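Resource propagation failure: ClusterResourcePlacementOverridden is False

This article discusses how to troubleshoot ClusterResourcePlacementOverridden issues when you propagate resources by using the ClusterResourcePlacement object API in Microsoft Azure Kubernetes Fleet Manager.

Symptoms

When you use the ClusterResourcePlacement API object in Azure Kubernetes Fleet Manager to propagate resources, the deployment fails. The clusterResourcePlacementOverridden status shows as False.

Cause

This issue might occur because the ClusterResourceOverride or ResourceOverride is created by using an invalid field path for the resource.

Case study

In the following example, an attempt is made to override the cluster role secret-reader that the ClusterResourcePlacement propagates to the selected clusters. However, the ClusterResourceOverride is created by using an invalid path for the resource.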

ClusterRole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"secret-reader"},"rules":[{"apiGroups":[""],"resources":["secrets"],"verbs":["get","watch","list"]}]}
  creationTimestamp: "2024-05-14T15:36:48Z"
  name: secret-reader
  resourceVersion: "81334"
  uid: 108e6312-3416-49be-aa3d-a665c5df58b4
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - watch
  - list

The ClusterRole secret-reader is propagated to the member clusters by the ClusterResourcePlacement.

ClusterResourceOverride specifications

spec:
  clusterResourceSelectors:
  - group: rbac.authorization.k8s.io
    kind: ClusterRole
    name: secret-reader
    version: v1
  policy:
    overrideRules:
    - clusterSelector:
        clusterSelectorTerms:
        - labelSelector:
            matchLabels:
              env: canary
      jsonPatchOverrides:
      - op: add
        path: /metadata/labels/new-label
        value: new-value

The ClusterResourceOverride is created to override the ClusterRole secret-reader by adding a new label (new-label) that has the value new-value for the clusters that have the label env: canary.

ClusterResourcePlacement specifications

spec:
  resourceSelectors:
    - group: rbac.authorization.k8s.io
      kind: ClusterRole
      name: secret-reader
      version: v1
  policy:
    placementType: PickN
    numberOfClusters: 1
    affinity:
      clusterAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          clusterSelectorTerms:
            - labelSelector:
                matchLabels:
                  env: canary
  strategy:
    type: RollingUpdate
    applyStrategy:
      allowCoOwnership: true

ClusterResourcePlacement status:

status:
  conditions:
  - lastTransitionTime: "2024-05-14T16:16:18Z"
    message: found all cluster needed as specified by the scheduling policy, found
      1 cluster(s)
    observedGeneration: 1
    reason: SchedulingPolicyFulfilled
    status: "True"
    type: ClusterResourcePlacementScheduled
  - lastTransitionTime: "2024-05-14T16:16:18Z"
    message: All 1 cluster(s) start rolling out the latest resource
    observedGeneration: 1
    reason: RolloutStarted
    status: "True"
    type: ClusterResourcePlacementRolloutStarted
  - lastTransitionTime: "2024-05-14T16:16:18Z"
    message: Failed to override resources in 1 cluster(s)
    observedGeneration: 1
    reason: OverriddenFailed
    status: "False"
    type: ClusterResourcePlacementOverridden
  observedResourceIndex: "0"
  placementStatuses:
  - applicableClusterResourceOverrides:
    - cro-1-0
    clusterName: kind-cluster-1
    conditions:
    - lastTransitionTime: "2024-05-14T16:16:18Z"
      message: 'Successfully scheduled resources for placement in kind-cluster-1 (affinity
        score: 0, topology spread score: 0): picked by scheduling policy'
      observedGeneration: 1
      reason: Scheduled
      status: "True"
      type: Scheduled
    - lastTransitionTime: "2024-05-14T16:16:18Z"
      message: Detected the new changes on the resources and started the rollout process
      observedGeneration: 1
      reason: RolloutStarted
      status: "True"
      type: RolloutStarted
    - lastTransitionTime: "2024-05-14T16:16:18Z"
      message: 'Failed to apply the override rules on the resources: add operation
        does not apply: doc is missing path: "/metadata/labels/new-label": missing
        value'
      observedGeneration: 1
      reason: OverriddenFailed
      status: "False"
      type: Overridden
  selectedResources:
  - group: rbac.authorization.k8s.io
    kind: ClusterRole
    name: secret-reader
    version: v1

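If the ClusterResourcePlacementOverridden condition is False, check the placementStatuses section to get the exact cause of the failure.

In this situation, the message indicates that the override failed because the path /metadata/labels/new-label and its corresponding value are missing. Based on the previous example of the cluster role secret-reader, you can see that the path /metadata/labels/ doesn't exist. This means that labels doesn't exist. Therefore, a new label can't be added.

Resolution

To successfully override the cluster role secret-reader, correct the path and value in ClusterResourceOverride, as shown in the following code: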

jsonPatchOverrides:
  - op: add
    path: /metadata/labels
    value: 
      newlabel: new-value

This adds the new label newlabel that has the value new-value to the ClusterRole secret-reader.
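
The failure and the fix described in this article, as an added example that is not part of the original article or of the Fleet Manager code: a pre-flight check in Python that applies the RFC 6902 rules for add to a trimmed copy of the secret-reader ClusterRole. The function name check_add, the status strings, and the team: platform label are assumptions made for illustration. The third case goes beyond the article and shows that, under RFC 6902, the corrected override replaces the whole labels map when the resource already has labels.

```python
# Added example: pre-flight check for jsonPatchOverrides "add" operations (RFC 6902).
import copy

def _tokens(pointer):
    # RFC 6901: split on "/", then unescape ~1 -> "/" before ~0 -> "~".
    if pointer == "":
        return []
    if not pointer.startswith("/"):
        raise ValueError(f"not a JSON pointer: {pointer!r}")
    return [t.replace("~1", "/").replace("~0", "~") for t in pointer[1:].split("/")]

def _resolve(doc, tokens):
    # Walk the document; raises if any segment is absent.
    for t in tokens:
        doc = doc[int(t)] if isinstance(doc, list) else doc[t]
    return doc

def check_add(resource, override):
    """Classify one add override: 'missing-path', 'replaces-existing' or 'ok'."""
    tokens = _tokens(override["path"])
    if not tokens:
        return "replaces-existing"  # empty pointer targets the whole document
    try:
        parent = _resolve(resource, tokens[:-1])
    except (KeyError, IndexError, ValueError, TypeError):
        return "missing-path"  # the case reported in placementStatuses
    if isinstance(parent, list):
        last = tokens[-1]
        ok = last == "-" or (last.isdigit() and int(last) <= len(parent))
        return "ok" if ok else "missing-path"
    if not isinstance(parent, dict):
        return "missing-path"  # scalars cannot take a child
    if tokens[-1] in parent:
        return "replaces-existing"  # add on an existing member overwrites its value
    return "ok"

# Trimmed copy of the article's ClusterRole (server-populated metadata omitted).
CLUSTER_ROLE = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
                "metadata": {"annotations": {}, "name": "secret-reader"},
                "rules": [{"apiGroups": [""], "resources": ["secrets"],
                           "verbs": ["get", "watch", "list"]}]}
FAILING = {"op": "add", "path": "/metadata/labels/new-label", "value": "new-value"}
CORRECTED = {"op": "add", "path": "/metadata/labels", "value": {"newlabel": "new-value"}}

if __name__ == "__main__":
    for name, o in (("failing", FAILING), ("corrected", CORRECTED)):
        print(name, o["path"], "->", check_add(CLUSTER_ROLE, o))
    labelled = copy.deepcopy(CLUSTER_ROLE)
    labelled["metadata"]["labels"] = {"team": "platform"}  # constructed label
    print("corrected, role already labelled ->", check_add(labelled, CORRECTED))
```
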

Contact us for help

If you have questions, you can ask Azure community support. You can also submit product feedback to Azure feedback community.