我正在寻找一种解决方案,允许用户回滚部署的先前版本,而无权修改部署(图像,环境变量,策略等)。
我正在尝试为将只使用CICD Pipelines部署新版本的开发人员创建角色,但是我希望他们能够在必要时返回。
当前的角色尤其是:
- apiGroups:
- ""
- apps.openshift.io
attributeRestrictions: null
resources:
- deploymentconfigs
verbs:
- get
- list
- watch
- apiGroups:
- ""
- apps.openshift.io
attributeRestrictions: null
resources:
- deploymentconfigs/scale
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
- apps.openshift.io
attributeRestrictions: null
resources:
- deploymentconfigrollbacks
- deploymentconfigs/instantiate
- deploymentconfigs/rollback
verbs:
- create
- apiGroups:
- ""
- apps.openshift.io
attributeRestrictions: null
resources:
- deploymentconfigs/log
- deploymentconfigs/status
verbs:
- get
- list
- watch
我收到以下错误:
$ oc rollback DC_NAME --to-version=19
Error from server (Forbidden): deploymentconfigs.apps.openshift.io "DC_NAME" is forbidden: User "foo" cannot update deploymentconfigs.apps.openshift.io in the namespace "NAMESPACE_NAME": User "foo" cannot update deploymentconfigs.apps.openshift.io in project "NAMESPACE_NAME"
或
$ oc rollout undo dc DC_NAME --to-revision=19
Error from server (Forbidden): deploymentconfigs.apps.openshift.io "DC_NAME" is forbidden: User "foo" cannot update deploymentconfigs.apps.openshift.io in the namespace "NAMESPACE_NAME": User "foo" cannot update deploymentconfigs.apps.openshift.io in project "NAMESPACE_NAME"
如果我将动词“ update”添加到资源“ deploymentconfigs”中,则没有任何错误,但是开发人员可以修改部署。
你有什么主意吗?
谢谢
答案 0 :(得分:1)
登录Openshift的用户具有哪个访问级别?
首先,您需要使用下面的命令进行咨询:
oc get rolebindings | grep your-username
您需要具有 edit 或 admin 等角色级别的用户才能运行回滚命令。