对接Tanzu Kubernetes集群常见问题及解决方法 on Huaweihttps://huawei.github.io/css-docs/v4.11.0/troubleshooting/common-problems-and-solutions-for-interconnecting-with-the-tanzu-kubernetes-cluster/Recent content in 对接Tanzu Kubernetes集群常见问题及解决方法 on HuaweiHugozh-cn版权所有 © 华为技术有限公司 2025。保留一切权利。未创建PSP权限导致Pod无法创建https://huawei.github.io/css-docs/v4.11.0/troubleshooting/common-problems-and-solutions-for-interconnecting-with-the-tanzu-kubernetes-cluster/a-pod-cannot-be-created-because-the-psp-permission-is-not-created/Mon, 01 Jan 0001 00:00:00 +0000https://huawei.github.io/css-docs/v4.11.0/troubleshooting/common-problems-and-solutions-for-interconnecting-with-the-tanzu-kubernetes-cluster/a-pod-cannot-be-created-because-the-psp-permission-is-not-created/<h2 id="zh-cn_topic_0000001279996521_section1566717121452">现象描述</h2> <p>创建huawei-csi-controller和huawei-csi-node时,仅Deployment和DaemonSet资源创建成功,controller和node的Pod未创建。</p> <h2 id="zh-cn_topic_0000001279996521_section1425013451056">根因分析</h2> <p>创建资源使用的service account没有PSP策略的“use”权限。</p> <h2 id="zh-cn_topic_0000001279996521_section164471213145410">解决措施或规避方法</h2> <ol> <li> <p>使用远程访问工具(以PuTTY为例),通过管理IP地址,登录Kubernetes集群的任意master节点。</p> </li> <li> <p>执行<strong>vi</strong> <em>psp-use.yaml</em> 命令, 创建psp-use.yaml文件。</p> <div class="highlight"><pre tabindex="0" style="color:#4c4f69;background-color:#eff1f5;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>vi psp-use.yaml </span></span></code></pre></div></li> <li> <p>配置psp-use.yaml文件。</p> <div class="highlight"><pre tabindex="0" style="color:#4c4f69;background-color:#eff1f5;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>apiVersion: rbac.authorization.k8s.io/v1 </span></span><span style="display:flex;"><span>kind: ClusterRole </span></span><span style="display:flex;"><span>metadata: </span></span><span style="display:flex;"><span> name: huawei-csi-psp-role </span></span><span style="display:flex;"><span>rules: </span></span><span style="display:flex;"><span>- apiGroups: [&#39;policy&#39;] </span></span><span style="display:flex;"><span> resources: [&#39;podsecuritypolicies&#39;] </span></span><span style="display:flex;"><span> verbs: [&#39;use&#39;] </span></span><span style="display:flex;"><span>--- </span></span><span style="display:flex;"><span>apiVersion: rbac.authorization.k8s.io/v1 </span></span><span style="display:flex;"><span>kind: ClusterRoleBinding </span></span><span style="display:flex;"><span>metadata: </span></span><span style="display:flex;"><span> name: huawei-csi-psp-role-cfg </span></span><span style="display:flex;"><span>roleRef: </span></span><span style="display:flex;"><span> kind: ClusterRole </span></span><span style="display:flex;"><span> name: huawei-csi-psp-role </span></span><span style="display:flex;"><span> apiGroup: rbac.authorization.k8s.io </span></span><span style="display:flex;"><span>subjects: </span></span><span style="display:flex;"><span>- kind: Group </span></span><span style="display:flex;"><span> apiGroup: rbac.authorization.k8s.io </span></span><span style="display:flex;"><span> name: system:serviceaccounts:huawei-csi </span></span><span style="display:flex;"><span>- kind: Group </span></span><span style="display:flex;"><span> apiGroup: rbac.authorization.k8s.io </span></span><span style="display:flex;"><span> name: system:serviceaccounts:default </span></span></code></pre></div></li> <li> <p>执行以下命令,创建PSP权限。</p>修改主机挂载点https://huawei.github.io/css-docs/v4.11.0/troubleshooting/common-problems-and-solutions-for-interconnecting-with-the-tanzu-kubernetes-cluster/changing-the-mount-point-of-a-host/Mon, 01 Jan 0001 00:00:00 +0000https://huawei.github.io/css-docs/v4.11.0/troubleshooting/common-problems-and-solutions-for-interconnecting-with-the-tanzu-kubernetes-cluster/changing-the-mount-point-of-a-host/<h2 id="zh-cn_topic_0000001279996521_section1566717121452">现象描述</h2> <p>创建Pod时失败,华为CSI日志中报错“mount point does not exist”。