我正在尝试在我创建的命名空间上创建配额。
这是我的代码:
// newQuotaForUser builds the ResourceQuota object that caps a user's personal
// sandbox. The object is named "personalsandbox" and targets the namespace
// "<cr.Name>-sbx"; it is only constructed here, not submitted, so the caller
// must create that namespace and POST the quota itself. Hard limits are
// fixed at 2 CPU, 12Gi memory and 10Gi of requested storage (resource.MustParse
// only panics on malformed literals, so these constants are safe).
//
// NOTE(review): whoever submits this object needs "create" on resourcequotas
// (core API group) in the target namespace; a namespaced Role bound in the
// operator's own namespace does not cover other users' sandbox namespaces.
func newQuotaForUser(cr *userv1.User) *corev1.ResourceQuota {
	sandboxNamespace := cr.Name + "-sbx"

	quota := &corev1.ResourceQuota{
		ObjectMeta: metav1.ObjectMeta{
			Name:      "personalsandbox",
			Namespace: sandboxNamespace,
			Labels: map[string]string{
				"env":  "sandbox",
				"size": "personalsandbox",
			},
		},
	}

	// Hard limits enforced by the quota controller in the sandbox namespace.
	quota.Spec.Hard = corev1.ResourceList{
		"cpu":              resource.MustParse("2"),
		"memory":           resource.MustParse("12Gi"),
		"requests.storage": resource.MustParse("10Gi"),
	}

	return quota
}
当我在本地运行它并使用管理员帐户登录到 minishift 时,我看到正在创建配额。但是,我正在尝试创建一个具有正确角色和角色绑定的服务帐户来创建配额。
这是我的 role.yaml，我认为它会授予服务帐户创建配额的权限:
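# Cluster-scoped permissions for the onboarding operator.
# A ClusterRole grants nothing on its own: it must be bound to the operator's
# service account. To create ResourceQuotas in every "<user>-sbx" namespace the
# binding has to be a ClusterRoleBinding; a RoleBinding to this ClusterRole
# would confine it to a single namespace.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: onboarding-manager
rules:
  # OpenShift user/group objects (user.openshift.io; the legacy core-group
  # alias is kept for older clusters).
  # NOTE: "attributeRestrictions" is a field of the OpenShift
  # authorization.openshift.io API, not of rbac.authorization.k8s.io/v1, and
  # has been removed.
  - apiGroups:
      - ""
      - user.openshift.io
    resources:
      - groups
      - identities
      - useridentitymappings
      - users
      - users/finalizers
    verbs:
      - get
      - list
      - watch
      - update
      - create
  # ResourceQuota and Namespace are core-group ("") resources. RBAC matches the
  # API plural name only; the kubectl short name "quota" is client-side and
  # matches nothing, so it has been dropped.
  - apiGroups:
      - ""
    resources:
      - namespaces
      - resourcequotas
    verbs:
      - get
      - list
      - create
      - update
      - watch
      - delete
  # apiGroups take the bare group name, never "<group>/<version>".
  # NOTE(review): creating a RoleBinding is subject to the RBAC escalation
  # check — the operator must itself hold every permission the referenced role
  # grants, or hold the "bind" verb on that role; "create" alone is not enough.
  - apiGroups:
      - authorization.openshift.io
      - rbac.authorization.k8s.io
    resources:
      - rolebindings
    verbs:
      - create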
---
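# Namespace-scoped permissions for the operator's own namespace.
# A Role only applies in the namespace where its RoleBinding lives, so none of
# these rules authorise quota creation in other users' "<user>-sbx"
# namespaces; that must come from a cluster-wide binding of the ClusterRole.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: onboarding-manager
rules:
  # NOTE(review): "*" on secrets and the other core resources is broad for a
  # namespace the operator merely runs in; narrow to the verbs actually used
  # once they are known. The short name "quota" is not an RBAC resource and
  # has been dropped (resourcequotas already covers it).
  - apiGroups:
      - ""
    resources:
      - pods
      - services
      - endpoints
      - persistentvolumeclaims
      - events
      - configmaps
      - secrets
      - resourcequotas
    verbs:
      - "*"
  # resourcequotas is a core-group resource; listing it under "apps" matches
  # nothing, so it has been removed from this rule.
  - apiGroups:
      - apps
    resources:
      - deployments
      - daemonsets
      - replicasets
      - statefulsets
    verbs:
      - "*"
  - apiGroups:
      - monitoring.coreos.com
    resources:
      - servicemonitors
    verbs:
      - "get"
      - "create"
  # Scoped by resourceNames to the operator's own Deployment only.
  - apiGroups:
      - apps
    resources:
      - deployments/finalizers
    resourceNames:
      - onboarding-manager
    verbs:
      - "update"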
这是我在日志中看到的(被截断的错误信息；其中 `ownerrules=` 之后列出的看起来是该服务帐户当前实际持有的权限):
Verbs:[\"watch\"]} PolicyRule{APIGroups:[\"build.openshift.io\"], Resources:[\"buildlogs\"], Verbs:[\"create\"]} PolicyRule{APIGroups:[\"build.openshift.io\"], Resources:[\"buildlogs\"], Verbs:[\"delete\"]} PolicyRule{APIGroups:[\"build.openshift.io\"], Resources:[\"buildlogs\"], Verbs:[\"deletecollection\"]} PolicyRule{APIGroups:[\"build.openshift.io\"], Resources:[\"buildlogs\"], Verbs:[\"get\"]} PolicyRule{APIGroups:[\"build.openshift.io\"], Resources:[\"buildlogs\"], Verbs:[\"list\"]} PolicyRule{APIGroups:[\"build.openshift.io\"], Resources:[\"buildlogs\"], Verbs:[\"patch\"]} PolicyRule{APIGroups:[\"build.openshift.io\"], Resources:[\"buildlogs\"], Verbs:[\"update\"]} PolicyRule{APIGroups:[\"build.openshift.io\"], Resources:[\"buildlogs\"], Verbs:[\"watch\"]} PolicyRule{APIGroups:[\"\"], Resources:[\"resourcequotausages\"], Verbs:[\"get\"]} PolicyRule{APIGroups:[\"\"], Resources:[\"resourcequotausages\"], Verbs:[\"list\"]} PolicyRule{APIGroups:[\"\"], Resources:[\"resourcequotausages\"], Verbs:[\"watch\"]} PolicyRule{APIGroups:[\"\"], Resources:[\"resourceaccessreviews\"], Verbs:[\"create\"]} PolicyRule{APIGroups:[\"\"], Resources:[\"subjectaccessreviews\"], Verbs:[\"create\"]} PolicyRule{APIGroups:[\"authorization.openshift.io\"], Resources:[\"resourceaccessreviews\"], Verbs:[\"create\"]} PolicyRule{APIGroups:[\"authorization.openshift.io\"], Resources:[\"subjectaccessreviews\"], Verbs:[\"create\"]}] user=&{system:serviceaccount:onboarding-manager:onboarding-manager a602b37b-f371-11e9-99cd-fe91ac5e87c0 [system:serviceaccounts system:serviceaccounts:onboarding-manager system:authenticated] map[]} ownerrules=[PolicyRule{APIGroups:[\"\" \"user.openshift.io\"], Resources:[\"users\"], ResourceNames:[\"~\"], Verbs:[\"get\"]} PolicyRule{APIGroups:[\"\" \"project.openshift.io\"], Resources:[\"projectrequests\"], Verbs:[\"list\"]} PolicyRule{APIGroups:[\"\" \"authorization.openshift.io\"], Resources:[\"clusterroles\"], Verbs:[\"get\" \"list\"]} 
PolicyRule{APIGroups:[\"rbac.authorization.k8s.io\"]