我希望在kubernetes中的部署具有从集群内重新启动自己的权限。
我知道我可以创建一个服务帐户并将其绑定到pod,但我缺少最具体的权限名称(即不只是允许'*'),以允许命令
kubectl rollout restart deploy <deployment>
这是我有什么,和??
apiVersion: v1
kind: ServiceAccount
metadata:
name: restart-sa
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: restarter
rules:
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["list", "???"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: testrolebinding
namespace: default
subjects:
- kind: ServiceAccount
name: restart-sa
namespace: default
roleRef:
kind: Role
name: restarter
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
name: example
spec:
containers:
- image: nginx
name: nginx
serviceAccountName: restart-sa
我认为以下是重新启动部署所需的最低权限:
rules:
- apiGroups: ["apps", "extensions"]
resources: ["deployments"]
resourceNames: [$DEPLOYMENT]
verbs: ["get", "patch"]
如果您想要从集群内重新启动kubernetes部署本身的权限,您需要设置rbac授权权限。
在yaml文件中,您错过了Role:rules下的一些特定权限,您需要以以下格式添加动词:["get","watch","list"]
你需要在yaml文件中添加" deployment "而不是" Pod "。
确保在"spec:containers"下的部署yaml文件中添加了"serviceAccountName: restart-sa"。如下所述:
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
serviceAccountName: restart-sa
然后可以使用下面的命令重新启动部署:
kubectl rollout restart deployment [deployment_name]
如果有人也面临这个问题,我面临一个类似的服务帐户无法执行rollout重启.
最后,我设法通过添加复制集来修复它到资源列表
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: restarter
rules:
- apiGroups: ["apps"]
resources: ["deployments", "replicasets", "pods"]
verbs: ["get", "patch"]
希望这对你也有帮助:)