
How to add RBAC roles to a Controller for a different kind of resource in Kubebuilder

I'm using Kubebuilder to create a new Operator that deploys a Kubernetes controller managing a new CRD (Custom Resource Definition).

This new CRD (let's call it MyNewResource) needs to list/create/delete CronJobs.

So in the Controller Go code where the Reconcile(...) method is defined I added a new RBAC comment to allow the reconciliation to work on CronJobs (see https://book.kubebuilder.io/reference/markers/rbac.html ):

//+kubebuilder:rbac:groups=batch,resources=cronjobs,verbs=get;list;watch;create;update;patch;delete

However, after building, pushing and deploying the Docker image / Kubernetes controller (in repo myrepo: make manifests, then make install, then make docker-build docker-push, then make deploy), I still see this in the logs:

E0111 09:35:18.785523       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.1/tools/cache/reflector.go:167: Failed to watch *v1beta1.CronJob: failed to list *v1beta1.CronJob: cronjobs.batch is forbidden: User "system:serviceaccount:myrepo-system:myrepo-controller-manager" cannot list resource "cronjobs" in API group "batch" at the cluster scope

I also see issues about the cache, but they are probably unrelated (not sure):

2022-01-11T09:35:57.857Z        ERROR   controller.mynewresource        Could not wait for Cache to sync        {"reconciler group": "mygroup.mydomain.com", "reconciler kind": "MyNewResource", "error": "failed to wait for mynewresource caches to sync: timed out waiting for cache to be synced"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start
        /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.0/pkg/internal/controller/controller.go:234
sigs.k8s.io/controller-runtime/pkg/manager.(*controllerManager).startRunnable.func1
        /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.0/pkg/manager/internal.go:696
2022-01-11T09:35:57.858Z        ERROR   error received after stop sequence was engaged  {"error": "leader election lost"}
2022-01-11T09:35:57.858Z        ERROR   setup   problem running manager {"error": "failed to wait for mynewresource caches to sync: timed out waiting for cache to be synced"}

How can I make my new Operator handle CronJobs resources?

Currently, I basically cannot programmatically (Go code) create new CronJobs when I provide some YAML for a new instance of my CRD by invoking:

kubectl create -f mynewresource-project/config/samples/
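As an added example (not part of the question, and not Kubebuilder's or controller-gen's own code), the following Python checks whether the //+kubebuilder:rbac markers in the controller source actually cover the access the apiserver denied in the log above: it parses the markers into the PolicyRule shape controller-gen writes to config/rbac/role.yaml and matches them against an "is forbidden" log line. The sample marker and log line are constructed from the ones in the question.

```python
import re

# Marker syntax: //+kubebuilder:rbac:groups=batch,resources=cronjobs,verbs=get;list;watch
MARKER_RE = re.compile(r"^\s*//\s*\+kubebuilder:rbac:(.+)$")
# The apiserver's RBAC denial as it shows up in the controller log
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
)

def parse_rbac_markers(go_source):
    """Markers -> PolicyRule-like dicts (what controller-gen writes to config/rbac/role.yaml)."""
    rules = []
    for line in go_source.splitlines():
        m = MARKER_RE.match(line)
        if not m:
            continue
        fields = {}
        for kv in m.group(1).split(","):
            key, _, value = kv.partition("=")
            fields[key.strip()] = [v.strip() for v in value.split(";") if v.strip()]
        # controller-gen spells the core group "core" in markers and "" in YAML
        groups = ["" if g == "core" else g for g in fields.get("groups", [""])]
        rules.append({"apiGroups": groups, "resources": fields.get("resources", []),
                      "verbs": fields.get("verbs", [])})
    return rules

def rule_allows(rules, group, resource, verb):
    """True if any rule grants verb on resource in group ('*' is a wildcard)."""
    return any((group in r["apiGroups"] or "*" in r["apiGroups"])
               and (resource in r["resources"] or "*" in r["resources"])
               and (verb in r["verbs"] or "*" in r["verbs"]) for r in rules)

def denial_covered(rules, log_line):
    """Parse an 'is forbidden' log line; None if it is not one, else whether the markers grant it."""
    m = FORBIDDEN_RE.search(log_line)
    return None if not m else rule_allows(rules, m["group"], m["resource"], m["verb"])

# Constructed sample input: the marker from the question plus the denial from its log
SAMPLE_GO = """
//+kubebuilder:rbac:groups=batch,resources=cronjobs,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups=core,resources=events,verbs=create;patch
"""
SAMPLE_LOG = ('cronjobs.batch is forbidden: User "system:serviceaccount:myrepo-system:'
              'myrepo-controller-manager" cannot list resource "cronjobs" in API group "batch" at the cluster scope')

if __name__ == "__main__":
    rules = parse_rbac_markers(SAMPLE_GO)
    print("markers cover the logged denial:", denial_covered(rules, SAMPLE_LOG))
```

A True result means the marker itself is fine and the gap is between the source and the cluster: compare config/rbac/role.yaml with the deployed ClusterRole and confirm with kubectl auth can-i list cronjobs.batch --as=system:serviceaccount:myrepo-system:myrepo-controller-manager.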

You need to create a new Role or ClusterRole (depending on whether you want your permissions to be namespaced or cluster-wide) and bind it to your system:serviceaccount:myrepo-system:myrepo-controller-manager user with a RoleBinding/ClusterRoleBinding. I'll give an example of the cluster-wide configuration.

ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cronjobs-role
rules:
- apiGroups: [""]   # "" is the core API group; for the CronJobs in the log above this needs to be "batch"
  resources: ["cronjobs"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]

Then bind it with a ClusterRoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cronjobs-rolebinding
subjects:
- kind: User
  name: system:serviceaccount:myrepo-system:myrepo-controller-manager
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cronjobs-role   # must match metadata.name of the ClusterRole above
  apiGroup: rbac.authorization.k8s.io

Judging from your logs, you probably want to use the batch apiGroup, but I'll leave the more generic example. More on k8s RBAC here.
