kubectl exec permission denied

I have a pod running a mariadb container and I want to back up my database, but it fails with Permission denied

kubectl exec my-owncloud-mariadb-0 -it -- bash -c "mysqldump --single-transaction -h localhost -u myuser -ppassword mydatabase > owncloud-dbbackup_`date +"%Y%m%d"`.bak"

The result is

bash: owncloud-dbbackup_20191121.bak: Permission denied
command terminated with exit code 1

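I can't run sudo mysqldump because I get sudo command not found

I tried exporting the backup file to other locations: /home, the directory where mysqldump is located, /usr, ...

This is the YAML of my pod: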

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2019-11-20T14:16:58Z"
  generateName: my-owncloud-mariadb-
  labels:
    app: mariadb
    chart: mariadb-7.0.0
    component: master
    controller-revision-hash: my-owncloud-mariadb-77495ddc7c
    release: my-owncloud
    statefulset.kubernetes.io/pod-name: my-owncloud-mariadb-0
  name: my-owncloud-mariadb-0
  namespace: default
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: StatefulSet
    name: my-owncloud-mariadb
    uid: 47f2a129-8d4e-4ae9-9411-473288623ed5
  resourceVersion: "2509395"
  selfLink: /api/v1/namespaces/default/pods/my-owncloud-mariadb-0
  uid: 6a98de05-c790-4f59-b182-5aaa45f3b580
spec:
  affinity:
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
      - podAffinityTerm:
          labelSelector:
            matchLabels:
              app: mariadb
              release: my-owncloud
          topologyKey: kubernetes.io/hostname
        weight: 1
  containers:
  - env:
    - name: MARIADB_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          key: mariadb-root-password
          name: my-owncloud-mariadb
    - name: MARIADB_USER
      value: myuser
    - name: MARIADB_PASSWORD
      valueFrom:
        secretKeyRef:
          key: mariadb-password
          name: my-owncloud-mariadb
    - name: MARIADB_DATABASE
      value: mydatabase
    image: docker.io/bitnami/mariadb:10.3.18-debian-9-r36
    imagePullPolicy: IfNotPresent
    livenessProbe:
      exec:
        command:
        - sh
        - -c
        - exec mysqladmin status -uroot -p$MARIADB_ROOT_PASSWORD
      failureThreshold: 3
      initialDelaySeconds: 120
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 1
    name: mariadb
    ports:
    - containerPort: 3306
      name: mysql
      protocol: TCP
    readinessProbe:
      exec:
        command:
        - sh
        - -c
        - exec mysqladmin status -uroot -p$MARIADB_ROOT_PASSWORD
      failureThreshold: 3
      initialDelaySeconds: 30
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 1
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /bitnami/mariadb
      name: data
    - mountPath: /opt/bitnami/mariadb/conf/my.cnf
      name: config
      subPath: my.cnf
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-pbgxr
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  hostname: my-owncloud-mariadb-0
  nodeName: 149.202.36.244
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext:
    fsGroup: 1001
    runAsUser: 1001
  serviceAccount: default
  serviceAccountName: default
  subdomain: my-owncloud-mariadb
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: data
    persistentVolumeClaim:
      claimName: data-my-owncloud-mariadb-0
  - configMap:
      defaultMode: 420
      name: my-owncloud-mariadb
    name: config
  - name: default-token-pbgxr
    secret:
      defaultMode: 420
      secretName: default-token-pbgxr
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2019-11-20T14:33:22Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2019-11-20T14:34:03Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2019-11-20T14:34:03Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2019-11-20T14:33:22Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: docker://3898b6a20bd8c38699374b7db7f04ccef752ffd5a5f7b2bc9f7371e6a27c963a
    image: bitnami/mariadb:10.3.18-debian-9-r36
    imageID: docker-pullable://bitnami/mariadb@sha256:a89e2fab7951c622e165387ead0aa0bda2d57e027a70a301b8626bf7412b9366
    lastState: {}
    name: mariadb
    ready: true
    restartCount: 0
    state:
      running:
        startedAt: "2019-11-20T14:33:24Z"
  hostIP: 149.202.36.244
  phase: Running
  podIP: 10.42.2.56
  qosClass: BestEffort
  startTime: "2019-11-20T14:33:22Z"

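Am I missing something?

wangxd624565586 answered: kubectl exec permission denied

You may not have permission to write to that location inside the container. Try the following command

Use /tmp or another location where you can dump the backup file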

kubectl exec my-owncloud-mariadb-0 -it -- bash -c "mysqldump --single-transaction -h localhost -u myuser -ppassword mydatabase > /tmp/owncloud-dbbackup_`date +"%Y%m%d"`.bak"

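Given the pod YAML file you've shown, you can't usefully use kubectl exec to make a database backup.

You're getting a shell inside the pod, running mysqldump there, and writing the dump file out to somewhere else inside the pod. You can't write it to the secret directory or the ConfigMap directory, so your essential choices are to write it to the pod filesystem (which will get deleted as soon as the pod exits, including if Kubernetes decides to relocate the pod within the cluster) or the mounted database directory (and your backup will survive exactly as long as the data it's backing up).

I'd run mysqldump from outside the pod. One good approach is to create a separate Job that mounts some sort of long-term storage (or relies on external object storage; if you're running on AWS, for example, S3), connects to the database pod, and runs the backup that way. This has the advantage of being fully self-contained (so you can debug it without interfering with your live database) and also totally automated (you could launch it from a Kubernetes CronJob).

kubectl exec doesn't seem to have the same flags docker exec does to control the user identity, so you're dependent on there being some path inside the container that its default user can write to. /tmp is typically world-writable, so if you just want that specific command to work, try putting the dump file into /tmp/owncloud-dbbackup_...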
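
The separate-Job approach described in the answer above, written out as a CronJob that reuses the Secret, user, database and UID from the pod YAML in the question. This is an added example, not part of the original answer: the Service name my-owncloud-mariadb, the PVC owncloud-db-backups and the CronJob name are assumptions, and older clusters need apiVersion batch/v1beta1.

```yaml
# Added example: nightly mysqldump from a separate CronJob (not from the original post).
# Assumptions: a Service "my-owncloud-mariadb" fronts the database pod, and a PVC
# named "owncloud-db-backups" (hypothetical) exists for long-term storage.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: owncloud-db-backup          # hypothetical name
  namespace: default
spec:
  schedule: "0 2 * * *"             # daily at 02:00
  concurrencyPolicy: Forbid         # never run two dumps at once
  jobTemplate:
    spec:
      backoffLimit: 2
      template:
        spec:
          restartPolicy: Never
          securityContext:
            runAsUser: 1001         # same non-root UID as the database pod
            fsGroup: 1001           # volume is group-owned by 1001 where the volume type supports it
          containers:
          - name: mysqldump
            image: docker.io/bitnami/mariadb:10.3.18-debian-9-r36
            command:
            - bash
            - -ec
            - |
              umask 077             # dump readable by the backup user only
              out="/backup/owncloud-dbbackup_$(date +%Y%m%d).sql"
              mysqldump --single-transaction -h my-owncloud-mariadb \
                -u myuser mydatabase > "$out.partial"
              mv "$out.partial" "$out"   # only complete dumps get the final name
            env:
            - name: MYSQL_PWD       # read by the client; keeps the password out of argv
              valueFrom:
                secretKeyRef:
                  name: my-owncloud-mariadb
                  key: mariadb-password
            volumeMounts:
            - name: backup
              mountPath: /backup
          volumes:
          - name: backup
            persistentVolumeClaim:
              claimName: owncloud-db-backups
```

Because the password comes from the Secret through MYSQL_PWD, it does not appear in shell history or in the process list the way -ppassword does in the kubectl exec command.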
