更新时间:2024-11-15 GMT+08:00
容器集群防护插件卸载失败怎么办?
故障原因
当集群网络异常或插件正在工作时,通过HSS控制台卸载插件可能会失败。
解决措施
在任一集群节点执行如下操作,即可卸载容器集群防护插件。
- 登录任一集群节点。
- 在/tmp目录下新建plugin.yaml文件,并将如下脚本内容拷贝至plugin.yaml文件中。
apiVersion: v1 kind: Namespace metadata: labels: admission.gatekeeper.sh/ignore: no-self-managing control-plane: controller-manager gatekeeper.sh/system: "yes" pod-security.kubernetes.io/audit: restricted pod-security.kubernetes.io/audit-version: latest pod-security.kubernetes.io/enforce: restricted pod-security.kubernetes.io/enforce-version: v1.24 pod-security.kubernetes.io/warn: restricted pod-security.kubernetes.io/warn-version: latest name: gatekeeper-system --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" name: assign.mutations.gatekeeper.sh --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" name: assignimage.mutations.gatekeeper.sh --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" name: assignmetadata.mutations.gatekeeper.sh --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" name: configs.config.gatekeeper.sh --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" name: constraintpodstatuses.status.gatekeeper.sh --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" name: constrainttemplatepodstatuses.status.gatekeeper.sh --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.11.3 labels: gatekeeper.sh/system: "yes" name: constrainttemplates.templates.gatekeeper.sh --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" name: expansiontemplate.expansion.gatekeeper.sh --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" name: expansiontemplatepodstatuses.status.gatekeeper.sh --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" name: modifyset.mutations.gatekeeper.sh --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" name: mutatorpodstatuses.status.gatekeeper.sh --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.11.3 labels: gatekeeper.sh/system: "yes" name: providers.externaldata.gatekeeper.sh --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: creationTimestamp: null labels: gatekeeper.sh/system: "yes" name: gatekeeper-manager-role namespace: gatekeeper-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null labels: gatekeeper.sh/system: "yes" name: gatekeeper-manager-role --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: gatekeeper.sh/system: "yes" name: gatekeeper-manager-rolebinding namespace: gatekeeper-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: gatekeeper-manager-role subjects: - kind: ServiceAccount name: gatekeeper-admin namespace: gatekeeper-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: gatekeeper.sh/system: "yes" name: gatekeeper-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: gatekeeper-manager-role subjects: - kind: ServiceAccount name: gatekeeper-admin namespace: gatekeeper-system --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: labels: gatekeeper.sh/system: "yes" name: gatekeeper-mutating-webhook-configuration --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: labels: gatekeeper.sh/system: "yes" name: gatekeeper-validating-webhook-configuration
- 在/tmp目录下新建uninstall.sh文件,并将如下脚本内容拷贝至uninstall.sh文件中。
#!/bin/bash kubectl delete -f /tmp/plugin.yaml kubectl delete ns cgs-provider
- 执行如下命令卸载容器集群防护插件。
bash /tmp/uninstall.sh
回显如下图类似信息,表示插件卸载完成。
父主题: 容器安全
