如何在 Kubernetes 的另一个命名空间中部署部署？

Question

我正在使用部署在 Kubernetes 上的 Jenkins。 Jenkins pod 部署在“kubernetes-plugin”命名空间中，并使用服务帐户“jenkins”，定义如下：

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: jenkins
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins
subjects:
- kind: ServiceAccount
  name: jenkins

但是当我在jenkins管道中使用kubectl apply -f web-api-deploy.yaml -n default时，报如下错误：

deployments.extensions "news-app-web-api-dev" is forbidden: User "system:serviceaccount:kubernetes-plugin:jenkins" cannot get deployments.extensions in the namespace "default"

这意味着：在命名空间“kubernetes-plugin”中使用服务帐户“jenkins”时，您不能在命名空间“default”上部署

那么有没有办法在另一个命名空间中部署部署？如何。

Answer 1

那么有没有办法在另一个命名空间中部署部署？如何。

如果我没记错的话，this github project 提供了在不同命名空间中运行的步骤。这一切都归结为：

您需要在不同的命名空间中创建 ServiceAccount、Role 和 RoleBinding，并按照文档中的说明使用它。这是相关部分：

Ensure you create the namespaces and roles with the following commands,
then run the tests in namespace kubernetes-plugin with the service account
jenkins (edit src/test/kubernetes/service-account.yml to use a different 
service account)

kubectl create namespace kubernetes-plugin-test
kubectl create namespace kubernetes-plugin-test-overridden-namespace
kubectl create namespace kubernetes-plugin-test-overridden-namespace2
kubectl apply -n kubernetes-plugin-test -f src/main/kubernetes/service-account.yml
kubectl apply -n kubernetes-plugin-test-overridden-namespace -f src/main/kubernetes/service-account.yml
kubectl apply -n kubernetes-plugin-test-overridden-namespace2 -f src/main/kubernetes/service-account.yml
kubectl apply -n kubernetes-plugin-test -f src/test/kubernetes/service-account.yml
kubectl apply -n kubernetes-plugin-test-overridden-namespace -f src/test/kubernetes/service-account.yml
kubectl apply -n kubernetes-plugin-test-overridden-namespace2 -f src/test/kubernetes/service-account.yml

同样适用于您的情况是在默认命名空间中创建新的 Role 和 RoleBinding，并从 kubernetes-plugin 命名空间引用 jenkins ServiceAccount，如下所示：

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: role-jenkins-default
  namespace: default
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: roleb-jenkins-default
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: role-jenkins-default
subjects:
- kind: ServiceAccount
  name: jenkins
  namespace: kubernetes-plugin

请注意，为清楚起见，在名称中添加了 role- 和 roleb- 前缀以及 -deault 后缀。明确列出命名空间 default 也是如此，以便于记账和清晰。

此更改应该可以解决您问题中提到的错误。