How to add RBAC roles to a Controller for a different kind of resource in Kubebuilder
I am using Kubebuilder to create a new Operator that deploys a Kubernetes controller managing a new CRD (Custom Resource Definition).
This new CRD (let's call it MyNewResource) needs to list/create/delete CronJobs.
So in the Controller Go code where the Reconcile(...) method is defined, I added a new RBAC annotation to allow reconciling on CronJobs (see here):
//+kubebuilder:rbac:groups=batch,resources=cronjobs,verbs=get;list;watch;create;update;patch;delete
However, after building, pushing and deploying the Docker/Kubernetes controller (repo myrepo: make manifests, then make install, then make docker-build docker-push, then make deploy), I still see this in the logs:
E0111 09:35:18.785523 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.1/tools/cache/reflector.go:167: Failed to watch *v1beta1.CronJob: failed to list *v1beta1.CronJob: cronjobs.batch is forbidden: User "system:serviceaccount:myrepo-system:myrepo-controller-manager" cannot list resource "cronjobs" in API group "batch" at the cluster scope
I also see issues about the cache, but they are probably unrelated (not sure):
2022-01-11T09:35:57.857Z ERROR controller.mynewresource Could not wait for Cache to sync {"reconciler group": "mygroup.mydomain.com", "reconciler kind": "MyNewResource", "error": "failed to wait for mynewresource caches to sync: timed out waiting for cache to be synced"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start
/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.0/pkg/internal/controller/controller.go:234
sigs.k8s.io/controller-runtime/pkg/manager.(*controllerManager).startRunnable.func1
/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.0/pkg/manager/internal.go:696
2022-01-11T09:35:57.858Z ERROR error received after stop sequence was engaged {"error": "leader election lost"}
2022-01-11T09:35:57.858Z ERROR setup problem running manager {"error": "failed to wait for mynewresource caches to sync: timed out waiting for cache to be synced"}
How can I get my new Operator to handle CronJobs resources?
Currently I basically cannot create new CronJobs programmatically (Go code) when I supply some YAML for a new instance of my CRD by calling:
kubectl create -f mynewresource-project/config/samples/
You need to create a new Role or ClusterRole (depending on whether you want your permissions to be namespaced or cluster-wide) and bind it to your system:serviceaccount:myrepo-system:myrepo-controller-manager user with a RoleBinding/ClusterRoleBinding. I'll provide an example for the cluster-wide configuration.
ClusterRole:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cronjobs-role
rules:
- apiGroups: [""]   # "" is the core API group; CronJobs live in the "batch" group (see the note below)
  resources: ["cronjobs"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
Then bind it with a ClusterRoleBinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cronjobs-rolebinding
subjects:
- kind: User
  # the controller's service account, named exactly as in the "forbidden" error above
  name: system:serviceaccount:myrepo-system:myrepo-controller-manager
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cronjobs-role   # must match the ClusterRole's metadata.name
  apiGroup: rbac.authorization.k8s.io
Judging by your logs you probably want to use the batch apiGroup, but I'll leave the more general example. More about k8s RBAC here.
Kubebuilder
With Kubebuilder, the ClusterRole and ClusterRoleBinding YAML is generated automatically and stored in the config/rbac/ directory.
To grant the binding for all groups (not just batch), you can put an asterisk in the Go annotation, like this:
//+kubebuilder:rbac:groups=*,resources=cronjobs,verbs=get;list;watch;create;update;patch;delete
This changes the auto-generated YAML for the ClusterRole to:
rules:
- apiGroups:
  - '*' # instead of simply: batch
When the updated operator is deployed, the controller should be able to list/create/delete CronJobs.
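As an added example (not code from the question, the answers, Kubebuilder or controller-gen), the following Go program models how a kubebuilder RBAC marker becomes a rule and how RBAC matching decides the failing request from the log, listing cronjobs in the batch group. The type and function names are hypothetical and the matcher is a simplified model (no resourceNames, subresources or namespace scoping); it shows why a rule on the core group "" does not cover cronjobs.batch while batch or * does.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule is a cut-down RBAC rule (hypothetical type, not k8s.io/api/rbac/v1).
type PolicyRule struct{ APIGroups, Resources, Verbs []string }

// ParseRBACMarker turns a "//+kubebuilder:rbac:groups=..,resources=..,verbs=.." marker into
// one rule, as controller-gen does for config/rbac/role.yaml (";"-separated, groups="" = core).
func ParseRBACMarker(marker string) (PolicyRule, error) {
	const prefix = "//+kubebuilder:rbac:"
	if !strings.HasPrefix(marker, prefix) {
		return PolicyRule{}, fmt.Errorf("not an rbac marker: %q", marker)
	}
	var rule PolicyRule
	dst := map[string]*[]string{"groups": &rule.APIGroups, "resources": &rule.Resources, "verbs": &rule.Verbs}
	for _, field := range strings.Split(strings.TrimPrefix(marker, prefix), ",") {
		key, raw, ok := strings.Cut(field, "=")
		if !ok || dst[key] == nil {
			return PolicyRule{}, fmt.Errorf("bad field %q", field)
		}
		*dst[key] = strings.Split(strings.Trim(raw, `"`), ";")
	}
	return rule, nil
}
// matches applies the RBAC wildcard: "*" in a rule's list matches any value.
func matches(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}
// Allows reports whether rule grants verb on resource in apiGroup (resourceNames and subresources are ignored).
func Allows(rule PolicyRule, apiGroup, resource, verb string) bool {
	return matches(rule.APIGroups, apiGroup) && matches(rule.Resources, resource) && matches(rule.Verbs, verb)
}

func main() {
	// The reflector's failing request from the log: list "cronjobs" in API group "batch".
	for _, m := range []string{
		`//+kubebuilder:rbac:groups="",resources=cronjobs,verbs=list`,    // core group, as in the ClusterRole above
		"//+kubebuilder:rbac:groups=batch,resources=cronjobs,verbs=list", // the question's own marker
		"//+kubebuilder:rbac:groups=*,resources=cronjobs,verbs=list",     // the wildcard marker
	} {
		r, err := ParseRBACMarker(m) // the markers above are well-formed, so err stays nil
		fmt.Println(err == nil && Allows(r, "batch", "cronjobs", "list"), m)
	}
}
```

The same question can be put to a live cluster before redeploying with `kubectl auth can-i list cronjobs.batch --as=system:serviceaccount:myrepo-system:myrepo-controller-manager`.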