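Jenkins runs as a pod in a private GKE cluster. Currently, when running a deployment with Helm, the following error occurs.
User "system:serviceaccount:jenkins:jenkins" cannot list resource "pods" in API group "" in the namespace "kube-system"
The command used for the deployment is:
helm install --values=/values_env.yaml --name / --set image.repository= --set image.tag= --namespace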
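Answer 0 (score: 0)
The service account jenkins does not have the privileges to list pods in kube-system. You have to create Roles with these privileges and bind them to the jenkins service account with a ClusterRoleBinding / RoleBinding.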
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22;
# v1 uses the same schema for these objects.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jenkins
rules:
  # Core API group ("") resources
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
    verbs:
      - get
      - list
      - watch
      - create
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
      - update
      - create
  # Covers the "list pods" call from the error message
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - delete
      - list
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - list
      - watch
      - get
  - apiGroups:
      - "extensions"
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - apps
      - extensions
    resources:
      - deployments
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
---
# A ClusterRoleBinding grants the rules above in every namespace
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jenkins
subjects:
  - kind: ServiceAccount
    name: jenkins
    namespace: jenkins
roleRef:
  kind: ClusterRole
  name: jenkins
  apiGroup: rbac.authorization.k8s.io
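
A narrower alternative to the cluster-wide binding, added here as an example that is not part of the original answer: a namespaced Role that grants only what the failing call needs. It assumes Helm 2 with Tiller running in kube-system (suggested by the `--name` flag and the pod listing in kube-system); the name `helm-tiller-client` is hypothetical.

```yaml
# Added example, not from the original answer.
# Assumption: Helm 2 client talking to Tiller in kube-system.
# "helm-tiller-client" is a hypothetical name.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: helm-tiller-client
  namespace: kube-system          # scoped to the namespace from the error
rules:
  # The Helm 2 client lists pods to locate the Tiller pod
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list"]
  # and then opens a port-forward to that pod
  - apiGroups: [""]
    resources: ["pods/portforward"]
    verbs: ["create"]
---
# RoleBinding (not ClusterRoleBinding): the grant applies in kube-system only
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: helm-tiller-client
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: jenkins
    namespace: jenkins
roleRef:
  kind: Role
  name: helm-tiller-client
  apiGroup: rbac.authorization.k8s.io
# Check the effective permissions from an admin context:
#   kubectl auth can-i list pods   -n kube-system --as=system:serviceaccount:jenkins:jenkins
#   kubectl auth can-i get secrets -n kube-system --as=system:serviceaccount:jenkins:jenkins
```

Port-forward access to Tiller lets the caller act with Tiller's own service-account permissions, so Tiller's binding is what bounds what a Jenkins job can deploy.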