</p> <h2 id="zh-cn_topic_0000001279996521_section1425013451056">根因分析</h2> <p>huawei-csi-node中的“pods-dir”目录原生Kubernetes集群与Tanzu Kubernetes集群不一致。</p> <h2 id="zh-cn_topic_0000001279996521_section164471213145410">解决措施或规避方法</h2> <ol> <li> <p>进入helm/esdk/目录,执行<strong>vi values.yaml</strong>命令打开配置文件。</p> <div class="highlight"><pre tabindex="0" style="color:#4c4f69;background-color:#eff1f5;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>vi values.yaml </span></span></code></pre></div></li> <li> <p>将kubeletConfigDir参数修改为kubelet实际的安装目录。</p> <div class="highlight"><pre tabindex="0" style="color:#4c4f69;background-color:#eff1f5;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#9ca0b0;font-style:italic"># Specify kubelet config dir path.</span> </span></span><span style="display:flex;"><span><span style="color:#9ca0b0;font-style:italic"># kubernetes and openshift is usually /var/lib/kubelet</span> </span></span><span style="display:flex;"><span><span style="color:#9ca0b0;font-style:italic"># Tanzu is usually /var/vcap/data/kubelet</span> </span></span><span style="display:flex;"><span><span style="color:#8839ef">kubeletConfigDir</span>: /var/vcap/data/kubelet </span></span></code></pre></div></li> </ol>修改livenessprobe容器的默认端口https://huawei.github.io/css-docs/v4.11.0/troubleshooting/common-problems-and-solutions-for-interconnecting-with-the-tanzu-kubernetes-cluster/changing-the-default-port-of-the-livenessprobe-container/Mon, 01 Jan 0001 00:00:00 +0000https://huawei.github.io/css-docs/v4.11.0/troubleshooting/common-problems-and-solutions-for-interconnecting-with-the-tanzu-kubernetes-cluster/changing-the-default-port-of-the-livenessprobe-container/<h2 id="zh-cn_topic_0000001279996521_section1566717121452">现象描述</h2> <p>huawei-csi-controller组件中livenessprobe容器一直重启。</p> <h2 id="zh-cn_topic_0000001279996521_section1425013451056">根因分析</h2> <p>huawei-csi-controller的livenessprobe容器的默认端口(9808)与已有的Tanzu的vSphere CSI端口冲突。</p> <h2 id="zh-cn_topic_0000001279996521_section164471213145410">解决措施或规避方法</h2> <p>将livenessprobe容器的默认端口修改为未占用端口。</p> <ol> <li> <p>进入“helm/esdk”目录,执行<strong>vi values.yaml</strong>命令打开配置文件。</p> <div class="highlight"><pre tabindex="0" style="color:#4c4f69;background-color:#eff1f5;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>vi values.yaml </span></span></code></pre></div></li> <li> <p>将controller.livenessProbePort默认值9808修改为其他未占用端口,例如改为9809。</p> <div class="highlight"><pre tabindex="0" style="color:#4c4f69;background-color:#eff1f5;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#8839ef">controller</span>: </span></span><span style="display:flex;"><span> <span style="color:#8839ef">livenessProbePort</span>: <span style="color:#fe640b">9809</span> </span></span></code></pre></div></li> <li> <p>使用Helm更新华为CSI,具体信息请参考 <a href="https://huawei.github.io/css-docs/css-docs/docs/installation-and-deployment/csi/upgrade/upgrade-using-helm/">使用Helm升级</a> 。</p> </li> </ol>创建临时卷失败https://huawei.github.io/css-docs/v4.11.0/troubleshooting/common-problems-and-solutions-for-interconnecting-with-the-tanzu-kubernetes-cluster/failed-to-create-an-ephemeral-volume/Mon, 01 Jan 0001 00:00:00 +0000https://huawei.github.io/css-docs/v4.11.0/troubleshooting/common-problems-and-solutions-for-interconnecting-with-the-tanzu-kubernetes-cluster/failed-to-create-an-ephemeral-volume/<h2 id="zh-cn_topic_0000001279996521_section1566717121452">现象描述</h2> <p>创建 <a href="https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volumes" target="_blank">通用临时卷</a> 失败,报错PodSecurityPolicy: unable to admit pod: [spec.volumes[0]: Invalid value: &ldquo;ephemeral&rdquo;: ephemeral volumes are not allowed to be used spec.volumes[0]</p> <h2 id="zh-cn_topic_0000001279996521_section1425013451056">根因分析</h2> <p>当前使用的PSP策略中没有使用“ephemeral”卷的权限。