What role permissions are required to support "rollout undo"?

I am trying to set up a role for our CI/CD server that can support rolling back failed deployments. The current permissions are for updating deployments and related resources and watching their status, but when I try to run e.g. "kubectl rollout undo deployment/admin" as the CI user, I get the error:

error: failed to retrieve replica sets from deployment admin: replicasets.apps is forbidden: User "ci-admin" cannot list resource "replicasets" in API group "apps" in the namespace "acceptance"

Here is the original role config:

# Server role that allows CI to push application deployments to Kubernetes
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployment-role
  namespace: acceptance
rules:
  - apiGroups: ["*"]
    resources: ["deployments"]
    resourceNames: ["admin", "backend", "web"]
    verbs: ["patch", "update", "watch"]
  - apiGroups: ["*"]
    resources: ["deployments"]
    verbs: ["get", "list"]
  - apiGroups: ["*"]
    resources: ["configmaps"]
    resourceNames: ["admin-fluent-bit-config", "backend-fluent-bit-config", "web-fluent-bit-config"]
    verbs: ["patch", "update", "watch"]
  - apiGroups: ["*"]
    resources: ["configmaps"]
    verbs: ["get", "list"]
  - apiGroups: ["*"]
    resources: ["horizontalpodautoscalers"]
    resourceNames: ["backend"]
    verbs: ["delete", "patch", "update"]
  - apiGroups: ["*"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["create", "get", "list"]
  - apiGroups: ["*"]
    resources: ["events", "pods", "pods/log"]
    verbs: ["get", "list"]

I tried adding permission to get and list replica sets to fix the error:

  - apiGroups: ["*"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list"]

But I still get the same error as before.

The Kubernetes documentation is no help at all, since there does not seem to be a complete list of the permissions required for any given command. Only a handful of examples.

Can anyone tell me what permissions are needed for a rollback?

As mentioned by @ForgetfulFellow, you must add extensions and apps to apiGroups.

Also, you must add replicasets to the resources field, because without it you will get the following error:

error: failed to retrieve replica sets from deployment sample-deploy: replicasets.apps is forbidden: User "user" cannot list resource "replicasets" in API group "apps" in the namespace "acceptance"
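An offline way to see why the original Role fails for "rollout undo" and why adding a replicasets rule fixes it. This is an added example, not code from the question or the answer: the rules are copied from the Role above as Python literals (abridged to the deployment and pod rules), and the list of permissions "rollout undo" needs is an assumption drawn from the error message on this page (list replicasets) plus reading and patching the deployment.

```python
"""Offline check: does a Kubernetes Role grant what `kubectl rollout undo` needs?"""

# Rules copied from the Role in the question (constructed as Python literals so
# no YAML parser is needed; the configmap and HPA rules are omitted for brevity).
# A rule without resourceNames applies to every object of that resource.
DEPLOYMENT_ROLE_RULES = [
    {"apiGroups": ["*"], "resources": ["deployments"],
     "resourceNames": ["admin", "backend", "web"], "verbs": ["patch", "update", "watch"]},
    {"apiGroups": ["*"], "resources": ["deployments"], "verbs": ["get", "list"]},
    {"apiGroups": ["*"], "resources": ["events", "pods", "pods/log"], "verbs": ["get", "list"]},
]

# Same Role plus the replicasets rule the answer recommends.
FIXED_RULES = DEPLOYMENT_ROLE_RULES + [
    {"apiGroups": ["apps"], "resources": ["replicasets"], "verbs": ["get", "list"]},
]

# Assumed needs of `rollout undo deployment/admin`: (apiGroup, resource, verb, objectName).
# `list` is not name-scoped, so its object name is empty.
ROLLOUT_UNDO_NEEDS = [
    ("apps", "deployments", "get", "admin"),
    ("apps", "replicasets", "list", ""),
    ("apps", "deployments", "patch", "admin"),
]


def rule_allows(rule, group, resource, verb, name):
    """Mirror RBAC matching: '*' is a wildcard for apiGroups, resources and verbs;
    resourceNames, when present, restricts the rule to those object names, which
    means a name-restricted rule never satisfies an unnamed request such as list."""
    if "*" not in rule["apiGroups"] and group not in rule["apiGroups"]:
        return False
    if "*" not in rule["resources"] and resource not in rule["resources"]:
        return False
    if "*" not in rule["verbs"] and verb not in rule["verbs"]:
        return False
    names = rule.get("resourceNames")
    if names and name not in names:
        return False
    return True


def missing_permissions(rules, needs=ROLLOUT_UNDO_NEEDS):
    """Return the (group, resource, verb, name) tuples that no rule grants."""
    return [need for need in needs if not any(rule_allows(r, *need) for r in rules)]


if __name__ == "__main__":
    print("original role lacks:", missing_permissions(DEPLOYMENT_ROLE_RULES))
    print("fixed role lacks:   ", missing_permissions(FIXED_RULES))
```

Against a live cluster the equivalent check is `kubectl auth can-i list replicasets.apps -n acceptance --as ci-admin`, run after confirming with `kubectl config current-context` that you are pointed at the intended cluster.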

I tried again this morning and it worked as originally written.

My best guess about what happened is that CI was actually running against another cluster at the time. Our client migrated the acceptance environment to a new AWS account in September but did not fully clean up the old environment until mid-October. When I changed the role in the new cluster from my dev box, the CI server must still have been using the old cluster's context, and I did not notice because they both have the same name. :/

Sorry for the false alarm.