• 安装部署

  • kubesphere 3.3.1最小化安装之后无法正常创建普通用户

创建部署问题时,请参考下面模板,你提供的信息越多,越容易及时获得解答。如果未按模板创建问题,管理员有权关闭问题。
确保帖子格式清晰易读,用 markdown code block 语法格式化代码块。
你只花一分钟创建的问题,不能指望别人花上半个小时给你解答。

操作系统信息

虚拟机/物理机,Centos7.5 4C/8G

Kubernetes版本信息

基于二进制部署k8s集群1.23.0版本

#kubectl version 
lient Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.0", GitCommit:"ab69524f795c42094a6630298ff53f3c3ebab7f4", GitTreeState:"clean", BuildDate:"2021-12-07T18:16:20Z", GoVersion:"go1.17.3", Compiler:"gc", Platform:"linux/amd64"}

Server Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.0", GitCommit:"ab69524f795c42094a6630298ff53f3c3ebab7f4", GitTreeState:"clean", BuildDate:"2021-12-07T18:09:57Z", GoVersion:"go1.17.3", Compiler:"gc", Platform:"linux/amd64"}

容器运行时

docker版本如下图所示

KubeSphere版本信息
在已有K8s上安装kubesphere 3.3.1版本

问题是什么
kubesphere最小化安装之后,以admin管理员登录进去,发现没有创建普通用户的开关功能,很奇怪…不知道是哪个资源设置有问题,还请各位社区大佬指点一下,困惑我一个月了。

  1. 检查下ks-installer的安装日志,有没有异常日志


    kubectl logs -n kubesphere-system $(kubectl get pod -n kubesphere-system -l 'app in (ks-install, ks-installer)' -o jsonpath='{.items[0].metadata.name}') -f

    smartcat999 倒是没有特别关键的敏感错误信息,只有一些警告,应该不影响吧?如下所示:

    # kubectl logs -n kubesphere-system $(kubectl get pod -n kubesphere-system -l 'app in (ks-install, ks-installer)' -o jsonpath='{.items[0].metadata.name}') -f
2025-01-06T11:46:15+08:00 INFO     : shell-operator latest
2025-01-06T11:46:15+08:00 INFO     : HTTP SERVER Listening on 0.0.0.0:9115
2025-01-06T11:46:15+08:00 INFO     : Use temporary dir: /tmp/shell-operator
2025-01-06T11:46:15+08:00 INFO     : Initialize hooks manager ...
2025-01-06T11:46:15+08:00 INFO     : Search and load hooks ...
2025-01-06T11:46:15+08:00 INFO     : Load hook config from '/hooks/kubesphere/installRunner.py'
2025-01-06T11:46:16+08:00 INFO     : Load hook config from '/hooks/kubesphere/schedule.sh'
2025-01-06T11:46:16+08:00 INFO     : Initializing schedule manager ...
2025-01-06T11:46:16+08:00 INFO     : KUBE Init Kubernetes client
2025-01-06T11:46:16+08:00 INFO     : KUBE-INIT Kubernetes client is configured successfully
2025-01-06T11:46:16+08:00 INFO     : MAIN: run main loop
2025-01-06T11:46:16+08:00 INFO     : MAIN: add onStartup tasks
2025-01-06T11:46:16+08:00 INFO     : Running schedule manager ...
2025-01-06T11:46:16+08:00 INFO     : QUEUE add all HookRun@OnStartup
2025-01-06T11:46:16+08:00 INFO     : MSTOR Create new metric shell_operator_live_ticks
2025-01-06T11:46:16+08:00 INFO     : MSTOR Create new metric shell_operator_tasks_queue_length
2025-01-06T11:46:16+08:00 INFO     : GVR for kind 'ClusterConfiguration' is installer.kubesphere.io/v1alpha1, Resource=clusterconfigurations
2025-01-06T11:47:39+08:00 INFO     : EVENT Kube event '9f486a80-5a59-4249-9ef3-60064e1f7664'
2025-01-06T11:47:39+08:00 INFO     : QUEUE add TASK_HOOK_RUN@KUBE_EVENTS kubesphere/installRunner.py
2025-01-06T11:47:40+08:00 INFO     : TASK_RUN HookRun@KUBE_EVENTS kubesphere/installRunner.py
2025-01-06T11:47:40+08:00 INFO     : Running hook 'kubesphere/installRunner.py' binding 'KUBE_EVENTS' ...
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'

PLAY [localhost] ***************************************************************

TASK [download : Generating images list] ***************************************
skipping: [localhost]

TASK [download : Synchronizing images] *****************************************

TASK [kubesphere-defaults : KubeSphere | Setting images' namespace override] ***
skipping: [localhost]

TASK [kubesphere-defaults : KubeSphere | Configuring defaults] *****************
ok: [localhost] => {
    "msg": "Check roles/kubesphere-defaults/defaults/main.yml"
}

