Kubernetes Pod 无法挂载 Secret Volume

Kubernetes Pod 无法挂载 Secret Volume

我正在关注HashiCorp 教程一切看起来都很好,直到我尝试启动“webapp”pod - 一个简单的pod,其唯一功能是演示它可以启动和安装一个秘密卷。

错误(权限被拒绝)显示在该命令输出的底部:

kubectl describe pod webapp
Name:             webapp
Namespace:        default
Priority:         0
Service Account:  webapp-sa
Node:             docker-desktop/192.168.65.4
Start Time:       Tue, 14 Feb 2023 09:32:07 -0500
Labels:           <none>
Annotations:      <none>
Status:           Pending
IP:
IPs:              <none>
Containers:
  webapp:
    Container ID:
    Image:          jweissig/app:0.0.1
    Image ID:
    Port:           <none>
    Host Port:      <none>
    State:          Waiting
      Reason:       ContainerCreating
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /mnt/secrets-store from secrets-store-inline (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-5b76r (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  secrets-store-inline:
    Type:              CSI (a Container Storage Interface (CSI) volume source)
    Driver:            secrets-store.csi.k8s.io
    FSType:
    ReadOnly:          true
    VolumeAttributes:      secretProviderClass=vault-database
  kube-api-access-5b76r:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason       Age              From               Message
  ----     ------       ----             ----               -------
  Normal   Scheduled    9s               default-scheduler  Successfully assigned default/webapp to docker-desktop
  Warning  FailedMount  2s (x5 over 9s)  kubelet            MountVolume.SetUp failed for volume "secrets-store-inline" : rpc error: code = Unknown desc = failed to mount secrets store objects for pod default/webapp, err: rpc error: code = Unknown desc = error making mount request: couldn't read secret "db-password": Error making API request.

URL: GET http://vault.default:8200/v1/secret/data/db-pass
Code: 403. Errors:

* 1 error occurred:
  * permission denied

我在一台 Win11 机器上执行此操作,该机器上运行着 DockerDesktop 和 Kubernetes。(我对 K8s 还很陌生。)我的 K8s 安装看起来不错,因为我能够运行其他示例。

我需要在这里授予什么权限?也许 Vault 需要允许下面的 REST 调用?

curl http://localhost:8200/v1/secret/data/db-pass
curl: (7) Failed to connect to localhost port 8200: Connection refused

Vault 正在此机器上的 k8s 中运行,其日志中显示:

2023-02-14 09:07:14 You may need to set the following environment variables:
2023-02-14 09:07:14     $ export VAULT_ADDR='http://[::]:8200'

所以它确实暴露了端口 8200 - 但它可能需要对 REST 调用进行某种身份验证?

更新:看起来问题处于较低级别,涉及 Vault:

kubectl get pods
NAME                                    READY   STATUS    RESTARTS      AGE
vault-0                                 1/1     Running   1 (22m ago)   32m
vault-agent-injector-77fd4cb69f-mf66p   1/1     Running   1 (22m ago)   32m

vault status
Error checking seal status: Get "http://[::]:8200/v1/sys/seal-status": dial tcp [::]:8200: connect: connection refused

因此,如果它没有响应vault status,它可能不会接受任何其他命令/连接。

我该如何解决这个问题?

答案1

  1. 就本教程而言,它确实有效。我不确定我做错了什么,但我再次运行了它,它成功了。如果我不得不猜测,我会怀疑配置 Pod 所涉及的一些 YAML 格式不正确(因为空格很重要)。
  2. vault status命令有效,但只能从 Vault pod 内运行的终端执行。Kubernetes-in-Docker-on-DockerDesktop 集群不为这些 pod 公开任何端口,因此即使我已经vault-cli在 PC 上安装了,也无法vault status从 pod 外部使用。

相关内容