我正在尝试在 Openshift 环境中使用 Filebeat 部署 ELK 堆栈。
Filebeat 正在尝试读取 Pod 的“/var/lib/docker/containers”路径下的日志文件,但失败并出现“权限被拒绝”错误。
我正在使用带有“runsAsAny”和“runAsUser: 0”的 SCC,
- apiVersion: v1
kind: SecurityContextConstraints
metadata:
name: hostpath
allowPrivilegedContainer: true
allowHostDirVolumePlugin: true
runAsUser:
type: RunAsAny
seLinuxContext:
type: RunAsAny
fsGroup:
type: RunAsAny
readOnlyRootFilesystem: false
supplementalGroups:
type: RunAsAny
users:
- my-admin-user
groups:
- my-admin-group
卷安装:
volumeMounts:
- mountPath: /var/lib/docker/containers
name: varlibdockercontainers
主机路径卷:
securityContext:
runAsUser: 0
volumes:
- hostPath:
path: /var/lib/docker/containers
type: ""
name: varlibdockercontainers
如果我在 SCC 中缺少某些内容,以便在“/var/lib/docker/containers”路径中至少具有读取权限,请告诉我。
我已经使用自动滚动策略部署了 mongo 有状态 pod,下面是它的模板。部署成功,Pod 进入 Running 状态。
- apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
name: mongo
spec:
serviceName: "mongo"
podManagementPolicy: Parallel
replicas: 3
strategy:
type: Rolling
template:
metadata:
labels:
role: mongo
environment: test
spec:
terminationGracePeriodSeconds: 10
containers:
- name: mongo
image: mongo:4.0
imagePullPolicy: Always
command:
- mongod
- "--replSet"
- rs0
- "--bind_ip"
- 0.0.0.0
- "--smallfiles"
- "--noprealloc"
ports:
- containerPort: 27017
volumeMounts:
- name: mongo-persistent-storage
mountPath: /data/db
- name: mongo-sidecar
image: cvallance/mongo-k8s-sidecar
env:
- name: MONGO_SIDECAR_POD_LABELS
value: "role=mongo,environment=test"
updateStrategy: …