TASK [preinstall : KubeSphere | Stopping if Kubernetes version is nonsupport] ***
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [preinstall : KubeSphere | Checking StorageClass] *************************
changed: [localhost]

TASK [preinstall : KubeSphere | Stopping if StorageClass was not found] ********
skipping: [localhost]

TASK [preinstall : KubeSphere | Checking default StorageClass] *****************
changed: [localhost]

TASK [preinstall : KubeSphere | Stopping if default StorageClass was not found] ***
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [preinstall : KubeSphere | Stop if bad admin password] ********************
skipping: [localhost]

TASK [preinstall : KubeSphere | Checking KubeSphere component] *****************
changed: [localhost]

TASK [preinstall : KubeSphere | Getting KubeSphere component version] **********
skipping: [localhost]

TASK [preinstall : KubeSphere | Getting KubeSphere component version] **********
skipping: [localhost] => (item=ks-openldap) 
skipping: [localhost] => (item=ks-redis) 
skipping: [localhost] => (item=ks-minio) 
skipping: [localhost] => (item=ks-openpitrix) 
skipping: [localhost] => (item=elasticsearch-logging) 
skipping: [localhost] => (item=elasticsearch-logging-curator) 
skipping: [localhost] => (item=istio) 
skipping: [localhost] => (item=istio-init) 
skipping: [localhost] => (item=jaeger-operator) 
skipping: [localhost] => (item=ks-jenkins) 
skipping: [localhost] => (item=ks-sonarqube) 
skipping: [localhost] => (item=logging-fluentbit-operator) 
skipping: [localhost] => (item=uc) 
skipping: [localhost] => (item=metrics-server) 

PLAY RECAP *********************************************************************
localhost                  : ok=6    changed=3    unreachable=0    failed=0    skipped=7    rescued=0    ignored=0   
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'

PLAY [localhost] ***************************************************************

TASK [download : Generating images list] ***************************************
skipping: [localhost]

TASK [download : Synchronizing images] *****************************************

TASK [kubesphere-defaults : KubeSphere | Setting images' namespace override] ***
skipping: [localhost]

TASK [kubesphere-defaults : KubeSphere | Configuring defaults] *****************
ok: [localhost] => {
    "msg": "Check roles/kubesphere-defaults/defaults/main.yml"
}

TASK [Metrics-Server | Getting metrics-server installation files] **************
skipping: [localhost]

TASK [metrics-server : Metrics-Server | Creating manifests] ********************
skipping: [localhost] => (item={'file': 'metrics-server.yaml'}) 

TASK [metrics-server : Metrics-Server | Checking Metrics-Server] ***************
skipping: [localhost]

TASK [Metrics-Server | Uninstalling old metrics-server] ************************
skipping: [localhost]

TASK [Metrics-Server | Installing new metrics-server] **************************
skipping: [localhost]

TASK [metrics-server : Metrics-Server | Waitting for metrics.k8s.io ready] *****
skipping: [localhost]

TASK [Metrics-Server | Importing metrics-server status] ************************
skipping: [localhost]

PLAY RECAP *********************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=0    skipped=10   rescued=0    ignored=0   
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'

PLAY [localhost] ***************************************************************

TASK [download : Generating images list] ***************************************
skipping: [localhost]

TASK [download : Synchronizing images] *****************************************

TASK [kubesphere-defaults : KubeSphere | Setting images' namespace override] ***
skipping: [localhost]

TASK [kubesphere-defaults : KubeSphere | Configuring defaults] *****************
ok: [localhost] => {
    "msg": "Check roles/kubesphere-defaults/defaults/main.yml"
}

TASK [common : KubeSphere | Checking kube-node-lease namespace] ****************
changed: [localhost]

TASK [common : KubeSphere | Getting system namespaces] *************************
ok: [localhost]

TASK [common : set_fact] *******************************************************
ok: [localhost]

TASK [common : debug] **********************************************************
ok: [localhost] => {
    "msg": [
        "kubesphere-system",
        "kubesphere-controls-system",
        "kubesphere-monitoring-system",
        "kubesphere-monitoring-federated",
        "kube-node-lease"
    ]
}

TASK [common : KubeSphere | Creating KubeSphere namespace] *********************
changed: [localhost] => (item=kubesphere-system)
changed: [localhost] => (item=kubesphere-controls-system)
changed: [localhost] => (item=kubesphere-monitoring-system)
changed: [localhost] => (item=kubesphere-monitoring-federated)
changed: [localhost] => (item=kube-node-lease)

TASK [common : KubeSphere | Labeling system-workspace] *************************
changed: [localhost] => (item=default)
changed: [localhost] => (item=kube-public)
changed: [localhost] => (item=kube-system)
changed: [localhost] => (item=kubesphere-system)
changed: [localhost] => (item=kubesphere-controls-system)
changed: [localhost] => (item=kubesphere-monitoring-system)
changed: [localhost] => (item=kubesphere-monitoring-federated)
changed: [localhost] => (item=kube-node-lease)

