Kubernetes pod: "Operation not permitted" while trying to access a mounted volume

Question

I am running Docker Desktop 4.10 on Windows 10, with K8s enabled. I have the following k8s resources deployed through a helm chart, using Helm 3.12:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: fab-rabbitmq
  labels:
    type: mydata
spec:
  capacity:
    storage: 2Gi
  accessModes:
    - ReadWriteOnce
  storageClassName: hostpath
  hostPath:
    path: /c/data
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc1
spec:
  accessModes:
    - ReadWriteOnce
  volumeMode: Filesystem
  resources:
    requests:
      storage: 2Gi
  storageClassName: hostpath
  selector:
    matchLabels:
      type: "mydata"
---
apiVersion: v1
kind: Pod
metadata:
  name: pod1
spec:
  containers:
    - name: myfrontend
      image: nginx
      volumeMounts:
      - mountPath: "/mydata"
        name: vol1
  volumes:
    - name: vol1
      persistentVolumeClaim:
        claimName: pvc1

After deploying the chart, the pod runs correctly and the PVC is bound to the PV. I also set Windows security permissions to Everyone-full control on C:\data.

However, when I access the pod and try to list the files in the folder, I get the following error:

kubectl exec -it pod1 bash
# ls -la mydata
ls: reading directory 'mydata': Operation not permitted

I can't seem to find a way to really have access to the mounted folder.

When I try to run a simple container using docker run -v /c/data:/mydata nginx and access /mydata, it works.

Any ideas what I am doing wrong?

Answer 1

Score: 1

I found the explanation here and here. When running in Minikube, the "host path" is not actually the path on the physical host but rather a path inside the Minikube node. That's because Minikube IS actually the host of all pods (hence their node). So basically, the steps to do this correctly are:

  1. Ensure the physical path is mounted inside Minikube by running minikube start --mount --mount-string=C:\myfolder:/folder/in/minikube
  2. When setting up the PV, specify: hostPath.path: /folder/in/minikube:/folder/in/pod
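
The node-path versus pod-path split described in the answer, written out as manifests (an added example, not from the original question or answer). In the Kubernetes API, `hostPath.path` holds only the path inside the node, and the path inside the pod goes in the container's `volumeMounts[].mountPath`. The two paths are the answer's placeholders; `type: Directory` and `readOnly: true` are assumptions added here.

```yaml
# Added example. Assumes the node was started with the answer's
# --mount-string, so /folder/in/minikube exists inside the Minikube node.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: fab-rabbitmq
  labels:
    type: mydata
spec:
  capacity:
    storage: 2Gi
  accessModes:
    - ReadWriteOnce
  storageClassName: hostpath
  hostPath:
    path: /folder/in/minikube   # path on the node, not on the Windows host
    type: Directory             # assumption: fail the mount if the path is absent
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc1
spec:
  accessModes:
    - ReadWriteOnce
  volumeMode: Filesystem
  resources:
    requests:
      storage: 2Gi
  storageClassName: hostpath
  selector:
    matchLabels:
      type: "mydata"
---
apiVersion: v1
kind: Pod
metadata:
  name: pod1
spec:
  containers:
    - name: myfrontend
      image: nginx
      volumeMounts:
        - mountPath: /folder/in/pod   # path as seen inside the container
          name: vol1
          readOnly: true              # assumption: pod only reads the node path
  volumes:
    - name: vol1
      persistentVolumeClaim:
        claimName: pvc1
```

With `type: Directory`, a node that lacks the mounted folder leaves the pod in ContainerCreating with a FailedMount event instead of starting against the wrong directory. Drop `readOnly: true` only if the workload has to write to the host folder, since a writable hostPath gives the container write access to part of the node's filesystem.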

huangapple
  • Published on June 8, 2023 at 00:43:40
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76425478.html