetesingress=true
        # you need to manually set this IP to the incoming public IP
        # that your ingress resources would use. Note it only affects
        # status and kubectl UI, and doesn't really do anything
        # It could even be left out https://github.com/containous/traefik/issues/6303
        - --providers.kubernetesingress.ingressendpoint.ip=<my-server-ip>
        ## uncomment these and the ports above and below to enable
        ## the web UI on the host NIC port 8080 in **insecure** mode
        - --api.dashboard=true
        - --api.insecure=true
        - --log=true
        - --log.level=INFO
        - --accesslog=true
        - --entrypoints.web.address=:80
        - --entrypoints.websecure.address=:443
        - --certificatesresolvers.leresolver.acme.tlschallenge=true # <== Enable TLS-ALPN-01 to generate and renew ACME certs
        - --certificatesresolvers.leresolver.acme.email=<email> # <== Setting email for certs
        - --certificatesresolvers.leresolver.acme.storage=/data/acme.json # <== Defining acme file to store cert information
        
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: traefik
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    # - protocol: TCP
      # port: 8080
      # name: admin
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: traefik

The two specs are not identical, but as far as I can tell they are very similar. Both create a ServiceAccount in the 'traefik' namespace and grant it a ClusterRole.

Which part determines the permission to bind port 80?

1 Answer

Stack Overflow user

Accepted answer

Posted 2021-02-11 00:12:41

There is an open issue on Traefik's helm chart where Jasper Ben suggested a working solution:

Code language: yaml
hostNetwork: true
ports:
  web:
    port: 80
    redirectTo: websecure
  websecure:
    port: 443

securityContext:
  capabilities:
    drop: [ALL]
    add: [NET_BIND_SERVICE]
  readOnlyRootFilesystem: true
  runAsGroup: 0
  runAsNonRoot: false
  runAsUser: 0

The part missing from the helm chart values is the NET_BIND_SERVICE capability in the securityContext.

票数 6
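The accepted answer's reasoning can be turned into a mechanical check: a process may only bind a TCP port below 1024 if it holds CAP_NET_BIND_SERVICE (uid 0 has it unless the runtime drops it), or if the netns it binds in has net.ipv4.ip_unprivileged_port_start lowered. The Python script below is an added example, not code from the question, the answer, or the Traefik chart. It walks a pod spec (a Pod, or the pod template of a Deployment/DaemonSet, as `kubectl get ... -o json` prints it), and for every declared privileged containerPort reports whether the bind will succeed. Assumptions made here: the chart's default securityContext at the time was a non-root uid 65532 with all capabilities dropped (the answer's override suggests as much), the container runtime grants the usual docker/containerd default capability set when the spec is silent, and the four sample specs are constructed, not captured from a cluster.

```python
"""Check whether each container in a pod spec can bind the privileged
(<1024) TCP ports it declares, i.e. whether 'listen tcp :80: bind:
permission denied' would happen. Added example; sample specs constructed."""
import json
import sys

NET_BIND = "NET_BIND_SERVICE"
DEFAULT_UNPRIV_START = 1024  # Linux default net.ipv4.ip_unprivileged_port_start
# Capabilities docker/containerd/CRI-O hand to a container when the spec says
# nothing (assumption: the cluster runtime uses this usual default set).
RUNTIME_DEFAULT_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    NET_BIND, "NET_RAW", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}
V_OK = "ok: uid 0 with NET_BIND_SERVICE"
V_SYSCTL = "ok: ip_unprivileged_port_start lowered in the pod netns"
V_MISSING = "FAIL: NET_BIND_SERVICE dropped/absent -> bind: permission denied"
V_NONROOT = ("WARN: NET_BIND_SERVICE granted but uid is not 0; a non-root process "
             "only gets it if the binary carries file capabilities")

def _norm(cap):
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap

def effective_caps(container):
    """Bounding set after the container's capabilities.add/drop are applied."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    add = {_norm(c) for c in caps.get("add") or []}
    drop = {_norm(c) for c in caps.get("drop") or []}
    eff = set() if "ALL" in drop else set(RUNTIME_DEFAULT_CAPS)
    return (eff - drop) | (add - {"ALL"})

def effective_uid(pod_spec, container):
    """Container-level runAsUser wins over pod-level; None means the image's USER."""
    for sc in (container.get("securityContext"), pod_spec.get("securityContext")):
        if sc and "runAsUser" in sc:
            return sc["runAsUser"]
    return None

def unprivileged_port_start(pod_spec):
    """Lowest port bindable without the capability in the netns the pod uses.
    With hostNetwork that is the host's netns, whose sysctl is not visible in
    the spec, so assume the kernel default; otherwise honour a pod sysctl
    (net.ipv4.ip_unprivileged_port_start is a 'safe' sysctl since k8s 1.22)."""
    if pod_spec.get("hostNetwork"):
        return DEFAULT_UNPRIV_START
    for s in (pod_spec.get("securityContext") or {}).get("sysctls") or []:
        if s.get("name") == "net.ipv4.ip_unprivileged_port_start":
            return int(s["value"])
    return DEFAULT_UNPRIV_START

def check_pod(pod_spec):
    """Return [(container, port, verdict)] for every privileged TCP containerPort."""
    start, findings = unprivileged_port_start(pod_spec), []
    for c in pod_spec.get("containers") or []:
        uid, caps = effective_uid(pod_spec, c), effective_caps(c)
        for p in c.get("ports") or []:
            port = p.get("containerPort")
            if port is None or p.get("protocol", "TCP") != "TCP" or port >= DEFAULT_UNPRIV_START:
                continue
            if port >= start:
                verdict = V_SYSCTL
            elif NET_BIND not in caps:
                verdict = V_MISSING
            elif uid == 0:
                verdict = V_OK
            else:
                verdict = V_NONROOT
            findings.append((c.get("name"), port, verdict))
    return findings

def pod_spec_from_object(obj):
    """Accept a Pod or a Deployment/DaemonSet/StatefulSet as `kubectl -o json` emits it."""
    return obj["spec"] if obj.get("kind") == "Pod" else obj["spec"]["template"]["spec"]

# Constructed samples. HELM_DEFAULT = the question's values with the chart's
# assumed default securityContext; ANSWER = the accepted answer's override;
# DAEMONSET = the question's raw manifest (no runAsUser); SYSCTL = the
# capability-free alternative, only possible without hostNetwork.
PORTS = [{"name": "web", "containerPort": 80, "protocol": "TCP"},
         {"name": "websecure", "containerPort": 443, "protocol": "TCP"},
         {"name": "traefik", "containerPort": 9000, "protocol": "TCP"}]
HELM_DEFAULT = {"hostNetwork": True, "containers": [{"name": "traefik", "ports": PORTS,
    "securityContext": {"capabilities": {"drop": ["ALL"]}, "readOnlyRootFilesystem": True,
                        "runAsNonRoot": True, "runAsUser": 65532, "runAsGroup": 65532}}]}
ANSWER = {"hostNetwork": True, "containers": [{"name": "traefik", "ports": PORTS,
    "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
                        "readOnlyRootFilesystem": True, "runAsNonRoot": False,
                        "runAsUser": 0, "runAsGroup": 0}}]}
DAEMONSET = {"hostNetwork": True, "containers": [{"name": "traefik-ingress-lb",
    "ports": [{"name": "http", "containerPort": 80, "hostPort": 80}],
    "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]}
SYSCTL = {"securityContext": {"sysctls": [{"name": "net.ipv4.ip_unprivileged_port_start",
                                           "value": "80"}]},
          "containers": [{"name": "traefik", "ports": PORTS,
              "securityContext": {"capabilities": {"drop": ["ALL"]}, "runAsUser": 65532}}]}

if __name__ == "__main__":
    # kubectl get deploy traefik -n traefik -o json | python3 check_bind.py
    for name, port, verdict in check_pod(pod_spec_from_object(json.load(sys.stdin))):
        print(f"{name}:{port}  {verdict}")
```

Run it against the live object after `helm install` (`kubectl get deploy traefik -n traefik -o json | python3 check_bind.py`) or against `helm template` output converted to JSON. Two caveats: the checker only sees ports declared under `ports:`, while Traefik binds whatever `--entrypoints.*.address` says (the question's DaemonSet declares only 80 but also listens on 443), and with `hostNetwork: true` the pod-level sysctl route is not available because the pod shares the host's network namespace, so the real choice is between granting NET_BIND_SERVICE (as the answer does, running as uid 0) and lowering `net.ipv4.ip_unprivileged_port_start` on the node itself.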
Original content provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain engine.
Original link: https://stackoverflow.com/questions/66138370
