How do I deploy a Deployment in another namespace in Kubernetes?

Question  Votes: 1  Answers: 1

I am using Jenkins deployed on Kubernetes. The Jenkins pods are deployed in the 'kubernetes-plugin' namespace and use the service account 'jenkins', defined as follows:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: jenkins
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins
subjects:
- kind: ServiceAccount
  name: jenkins

But when I use kubectl apply -f web-api-deploy.yaml -n default in a Jenkins pipeline, it reports the following error:

deployments.extensions "news-app-web-api-dev" is forbidden: User "system:serviceaccount:kubernetes-plugin:jenkins" cannot get deployments.extensions in the namespace "default"

This means: when using the service account 'jenkins' in the namespace 'kubernetes-plugin', it cannot deploy to the namespace 'default'.

So is there a way to deploy a Deployment in another namespace? How?

jenkins kubernetes jenkins-pipeline
1 Answer
0 votes

So is there a way to deploy a Deployment in another namespace? How?

If I'm not mistaken, this GitHub project gives the steps for running in a different namespace. It all boils down to:

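You need to create the service account, Role and RoleBinding in the different namespace and use them as described in the documentation. Here is the relevant part: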

Ensure you create the namespaces and roles with the following commands,
then run the tests in namespace kubernetes-plugin with the service account
jenkins (edit src/test/kubernetes/service-account.yml to use a different 
service account)

kubectl create namespace kubernetes-plugin-test
kubectl create namespace kubernetes-plugin-test-overridden-namespace
kubectl create namespace kubernetes-plugin-test-overridden-namespace2
kubectl apply -n kubernetes-plugin-test -f src/main/kubernetes/service-account.yml
kubectl apply -n kubernetes-plugin-test-overridden-namespace -f src/main/kubernetes/service-account.yml
kubectl apply -n kubernetes-plugin-test-overridden-namespace2 -f src/main/kubernetes/service-account.yml
kubectl apply -n kubernetes-plugin-test -f src/test/kubernetes/service-account.yml
kubectl apply -n kubernetes-plugin-test-overridden-namespace -f src/test/kubernetes/service-account.yml
kubectl apply -n kubernetes-plugin-test-overridden-namespace2 -f src/test/kubernetes/service-account.yml

The same applied to your case would be to create a new Role and RoleBinding in the default namespace, referencing the jenkins ServiceAccount from the kubernetes-plugin namespace, as follows:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: role-jenkins-default
  namespace: default
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: roleb-jenkins-default
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: role-jenkins-default
subjects:
- kind: ServiceAccount
  name: jenkins
  namespace: kubernetes-plugin

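Note that the role- and roleb- prefixes, as well as the -default suffix, were added to the names for clarity. The same goes for explicitly listing the namespace default, for ease of bookkeeping and clarity.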

This change should get you past the error mentioned in the question.
