Error looking up service account when using a RoleBinding

I have created a Helm chart. In this chart I have a Job template with a post-install hook (code below), a custom resource and a ConfigMap.

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: postinstall-hook
  annotations:
    "helm.sh/hook": "post-install"
    "helm.sh/hook-delete-policy": hook-succeeded # hooks are not deleted without this annotation
spec:
  template:
    spec:
      # ServiceAccount the hook pod runs as (must exist in the release namespace)
      serviceAccountName: {{ .Values.serviceAccount }}
      automountServiceAccountToken: true
      containers:
        - name: kubectl
          image: bitnami/kubectl
          imagePullPolicy: Always
          command:
            - /bin/bash
            - -c
            - |
              # poll until no Job in the release namespace is still active
              while true; do
                running_jobs=$(kubectl get jobs -n {{ .Release.Namespace }} -o jsonpath='{.items[?(@.status.active==1)].metadata.name}')
                if [ -z "$running_jobs" ]; then
                  echo "All jobs have completed"
                  break
                else
                  echo "Waiting for the following jobs to complete: $running_jobs"
                  sleep 30
                fi
              done
      restartPolicy: Never
      terminationGracePeriodSeconds: 10
```

When I install with Helm I use a specific service account. The service account has access to namespace ns1, but I want to deploy into namespace ns2, so in the existing service account I added a Role and a RoleBinding for that service account so it can act on the other namespace.

When I deploy the chart, the job fails with the error:

```text
Error creating: pods "postinstall-hook-" is forbidden: error looking up service account ns2/serviceaccountname: serviceaccount "serviceaccount" not found
```

It is true that the service account does not exist in this namespace. But I want to use the service account that exists in namespace ns1, which is why I created the Role and the RoleBinding.

Service account manifests:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: devops-deploy
  namespace: devops
automountServiceAccountToken: false
---
apiVersion: v1
kind: Secret
metadata:
  name: devops-deploy-secret
  namespace: devops
  annotations:
    kubernetes.io/service-account.name: devops-deploy
type: kubernetes.io/service-account-token
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devops-deploy-role
  namespace: devops
rules:
  - apiGroups: ["apps"]
    resources: ["deployments","replicasets"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create","get","watch","list","update","patch","delete"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["*"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["*"]
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["*"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["*"]
  - apiGroups: ["k6.io"]
    resources: ["k6s"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: ["batch", "extensions"]
    resources: ["jobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # - apiGroups: ["apps"]
  #   resources: ["replicasets"]
  #   verbs: ["get","create","delete","update","list","watch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devops-deploy-rb
  namespace: devops
subjects:
  - kind: ServiceAccount
    name: devops-deploy
roleRef:
  kind: Role
  name: devops-deploy-role
  apiGroup: rbac.authorization.k8s.io
---
###
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: job-exec-from-ns1
  namespace: k6
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: devops-deploy-role
subjects:
  - kind: ServiceAccount
    name: devops-deploy
    namespace: devops
### Stack Over Flow answer
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-describe-cr
rules:
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get","create","delete","update","list","watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-describe-crb
subjects:
  - kind: ServiceAccount
    name: devops-deploy
    namespace: devops
roleRef:
  kind: ClusterRole
  name: kube-describe-cr
  apiGroup: rbac.authorization.k8s.io
```

Just create a RoleBinding in namespace N2 for the SA from namespace N1.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: job-exec-from-ns1
  namespace: ns2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: job-exec
subjects:
  - kind: ServiceAccount
    name: ns1-service-account
    namespace: ns1
```

If you still have problems, please share the RBAC and RoleBinding manifests.
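To make the namespace semantics behind both the error in the question and the RoleBinding in the answer concrete, here is an added Python example (not code from the question, the answer, or Kubernetes itself) that models the relevant RBAC rules offline: a Pod can only reference a ServiceAccount in its own namespace; a RoleBinding grants only inside its own namespace; a ServiceAccount subject with no namespace defaults to the binding's namespace; and a `roleRef` of kind `Role` is resolved in the binding's namespace, so a binding in `k6` that points at `devops-deploy-role` grants nothing unless a Role of that name also exists in `k6`. The manifests are a constructed, trimmed Python rendering of the ones posted above, and `page_manifests`, `k6_role_copy`, `sa_exists` and `allowed` are names chosen for this example.

```python
"""Minimal offline model of Kubernetes RBAC namespace semantics (added example).

Only the rules needed to reason about the posted manifests are modelled;
subjects are ServiceAccounts only and aggregation/non-resource URLs are ignored.
"""


def sa_exists(manifests, namespace, name):
    """A Pod may only reference a ServiceAccount in the Pod's own namespace."""
    return any(
        m["kind"] == "ServiceAccount"
        and m["metadata"].get("namespace") == namespace
        and m["metadata"]["name"] == name
        for m in manifests
    )


def _find(manifests, kind, name, namespace=None):
    """Look up a Role (namespaced) or ClusterRole (namespace=None) by name."""
    for m in manifests:
        md = m["metadata"]
        if m["kind"] == kind and md["name"] == name and md.get("namespace") == namespace:
            return m
    return None


def _rule_matches(rule, verb, api_group, resource):
    def hit(values, want):
        return "*" in values or want in values
    return (hit(rule.get("apiGroups", []), api_group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))


def _subject_matches(binding, sa_ns, sa_name):
    # A ServiceAccount subject without a namespace defaults to the binding's
    # namespace; for a ClusterRoleBinding that is no namespace at all.
    default_ns = binding["metadata"].get("namespace")
    return any(
        s.get("kind") == "ServiceAccount"
        and s.get("name") == sa_name
        and s.get("namespace", default_ns) == sa_ns
        for s in binding.get("subjects", [])
    )


def allowed(manifests, sa_ns, sa_name, verb, api_group, resource, target_ns):
    """Is ServiceAccount sa_ns/sa_name allowed to <verb> <resource> in target_ns?"""
    for b in manifests:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        b_ns = b["metadata"].get("namespace")
        if b["kind"] == "RoleBinding" and b_ns != target_ns:
            continue  # a RoleBinding only grants inside its own namespace
        if not _subject_matches(b, sa_ns, sa_name):
            continue
        ref = b["roleRef"]
        # A Role roleRef resolves in the binding's namespace; a dangling
        # reference is accepted by the API server but grants nothing.
        role = (_find(manifests, "Role", ref["name"], b_ns) if ref["kind"] == "Role"
                else _find(manifests, "ClusterRole", ref["name"]))
        if role and any(_rule_matches(r, verb, api_group, resource) for r in role.get("rules", [])):
            return True
    return False


def page_manifests():
    """Constructed rendering of the question's manifests, rules trimmed to those used here."""
    return [
        {"kind": "ServiceAccount", "metadata": {"name": "devops-deploy", "namespace": "devops"}},
        {"kind": "Role", "metadata": {"name": "devops-deploy-role", "namespace": "devops"},
         "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]},
                   {"apiGroups": ["batch", "extensions"], "resources": ["jobs"],
                    "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}]},
        {"kind": "RoleBinding", "metadata": {"name": "devops-deploy-rb", "namespace": "devops"},
         "subjects": [{"kind": "ServiceAccount", "name": "devops-deploy"}],  # namespace defaults to devops
         "roleRef": {"kind": "Role", "name": "devops-deploy-role"}},
        {"kind": "RoleBinding", "metadata": {"name": "job-exec-from-ns1", "namespace": "k6"},
         "subjects": [{"kind": "ServiceAccount", "name": "devops-deploy", "namespace": "devops"}],
         "roleRef": {"kind": "Role", "name": "devops-deploy-role"}},  # no such Role in k6
        {"kind": "ClusterRole", "metadata": {"name": "kube-describe-cr"},
         "rules": [{"apiGroups": [""], "resources": ["services"],
                    "verbs": ["get", "create", "delete", "update", "list", "watch"]}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "kube-describe-crb"},
         "subjects": [{"kind": "ServiceAccount", "name": "devops-deploy", "namespace": "devops"}],
         "roleRef": {"kind": "ClusterRole", "name": "kube-describe-cr"}},
    ]


def k6_role_copy():
    """Constructed: the Role the k6 binding's roleRef needs, deliberately read-only."""
    return {"kind": "Role", "metadata": {"name": "devops-deploy-role", "namespace": "k6"},
            "rules": [{"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["get", "list", "watch"]}]}


if __name__ == "__main__":
    m = page_manifests()
    sa = ("devops", "devops-deploy")
    print("pod in k6 can use devops/devops-deploy?", sa_exists(m, "k6", "devops-deploy"))
    print("create jobs in devops:", allowed(m, *sa, "create", "batch", "jobs", "devops"))
    print("create jobs in k6 (dangling roleRef):", allowed(m, *sa, "create", "batch", "jobs", "k6"))
    print("list jobs in k6 with Role in k6:", allowed(m + [k6_role_copy()], *sa, "list", "batch", "jobs", "k6"))
    print("list services in k6 via ClusterRoleBinding:", allowed(m, *sa, "list", "", "services", "k6"))
```

Against a real cluster the same questions are answered by the authorizer itself, for example `kubectl auth can-i create jobs -n k6 --as=system:serviceaccount:devops:devops-deploy`; that check confirms what a binding grants, but it cannot make a Pod in one namespace run as a ServiceAccount that only exists in another.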