TASK [common : KubeSphere | Labeling namespace for network policy] *************
changed: [localhost]

TASK [common : KubeSphere | Getting Kubernetes master num] *********************
changed: [localhost]

TASK [common : KubeSphere | Setting master num] ********************************
ok: [localhost]

TASK [KubeSphere | Getting common component installation files] ****************
changed: [localhost] => (item=common)

TASK [common : KubeSphere | Checking Kubernetes version] ***********************
changed: [localhost]

TASK [KubeSphere | Getting common component installation files] ****************
changed: [localhost] => (item=snapshot-controller)

TASK [common : KubeSphere | Creating snapshot controller values] ***************
changed: [localhost] => (item={'name': 'custom-values-snapshot-controller', 'file': 'custom-values-snapshot-controller.yaml'})

TASK [common : KubeSphere | Updating snapshot crd] *****************************
changed: [localhost]

TASK [common : KubeSphere | Deploying snapshot controller] *********************
changed: [localhost]

TASK [KubeSphere | Checking openpitrix common component] ***********************
changed: [localhost]

TASK [common : include_tasks] **************************************************
skipping: [localhost] => (item={'op': 'openpitrix-db', 'ks': 'mysql-pvc'}) 
skipping: [localhost] => (item={'op': 'openpitrix-etcd', 'ks': 'etcd-pvc'}) 

TASK [common : Getting PersistentVolumeName (mysql)] ***************************
skipping: [localhost]

TASK [common : Getting PersistentVolumeSize (mysql)] ***************************
skipping: [localhost]

TASK [common : Setting PersistentVolumeName (mysql)] ***************************
skipping: [localhost]

TASK [common : Setting PersistentVolumeSize (mysql)] ***************************
skipping: [localhost]

TASK [common : Getting PersistentVolumeName (etcd)] ****************************
skipping: [localhost]

TASK [common : Getting PersistentVolumeSize (etcd)] ****************************
skipping: [localhost]

TASK [common : Setting PersistentVolumeName (etcd)] ****************************
skipping: [localhost]

TASK [common : Setting PersistentVolumeSize (etcd)] ****************************
skipping: [localhost]

TASK [common : KubeSphere | Checking mysql PersistentVolumeClaim] **************
changed: [localhost]

TASK [common : KubeSphere | Setting mysql db pv size] **************************
skipping: [localhost]

TASK [common : KubeSphere | Checking redis PersistentVolumeClaim] **************
changed: [localhost]

TASK [common : KubeSphere | Setting redis db pv size] **************************
skipping: [localhost]

TASK [common : KubeSphere | Checking minio PersistentVolumeClaim] **************
changed: [localhost]

TASK [common : KubeSphere | Setting minio pv size] *****************************
skipping: [localhost]

TASK [common : KubeSphere | Checking openldap PersistentVolumeClaim] ***********
changed: [localhost]

TASK [common : KubeSphere | Setting openldap pv size] **************************
skipping: [localhost]

TASK [common : KubeSphere | Checking etcd db PersistentVolumeClaim] ************
changed: [localhost]

TASK [common : KubeSphere | Setting etcd pv size] ******************************
skipping: [localhost]

TASK [common : KubeSphere | Checking redis ha PersistentVolumeClaim] ***********
changed: [localhost]

TASK [common : KubeSphere | Setting redis ha pv size] **************************
skipping: [localhost]

TASK [common : KubeSphere | Checking es-master PersistentVolumeClaim] **********
changed: [localhost]

TASK [common : KubeSphere | Setting es master pv size] *************************
skipping: [localhost]

TASK [common : KubeSphere | Checking es data PersistentVolumeClaim] ************
changed: [localhost]

TASK [common : KubeSphere | Setting es data pv size] ***************************
skipping: [localhost]

TASK [KubeSphere | Creating common component manifests] ************************
changed: [localhost] => (item={'path': 'redis', 'file': 'redis.yaml'})

TASK [common : KubeSphere | Deploying etcd and mysql] **************************
skipping: [localhost] => (item=etcd.yaml) 
skipping: [localhost] => (item=mysql.yaml) 

TASK [common : KubeSphere | Getting minio installation files] ******************
skipping: [localhost] => (item=minio-ha) 

TASK [common : KubeSphere | Creating manifests] ********************************
skipping: [localhost] => (item={'name': 'custom-values-minio', 'file': 'custom-values-minio.yaml'}) 

TASK [common : KubeSphere | Checking minio] ************************************
skipping: [localhost]

TASK [common : KubeSphere | Deploying minio] ***********************************
skipping: [localhost]

