
I am trying to create a Job from a sensor trigger, but I get the following error:

   Job.batch is forbidden: User \"system:serviceaccount:samplens:sample-sa\" cannot create resource \"Job\" in API group \"batch\" in the namespace \"samplens\"","errorVerbose":"timed out waiting for the condition: Job.batch is forbidden: User \"system:serviceaccount:samplens:sample-sa\" cannot create resource \"Job\" in API group \"batch\" in the namespace \"samplens\"\nfailed to execute trigger\ngithub.com/argoproj/argo-events/sensors.(*SensorContext).triggerOne\n\t/home/jenkins/agent/workspace/argo-events_master/sensors/listener.go:328\ngithub.com/argoproj/argo-events/sensors.(*SensorContext).triggerActions\n\t/home/jenkins/agent/workspace/argo-events_master/sensors/listener.go:269\ngithub.com/argoproj/argo-events/sensors.(*SensorContext).listenEvents.func1.3\n\t/home/jenkins/agent/workspace/argo-events_master/sensors/listener.go:181\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1357","triggerName":"sample-job","triggeredBy":["payload"],"triggeredByEvents":["38333939613965312d376132372d343262302d393032662d663731393035613130303130"],"stacktrace":"github.com/argoproj/argo-events/sensors.(*SensorContext).triggerActions\n\t/home/jenkins/agent/workspace/argo-events_master/sensors/listener.go:271\ngithub.com/argoproj/argo-events/sensors.(*SensorContext).listenEvents.func1.3\n\t/home/jenkins/agent/workspace/argo-events_master/sensors/listener.go:181"}

Even though I have created a ServiceAccount, a Role and a RoleBinding. This is my ServiceAccount creation file:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: sample-sa
  namespace: samplens

This is my rbac.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sample-role
  namespace: samplens
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - create
      - delete
      - get
      - watch
      - patch
  - apiGroups:
      - "batch"
    resources:
      - jobs
    verbs:
      - create
      - delete
      - get
      - watch
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sample-role-binding
  namespace: samplens
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: sample-role
subjects:
  - kind: ServiceAccount
    name: sample-sa
    namespace: samplens

This is my sensor.yaml:

apiVersion: argoproj.io/v1alpha1
kind: Sensor
metadata:
  name: webhook
spec:
  template:
    serviceAccountName: sample-sa
  dependencies:
    - name: payload
      eventSourceName: webhook
      eventName: devops-toolkit
  triggers:
    - template:
        name: sample-job
        k8s:
          group: batch
          version: v1
          resource: Job
          operation: create
          source:
            resource:
              apiVersion: batch/v1
              kind: Job
              metadata:
                name: samplejob-crypto
                annotations:
                  argocd.argoproj.io/hook: PreSync
                  argocd.argoproj.io/hook-delete-policy: HookSucceeded
              spec:
                ttlSecondsAfterFinished: 100
                serviceAccountName: sample-sa
                template:
                  spec:
                    serviceAccountName: sample-sa
                    restartPolicy: OnFailure
                    containers:
                      - name: sample-crypto-job
                        image: docker.artifactory.xxx.com/abc/def/yyz:master-b1b347a

The sensor is triggered correctly, but it fails to create the Job. Can someone help, what am I missing?


2 Answers


Posting this as a community wiki for better visibility, feel free to edit and expand it.

The original issue was resolved by adjusting the Role and granting the `*` verb. That means the argo sensor actually needs more permissions.

This is a valid solution for a test environment, whereas production RBAC should follow the principle of least privilege.

How to test RBAC

There is a kubectl syntax to test whether RBAC (service account + role + role binding) is set up as expected.

Below is an example of how to check whether SERVICE_ACCOUNT_NAME in NAMESPACE can create jobs in the namespace NAMESPACE:

kubectl auth can-i --as=system:serviceaccount:NAMESPACE:SERVICE_ACCOUNT_NAME create jobs -n NAMESPACE

The answer is simply `yes` or `no`.

Useful links:

answered 2021-06-30T12:27:47.660

Just ran into the same issue in argo-events. Hopefully this will be fixed in the near future, or at least get some better documentation.

Change the following value in your sensor.yaml:

spec.triggers[0].template.k8s.resource: jobs

The relevant documentation (at this time) seems to point to some old Kubernetes API v1.13 docs, so I don't know why it needs to be written as the plural "jobs", but this solved the issue for me.

In the example trigger, a Pod is triggered and the value "pods" is used for the same field, which pointed me in the right direction.

answered 2021-07-19T18:02:21.317
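As an added illustration of both answers (this is not code from the question, the answers or the argo-events project), here is a small Python model of how the apiserver's RBAC authorizer matches a request against the question's Role and RoleBinding: the Role grants `create` on the resource `jobs`, so a request that names the resource `Job`, which is what the error message shows, is refused, while a `*` entry matches anything. The matching logic is a simplification of the real authorizer (no ClusterRoles, subresources or aggregation), and the rule and binding data are copied from the question's YAML.

```python
# Role samplens/sample-role and its RoleBinding, as in the question's rbac.yaml.
SAMPLE_ROLE = {
    "namespace": "samplens", "name": "sample-role",
    "rules": [
        {"apiGroups": [""], "resources": ["pods"],
         "verbs": ["create", "delete", "get", "watch", "patch"]},
        {"apiGroups": ["batch"], "resources": ["jobs"],
         "verbs": ["create", "delete", "get", "watch", "patch"]},
    ],
}
SAMPLE_BINDING = {
    "namespace": "samplens", "roleRef": "sample-role",
    "subjects": [{"kind": "ServiceAccount", "name": "sample-sa", "namespace": "samplens"}],
}

def sa_username(namespace, name):
    """Username the apiserver derives from a ServiceAccount token (as in the error)."""
    return f"system:serviceaccount:{namespace}:{name}"

def _match(wanted, allowed):
    """RBAC list matching: '*' is a wildcard, anything else is an exact,
    case-sensitive string compare, so 'Job' does not match 'jobs'."""
    return "*" in allowed or wanted in allowed

def rule_allows(rule, verb, api_group, resource):
    """One PolicyRule must match verb, apiGroup and resource at the same time."""
    return (_match(verb, rule["verbs"]) and _match(api_group, rule["apiGroups"])
            and _match(resource, rule["resources"]))

def can_i(user, namespace, verb, api_group, resource, roles, bindings):
    """Allow iff a RoleBinding in `namespace` lists `user` as a subject and the
    Role it references has a matching rule. RBAC has no deny rules, and a Role
    only grants inside its own namespace (simplified apiserver logic)."""
    for binding in bindings:
        if binding["namespace"] != namespace:
            continue
        if not any(s["kind"] == "ServiceAccount"
                   and sa_username(s["namespace"], s["name"]) == user
                   for s in binding["subjects"]):
            continue
        role = next((r for r in roles if r["namespace"] == namespace
                     and r["name"] == binding["roleRef"]), None)
        if role and any(rule_allows(r, verb, api_group, resource) for r in role["rules"]):
            return True
    return False

if __name__ == "__main__":
    me = sa_username("samplens", "sample-sa")
    for req in [("create", "batch", "jobs"), ("create", "batch", "Job")]:
        print(req, can_i(me, "samplens", *req, [SAMPLE_ROLE], [SAMPLE_BINDING]))
```

The same three questions (who, where, what) are what `kubectl auth can-i --as=system:serviceaccount:samplens:sample-sa create jobs -n samplens` asks the real apiserver.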