支持“推出撤消”需要哪些角色权限?
What role permissions are required to support “rollout undo”?
我正在尝试为我们的 CI/CD 服务器设置一个可以支持回滚失败部署的角色。当前权限用于更新部署和相关资源并监视它们的状态,但是当我尝试 运行 例如“kubectl rollout undo deployment/admin”作为 CI 用户时,我得到了错误:
error: failed to retrieve replica sets from deployment admin: replicasets.apps is forbidden: User "ci-admin" cannot list resource "replicasets" in API group "apps" in the namespace "acceptance"
这是原来的角色配置:
# Server role that allows CI to push application deployments to Kubernetes
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: deployment-role
namespace: acceptance
rules:
- apiGroups: ["*"]
resources: ["deployments"]
resourceNames: ["admin", "backend", "web"]
verbs: ["patch", "update", "watch"]
- apiGroups: ["*"]
resources: ["deployments"]
verbs: ["get", "list"]
- apiGroups: ["*"]
resources: ["configmaps"]
resourceNames: ["admin-fluent-bit-config", "backend-fluent-bit-config", "web-fluent-bit-config"]
verbs: ["patch", "update", "watch"]
- apiGroups: ["*"]
resources: ["configmaps"]
verbs: ["get", "list"]
- apiGroups: ["*"]
resources: ["horizontalpodautoscalers"]
resourceNames: ["backend"]
verbs: ["delete", "patch", "update"]
- apiGroups: ["*"]
resources: ["horizontalpodautoscalers"]
verbs: ["create", "get", "list"]
- apiGroups: ["*"]
resources: ["events", "pods", "pods/log"]
verbs: ["get", "list"]
我试图添加获取和列出副本集的权限以解决错误:
- apiGroups: ["*"]
resources: ["deployments", "replicasets"]
verbs: ["get", "list"]
但我仍然遇到与以前相同的错误。
Kubernetes 文档根本没有帮助,因为似乎没有任何给定命令所需权限的完整列表。只有少数例子。
谁能告诉我回滚需要什么权限?
如@ForgetfulFellow 所述,您必须在 apiGroups.
中添加 extensions、apps
此外,您必须在 resources 字段中添加 replicasets,因为如果没有它,您将收到以下错误:
error: failed to retrieve replica sets from deployment sample-deploy: replicasets.apps is forbidden: User "user" cannot list resource "replicasets" in API group "apps" in the namespace "acceptance"
今天早上我又试了一次,它就像最初写的那样有效。
我对发生的事情的最佳猜测是 CI 当时实际上 运行 在另一个集群上。我们的客户在 9 月份将验收环境迁移到了一个新的 AWS 账户,但直到 mid-October 才完全清理旧环境。当我从我的开发箱更改新集群中的角色时,CI 服务器一定仍在使用旧集群的上下文,我没有注意到它,因为它们都有相同的名称. :/
抱歉误报。
我正在尝试为我们的 CI/CD 服务器设置一个可以支持回滚失败部署的角色。当前权限用于更新部署和相关资源并监视它们的状态,但是当我尝试 运行 例如“kubectl rollout undo deployment/admin”作为 CI 用户时,我得到了错误:
error: failed to retrieve replica sets from deployment admin: replicasets.apps is forbidden: User "ci-admin" cannot list resource "replicasets" in API group "apps" in the namespace "acceptance"
这是原来的角色配置:
# Server role that allows CI to push application deployments to Kubernetes
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: deployment-role
namespace: acceptance
rules:
- apiGroups: ["*"]
resources: ["deployments"]
resourceNames: ["admin", "backend", "web"]
verbs: ["patch", "update", "watch"]
- apiGroups: ["*"]
resources: ["deployments"]
verbs: ["get", "list"]
- apiGroups: ["*"]
resources: ["configmaps"]
resourceNames: ["admin-fluent-bit-config", "backend-fluent-bit-config", "web-fluent-bit-config"]
verbs: ["patch", "update", "watch"]
- apiGroups: ["*"]
resources: ["configmaps"]
verbs: ["get", "list"]
- apiGroups: ["*"]
resources: ["horizontalpodautoscalers"]
resourceNames: ["backend"]
verbs: ["delete", "patch", "update"]
- apiGroups: ["*"]
resources: ["horizontalpodautoscalers"]
verbs: ["create", "get", "list"]
- apiGroups: ["*"]
resources: ["events", "pods", "pods/log"]
verbs: ["get", "list"]
我试图添加获取和列出副本集的权限以解决错误:
- apiGroups: ["*"]
resources: ["deployments", "replicasets"]
verbs: ["get", "list"]
但我仍然遇到与以前相同的错误。
Kubernetes 文档根本没有帮助,因为似乎没有任何给定命令所需权限的完整列表。只有少数例子。
谁能告诉我回滚需要什么权限?
如@ForgetfulFellow 所述,您必须在 apiGroups.
extensions、apps
此外,您必须在 resources 字段中添加 replicasets,因为如果没有它,您将收到以下错误:
error: failed to retrieve replica sets from deployment sample-deploy: replicasets.apps is forbidden: User "user" cannot list resource "replicasets" in API group "apps" in the namespace "acceptance"
今天早上我又试了一次,它就像最初写的那样有效。
我对发生的事情的最佳猜测是 CI 当时实际上 运行 在另一个集群上。我们的客户在 9 月份将验收环境迁移到了一个新的 AWS 账户,但直到 mid-October 才完全清理旧环境。当我从我的开发箱更改新集群中的角色时,CI 服务器一定仍在使用旧集群的上下文,我没有注意到它,因为它们都有相同的名称. :/
抱歉误报。