After creating the ingress YAML file, the ingress-nginx pod status is CrashLoopBackOff

Source: 6-6 Ingress in practice

扎西石

2021-12-10

    [root@node1 ~]# kc describe pod nginx-ingress-controller-b4f59498f-vwrmc -n ingress-nginx
    Events:
      Type     Reason     Age                  From               Message
      Normal   Pulling    2m28s                kubelet            Pulling image "registry.aliyuncs.com/google_containers/nginx-ingress-controller:0.32.0"
      Normal   Scheduled  2m26s                default-scheduler  Successfully assigned ingress-nginx/nginx-ingress-controller-b4f59498f-vwrmc to node1
      Normal   Pulled     2m1s                 kubelet            Successfully pulled image "registry.aliyuncs.com/google_containers/nginx-ingress-controller:0.32.0" in 26.49768853s
      Warning  Unhealthy  91s (x2 over 112s)   kubelet            Readiness probe failed: Get "http://192.168.99.102:10254/healthz": dial tcp 192.168.99.102:10254: connect: connection refused
      Normal   Created    61s (x4 over 113s)   kubelet            Created container nginx-ingress-controller
      Normal   Started    61s (x4 over 113s)   kubelet            Started container nginx-ingress-controller
      Normal   Pulled     61s (x3 over 111s)   kubelet            Container image "registry.aliyuncs.com/google_containers/nginx-ingress-controller:0.32.0" already present on machine
      Warning  BackOff    58s (x10 over 110s)  kubelet            Back-off restarting failed container

    [root@node1 ~]# kc logs nginx-ingress-controller-b4f59498f-vwrmc -n ingress-nginx
    W1210 07:41:39.648335 6 flags.go:249] SSL certificate chain completion is disabled (--enable-ssl-chain-completion=false)
    W1210 07:41:39.648496 6 client_config.go:543] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work.
    I1210 07:41:39.648718 6 main.go:220] Creating API client for https://10.1.0.1:443

    NGINX Ingress controller
    Release: 0.32.0
    Build: git-446845114
    Repository: https://github.com/kubernetes/ingress-nginx
    nginx version: nginx/1.17.10

    I1210 07:41:39.675723 6 main.go:264] Running in Kubernetes cluster version v1.22 (v1.22.4) - git (clean) commit b695d79d4f967c403a96986f1750a35eb75e75f1 - platform linux/amd64
    F1210 07:41:39.828634 6 ssl.go:389] unexpected error storing fake SSL Cert: could not create PEM certificate file /etc/ingress-controller/ssl/default-fake-certificate.pem: open /etc/ingress-controller/ssl/default-fake-certificate.pem: permission denied


1 answer

清风

2021-12-10

See this:

I experienced the same. The solution is not to remove the capability section but to change the runAsUser.

If you download the new release (0.27.1) deployment of the Nginx ingress controller, you can see:

       securityContext:
         allowPrivilegeEscalation: true
         capabilities:
           drop:
             - ALL
           add:
             - NET_BIND_SERVICE
         # www-data -> 101
         runAsUser: 101

The "runAsUser" line has a different user id. The user id in my old deployment was different so I got this error. Since I changed the runAsUser to ID 101, the id in the Kubernetes definitions is the same as the ID used in the new Nginx image and it works again :)


扎西石
I changed runAsUser and it still reports the same error
2021-12-13
1 reply in total
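
An added example, not part of the thread: the answer above depends on the UID the container actually runs as, and a container-level `runAsUser` overrides a pod-level one, so checking the deployed object shows which value is in effect. The code assumes input shaped like `kubectl get deployment -o json` output; the sample JSON, the UID 33 in it and the function names are constructed for illustration, and 101 is the UID quoted in the answer.

```python
import json

EXPECTED_UID = 101  # "www-data -> 101", taken from the answer quoted above

# Constructed sample shaped like `kubectl get deployment <name> -o json` output.
SAMPLE = json.loads("""
{"metadata": {"name": "nginx-ingress-controller", "namespace": "ingress-nginx"},
 "spec": {"template": {"spec": {
   "securityContext": {"runAsUser": 101},
   "containers": [
     {"name": "nginx-ingress-controller",
      "image": "registry.aliyuncs.com/google_containers/nginx-ingress-controller:0.32.0",
      "securityContext": {"runAsUser": 33,
                          "capabilities": {"drop": ["ALL"],
                                           "add": ["NET_BIND_SERVICE"]}}}
   ]}}}}
""")


def effective_uids(deployment):
    """Map container name -> UID it will run as (None = image default USER)."""
    pod_spec = deployment["spec"]["template"]["spec"]
    pod_uid = (pod_spec.get("securityContext") or {}).get("runAsUser")
    result = {}
    for container in pod_spec.get("containers", []):
        # A container-level runAsUser takes precedence over the pod-level one.
        ctx = container.get("securityContext") or {}
        result[container["name"]] = ctx.get("runAsUser", pod_uid)
    return result


def audit(deployment, expected_uid=EXPECTED_UID):
    """Return one finding per container whose effective UID is not expected_uid."""
    findings = []
    for name, uid in effective_uids(deployment).items():
        if uid is None:
            continue  # nothing set in the manifest; the image's own USER applies
        if uid != expected_uid:
            findings.append(f"{name}: runAsUser={uid}, image expects {expected_uid}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE) or ["runAsUser matches the expected UID"]:
        print(line)
```

In the constructed sample the pod-level value is already 101, but the container-level 33 still wins, so the audit reports a mismatch.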
