Closed TomatoAres closed 4 years ago
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).
:memo: Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.
It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Welcome @TomatoAres!
It looks like this is your first PR to kubernetes-incubator/external-storage 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.
You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.
You can also check if kubernetes-incubator/external-storage has its own contribution guidelines.
You may want to refer to our testing guide if you run into trouble with your tests not passing.
If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!
Thank you, and welcome to Kubernetes. :smiley:
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by:
To complete the pull request process, please assign cofyc
You can assign the PR to them by writing /assign @cofyc
in a comment when ready.
The full list of commands accepted by this bot can be found here.
/assign @cofyc
/assign @cofyc
I have already registered with the CLA. But CI failed because of the CLA.
It does not need secret permission in the cluster role anymore, because it now supports the userSecretNamespace parameter: https://github.com/kubernetes-incubator/external-storage/pull/552/files
You can create the secret in one namespace, e.g. rbd-provisioner, then configure this role for your provisioner namespace. This is for safety. Cluster-level secret permission is too wide for a provisioner.
@cofyc I have tried many times according to the readme, and I am in RBAC mode, my namespace is default. But it always failed. I just tried it again:
```
[root@k8s-master01 examples]# kubectl create -f examples/class.yaml
error: the path "examples/class.yaml" does not exist
[root@k8s-master01 examples]# cd ..
[root@k8s-master01 rbd]# kubectl create -f examples/class.yaml
storageclass.storage.k8s.io/rbd created
[root@k8s-master01 rbd]# kubectl create -f examples/claim.yaml
persistentvolumeclaim/claim1 created
[root@k8s-master01 rbd]# kubectl get pvc
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
claim1 Pending rbd 5s
[root@k8s-master01 rbd]# kubectl describe pvc claim1
Name: claim1
Namespace: default
StorageClass: rbd
Status: Pending
Volume:
Labels: <none>
Annotations: volume.beta.kubernetes.io/storage-provisioner: ceph.com/rbd
Finalizers: [kubernetes.io/pvc-protection]
Capacity:
Access Modes:
VolumeMode: Filesystem
Mounted By: <none>
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal ExternalProvisioning 10s (x3 over 16s) persistentvolume-controller waiting for a volume to be created, either by external provisioner "ceph.com/rbd" or manually created by system administrator
Normal Provisioning 0s (x2 over 15s) ceph.com/rbd_rbd-provisioner-98b88f5d6-vh95q_4c8450aa-272e-11ea-a49d-cef16b3a1441 External provisioner is provisioning volume for claim "default/claim1"
Warning ProvisioningFailed 0s (x2 over 15s) ceph.com/rbd_rbd-provisioner-98b88f5d6-vh95q_4c8450aa-272e-11ea-a49d-cef16b3a1441 failed to provision volume with StorageClass "rbd": failed to get admin secret from ["kube-system"/"ceph-admin-secret"]: secrets "ceph-admin-secret" is forbidden: User "system:serviceaccount:default:rbd-provisioner" cannot get resource "secrets" in API group "" in the namespace "kube-system"
[root@k8s-master01 rbd]# kubectl get pod
NAME READY STATUS RESTARTS AGE
rbd-provisioner-98b88f5d6-vh95q 1/1 Running 0 2m18s
[root@k8s-master01 rbd]# kubectl get secrets --all
--all-namespaces --allow-missing-template-keys
[root@k8s-master01 rbd]# kubectl get secrets --all-namespaces |grep ceph
kube-system ceph-admin-secret kubernetes.io/rbd 1 6m28s
kube-system ceph-secret kubernetes.io/rbd 1 5m35s
```
After I add the auth of get secret, it works.
Do you install role/rolebinding in kube-system namespace?
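```sh
cd "$GOPATH/src/github.com/kubernetes-incubator/external-storage/ceph/rbd/deploy"
NAMESPACE=kube-system
# Rewrite every "namespace:" field in the binding manifests to the target namespace
sed -r -i "s/namespace: [^ ]+/namespace: $NAMESPACE/g" ./rbac/clusterrolebinding.yaml ./rbac/rolebinding.yaml
# Apply all RBAC manifests in that namespace
kubectl -n "$NAMESPACE" apply -f ./rbac
```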
This will create this role and give get kube-system/secrets permission for rbd-provisioner.
With userSecretNamespace parameter, permission in one namespace is required right now.
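The namespace-scoped grant discussed in the comments above, written out as an added example (it is not part of this PR or of the project's own manifests). The Role and RoleBinding name is hypothetical; the secret name, namespaces and service account are the ones shown in the ProvisioningFailed event in this thread.

```yaml
# Added example, not a file from external-storage.
#
# Too broad: a ClusterRole rule such as
#   - apiGroups: [""]
#     resources: ["secrets"]
#     verbs: ["get"]
# lets the provisioner's service account read every secret in every namespace.
#
# Scoped alternative: a Role only applies inside the namespace it is created in.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: rbd-provisioner-secret-reader    # hypothetical name
  namespace: kube-system                 # namespace that holds ceph-admin-secret
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["ceph-admin-secret"] # only the secret named in the error
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rbd-provisioner-secret-reader    # hypothetical name
  namespace: kube-system                 # must be the Role's namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: rbd-provisioner-secret-reader
subjects:
  - kind: ServiceAccount
    name: rbd-provisioner
    namespace: default                   # where the provisioner pod runs in this thread
```

To check the result, `kubectl auth can-i get secrets/ceph-admin-secret -n kube-system --as=system:serviceaccount:default:rbd-provisioner` should answer yes, while the same query for any other secret name or namespace should answer no.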
Hi there,
I am new to this technology, so please ignore me if I am asking anything stupid. I am very curious to know how the cephrbd provisioner works with CSI incremental backup with k8s. Can anyone educate me?
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
/close