TASK [common : debug] **********************************************************
skipping: [localhost]

TASK [common : fail] ***********************************************************
skipping: [localhost]

TASK [common : KubeSphere | Importing minio status] ****************************
skipping: [localhost]

TASK [common : KubeSphere | Generet Random password] ***************************
skipping: [localhost]

TASK [common : KubeSphere | Creating Redis Password Secret] ********************
skipping: [localhost]

TASK [common : KubeSphere | Getting redis installation files] ******************
skipping: [localhost] => (item=redis-ha) 

TASK [common : KubeSphere | Creating manifests] ********************************
skipping: [localhost] => (item={'name': 'custom-values-redis', 'file': 'custom-values-redis.yaml'}) 

TASK [common : KubeSphere | Checking old redis status] *************************
skipping: [localhost]

TASK [common : KubeSphere | Deleting and backup old redis svc] *****************
skipping: [localhost]

TASK [common : KubeSphere | Deploying redis] ***********************************
skipping: [localhost]

TASK [common : KubeSphere | Deploying redis] ***********************************
skipping: [localhost] => (item=redis.yaml) 

TASK [common : KubeSphere | Importing redis status] ****************************
skipping: [localhost]

TASK [common : KubeSphere | Getting openldap installation files] ***************
skipping: [localhost] => (item=openldap-ha) 

TASK [common : KubeSphere | Creating manifests] ********************************
skipping: [localhost] => (item={'name': 'custom-values-openldap', 'file': 'custom-values-openldap.yaml'}) 

TASK [common : KubeSphere | Checking old openldap status] **********************
skipping: [localhost]

TASK [common : KubeSphere | Shutdown ks-account] *******************************
skipping: [localhost]

TASK [common : KubeSphere | Deleting and backup old openldap svc] **************
skipping: [localhost]

TASK [common : KubeSphere | Checking openldap] *********************************
skipping: [localhost]

TASK [common : KubeSphere | Deploying openldap] ********************************
skipping: [localhost]

TASK [common : KubeSphere | Loading old openldap data] *************************
skipping: [localhost]

TASK [common : KubeSphere | Checking openldap-ha status] ***********************
skipping: [localhost]

TASK [common : KubeSphere | Getting openldap-ha pod list] **********************
skipping: [localhost]

TASK [common : KubeSphere | Getting old openldap data] *************************
skipping: [localhost]

TASK [common : KubeSphere | Migrating openldap data] ***************************
skipping: [localhost]

TASK [common : KubeSphere | Disabling old openldap] ****************************
skipping: [localhost]

TASK [common : KubeSphere | Restarting openldap] *******************************
skipping: [localhost]

TASK [common : KubeSphere | Restarting ks-account] *****************************
skipping: [localhost]

TASK [common : KubeSphere | Importing openldap status] *************************
skipping: [localhost]

TASK [common : KubeSphere | Checking KubeSphere Config is Exists] **************
changed: [localhost]

TASK [common : KubeSphere | Generet Random password] ***************************
skipping: [localhost]

TASK [common : KubeSphere | Creating Redis Password Secret] ********************
skipping: [localhost]

TASK [common : KubeSphere | Getting redis installation files] ******************
skipping: [localhost] => (item=redis-ha) 

TASK [common : KubeSphere | Creating manifests] ********************************
skipping: [localhost] => (item={'name': 'custom-values-redis', 'file': 'custom-values-redis.yaml'}) 

TASK [common : KubeSphere | Checking old redis status] *************************
skipping: [localhost]

TASK [common : KubeSphere | Deleting and backup old redis svc] *****************
skipping: [localhost]

TASK [common : KubeSphere | Deploying redis] ***********************************
skipping: [localhost]

TASK [common : KubeSphere | Deploying redis] ***********************************
skipping: [localhost] => (item=redis.yaml) 

TASK [common : KubeSphere | Importing redis status] ****************************
skipping: [localhost]

TASK [common : KubeSphere | Getting openldap installation files] ***************
skipping: [localhost] => (item=openldap-ha) 

TASK [common : KubeSphere | Creating manifests] ********************************
skipping: [localhost] => (item={'name': 'custom-values-openldap', 'file': 'custom-values-openldap.yaml'}) 

TASK [common : KubeSphere | Checking old openldap status] **********************
skipping: [localhost]

TASK [common : KubeSphere | Shutdown ks-account] *******************************
skipping: [localhost]

TASK [common : KubeSphere | Deleting and backup old openldap svc] **************
skipping: [localhost]

TASK [common : KubeSphere | Checking openldap] *********************************
skipping: [localhost]

TASK [common : KubeSphere | Deploying openldap] ********************************
skipping: [localhost]

TASK [common : KubeSphere | Loading old openldap data] *************************
skipping: [localhost]

TASK [common : KubeSphere | Checking openldap-ha status] ***********************
skipping: [localhost]

