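I have a Helm chart that adds a list of users to my cluster, but I would like to modify my `default` service account to include an image pull secret. There doesn't seem to be any patch functionality in Helm. Is a post-install hook the best I can do?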

I had the same problem. What I did was:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: default
      namespace: YOUR_NAMESPACE
    rules:
    - apiGroups:
      - ""
      resources:
      - serviceaccounts
      verbs:
      - get
      - patch  # needed by the kubectl patch in the Job below
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: default
      namespace: YOUR_NAMESPACE
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: default
    subjects:
    - kind: ServiceAccount
      name: default
      namespace: YOUR_NAMESPACE

Then:

    apiVersion: batch/v1
    kind: Job
    metadata:
      name: create-image-pull-secret
      annotations:
        # Run before the chart's own resources are created; delete the Job once it succeeds
        "helm.sh/hook": pre-install
        "helm.sh/hook-delete-policy": hook-succeeded
    spec:
      template:
        spec:
          restartPolicy: Never
          containers:
          - name: k8s
            image: google/cloud-sdk
            imagePullPolicy: IfNotPresent
            command: ["/bin/sh","-c", "kubectl patch serviceaccount default -p '{\"imagePullSecrets\": [{\"name\": \"YOUR_SECRET_NAME\"}]}'"]

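Note that I use a `pre-install` hook. I did this because I needed the imagePullSecret to work for my child dependencies. Also, the patch command allows using a secret name that doesn't exist yet.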
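
If I understand you correctly, the way to change the default service behind Helm (actually the server side: Tiller) is plain Kubernetes: just patch the deployment resource object related to Helm with the following command: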

    kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"<YOUR_SVC_ACCOUNT>"}}}}'

Following what @tproenca said, I ran into a similar problem and fixed it by creating a template file named `patch.yml` with the following content:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      annotations:
        "helm.sh/hook": pre-install
        "helm.sh/hook-weight": "-5"
        "helm.sh/hook-delete-policy": hook-succeeded
      name: default
      namespace: {{ .Release.Name }}
    rules:
    - apiGroups:
      - ""
      resources:
      - serviceaccounts
      verbs:
      - get
      - patch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      annotations:
        "helm.sh/hook": pre-install
        "helm.sh/hook-weight": "-5"
        "helm.sh/hook-delete-policy": hook-succeeded
      name: default
      namespace: {{ .Release.Name }}
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: default
    subjects:
    - kind: ServiceAccount
      name: default
      namespace: {{ .Release.Name }}
    ---
    apiVersion: batch/v1
    kind: Job
    metadata:
      name: patch-sa
      annotations:
        "helm.sh/hook": pre-install
        "helm.sh/hook-delete-policy": hook-succeeded
    spec:
      template:
        spec:
          restartPolicy: Never
          containers:
          - name: sa
            image: google/cloud-sdk
            imagePullPolicy: IfNotPresent
            command: ["/bin/sh", "-c", "kubectl patch serviceaccount default -p '{\"imagePullSecrets\": [{\"name\": \"secret-key\"}]}'"]

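For the first install, you don't have to manually add the Role/RoleBinding resources to the namespace, because Helm will do this and delete them for you.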