Permission issue when creating a Job through an Argo Events sensor: cannot create resource "Job" in API group "batch"

Problem description

I am trying to trigger the creation of a Job from a sensor, but I get the following error:

   Job.batch is forbidden: User \"system:serviceaccount:samplens:sample-sa\" cannot create resource \"Job\" in API group \"batch\" in the namespace \"samplens\"","errorVerbose":"timed out waiting for the condition: Job.batch is forbidden: User \"system:serviceaccount:samplens:sample-sa\" cannot create resource \"Job\" in API group \"batch\" in the namespace \"samplens\"\nFailed to execute trigger\ngithub.com/argoproj/argo-events/sensors.(*SensorContext).triggerOne\n\t/home/jenkins/agent/workspace/argo-events_master/sensors/listener.go:328\ngithub.com/argoproj/argo-events/sensors.(*SensorContext).triggerActions\n\t/home/jenkins/agent/workspace/argo-events_master/sensors/listener.go:269\ngithub.com/argoproj/argo-events/sensors.(*SensorContext).listenEvents.func1.3\n\t/home/jenkins/agent/workspace/argo-events_master/sensors/listener.go:181\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1357","triggerName":"sample-job","triggeredBy":["payload"],"triggeredByEvents":["38333939613965312d376132372d343262302d393032662d663731393035613130303130"],"stacktrace":"github.com/argoproj/argo-events/sensors.(*SensorContext).triggerActions\n\t/home/jenkins/agent/workspace/argo-events_master/sensors/listener.go:271\ngithub.com/argoproj/argo-events/sensors.(*SensorContext).listenEvents.func1.3\n\t/home/jenkins/agent/workspace/argo-events_master/sensors/listener.go:181"}

Although I have already created the ServiceAccount, Role and RoleBinding. Here is my ServiceAccount creation file:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: sample-sa
  namespace: samplens

Here is my rbac.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sample-role
  namespace: samplens
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - create
      - delete
      - get
      - watch
      - patch
  - apiGroups:
      - "batch"
    resources:
      - jobs
    verbs:
      - create
      - delete
      - get
      - watch
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sample-role-binding
  namespace: samplens
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: sample-role
subjects:
  - kind: ServiceAccount
    name: sample-sa
    namespace: samplens

Here is my sensor.yaml:

apiVersion: argoproj.io/v1alpha1
kind: Sensor
metadata:
  name: webhook
spec:
  template:
    serviceAccountName: sample-sa
  dependencies:
    - name: payload
      eventSourceName: webhook
      eventName: devops-toolkit
  triggers:
    - template:
        name: sample-job
        k8s:
          group: batch
          version: v1
          resource: Job
          operation: create
          source:
            resource:
              apiVersion: batch/v1
              kind: Job
              metadata:
                name: samplejob-crypto
                annotations:
                  argocd.argoproj.io/hook: PreSync
                  argocd.argoproj.io/hook-delete-policy: HookSucceeded
              spec:
                ttlSecondsAfterFinished: 100
                serviceAccountName: sample-sa
                template:
                  spec:
                    serviceAccountName: sample-sa
                    restartPolicy: OnFailure
                    containers:
                      - name: sample-crypto-job
                        image: docker.artifactory.xxx.com/abc/def/yyz:master-b1b347a

The sensor triggers correctly, but it fails to create the Job. Can someone help? What am I missing?

Solution

Posting this as a community wiki for better visibility; feel free to edit and expand it.

The original issue was resolved by adjusting the Role and granting the `*` verb. This means the Argo sensor actually needs more permissions.

This is a valid solution for a test environment, whereas for production RBAC should be applied together with the principle of least privilege.

How to test RBAC

There is a kubectl command for testing whether RBAC (ServiceAccount + Role + RoleBinding) is set up as expected.

Here is an example of how to check whether SERVICE_ACCOUNT_NAME in NAMESPACE can create jobs in the namespace NAMESPACE:

kubectl auth can-i --as=system:serviceaccount:NAMESPACE:SERVICE_ACCOUNT_NAME create jobs -n NAMESPACE

The answer is simply yes or no.

Useful links:

Just ran into the same issue with argo-events. Hopefully this gets fixed in the near future, or at least gets some better documentation.

Change the following value in your sensor.yaml:

spec.triggers[0].template.k8s.resource: jobs

The relevant documentation (at this time) seems to point to some old Kubernetes API v1.13 docs, so I don't know why it needs to be written with the plural "jobs", but this solved the problem for me.

In the example trigger that triggers a Pod, the value "pods" is used for the same field, which is what pointed me in the right direction.
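The two answers above come at the same problem from different sides: the first widens the Role until the request is allowed, the second fixes the trigger so it requests the resource name the Role actually grants. The following script is an added example (not code from the question, the answers, or the argo-events project) that reimplements the matching rules the Kubernetes RBAC authorizer applies to a PolicyRule: each of apiGroups, resources and verbs matches on `*` or on an exact, case-sensitive string, and a request is allowed only if one rule matches all three. It then audits the question's sensor against the question's Role and shows that a k8s trigger with `resource: Job` is denied while `resource: jobs` is allowed, and that a wildcard rule allows both (which is why broad grants "fix" the error at the cost of least privilege). The Role rules and the sensor are constructed in-line from the manifests in the question; the assumption that a k8s trigger's `operation` defaults to `create` is mine.

```python
"""Offline audit of Argo Events k8s triggers against a Kubernetes Role.

Added example: mirrors RBAC PolicyRule matching (exact, case-sensitive
strings, with "*" as the only wildcard) to explain why the request for
resource "Job" was forbidden although the Role grants "jobs".
"""
from typing import Any, Dict, Iterable, List, Tuple

# Rules from the question's rbac.yaml (constructed sample data).
ROLE_RULES: List[Dict[str, List[str]]] = [
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["create", "delete", "get", "watch", "patch"]},
    {"apiGroups": ["batch"], "resources": ["jobs"],
     "verbs": ["create", "delete", "get", "watch", "patch"]},
]

# A fully wildcarded rule, included only to show what broad grants do.
WILDCARD_RULES: List[Dict[str, List[str]]] = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
]

# The question's sensor, reduced to the fields the authorizer cares about,
# plus a second trigger carrying the fix from the last answer (constructed).
SENSOR: Dict[str, Any] = {
    "spec": {
        "triggers": [
            {"template": {"name": "sample-job",
                          "k8s": {"group": "batch", "version": "v1",
                                  "resource": "Job", "operation": "create"}}},
            {"template": {"name": "sample-job-fixed",
                          "k8s": {"group": "batch", "version": "v1",
                                  "resource": "jobs", "operation": "create"}}},
        ]
    }
}


def _matches(allowed: Iterable[str], wanted: str) -> bool:
    """RBAC list matching: "*" matches anything, otherwise exact string."""
    return any(item == "*" or item == wanted for item in allowed)


def role_allows(rules: List[Dict[str, List[str]]],
                api_group: str, resource: str, verb: str) -> bool:
    """True if a single rule grants `verb` on `resource` in `api_group`.

    Resource names are compared as given, so "Job" never matches a rule
    listing "jobs": RBAC rules name resources in lowercase plural form.
    """
    return any(
        _matches(rule.get("apiGroups", []), api_group)
        and _matches(rule.get("resources", []), resource)
        and _matches(rule.get("verbs", []), verb)
        for rule in rules
    )


def trigger_requests(sensor: Dict[str, Any]) -> List[Tuple[str, str, str, str]]:
    """Return (trigger name, group, resource, verb) for each k8s trigger."""
    requests = []
    for trigger in sensor["spec"]["triggers"]:
        template = trigger["template"]
        k8s = template.get("k8s")
        if k8s is None:          # non-k8s triggers (http, nats, ...) are skipped
            continue
        # Assumption: an omitted `operation` means "create".
        verb = k8s.get("operation", "create")
        requests.append((template["name"], k8s.get("group", ""),
                         k8s["resource"], verb))
    return requests


def audit_sensor(sensor: Dict[str, Any],
                 rules: List[Dict[str, List[str]]]) -> Dict[str, bool]:
    """Map each k8s trigger name to whether `rules` would allow it."""
    return {name: role_allows(rules, group, resource, verb)
            for name, group, resource, verb in trigger_requests(sensor)}


if __name__ == "__main__":
    for name, allowed in audit_sensor(SENSOR, ROLE_RULES).items():
        print(f"{name}: {'allowed' if allowed else 'FORBIDDEN'} by sample-role")
    for name, allowed in audit_sensor(SENSOR, WILDCARD_RULES).items():
        print(f"{name}: {'allowed' if allowed else 'FORBIDDEN'} by wildcard role")
```

Running it reports `sample-job` as forbidden and `sample-job-fixed` as allowed by the question's Role, and both as allowed by the wildcard Role. The same check can be run against a live cluster with `kubectl auth can-i --as=system:serviceaccount:samplens:sample-sa create jobs -n samplens`; the point of the offline version is that the resource string in the trigger must be the one RBAC knows, `jobs`, and that widening the Role to `*` hides that mismatch rather than fixing it.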