TASK [common : KubeSphere | Getting openldap-ha pod list] **********************
skipping: [localhost]

TASK [common : KubeSphere | Getting old openldap data] *************************
skipping: [localhost]

TASK [common : KubeSphere | Migrating openldap data] ***************************
skipping: [localhost]

TASK [common : KubeSphere | Disabling old openldap] ****************************
skipping: [localhost]

TASK [common : KubeSphere | Restarting openldap] *******************************
skipping: [localhost]

TASK [common : KubeSphere | Restarting ks-account] *****************************
skipping: [localhost]

TASK [common : KubeSphere | Importing openldap status] *************************
skipping: [localhost]

TASK [common : KubeSphere | Getting minio installation files] ******************
skipping: [localhost] => (item=minio-ha) 

TASK [common : KubeSphere | Creating manifests] ********************************
skipping: [localhost] => (item={'name': 'custom-values-minio', 'file': 'custom-values-minio.yaml'}) 

TASK [common : KubeSphere | Checking minio] ************************************
skipping: [localhost]

TASK [common : KubeSphere | Deploying minio] ***********************************
skipping: [localhost]

TASK [common : debug] **********************************************************
skipping: [localhost]

TASK [common : fail] ***********************************************************
skipping: [localhost]

TASK [common : KubeSphere | Importing minio status] ****************************
skipping: [localhost]

TASK [common : KubeSphere | Getting elasticsearch and curator installation files] ***
skipping: [localhost]

TASK [common : KubeSphere | Creating custom manifests] *************************
skipping: [localhost] => (item={'name': 'custom-values-elasticsearch', 'file': 'custom-values-elasticsearch.yaml'}) 
skipping: [localhost] => (item={'name': 'custom-values-elasticsearch-curator', 'file': 'custom-values-elasticsearch-curator.yaml'}) 

TASK [common : KubeSphere | Checking elasticsearch data StatefulSet] ***********
skipping: [localhost]

TASK [common : KubeSphere | Checking elasticsearch storageclass] ***************
skipping: [localhost]

TASK [common : KubeSphere | Commenting elasticsearch storageclass parameter] ***
skipping: [localhost]

TASK [common : KubeSphere | Creating elasticsearch credentials secret] *********
skipping: [localhost]

TASK [common : KubeSphere | Checking internal es] ******************************
skipping: [localhost]

TASK [common : KubeSphere | Deploying elasticsearch-logging] *******************
skipping: [localhost]

TASK [common : KubeSphere | Getting PersistentVolume Name] *********************
skipping: [localhost]

TASK [common : KubeSphere | Patching PersistentVolume (persistentVolumeReclaimPolicy)] ***
skipping: [localhost]

TASK [common : KubeSphere | Deleting elasticsearch] ****************************
skipping: [localhost]

TASK [common : KubeSphere | Waiting for seconds] *******************************
skipping: [localhost]

TASK [common : KubeSphere | Deploying elasticsearch-logging] *******************
skipping: [localhost]

TASK [common : KubeSphere | Importing es status] *******************************
skipping: [localhost]

TASK [common : KubeSphere | Deploying elasticsearch-logging-curator] ***********
skipping: [localhost]

TASK [common : KubeSphere | Getting fluentbit installation files] **************
skipping: [localhost]

TASK [common : ks-logging | Getting Kubernetes Node info] **********************
skipping: [localhost]

TASK [common : ks-logging | Setting container runtime of kubernetes] ***********
skipping: [localhost]

TASK [common : ks-logging | Setting container runtime of kubernetes] ***********
skipping: [localhost]

TASK [common : ks-logging | Debug container_runtime] ***************************
skipping: [localhost]

TASK [common : ks-logging | Debug logging_container_runtime] *******************
skipping: [localhost]

TASK [common : KubeSphere | Creating custom manifests] *************************
skipping: [localhost] => (item={'path': 'fluentbit', 'file': 'custom-fluentbit-fluentBit.yaml'}) 
skipping: [localhost] => (item={'path': 'init', 'file': 'custom-fluentbit-operator-deployment.yaml'}) 

TASK [common : KubeSphere | Preparing fluentbit operator setup] ****************
skipping: [localhost]

TASK [common : KubeSphere | Deploying new fluentbit operator] ******************
skipping: [localhost]

TASK [common : KubeSphere | Importing fluentbit status] ************************
skipping: [localhost]

TASK [common : Setting persistentVolumeReclaimPolicy (mysql)] ******************
skipping: [localhost]

TASK [common : Setting persistentVolumeReclaimPolicy (etcd)] *******************
skipping: [localhost]

PLAY RECAP *********************************************************************
localhost                  : ok=27   changed=22   unreachable=0    failed=0    skipped=112  rescued=0    ignored=0   
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'

