[英]I am getting permission issue (cannot create resource \“Job\” in API group \"batch) while creating jobs via sensors of argo-events
我正在嘗試從傳感器觸發作業創建,但出現以下錯誤:
Job.batch is forbidden: User \"system:serviceaccount:samplens:sample-sa\" cannot create resource \"Job\" in API group \"batch\" in the namespace \"samplens\"","errorVerbose":"timed out waiting for the condition: Job.batch is forbidden: User \"system:serviceaccount:samplens:sample-sa\" cannot create resource \"Job\" in API group \"batch\" in the namespace \"samplens\"\nfailed to execute trigger\ngithub.com/argoproj/argo-events/sensors.(*SensorContext).triggerOne\n\t/home/jenkins/agent/workspace/argo-events_master/sensors/listener.go:328\ngithub.com/argoproj/argo-events/sensors.(*SensorContext).triggerActions\n\t/home/jenkins/agent/workspace/argo-events_master/sensors/listener.go:269\ngithub.com/argoproj/argo-events/sensors.(*SensorContext).listenEvents.func1.3\n\t/home/jenkins/agent/workspace/argo-events_master/sensors/listener.go:181\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1357","triggerName":"sample-job","triggeredBy":["payload"],"triggeredByEvents":["38333939613965312d376132372d343262302d393032662d663731393035613130303130"],"stacktrace":"github.com/argoproj/argo-events/sensors.(*SensorContext).triggerActions\n\t/home/jenkins/agent/workspace/argo-events_master/sensors/listener.go:271\ngithub.com/argoproj/argo-events/sensors.(*SensorContext).listenEvents.func1.3\n\t/home/jenkins/agent/workspace/argo-events_master/sensors/listener.go:181"}
12
雖然我已經創建了serviceaccount
、 role
和rolebinding
。 這是我的serviceaccount
創建文件:
apiVersion: v1
kind: ServiceAccount
metadata:
name: sample-sa
namespace: samplens
這是我的rbac.yaml
:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: sample-role
namespace: samplens
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- create
- delete
- get
- watch
- patch
- apiGroups:
- "batch"
resources:
- jobs
verbs:
- create
- delete
- get
- watch
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: sample-role-binding
namespace: samplens
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: sample-role
subjects:
- kind: ServiceAccount
name: sample-sa
namespace: samplens
這是我的sensor.yaml
:
apiVersion: argoproj.io/v1alpha1
kind: Sensor
metadata:
name: webhook
spec:
template:
serviceAccountName: sample-sa
dependencies:
- name: payload
eventSourceName: webhook
eventName: devops-toolkit
triggers:
- template:
name: sample-job
k8s:
group: batch
version: v1
resource: Job
operation: create
source:
resource:
apiVersion: batch/v1
kind: Job
metadata:
name: samplejob-crypto
annotations:
argocd.argoproj.io/hook: PreSync
argocd.argoproj.io/hook-delete-policy: HookSucceeded
spec:
ttlSecondsAfterFinished: 100
serviceAccountName: sample-sa
template:
spec:
serviceAccountName: sample-sa
restartPolicy: OnFailure
containers:
- name: sample-crypto-job
image: docker.artifactory.xxx.com/abc/def/yyz:master-b1b347a
傳感器正確觸發但未能創建作業。 有人可以幫忙嗎,我錯過了什么?
將此作為社區 wiki 發布以獲得更好的可見性,請隨意編輯和擴展它。
原來的問題是通過調整role
和給*
動詞來解決的。 這意味着 argo 傳感器實際上需要更多權限。
這是用於測試環境的工作解決方案,而對於生產 RBAC 應以principle of least privileges
使用。
如何測試 RBAC
有一個kubectl
語法可以測試 RBAC(服務帳戶 + 角色 + 角色綁定)是否按預期設置。
下面是如何檢查NAMESPACE
SERVICE_ACCOUNT_NAME
是否可以在命名空間NAMESPACE
創建作業的示例:
kubectl auth can-i --as=system:serviceaccount:NAMESPACE:SERVICE_ACCOUNT_NAME create jobs -n NAMESPACE
答案很簡單: yes
或no
。
有用的鏈接:
剛剛在 argo-events 中遇到了同樣的問題。 希望這會在不久的將來得到解決,或者至少有一些更好的文檔。
更改sensor.yaml
的以下值:
spec.triggers[0].template.k8s.resource: jobs
相關文檔(此時)似乎指向了一些舊的 Kubernetes API v1.13 文檔,所以我不知道為什么需要用復數“jobs”來編寫它,但這為我解決了這個問題。
在觸發Pod 的示例 trigger 中,值“pods”使用的字段與為我指明正確方向的字段相同。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.