為避免Helm V2 Tiller服務端一些潛在的安全問題,例如攻擊者可以通過Tiller在叢集內安裝未經授權的應用,並且使用更多的Helm特性,推薦您將Helm V2升級至Helm V3版本。本文介紹如何將Helm V2升級遷移至Helm V3。
升級遷移步驟
本小節以升級至Helm v3.3.0為例,介紹如何升級遷移Helm V2。關於Helm版本的更多資訊,請參見Helm。
若允許應用重裝,建議您參見文檔刪除應用後重裝。具體操作,請參見【組件升級】Helm V2 Tiller升級公告。
執行以下命令,安裝Helm V3。
wget https://get.helm.sh/helm-v3.3.0-linux-amd64.tar.gz tar -xzvf helm-v3.3.0-linux-amd64.tar.gz mv linux-amd64/helm /usr/local/bin/helm helm version
預期輸出:
version.BuildInfo{Version:"v3.3.0", GitCommit:"e29ce2a54e96cd02ccfce88bee4f58bb6e2a****", GitTreeState:"clean", GoVersion:"go1.13.4"}
執行以下命令,安裝Helm 2to3。
本小節以安裝Chart ack-node-local-dns為例,介紹如何安裝。
git clone https://github.com/helm/helm-2to3.git helm plugin install ./helm-2to3
執行以下命令,升級Chart ack-node-local-dns至Helm V3。
helm 2to3 convert ack-node-local-dns --delete-v2-releases
預期輸出:
2022/12/27 17:12:50 Release "ack-node-local-dns" will be converted from Helm v2 to Helm v3. 2022/12/27 17:12:50 [Helm 3] Release "ack-node-local-dns" will be created. 2022/12/27 17:12:50 [Helm 3] ReleaseVersion "ack-node-local-dns.v1" will be created. 2022/12/27 17:12:50 [Helm 3] ReleaseVersion "ack-node-local-dns.v1" created. 2022/12/27 17:12:50 [Helm 3] Release "ack-node-local-dns" created. 2022/12/27 17:12:50 [Helm 2] Release "ack-node-local-dns" will be deleted. 2022/12/27 17:12:50 [Helm 2] ReleaseVersion "ack-node-local-dns.v1" will be deleted. 2022/12/27 17:12:50 [Helm 2] ReleaseVersion "ack-node-local-dns.v1" deleted. 2022/12/27 17:12:50 [Helm 2] Release "ack-node-local-dns" deleted. 2022/12/27 17:12:50 Release "ack-node-local-dns" was converted successfully from Helm v2 to Helm v3.
Helm V2升級遷移常見問題
apiVersion版本不一致導致的資源已存在問題
問題現象
叢集版本升級後,Helm V2升級遷移出現錯誤提示rendered manifests contain a new resource that already exists. Unable to continue with update: existing resource conflict: kind: MutatingWebhookConfiguration, namespace: , name: mse-pilot-ack-mse-pilot。
問題原因
叢集版本升級後,1.22版本不支援v1beta1,而其他低版本還支援v1beta1,所以叢集升級到高版本之後可能報錯。
解決方案
您需要升級apiVersion版本。具體操作,請參見通過helm-mapkubeapis外掛程式原地升級apiVersion。
Helm V2升級至Helm V3,但升級Chart版本報錯
問題現象
Helm V2升級遷移至V3,但升級Chart版本時(例如,升級v1.3.5版本至v1.5.3),出現錯誤提示err: rendered manifests contain a resource that already exists. Unable to continue with update: MutatingWebhookConfiguration \"ack-node-local-dns-admission-controller\" in namespace \"\" exists and cannot be imported into the current release: invalid ownership metadata; label validation error: missing key \"app.kubernetes.io/managed-by\": must be set to \"Helm\"; annotation validation error: missing key \"meta.helm.sh/release-name\": must be set to \"ack-node-local-dns\"
。
問題原因
該資源沒有對應的Helm歸屬。
解決方案
您可以通過以下任意一種方式解決。
將該資源配置歸屬到對應的Helm。
執行以下命令,修改對應的設定檔。
kubectl edit MutatingWebhookConfiguration ack-node-local-dns-admission-controller
增加如下
annotations
和labels
對應到Release中。annotations: meta.helm.sh/release-name: ack-node-local-dns meta.helm.sh/release-namespace: kube-system labels: app.kubernetes.io/managed-by: Helm
執行以下命令,刪除該資源。
kubectl delete MutatingWebhookConfiguration ack-node-local-dns-admission-controller