PLAY [localhost] ***************************************************************

TASK [download : Generating images list] ***************************************
skipping: [localhost]

TASK [download : Synchronizing images] *****************************************

TASK [kubesphere-defaults : KubeSphere | Setting images' namespace override] ***
skipping: [localhost]

TASK [kubesphere-defaults : KubeSphere | Configuring defaults] *****************
ok: [localhost] => {
    "msg": "Check roles/kubesphere-defaults/defaults/main.yml"
}

TASK [ks-core/init-token : KubeSphere | Creating KubeSphere directory] *********
ok: [localhost]

TASK [ks-core/init-token : KubeSphere | Getting installation init files] *******
changed: [localhost] => (item=jwt-script)

TASK [ks-core/init-token : KubeSphere | Creating KubeSphere Secret] ************
changed: [localhost]

TASK [ks-core/init-token : KubeSphere | Creating KubeSphere Secret] ************
ok: [localhost]

TASK [ks-core/init-token : KubeSphere | Creating KubeSphere Secret] ************
skipping: [localhost]

TASK [ks-core/init-token : KubeSphere | Enabling Token Script] *****************
changed: [localhost]

TASK [ks-core/init-token : KubeSphere | Getting KubeSphere Token] **************
changed: [localhost]

TASK [ks-core/init-token : KubeSphere | Checking KubeSphere secrets] ***********
changed: [localhost]

TASK [ks-core/init-token : KubeSphere | Deleting KubeSphere secret] ************
skipping: [localhost]

TASK [ks-core/init-token : KubeSphere | Creating components token] *************
changed: [localhost]

TASK [ks-core/ks-core : KubeSphere | Setting Kubernetes version] ***************
ok: [localhost]

TASK [ks-core/ks-core : KubeSphere | Getting Kubernetes master num] ************
changed: [localhost]

TASK [ks-core/ks-core : KubeSphere | Setting master num] ***********************
ok: [localhost]

TASK [ks-core/ks-core : KubeSphere | Override master num] **********************
skipping: [localhost]

TASK [ks-core/ks-core : KubeSphere | Setting enableHA] *************************
ok: [localhost]

TASK [ks-core/ks-core : KubeSphere | Checking ks-core Helm Release] ************
changed: [localhost]

TASK [ks-core/ks-core : KubeSphere | Checking ks-core Exsit] *******************
changed: [localhost]

TASK [ks-core/ks-core : KubeSphere | Convert ks-core to helm mananged] *********
skipping: [localhost] => (item={'ns': 'kubesphere-controls-system', 'kind': 'serviceaccounts', 'resource': 'kubesphere-cluster-admin', 'release': 'ks-core'}) 
skipping: [localhost] => (item={'ns': 'kubesphere-controls-system', 'kind': 'serviceaccounts', 'resource': 'kubesphere-router-serviceaccount', 'release': 'ks-core'}) 
skipping: [localhost] => (item={'ns': 'kubesphere-controls-system', 'kind': 'role', 'resource': 'system:kubesphere-router-role', 'release': 'ks-core'}) 
skipping: [localhost] => (item={'ns': 'kubesphere-controls-system', 'kind': 'rolebinding', 'resource': 'nginx-ingress-role-nisa-binding', 'release': 'ks-core'}) 
skipping: [localhost] => (item={'ns': 'kubesphere-controls-system', 'kind': 'deployment', 'resource': 'default-http-backend', 'release': 'ks-core'}) 
skipping: [localhost] => (item={'ns': 'kubesphere-controls-system', 'kind': 'service', 'resource': 'default-http-backend', 'release': 'ks-core'}) 
skipping: [localhost] => (item={'ns': 'kubesphere-system', 'kind': 'secrets', 'resource': 'ks-controller-manager-webhook-cert', 'release': 'ks-core'}) 
skipping: [localhost] => (item={'ns': 'kubesphere-system', 'kind': 'serviceaccounts', 'resource': 'kubesphere', 'release': 'ks-core'}) 
skipping: [localhost] => (item={'ns': 'kubesphere-system', 'kind': 'configmaps', 'resource': 'ks-console-config', 'release': 'ks-core'}) 
skipping: [localhost] => (item={'ns': 'kubesphere-system', 'kind': 'configmaps', 'resource': 'ks-router-config', 'release': 'ks-core'}) 
skipping: [localhost] => (item={'ns': 'kubesphere-system', 'kind': 'configmaps', 'resource': 'sample-bookinfo', 'release': 'ks-core'}) 
skipping: [localhost] => (item={'ns': 'kubesphere-system', 'kind': 'clusterroles', 'resource': 'system:kubesphere-router-clusterrole', 'release': 'ks-core'}) 
skipping: [localhost] => (item={'ns': 'kubesphere-system', 'kind': 'clusterrolebindings', 'resource': 'system:nginx-ingress-clusterrole-nisa-binding', 'release': 'ks-core'}) 
skipping: [localhost] => (item={'ns': 'kubesphere-system', 'kind': 'clusterrolebindings', 'resource': 'system:kubesphere-cluster-admin', 'release': 'ks-core'}) 
skipping: [localhost] => (item={'ns': 'kubesphere-system', 'kind': 'clusterrolebindings', 'resource': 'kubesphere', 'release': 'ks-core'}) 
skipping: [localhost] => (item={'ns': 'kubesphere-system', 'kind': 'services', 'resource': 'ks-apiserver', 'release': 'ks-core'}) 
skipping: [localhost] => (item={'ns': 'kubesphere-system', 'kind': 'services', 'resource': 'ks-console', 'release': 'ks-core'}) 
skipping: [localhost] => (item={'ns': 'kubesphere-system', 'kind': 'services', 'resource': 'ks-controller-manager', 'release': 'ks-core'}) 
skipping: [localhost] => (item={'ns': 'kubesphere-system', 'kind': 'deployments', 'resource': 'ks-apiserver', 'release': 'ks-core'}) 
skipping: [localhost] => (item={'ns': 'kubesphere-system', 'kind': 'deployments', 'resource': 'ks-console', 'release': 'ks-core'}) 
skipping: [localhost] => (item={'ns': 'kubesphere-system', 'kind': 'deployments', 'resource': 'ks-controller-manager', 'release': 'ks-core'}) 
skipping: [localhost] => (item={'ns': 'kubesphere-system', 'kind': 'validatingwebhookconfigurations', 'resource': 'users.iam.kubesphere.io', 'release': 'ks-core'}) 
skipping: [localhost] => (item={'ns': 'kubesphere-system', 'kind': 'validatingwebhookconfigurations', 'resource': 'resourcesquotas.quota.kubesphere.io', 'release': 'ks-core'}) 
skipping: [localhost] => (item={'ns': 'kubesphere-system', 'kind': 'validatingwebhookconfigurations', 'resource': 'network.kubesphere.io', 'release': 'ks-core'}) 
skipping: [localhost] => (item={'ns': 'kubesphere-system', 'kind': 'users.iam.kubesphere.io', 'resource': 'admin', 'release': 'ks-core'}) 

