[英]Adding helm hooks to RBAC resources
我想創建一個post-install,post-upgrade helm hook(更准確地說是一個Job )。
這將需要以下 RBAC 資源(我已經添加了相應的 helm-hook 注釋)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: "{{ .Release.Name }}-post-install-role"
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: "{{ .Release.Name }}-post-install-rolebinding"
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
subjects:
- kind: ServiceAccount
namespace: {{ .Release.Namespace }}
name: "{{ .Release.Name }}-post-install-sa"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: "{{ .Release.Name }}-post-install-role"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: "{{ .Release.Name }}-post-install-sa"
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
在我相應的Job規范中:
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation
...
serviceAccountName: "{{ .Release.Name }}-post-install-sa"
我認為通過將pre-添加到 RBAC 資源,我會確保這些是在實際Job之前創建的,這是一個post- thing。
通過還將hook-delete-policy為before-hook-creation,hook-succeeded,hook-failed ,這些也將在所有情況下(無論作業失敗還是成功)都被刪除,以避免出於安全考慮讓它們閑置。
但是,由於無法找到ServiceAccount , Job創建錯誤
error looking up service account elastic/elastic-stack-post-install-sa: serviceaccount "elastic-stack-post-install-sa" not found
這是為什么?
嘗試使用 hook 權重來確保確定性順序。Helm 首先加載具有最低權重的 hook(從負到正)
"helm.sh/hook-weight": "0"
示例:以最低權重創建服務帳戶。
正如 PGS 所建議的,“ helm.sh/hook-weight ”注釋是這里的解決方案。
重要筆記:
鈎子權重可以是正數、零或負數,但必須表示為字符串。 示例: "helm.sh/hook-weight": "-5" (注意:-5 用雙引號括起來)
當 Helm 開始執行特定種類的鈎子時,它將按升序對這些鈎子進行排序。
吊鈎重量確保以下:
Helm RBAC 規則在這些創建的名稱中創建命名空間和資源
[英]Helm RBAC rules to create namespaces and resources inside those created name
Kubernetes中存在哪些RBAC規則的apiGroup和資源?
[英]What apiGroups and resources exist for RBAC rules in kubernetes?
deletecollection kube.netes (tekton) 資源 - 需要特定的 RBAC?
[英]deletecollection kubernetes (tekton) resources - specific RBAC needed?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.