
Argo Workflows: `workflow-role` seems to be missing from Argo install

I am new to Argo Workflows and following along with this tutorial.

Following along with it, we are to create a service account and then attach the pre-existing `workflow-role` to the service account, like this:

> kubectl create serviceaccount mike
serviceaccount/mike created # Response from my terminal

> kubectl create rolebinding mike --serviceaccount=argo:mike --role=workflow-role
rolebinding.rbac.authorization.k8s.io/mike created # Response from my terminal

But then when I tried to submit a job using that service account, it said that there is no such role `workflow-role`:

Message:  Error (exit code 1): pods "mike-cli-hello-svlmn" is forbidden: User
"system:serviceaccount:argo:mike" cannot patch resource "pods" in API group "" in the namespace
"argo": RBAC: role.rbac.authorization.k8s.io "workflow-role" not found

(I also do not understand why my default API group is null, but I'm assuming that is unrelated.)

I then checked, and indeed there is no such role:

❯ kubectl get role
NAME                       CREATED AT
agent                      2022-02-28T21:38:31Z
argo-role                  2022-02-28T21:38:31Z
argo-server-role           2022-02-28T21:38:32Z
executor                   2022-02-28T21:38:32Z
pod-manager                2022-02-28T21:38:32Z
submit-workflow-template   2022-02-28T21:38:32Z
workflow-manager           2022-02-28T21:38:32Z

Could it be that the role is `workflow-manager`? That sounds more like an automated service to manage the pipeline / DAG or something similar.

I am obviously quite new to Argo. I have successfully launched jobs, but not when trying to use that newly created service account.

Should Argo have a default role of `workflow-role`? How do I create it?

Actually, I think I got it, but if someone sees this, a confirmation would be nice.

I created a role file as follows:

role.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: workflow
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - watch
  - patch
- apiGroups:
  - ""
  resources:
  - pods/log
  verbs:
  - get
  - watch

I then created the role via the standard

kubectl apply -f role.yaml

Then created the role-binding same as above:

kubectl create rolebinding mike --serviceaccount=argo:mike --role=workflow

Then I could submit jobs with the new service account without a problem:

argo submit --serviceaccount mike --watch argo_tutorial.yaml
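
A check for the situation in this post, as an added example that is not part of the original post or of Argo's own code: the first rolebinding above was created even though `workflow-role` did not exist, so this script flags RoleBindings whose `roleRef` names a missing Role and evaluates what the service account can actually do. The `BEFORE`/`AFTER` listings are constructed samples in the shape of `kubectl get role,rolebinding -n argo -o json`; the function names are hypothetical.

```python
def binding(name, role):
    # RoleBinding in the shape `kubectl create rolebinding --serviceaccount=argo:mike` produces
    return {"kind": "RoleBinding", "metadata": {"name": name, "namespace": "argo"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": role},
            "subjects": [{"kind": "ServiceAccount", "name": "mike", "namespace": "argo"}]}

# Constructed samples: the state after the first attempt, and after applying role.yaml.
WORKFLOW_ROLE = {
    "kind": "Role", "metadata": {"name": "workflow", "namespace": "argo"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "patch"]},
              {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get", "watch"]}]}
BEFORE = {"kind": "List", "items": [binding("mike", "workflow-role")]}
AFTER = {"kind": "List", "items": [WORKFLOW_ROLE, binding("mike", "workflow")]}

def dangling_bindings(listing):
    """Names of RoleBindings whose roleRef points at a Role missing from the listing."""
    roles = {o["metadata"]["name"] for o in listing["items"] if o["kind"] == "Role"}
    return [o["metadata"]["name"] for o in listing["items"]
            if o["kind"] == "RoleBinding" and o["roleRef"]["kind"] == "Role"
            and o["roleRef"]["name"] not in roles]

def allowed(listing, sa, verb, resource, group=""):
    """True if a Role bound to service account `sa` ("namespace:name") grants the request.
    group "" is the core API group, where pods live. ClusterRole references and
    rules restricted by resourceNames are skipped (simplification)."""
    ns, name = sa.split(":")
    subject = {"kind": "ServiceAccount", "name": name, "namespace": ns}
    roles = {o["metadata"]["name"]: o for o in listing["items"] if o["kind"] == "Role"}
    for b in listing["items"]:
        if b["kind"] != "RoleBinding" or b["roleRef"]["kind"] != "Role":
            continue
        subjects = [{k: s.get(k) for k in subject} for s in b.get("subjects") or []]
        if subject not in subjects:
            continue
        role = roles.get(b["roleRef"]["name"], {})  # dangling roleRef grants nothing
        for rule in role.get("rules") or []:
            if rule.get("resourceNames"):
                continue
            wanted = (("apiGroups", group), ("resources", resource), ("verbs", verb))
            if all(v in rule.get(k, []) or "*" in rule.get(k, []) for k, v in wanted):
                return True
    return False

if __name__ == "__main__":
    for label, listing in (("before", BEFORE), ("after", AFTER)):
        print(label, "dangling:", dangling_bindings(listing),
              "patch pods:", allowed(listing, "argo:mike", "patch", "pods"),
              "delete pods:", allowed(listing, "argo:mike", "delete", "pods"))
```

To audit a live namespace, load the JSON printed by `kubectl get role,rolebinding -n argo -o json` and pass it to the same functions.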
