资源传播失败:ClusterResourcePlacementOverridden 为 False
本文讨论如何在 Microsoft azure Kubernetes Fleet Manager 中使用ClusterResourcePlacement对象 API 传播资源时排查ClusterResourcePlacementOverridden问题。
现象
使用 ClusterResourcePlacement Azure Kubernetes Fleet Manager 中的 API 对象传播资源时,部署将失败。 状态 clusterResourcePlacementOverridden 显示为 False。
原因
出现ClusterResourceOverrideResourceOverride此问题的原因可能是使用资源无效的字段路径创建的。
案例研究
在以下示例中,尝试重写由ClusterResourcePlacement所选群集传播的群集角色secret-reader。
但是, ClusterResourceOverride 使用资源路径无效创建。
ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"secret-reader"},"rules":[{"apiGroups":[""],"resources":["secrets"],"verbs":["get","watch","list"]}]}
creationTimestamp: "2024-05-14T15:36:48Z"
name: secret-reader
resourceVersion: "81334"
uid: 108e6312-3416-49be-aa3d-a665c5df58b4
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- watch
- list
通过 ClusterRole secret-reader .. 传播到成员群集 ClusterResourcePlacement的
ClusterResourceOverride 规范
spec:
clusterResourceSelectors:
- group: rbac.authorization.k8s.io
kind: ClusterRole
name: secret-reader
version: v1
policy:
overrideRules:
- clusterSelector:
clusterSelectorTerms:
- labelSelector:
matchLabels:
env: canary
jsonPatchOverrides:
- op: add
path: /metadata/labels/new-label
value: new-value
通过ClusterResourceOverride添加具有标签的群集的值new-value的新标签(new-label)来重写ClusterRolesecret-reader该标记env: canary。
ClusterResourcePlacement 规范
spec:
resourceSelectors:
- group: rbac.authorization.k8s.io
kind: ClusterRole
name: secret-reader
version: v1
policy:
placementType: PickN
numberOfClusters: 1
affinity:
clusterAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
clusterSelectorTerms:
- labelSelector:
matchLabels:
env: canary
strategy:
type: RollingUpdate
applyStrategy:
allowCoOwnership: true
ClusterResourcePlacement 状态:
status:
conditions:
- lastTransitionTime: "2024-05-14T16:16:18Z"
message: found all cluster needed as specified by the scheduling policy, found
1 cluster(s)
observedGeneration: 1
reason: SchedulingPolicyFulfilled
status: "True"
type: ClusterResourcePlacementScheduled
- lastTransitionTime: "2024-05-14T16:16:18Z"
message: All 1 cluster(s) start rolling out the latest resource
observedGeneration: 1
reason: RolloutStarted
status: "True"
type: ClusterResourcePlacementRolloutStarted
- lastTransitionTime: "2024-05-14T16:16:18Z"
message: Failed to override resources in 1 cluster(s)
observedGeneration: 1
reason: OverriddenFailed
status: "False"
type: ClusterResourcePlacementOverridden
observedResourceIndex: "0"
placementStatuses:
- applicableClusterResourceOverrides:
- cro-1-0
clusterName: kind-cluster-1
conditions:
- lastTransitionTime: "2024-05-14T16:16:18Z"
message: 'Successfully scheduled resources for placement in kind-cluster-1 (affinity
score: 0, topology spread score: 0): picked by scheduling policy'
observedGeneration: 1
reason: Scheduled
status: "True"
type: Scheduled
- lastTransitionTime: "2024-05-14T16:16:18Z"
message: Detected the new changes on the resources and started the rollout process
observedGeneration: 1
reason: RolloutStarted
status: "True"
type: RolloutStarted
- lastTransitionTime: "2024-05-14T16:16:18Z"
message: 'Failed to apply the override rules on the resources: add operation
does not apply: doc is missing path: "/metadata/labels/new-label": missing
value'
observedGeneration: 1
reason: OverriddenFailed
status: "False"
type: Overridden
selectedResources:
- group: rbac.authorization.k8s.io
kind: ClusterRole
name: secret-reader
version: v1
ClusterResourcePlacementOverridden如果条件为False,请检查placementStatuses该部分以获取故障的确切原因。
在这种情况下,该消息指示重写失败,因为路径 /metadata/labels/new-label 及其相应的值缺失。
根据群集角色 secret-reader的上一个示例,可以看到路径 /metadata/labels/ 不存在。 这意味着 labels 不存在。
因此,无法添加新标签。
解决方法
若要成功重写群集角色 secret-reader,请更正路径和值 ClusterResourceOverride,如以下代码所示:
jsonPatchOverrides:
- op: add
path: /metadata/labels
value:
newlabel: new-value
这会将具有值的新标签newlabel添加到 ClusterRolesecret-reader。new-value
联系我们寻求帮助
如果你有任何疑问或需要帮助,请创建支持请求或联系 Azure 社区支持。 你还可以将产品反馈提交到 Azure 反馈社区。