我喜欢给每个gitlab命名空间/项目(微服务(一个来自Prometheus-operator提供的monitoring.coreos.com的服务监视器。 但是在运行创建它的 gitlab 管道时,会出现一个错误,即无法通过以下方式创建此资源
servicemonitors.monitoring.coreos.com "service-monitor" is forbidden: User "system:serviceaccount:ABC_NAMESPACE:ABC-dev-service-account" cannot get resource "servicemonitors" in API group "monitoring.coreos.com" in the namespace "ABC_NAMESPACE"
因此,我通过为单个命名空间应用角色和角色绑定来解决一个 mircroservice 的方法,但对所有命名空间这样做真的很好。
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: service_cluster_monitor_reader
rules:
- apiGroups: ["monitoring.coreos.com"] # "" indicates the core API group
resources: ["servicemonitors"]
verbs: ["get", "create", "update", "patch", "delete"]
---
kind: CluserRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cluster-monitor-binding
subjects:
- kind: ServiceAccount
name: gitlab-project-id-dev-service-account
roleRef:
kind: ClusterRole
name: service_cluster_monitor_reader
apiGroup: rbac.authorization.k8s.io
是否可以为所有 gitlab 创建的命名空间提供角色绑定以获取此权限?
虽然仅在 gitlab 创建的命名空间中将此权限授予服务帐户并非易事,但您可以使用以下内容将此权限分配给群集中所有命名空间中的所有服务帐户。
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: service_cluster_monitor_reader
rules:
- apiGroups: ["monitoring.coreos.com"] # "" indicates the core API group
resources: ["servicemonitors"]
verbs: ["get", "create", "update", "patch", "delete"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cluster-monitor-binding
subjects:
- kind: Group
name: system:serviceaccounts
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: service_cluster_monitor_reader
apiGroup: rbac.authorization.k8s.io
通过以下方式验证权限
kubectl auth can-i get servicemonitors --as=system:serviceaccount:ABC_NAMESPACE:ABC-dev-service-account -n ABC_NAMESPACE