CIFS
Deerenaros, 2020-07-03 14:05:07

How to connect fstab/cifs (flexvolume) on microk8s?

I installed microk8s as a (seemingly) more tolerant distribution of Kubernetes. I migrated half of the zoo of services, and now it has come to the point where I need to mount CIFS in a k8s pod. I started googling and found out about CSI and FlexVolume; for the first there was an example, which, it would seem, should fit ideally. But.

Warning  FailedMount  50s (x45 over 76m)   kubelet, master  MountVolume.SetUp failed for volume "test" : Couldn't get secret default/cifs-secret err: Cannot get secret of type fstab/cifs


Details

[email protected]:~/yamls# kubectl describe pod/busybox
Name:         busybox
Namespace:    default
Priority:     0
Node:         master/172.17.101.90
Start Time:   Fri, 03 Jul 2020 11:13:22 +0300
Labels:       <none>
Annotations:  Status:  Pending
IP:           
IPs:          <none>
Containers:
  busybox:
    Container ID:  
    Image:         busybox
    Image ID:      
    Port:          <none>
    Host Port:     <none>
    Command:
      sleep
      3600
    State:          Waiting
      Reason:       ContainerCreating
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /data from test (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-h942c (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             False 
  ContainersReady   False 
  PodScheduled      True 
Volumes:
  test:
    Type:       FlexVolume (a generic volume resource that is provisioned/attached using an exec based plugin)
    Driver:     fstab/cifs
    FSType:     cifs
    SecretRef:  &LocalObjectReference{Name:cifs-secret,}
    ReadOnly:   false
    Options:    map[mountOptions:dir_mode=0755,file_mode=0644,noperm networkPath://srv/path]
  default-token-h942c:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-h942c
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type     Reason       Age                  From                                      Message
  ----     ------       ----                 ----                                      -------
  Warning  FailedMount  15m (x7 over 51m)    kubelet, master  Unable to attach or mount volumes: unmounted volumes=[test], unattached volumes=[default-token-h942c test]: timed out waiting for the condition
  Warning  FailedMount  6m9s (x23 over 74m)  kubelet, master  Unable to attach or mount volumes: unmounted volumes=[test], unattached volumes=[test default-token-h942c]: timed out waiting for the condition
  Warning  FailedMount  50s (x45 over 76m)   kubelet, master  MountVolume.SetUp failed for volume "test" : Couldn't get secret default/cifs-secret err: Cannot get secret of type fstab/cifs


[email protected]:~/yamls# cat pod.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: cifs-secret
  namespace: default
data:
  username: '***='
  password: '*****=='
---
apiVersion: v1
kind: Pod
metadata:
  name: busybox
  namespace: default
spec:
  containers:
  - name: busybox
    image: busybox
    command:
      - sleep
      - "3600"
    imagePullPolicy: IfNotPresent
    volumeMounts:
    - name: test
      mountPath: /data
  volumes:
  - name: test
    flexVolume:
      driver: "fstab/cifs"
      fsType: "cifs"
      secretRef:
        name: "cifs-secret"
      options:
        networkPath: "//srv/path"
        mountOptions: "dir_mode=0755,file_mode=0644,noperm"


However, if
[email protected]:~/yamls# cat pod.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: cifs-secret
  namespace: default
data:
  username: '***='
  password: '*****=='
///

Then
[email protected]:~/yamls# kubectl apply -f pod.yaml 
pod/busybox configured
The Secret "cifs-secret" is invalid: type: Invalid value: "fstab/cifs": field is immutable


[email protected]:~/yamls# tree /usr/libexec/kubernetes/kubelet-plugins/volume/exec/
/usr/libexec/kubernetes/kubelet-plugins/volume/exec/
└── fstab~cifs
    ├── cifs
    ├── LICENSE
    └── README.md

1 directory, 3 files


[email protected]:~/yamls# ps aux | grep kubelet
root      89326  0.0  0.0  14424  1112 pts/1    S+   13:55   0:00 grep --color=auto kubelet
root     108000  2.4  6.4 497056 259684 ?       Ssl  12:29   2:07 /snap/microk8s/1496/kube-apiserver --cert-dir=/var/snap/microk8s/1496/certs --service-cluster-ip-range=10.152.183.0/24 --authorization-mode=AlwaysAllow --basic-auth-file=/var/snap/microk8s/1496/credentials/basic_auth.csv --service-account-key-file=/var/snap/microk8s/1496/certs/serviceaccount.key --client-ca-file=/var/snap/microk8s/1496/certs/ca.crt --tls-cert-file=/var/snap/microk8s/1496/certs/server.crt --tls-private-key-file=/var/snap/microk8s/1496/certs/server.key --kubelet-client-certificate=/var/snap/microk8s/1496/certs/server.crt --kubelet-client-key=/var/snap/microk8s/1496/certs/server.key --secure-port=16443 --token-auth-file=/var/snap/microk8s/1496/credentials/known_tokens.csv --token-auth-file=/var/snap/microk8s/1496/credentials/known_tokens.csv --etcd-servers=https://127.0.0.1:12379 --etcd-cafile=/var/snap/microk8s/1496/certs/ca.crt --etcd-certfile=/var/snap/microk8s/1496/certs/server.crt --etcd-keyfile=/var/snap/microk8s/1496/certs/server.key --insecure-port=0 --requestheader-client-ca-file=/var/snap/microk8s/1496/certs/front-proxy-ca.crt --requestheader-allowed-names=front-proxy-client --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --proxy-client-cert-file=/var/snap/microk8s/1496/certs/front-proxy-client.crt --proxy-client-key-file=/var/snap/microk8s/1496/certs/front-proxy-client.key
root     108046  1.8  1.3 1559096 55200 ?       Ssl  12:29   1:35 /snap/microk8s/1496/kubelet --kubeconfig=/var/snap/microk8s/1496/credentials/kubelet.config --cert-dir=/var/snap/microk8s/1496/certs --client-ca-file=/var/snap/microk8s/1496/certs/ca.crt --anonymous-auth=false --network-plugin=cni --root-dir=/var/snap/microk8s/common/var/lib/kubelet --fail-swap-on=false --cni-conf-dir=/var/snap/microk8s/1496/args/cni-network/ --cni-bin-dir=/snap/microk8s/1496/opt/cni/bin/ --feature-gates=DevicePlugins=true --eviction-hard=memory.available<100Mi,nodefs.available<1Gi,imagefs.available<1Gi --container-runtime=remote --container-runtime-endpoint=/var/snap/microk8s/common/run/containerd.sock --containerd=/var/snap/microk8s/common/run/containerd.sock --node-labels=microk8s.io/cluster=true --cluster-domain=cluster.local --cluster-dns=10.152.183.10 --serialize-image-pulls=false --volume-plugin-dir=/usr/libexec/kubernetes/kubelet-plugins/volume/exec


[email protected]:~/yamls# snap list
Name      Version    Rev   Tracking       Publisher   Notes
core      16-2.45.1  9436  latest/stable  canonical✓  core
microk8s  v1.18.4    1496  1.18/stable    canonical✓  classic


What else should I add here?


And a parting question: <well, why> is it so difficult? I still have to mount NFS and FTP; is it the same game there? Are there any best practices?

1 answer(s)
Deerenaros, 2020-07-13
@Deerenaros

Based on :
Since the secret is determined to be immutable at the time of creation, it cannot be changed. The only way is to recreate.
kubectl delete secret cifs-secret
Existing pods using the secret will be removed and re-created.
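
An added example, not part of the original answer or of the fstab/cifs project: a shell sketch that renders the Secret with the `type: fstab/cifs` named in the kubelet error, plus a pre-flight check that would have flagged the untyped manifest from the question. The function names and the sample credentials are assumptions made for this example; the kubectl steps are left as comments because they need a cluster.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; credentials are constructed.

# b64: base64-encode stdin with no line wrapping (portable across GNU/BSD).
# Note: base64 is an encoding, not encryption; treat the manifest as secret.
b64() { base64 | tr -d '\n'; }

# render_cifs_secret NAME NAMESPACE USERNAME PASSWORD
# Prints a Secret manifest whose type equals the FlexVolume driver name.
# printf '%s' avoids the trailing newline that `echo` would encode.
render_cifs_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: fstab/cifs
data:
  username: $(printf '%s' "$3" | b64)
  password: $(printf '%s' "$4" | b64)
EOF
}

# check_secret_type DRIVER: read a manifest on stdin and succeed only if its
# top-level `type:` field equals DRIVER (e.g. fstab/cifs).
check_secret_type() {
  [ "$(sed -n 's/^type:[[:space:]]*//p')" = "$1" ]
}

# .type is immutable, so applying the typed manifest over the old untyped
# Secret is rejected. Delete first, then create, then confirm the type:
#   kubectl delete secret cifs-secret -n default
#   render_cifs_secret cifs-secret default "$CIFS_USER" "$CIFS_PASS" \
#     | kubectl apply -f -
#   kubectl get secret cifs-secret -n default -o jsonpath='{.type}'
```

Reading the credentials from environment variables (here the assumed names `CIFS_USER` and `CIFS_PASS`) keeps them out of the manifest file on disk.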
