Closed gongzhao2 closed 3 years ago
We have created an issue in Pivotal Tracker to manage this:
https://www.pivotaltracker.com/story/show/178263358
The labels on this github issue will be updated when the story is started.
Hi @gongzhao2 can you confirm that the ClusterStore
section of your rendered file is updated to point to your registry?
This part of the rendered.yml
apiVersion: kpack.io/v1alpha1
kind: ClusterStore
metadata:
name: cf-buildpack-store
annotations:
kapp.k14s.io/change-group.kpack-resources: cf-for-k8s.cloudfoundry.org/kpack-resources
spec:
sources:
- image: gcr.io/paketo-buildpacks/ruby@sha256:6f765726dd17b0ba39d77d95e972c0e3893811e4450277414bd7ef58156de385
- image: gcr.io/paketo-community/python@sha256:494b194a0a6d44d8e2116298038e5bb2f0a0892f4c80a372de97d211a0706dc4
- image: gcr.io/paketo-buildpacks/java@sha256:54dba27a1fbb80c5f01238a286b7eeb2b3e06e400c14f4314350e3bdeefc267e
- image: gcr.io/paketo-buildpacks/nodejs@sha256:59c498f9d0187311f299dcb5666db5c6c209105170bc81b4e3ef32de009d4539
- image: gcr.io/paketo-buildpacks/go@sha256:29f3b58497cac958c18ec0646264d532de7c5b5505081b7e5f41366d009f34e3
- image: gcr.io/paketo-buildpacks/dotnet-core@sha256:7633a3a242297c1120202d863027222150ae63db4af0a113cbf35e7a9be91bd2
- image: gcr.io/paketo-buildpacks/php@sha256:70e756b3865670ad251057945989478365f50f7968009c8a248fa590de17b2a5
- image: gcr.io/paketo-buildpacks/procfile@sha256:61b05ad4392efb66a61098e816099a76b95e037605ceb92bb509e137987fef1d
---
apiVersion: kpack.io/v1alpha1
kind: ClusterStack
metadata:
name: bionic-stack
annotations:
kapp.k14s.io/change-group.kpack-resources: cf-for-k8s.cloudfoundry.org/kpack-resources
spec:
id: io.buildpacks.stacks.bionic
buildImage:
image: index.docker.io/paketobuildpacks/build@sha256:f89d964e263e1ec513420f7071691dc9ce59e659b8e214da78eca3fdd3b68566
runImage:
image: index.docker.io/paketobuildpacks/run@sha256:faf38e1f928b4bc33ce3923ffd14bf812c528919acfefb94030a7a43563d8057
Yes, I can confirm that I replace every "gcr.io" image with my docker hub registry.
apiVersion: kpack.io/v1alpha1
kind: ClusterStore
metadata:
name: cf-buildpack-store
annotations:
kapp.k14s.io/change-group.kpack-resources: cf-for-k8s.cloudfoundry.org/kpack-resources
spec:
sources:
- image: gongzhao2/paketo-buildpacks_ruby
- image: gongzhao2/paketo-community_python
- image: gongzhao2/paketo-buildpacks_java
- image: gongzhao2/paketo-buildpacks_nodejs
- image: gongzhao2/paketo-buildpacks_go
- image: gongzhao2/paketo-buildpacks_dotnet-core
- image: gongzhao2/paketo-buildpacks_php
- image: gongzhao2/paketo-buildpacks_procfile
---
apiVersion: kpack.io/v1alpha1
kind: ClusterStack
metadata:
name: bionic-stack
annotations:
kapp.k14s.io/change-group.kpack-resources: cf-for-k8s.cloudfoundry.org/kpack-resources
spec:
id: io.buildpacks.stacks.bionic
buildImage:
image: index.docker.io/paketobuildpacks/build@sha256:42db6f300377ccb187bea21b7c333026ad529f0385f4a8a4d7223480f2672777
runImage:
image: index.docker.io/paketobuildpacks/run@sha256:ae23d1e8ab33e93807ef42663ebefd431f4cabd3b270317a73564d496546dd10
I think this might be caused by the difference bewteen Huawei Cloud's Kubernetes cluster and native Kubernetes cluster. Since I use same rendered template to deploy cf-for-k8s in minikube successfully. I will continue investigate this issue and update it.
Are you able to access the docker registry from the cluster?
That particular command /cnb/lifecycle/detector
that is failing is part of kpack
itself, so seems like something with the kpack configuration is not quite right.
What revision of cf-for-k8s are you using?
I was able to use your relocated buildpack images in a GKE cluster to deploy an application and it worked fine.
I'm not sure what interplay there is between your cloud provider, the Cloud Native Buildpacks lifecycle and the container runtime. Your error suggests that the runtime is unable to start the container. Do you know what runtime the Hauwei cluster is using?
I cluster can access docker hub registry. I just clone cf-for-k8s repository from main branch, I think it's v4.2.0 version. regarding runtime part, Huawei uses docker as the container runtime.
Hi there, I found the root cause is that Huawei Cloud has some secuirty enhancement about Kubernetes "securityContext". I check the POD in the cf-workloads-staging namespace, found that there are some configuration of securityContext
$ kubectl get pods -n cf-workloads-staging
NAME READY STATUS RESTARTS AGE
41bc205a-4bf2-44a9-82fc-9412812b7fd2-build-1-lqklw-build-pod 0/1 Init:ContainerCannotRun 0 118s
...
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsUser: 1000
...
How can I change the runAsUser or runAsGroup configuration, I can't found any related configuration in cf-for-k8s-rendered.yml
. I think this pod is created by some CRD resources, how can I change the default behavior?
cf-for-k8s doesn't make any opinions about runAsUser
or runAsGroup
- the only requirement is that the images are run as non-root. In the case of source code built images, Kpack and CNBs provide a numeric user ID. In the case of Docker/OCI images, the user is responsible for ensuring that the USER
directive is populated with a numeric. (The runtime is unable to determine whether a non-numeric user maps to root, so it requires a numeric.)
Workloads configuration is set by Eirini. Workloads & Jobs.
What does the describe status for the pod say? kubectl describe pod -n cf-workloads <pod-name>
Hi,
Close this issue since I successfully deploy cf-for-k8s on native Kubernetes cluster.
And the root couse is that Huawei Cloud have some secuirty enhancement which needs me run docker container as root
.
Thank you everyone!
Describe the bug
Hi Team, I follow this instruction to deploy cf in China Huawei Cloud kubernetes cluster. Since my cluster can't access to gcr.io, so I download these images manually and uploaded them in my docker hub, them I modify the images address in "cf-for-k8s-rendered.yml"
Then I use kapp to deploy cf successfully.
But when I try to push demo application, The app’s pod could not be initialized
this app report an error as below:
Expected behavior
Hope the demo application starts successfully
Additional context
Deploy instructions
kapp deploy -a cf -f ${TMP_DIR}/cf-for-k8s-rendered.yml -y
Cluster information
Huawei Cloud Kubernetes Cluster(v1.19.8) 5 nodes with 8v16G
CLI versions
ytt --version
: 0.33.0kapp --version
: 0.36.0kubectl version
: v1.19.8cf version
: 7.2.0+be4a5ce2b.2020-12-10