在Kubernetes中为运行kubectl的Cronjob设置RBAC

时间:2019-10-09 03:43:40

标签: kubernetes kubectl 

➜  ~ kubectl version
Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.3", GitCommit:"2d3c76f9091b6bec110a5e63777c332469e0cba2", GitTreeState:"clean", BuildDate:"2019-08-19T11:13:54Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.10", GitCommit:"e3c134023df5dea457638b614ee17ef234dc34a6", GitTreeState:"clean", BuildDate:"2019-07-08T03:40:54Z", GoVersion:"go1.10.8", Compiler:"gc", Platform:"linux/amd64"}

我正在尝试从Cronjob运行kubectl来更改部署中的pod数量。

我按照https://stackoverflow.com/a/54908449/3477266

的建议创建了Cronjob及其角色 
apiVersion: v1
kind: ServiceAccount
metadata:
  name: scheduled-autoscaler-service-account
  namespace: default

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: scheduler-autoscaler-role
rules:
- apiGroups:
  - extensions
  - apps
  resources:
  - deployments
  verbs:
  - patch
  - get
  - list

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: schedule-autoscaler-role-binding
subjects:
- kind: ServiceAccount
  name: scheduled-autoscaler-service-account
  namespace: default
roleRef:
  kind: Role
  name: schedule-autoscaler-role
  apiGroup: ""

---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: adwords-api-scale-up-cron-job
spec:
  schedule: "*/2 * * * *"
  jobTemplate:
    spec:
      activeDeadlineSeconds: 100
      template:
        spec:
          serviceAccountName: scheduled-autoscaler-service-account
          containers:
          - name: adwords-api-scale-up-container
            image: bitnami/kubectl:1.15-debian-9
            command:
              - bash
            args:
              - "-xc"
              - |
                kubectl scale --replicas=2 --v=7 
deployment/adwords-api-deployment
          restartPolicy: OnFailure

但是在运行此作业的广告连播中出现以下错误:

  

来自服务器的错误(禁止):deployments.extensions禁止“ adwords-api-deployment”:用户“ system:serviceaccount:default:scheduled-autoscaler-service-account”无法在API组“扩展名”中获取资源“ deployments”在“默认”命名空间中

我该如何调试问题所在?在我看来,我已经赋予了它在邮件中抱怨的所有权限,但仍然无法正常工作。

预先感谢

更新: 我解决了我的问题。在RoleBinding中定义角色时,这只是角色名称中的错字。那里的名字有误。

但是,只有在得知我可以使用以下命令检查权限后,我才能发现这一点:

kubectl auth can-i list deployment --as=system:serviceaccount:default:scheduled-autoscaler-service-account -n default

我认为这可能更复杂,也许是由于缺乏Kubernetes的经验。

2 个答案:

答案 0 :(得分:0)

我认为您不能在绑定中将apiGroup留空。尝试apiGroup: rbac.authorization.k8s.io吗?

答案 1 :(得分:0)

您可能必须在相应的Job模板中为kubectl二进制文件提供来自源k8s集群主机的特定kubeconfig文件,以便建立与目标k8s集群的连接从相关的Pod中确定有关群集,AuthenticationAuthorization机制的足够信息。

我一直在对原始CronJob配置进行一些调整,设法添加hostPath卷安装,将源k8s主机kubeconfig的路径映射为$HOME/.kube作业发布的Pod:

apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: adwords-api-scale-up-cron-job
spec:
  schedule: "*/2 * * * *"
  jobTemplate:
    spec:
      activeDeadlineSeconds: 100
      template:
        spec:
          serviceAccountName: scheduled-autoscaler-service-account
          containers:
          - name: adwords-api-scale-up-container
            image: bitnami/kubectl:1.15-debian-9
            command:
              - bash
            args:
              - "-xc"
              - |
                kubectl scale --replicas=2 --v=7 deployment/adwords-api-deployment
            volumeMounts:
            - name: kubectl-config
              mountPath: /.kube/
              readOnly: true
          volumes:
          - name: kubectl-config
            hostPath:
              path: $HOME/.kube # Replace $HOME with an evident path location
          restartPolicy: OnFailure

我检查了您授予的RBAC条规则,这些规则很好,同时在与我的环境类似的情况下重现了您的问题。

相关问题
最新问题