TASK [ks-core/ks-core : KubeSphere | Patch admin user] *************************
skipping: [localhost]

TASK [ks-core/ks-core : KubeSphere | Getting ks-core helm charts] **************
changed: [localhost] => (item=ks-core)

TASK [ks-core/ks-core : KubeSphere | Checking KubeSphere Admin User] ***********
changed: [localhost]

TASK [ks-core/ks-core : set_fact] **********************************************
ok: [localhost]

TASK [ks-core/ks-core : shell] *************************************************
skipping: [localhost]

TASK [ks-core/ks-core : KubeSphere | Creating manifests] ***********************
changed: [localhost] => (item={'path': 'ks-core', 'file': 'custom-values-ks-core.yaml'})

TASK [ks-core/ks-core : KubeSphere | Upgrade CRDs] *****************************
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/app_v1beta1_application.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/application.kubesphere.io_helmapplications.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/application.kubesphere.io_helmapplicationversions.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/application.kubesphere.io_helmcategories.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/application.kubesphere.io_helmreleases.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/application.kubesphere.io_helmrepos.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/cluster.kubesphere.io_clusters.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/gateway.kubesphere.io_gateways.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/gateway.kubesphere.io_nginxes.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/iam.kubesphere.io_federatedrolebindings.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/iam.kubesphere.io_federatedroles.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/iam.kubesphere.io_federatedusers.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/iam.kubesphere.io_globalrolebindings.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/iam.kubesphere.io_globalroles.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/iam.kubesphere.io_groupbindings.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/iam.kubesphere.io_groups.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/iam.kubesphere.io_loginrecords.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/iam.kubesphere.io_rolebases.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/iam.kubesphere.io_users.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/iam.kubesphere.io_workspacerolebindings.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/iam.kubesphere.io_workspaceroles.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/network.kubesphere.io_ipamblocks.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/network.kubesphere.io_ipamhandles.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/network.kubesphere.io_ippools.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/network.kubesphere.io_namespacenetworkpolicies.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/quota.kubesphere.io_resourcequotas.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/servicemesh.kubesphere.io_servicepolicies.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/servicemesh.kubesphere.io_strategies.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/storage.kubesphere.io_storageclasseraccessor.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/tenant.kubesphere.io_workspaces.yaml)
changed: [localhost] => (item=/kubesphere/kubesphere/ks-core/crds/tenant.kubesphere.io_workspacetemplates.yaml)

TASK [ks-core/ks-core : KubeSphere | Creating ks-core] *************************
changed: [localhost]

