
I want to create a Kubernetes CronJob that deletes resources (Namespace, ClusterRole, ClusterRoleBinding) which may have been left behind. Initially the criteria will be "has label=something" and "is older than 30 minutes". (Each namespace contains a test run.)

I created the CronJob, ServiceAccount, ClusterRole and ClusterRoleBinding, and assigned the service account to the cronjob's pod.

The cronjob uses an image that contains kubectl plus some scripting to select the right resources.

My first draft looks like this:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-app
  namespace: default
  labels:
    app: my-app

---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: my-app
  namespace: default
  labels:
    app: my-app
spec:
  concurrencyPolicy: Forbid
  schedule: "*/1 * * * *"
  jobTemplate:
    # job spec
    spec:
      template:
        # pod spec
        spec:
          serviceAccountName: my-app
          restartPolicy: Never
          containers:
          - name: my-app
            image: image-with-kubectl
            env:
            - name: MINIMUM_AGE_MINUTES
              value: '2'
            command: [sh, -c]
            args:
            # final script is more complex than this
            - |
              kubectl get namespaces
              kubectl get clusterroles
              kubectl get clusterrolebindings
              kubectl delete Namespace,ClusterRole,ClusterRoleBinding --all-namespaces --selector=bla=true

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-app
  labels:
    app: my-app
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-app
subjects:
  - kind: ServiceAccount
    name: my-app
    namespace: default
    apiGroup: ""

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: my-app
  labels:
    app: my-app
rules:
  - apiGroups: [""]
    resources:
      - namespaces
      - clusterroles
      - clusterrolebindings
    verbs: [list, delete]

The cronjob is able to list and delete namespaces, but not cluster roles or cluster role bindings. What am I missing?

(Actually, I am testing this with a Job first before moving to a CronJob):

NAME              STATUS   AGE
cattle-system     Active   16d
default           Active   16d
fleet-system      Active   16d
gitlab-runner     Active   7d6h
ingress-nginx     Active   16d
kube-node-lease   Active   16d
kube-public       Active   16d
kube-system       Active   16d
security-scan     Active   16d
Error from server (Forbidden): clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:default:my-app" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
Error from server (Forbidden): clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:default:my-app" cannot list resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
Error from server (Forbidden): clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:default:my-app" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
Error from server (Forbidden): clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:default:my-app" cannot list resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope

1 Answer

You need to change the ClusterRole like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: my-app
  labels:
    app: my-app
rules:
  - apiGroups: [""]
    resources:
      - namespaces
    verbs: [list, delete]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources:
      - clusterroles
      - clusterrolebindings
    verbs: [list, delete]

The resources are now in the correct apiGroup.

answered 2022-01-07T18:39:03.717
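To see why the first ClusterRole fails and the corrected one works without touching a cluster, here is an added example (not code from the question or the answer) that replays the rule matching Kubernetes RBAC applies to a ClusterRole: a request is allowed when any rule matches its verb, API group and resource, with "*" as a wildcard (resourceNames and subresources are ignored here). The two rule sets are transcribed from the question's ClusterRole and the answer's corrected one; the mapping of resource to API group is the one that the Forbidden errors above spell out.

```python
"""Offline replay of ClusterRole rule matching.

Added example, not part of the original question or answer.  It reproduces the
rule-matching semantics Kubernetes RBAC uses (verb, apiGroup and resource must
all match a single rule; "*" is a wildcard).  resourceNames and subresources
are deliberately not modelled.
"""
from typing import Dict, Iterable, List

# ClusterRole from the question: every resource listed under the core group "".
BROKEN_RULES = [
    {"apiGroups": [""],
     "resources": ["namespaces", "clusterroles", "clusterrolebindings"],
     "verbs": ["list", "delete"]},
]

# ClusterRole from the answer: RBAC resources moved to their own API group.
FIXED_RULES = [
    {"apiGroups": [""],
     "resources": ["namespaces"],
     "verbs": ["list", "delete"]},
    {"apiGroups": ["rbac.authorization.k8s.io"],
     "resources": ["clusterroles", "clusterrolebindings"],
     "verbs": ["list", "delete"]},
]

# Resource -> API group for what the cleanup job touches.  Namespaces are a
# core-group ("") resource; ClusterRole and ClusterRoleBinding are served from
# rbac.authorization.k8s.io, exactly as the Forbidden messages say.
RESOURCE_GROUPS: Dict[str, str] = {
    "namespaces": "",
    "clusterroles": "rbac.authorization.k8s.io",
    "clusterrolebindings": "rbac.authorization.k8s.io",
}


def _matches(wanted: str, allowed: Iterable[str]) -> bool:
    """A rule field matches if it names the value or contains the wildcard."""
    allowed = list(allowed)
    return "*" in allowed or wanted in allowed


def rule_allows(rule: dict, verb: str, api_group: str, resource: str) -> bool:
    """All three fields of one rule must match the request."""
    return (_matches(verb, rule.get("verbs", []))
            and _matches(api_group, rule.get("apiGroups", []))
            and _matches(resource, rule.get("resources", [])))


def can_i(rules: List[dict], verb: str, api_group: str, resource: str) -> bool:
    """RBAC is purely additive: any matching rule grants the request."""
    return any(rule_allows(r, verb, api_group, resource) for r in rules)


def forbidden_requests(rules: List[dict], verbs=("list", "delete")) -> List[str]:
    """Return 'verb resource.group' strings the job needs but the rules deny."""
    denied = []
    for resource, group in RESOURCE_GROUPS.items():
        for verb in verbs:
            if not can_i(rules, verb, group, resource):
                denied.append(f"{verb} {resource}" + (f".{group}" if group else ""))
    return denied


if __name__ == "__main__":
    for name, rules in (("question", BROKEN_RULES), ("answer", FIXED_RULES)):
        print(f"{name} ClusterRole denies: {forbidden_requests(rules) or 'nothing'}")
```

The Forbidden message itself tells you which apiGroup to grant: `clusterroles.rbac.authorization.k8s.io` is resource `clusterroles` in group `rbac.authorization.k8s.io`, so a rule with `apiGroups: [""]` can never match it. On a live cluster the authoritative check is `kubectl auth can-i list clusterroles --as=system:serviceaccount:default:my-app`. Note also that RBAC cannot restrict a verb to a label selector: this ClusterRole lets the job delete any ClusterRoleBinding in the cluster, and the `--selector=bla=true` in the script is the only thing keeping it on target.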