【Question title】: Cannot list or delete ClusterRole or ClusterRoleBinding with a Kubernetes ServiceAccount
【Posted】: 2022-01-08 02:39:03
【Question】:

I want to create a Kubernetes CronJob that deletes possibly leftover resources (namespaces, ClusterRoles, ClusterRoleBindings). Initially the criteria will be "has label=something" and "older than 30 minutes". (Each namespace contains the resources of one test run.)

I created the CronJob, ServiceAccount, ClusterRole and ClusterRoleBinding, and assigned the service account to the cronjob's pod.

The cronjob uses an image containing kubectl plus some scripts to select the right resources.

My first draft looks like this:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-app
  namespace: default
  labels:
    app: my-app

---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: my-app
  namespace: default
  labels:
    app: my-app
spec:
  concurrencyPolicy: Forbid
  schedule: "*/1 * * * *"
  jobTemplate:
    # job spec
    spec:
      template:
        # pod spec
        spec:
          serviceAccountName: my-app
          restartPolicy: Never
          containers:
          - name: my-app
            image: image-with-kubectl
            env:
            - name: MINIMUM_AGE_MINUTES
              value: '2'
            command: [sh, -c]
            args:
            # final script is more complex than this
            - |
              kubectl get namespaces
              kubectl get clusterroles
              kubectl get clusterrolebindings
              kubectl delete Namespace,ClusterRole,ClusterRoleBinding --all-namespaces --selector=bla=true

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-app
  labels:
    app: my-app
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-app
subjects:
  - kind: ServiceAccount
    name: my-app
    namespace: default
    apiGroup: ""

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: my-app
  labels:
    app: my-app
rules:
  - apiGroups: [""]
    resources:
      - namespaces
      - clusterroles
      - clusterrolebindings
    verbs: [list, delete]

The cronjob is able to list and delete namespaces, but it cannot list or delete cluster roles or cluster role bindings. What am I missing?

(Actually, I test with a Job first and then move to a CronJob):

NAME              STATUS   AGE
cattle-system     Active   16d
default           Active   16d
fleet-system      Active   16d
gitlab-runner     Active   7d6h
ingress-nginx     Active   16d
kube-node-lease   Active   16d
kube-public       Active   16d
kube-system       Active   16d
security-scan     Active   16d
Error from server (Forbidden): clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:default:my-app" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
Error from server (Forbidden): clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:default:my-app" cannot list resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
Error from server (Forbidden): clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:default:my-app" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
Error from server (Forbidden): clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:default:my-app" cannot list resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope

【Discussion】:

  • Which version of Kubernetes are you using, and how did you set up the cluster? Is it a bare-metal install or a cloud provider? This matters for reproducing your problem.

Tags: kubernetes kubernetes-rbac k8s-serviceaccount


【Solution 1】:

You need to change your ClusterRole like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: my-app
  labels:
    app: my-app
rules:
  - apiGroups: [""]
    resources:
      - namespaces
    verbs: [list, delete]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources:
      - clusterroles
      - clusterrolebindings
    verbs: [list, delete]

The resources are now in the correct apiGroup.

【Discussion】:

  • Worked like a charm, thanks!
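To see why the original rules fail while the answer's version works, here is an added example (not code from the question or the answer) that models the RBAC authorizer's rule matching offline: the two rule sets are transcribed from the YAML above, and the matching logic (exact match or "*" on verb, apiGroup and resource, all three required) mirrors the documented PolicyRule semantics.

```python
# Added example: offline model of how the RBAC authorizer matches a PolicyRule.
# A request is allowed only if ONE rule matches verb AND apiGroup AND resource;
# a resource name listed under the wrong group grants nothing.
CORE = ""                          # the core API group is spelled ""
RBAC = "rbac.authorization.k8s.io"

# Rules as written in the question: everything under the core group.
ORIGINAL_RULES = [
    {"apiGroups": [CORE],
     "resources": ["namespaces", "clusterroles", "clusterrolebindings"],
     "verbs": ["list", "delete"]},
]
# Rules from the accepted answer: RBAC resources moved to their own group.
FIXED_RULES = [
    {"apiGroups": [CORE], "resources": ["namespaces"],
     "verbs": ["list", "delete"]},
    {"apiGroups": [RBAC], "resources": ["clusterroles", "clusterrolebindings"],
     "verbs": ["list", "delete"]},
]

def _matches(allowed, wanted):
    """A rule field matches on exact value or on the wildcard "*"."""
    return "*" in allowed or wanted in allowed

def rule_allows(rule, verb, group, resource):
    return (_matches(rule["verbs"], verb)
            and _matches(rule["apiGroups"], group)
            and _matches(rule["resources"], resource))

def is_allowed(rules, verb, group, resource):
    """True if any rule in the role grants `verb` on group/resource."""
    return any(rule_allows(r, verb, group, resource) for r in rules)

# The requests the CronJob script issues (kubectl get = list, delete = delete).
REQUESTS = [
    ("list", CORE, "namespaces"), ("delete", CORE, "namespaces"),
    ("list", RBAC, "clusterroles"), ("delete", RBAC, "clusterroles"),
    ("list", RBAC, "clusterrolebindings"), ("delete", RBAC, "clusterrolebindings"),
]

def denied_requests(rules):
    """Return the (verb, group, resource) triples the role does NOT cover."""
    return [req for req in REQUESTS if not is_allowed(rules, *req)]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        for verb, group, resource in denied_requests(rules):
            print(f"{name} role: cannot {verb} {resource} in API group {group!r}")
```

Against a live cluster, the same check without creating the Job is `kubectl auth can-i list clusterroles --as=system:serviceaccount:default:my-app`, which answers exactly the question the apiserver errors above are reporting on.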