</p> <h2 id="zh-cn_topic_0000001279996521_section164471213145410">解决措施或规避方法</h2> <p>在默认PSP &ldquo;pks-privileged&quot;和&quot;pks-restricted&quot;中增加使用“ephemeral”卷的权限,以修改&quot;pks-privileged&quot;举例:</p> <ol> <li> <p>使用远程访问工具(以PuTTY为例),通过管理IP地址,登录Kubernetes集群的任意master节点。</p> </li> <li> <p>执行命令, 修改pks-privileged的配置。</p> <div class="highlight"><pre tabindex="0" style="color:#4c4f69;background-color:#eff1f5;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>kubectl edit psp pks-privileged </span></span></code></pre></div></li> <li> <p>在spec.volumes中增加“ephemeral”,示例如下:</p> <div class="highlight"><pre tabindex="0" style="color:#4c4f69;background-color:#eff1f5;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#9ca0b0;font-style:italic"># Please edit the object below. Lines beginning with a &#39;#&#39; will be ignored,</span> </span></span><span style="display:flex;"><span><span style="color:#9ca0b0;font-style:italic"># and an empty file will abort the edit. If an error occurs while saving this file will be</span> </span></span><span style="display:flex;"><span><span style="color:#9ca0b0;font-style:italic"># reopened with the relevant failures.</span> </span></span><span style="display:flex;"><span><span style="color:#9ca0b0;font-style:italic">#</span> </span></span><span style="display:flex;"><span><span style="color:#8839ef">apiVersion</span>: policy/v1beta1 </span></span><span style="display:flex;"><span><span style="color:#8839ef">kind</span>: PodSecurityPolicy </span></span><span style="display:flex;"><span><span style="color:#8839ef">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#8839ef">annotations</span>: </span></span><span style="display:flex;"><span> <span style="color:#8839ef">apparmor.security.beta.kubernetes.io/allowedProfileName</span>: <span style="color:#40a02b">&#39;*&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#8839ef">seccomp.security.alpha.kubernetes.io/allowedProfileNames</span>: <span style="color:#40a02b">&#39;*&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#8839ef">creationTimestamp</span>: <span style="color:#40a02b">&#34;2022-10-11T08:07:00Z&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#8839ef">name</span>: pks-privileged </span></span><span style="display:flex;"><span> <span style="color:#8839ef">resourceVersion</span>: <span style="color:#40a02b">&#34;1227763&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#8839ef">uid</span>: 2f39c44a-2ce7-49fd-87ca-2c5dc3bfc0c6 </span></span><span style="display:flex;"><span><span style="color:#8839ef">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#8839ef">allowPrivilegeEscalation</span>: <span style="color:#fe640b">true</span> </span></span><span style="display:flex;"><span> <span style="color:#8839ef">allowedCapabilities</span>: </span></span><span style="display:flex;"><span> - <span style="color:#40a02b">&#39;*&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#8839ef">supplementalGroups</span>: </span></span><span style="display:flex;"><span> <span style="color:#8839ef">rule</span>: RunAsAny </span></span><span style="display:flex;"><span> <span style="color:#8839ef">volumes</span>: </span></span><span style="display:flex;"><span> - glusterfs </span></span><span style="display:flex;"><span> - hostPath </span></span><span style="display:flex;"><span> - iscsi </span></span><span style="display:flex;"><span> - nfs </span></span><span style="display:flex;"><span> - persistentVolumeClaim </span></span><span style="display:flex;"><span> - ephemeral </span></span></code></pre></div></li> <li> <p>执行命令,确认是否添加成功。</p>