如何在 Kubebuilder 中为不同类型的资源将 RBAC 角色添加到控制器

How to add RBAC roles to a Controller for a different kind of resource in Kubebuilder

我正在使用 Kubebuilder 创建一个新的 Operator,以部署 Kubernetes 控制器来管理新的 CRD 自定义资源定义。

这个新的 CRD(假设称为 MyNewResource)需要 list/create/delete CronJobs。

因此,在定义了 Reconcile(...) 方法的 Controller Go 代码中,我添加了一个新的 RBAC 注释,以允许在 CronJobs 上进行协调(参见 here):

//+kubebuilder:rbac:groups=batch,resources=cronjobs,verbs=get;list;watch;create;update;patch;delete

然而,在构建推送和部署 Docker/Kubernetes 控制器(回购 myrepomake manifests、然后 make install、然后 make docker-build docker-push、然后 make deploy),然后在日志中我仍然看到:

E0111 09:35:18.785523       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.1/tools/cache/reflector.go:167: Failed to watch *v1beta1.CronJob: failed to list *v1beta1.CronJob: cronjobs.batch is forbidden: User "system:serviceaccount:myrepo-system:myrepo-controller-manager" cannot list resource "cronjobs" in API group "batch" at the cluster scope

我也看到有关缓存的问题,但它们可能不相关(不确定):

2022-01-11T09:35:57.857Z        ERROR   controller.mynewresource        Could not wait for Cache to sync        {"reconciler group": "mygroup.mydomain.com", "reconciler kind": "MyNewResource", "error": "failed to wait for mynewresource caches to sync: timed out waiting for cache to be synced"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start
        /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.0/pkg/internal/controller/controller.go:234
sigs.k8s.io/controller-runtime/pkg/manager.(*controllerManager).startRunnable.func1
        /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.0/pkg/manager/internal.go:696
2022-01-11T09:35:57.858Z        ERROR   error received after stop sequence was engaged  {"error": "leader election lost"}
2022-01-11T09:35:57.858Z        ERROR   setup   problem running manager {"error": "failed to wait for mynewresource caches to sync: timed out waiting for cache to be synced"}

如何让我的新 Operator 处理 CronJobs 资源?

目前,当我通过调用为我的 CRD 的新实例提供一些 YAML 时,我基本上无法以编程方式(Go 代码)创建新的 CronJobs:

kubectl create -f mynewresource-project/config/samples/

您需要创建新的 Role 或 ClusterRole(取决于您是希望您的权限是命名空间的还是集群范围的)并使用 RoleBinding/ClusterRoleBinding 将其绑定到您的 system:serviceaccount:myrepo-system:myrepo-controller-manager 用户。我将提供集群范围配置的示例。

集群角色:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cronjobs-role
rules:
- apiGroups: [""]
  resources: ["cronjobs"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]

然后,使用 ClusterRoleBinding 绑定它:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cronjobs-rolebinding
subjects:
- kind: User
  name: system:serviceaccount:myrepo-system:myrepo-controller-manager
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cronjob-role
  apiGroup: rbac.authorization.k8s.io

根据您的日志判断,您可能想使用 batch apiGroup,但我将留下更通用的示例。更多关于 k8s RBAC here.

Kubebuilder

使用 Kubebuilder,ClusterRole 和 ClusterRoleBinding YAML 代码会自动生成并存储在 config/rbac/ 目录中。

要授予对所有组的绑定(而不仅仅是 batch),您可以在 Go 注释中加上星号,如下所示:

//+kubebuilder:rbac:groups=*,resources=cronjobs,verbs=get;list;watch;create;update;patch;delete

这会将 ClusterRole 的自动生成的 YAML 更改为:

rules:
 - apiGroups:
   - '*' # instead of simply: batch

部署更新后的操作员时,控制器应该能够 list/create/delete CronJobs。

看这里 reference RBAC for Kubebuilder comments