TASK [ks-core/ks-core : KubeSphere | Creating manifests] ***********************
changed: [localhost] => (item={'path': 'ks-core', 'file': 'ks-upgrade.yaml'})

TASK [ks-core/ks-core : Kubesphere | Checking Users Manger and Workspaces Manger] ***
changed: [localhost]

TASK [ks-core/ks-core : Kubesphere | Checking migration job] *******************
skipping: [localhost]

TASK [ks-core/ks-core : KubeSphere | Creating migration job] *******************
skipping: [localhost]

TASK [ks-core/ks-core : KubeSphere | Importing ks-core status] *****************
changed: [localhost]

TASK [ks-core/prepare : KubeSphere | Checking core components (1)] *************
changed: [localhost]

TASK [ks-core/prepare : KubeSphere | Checking core components (2)] *************
changed: [localhost]

TASK [ks-core/prepare : KubeSphere | Checking core components (3)] *************
skipping: [localhost]

TASK [ks-core/prepare : KubeSphere | Checking core components (4)] *************
skipping: [localhost]

TASK [ks-core/prepare : KubeSphere | Updating ks-core status] ******************
skipping: [localhost]

TASK [ks-core/prepare : set_fact] **********************************************
skipping: [localhost]

TASK [ks-core/prepare : KubeSphere | Creating KubeSphere directory] ************
ok: [localhost]

TASK [ks-core/prepare : KubeSphere | Getting installation init files] **********
changed: [localhost] => (item=ks-init)

TASK [ks-core/prepare : KubeSphere | Initing KubeSphere] ***********************
changed: [localhost] => (item=role-templates.yaml)

TASK [ks-core/prepare : KubeSphere | Generating kubeconfig-admin] **************
skipping: [localhost]

PLAY RECAP *********************************************************************
localhost                  : ok=29   changed=21   unreachable=0    failed=0    skipped=16   rescued=0    ignored=0   
Start installing monitoring
Start installing multicluster
Start installing openpitrix
Start installing network
**************************************************
Waiting for all tasks to be completed ...
task network status is successful  (1/4)
task openpitrix status is successful  (2/4)
task multicluster status is successful  (3/4)
task monitoring status is successful  (4/4)
**************************************************
Collecting installation results ...
#####################################################
###              Welcome to KubeSphere!           ###
#####################################################

Console: http://10.10.203.121:30880
Account: admin
Password: P@88w0rd
NOTES:
  1. After you log into the console, please check the
     monitoring status of service components in
     "Cluster Management". If any service is not
     ready, please wait patiently until all components 
     are up and running.
  2. Please change the default password after login.

#####################################################
https://kubesphere.io             2025-01-06 11:53:41
#####################################################

      1. 打开浏览器console 控制台,输入globals.user.globalRules检查下当前用户的权限信息


        1. 使用kubectl get globalroles查询下权限相关的CRD资源

        2. 使用kubectl get globalroles platform-admin -o yaml 检查下管理员权限数据是否包含基础权限模版 role-template-manage-users


          bixiaoyu
          看起来 从接口获取数据 到 前端页面 解析出来的权限结果不对,少了user-manage的权限,需要再检查下接口返回的数据

              smartcat999 是不是我定义的yaml资源有问题啊

              刚开始的时候。我修改了一下的资源cluster-configuration.yaml文件,把不用的功能都给false掉了,如下所示:

              #cat cluster-configuration.yaml

              ---
apiVersion: installer.kubesphere.io/v1alpha1
kind: ClusterConfiguration
metadata:
  name: ks-installer
  namespace: kubesphere-system
  labels:
    version: v3.3.1
spec:
  persistence:
    storageClass: ""        # If there is no default StorageClass in your cluster, you need to specify an existing StorageClass here.
  authentication:
    # adminPassword: ""     # Custom password of the admin user. If the parameter exists but the value is empty, a random password is generated. If the parameter does not exist, P@88w0rd is used.
    jwtSecret: ""           # Keep the jwtSecret consistent with the Host Cluster. Retrieve the jwtSecret by executing "kubectl -n kubesphere-system get cm kubesphere-config -o yaml | grep -v "apiVersion" | grep jwtSecret" on the Host Cluster.
  local_registry: ""        # Add your private registry address if it is needed.
  # dev_tag: ""               # Add your kubesphere image tag you want to install, by default it's same as ks-installer release version.
  etcd:
    monitoring: false       # Enable or disable etcd monitoring dashboard installation. You have to create a Secret for etcd before you enable it.
    endpointIps: localhost  # etcd cluster EndpointIps. It can be a bunch of IPs here.
    port: 2379              # etcd port.
    tlsEnable: true
  common:
    core:
      console:
        enableMultiLogin: true  # Enable or disable simultaneous logins. It allows different users to log in with the same account at the same time.
        port: 30880
        type: NodePort

    # apiserver:            # Enlarge the apiserver and controller manager's resource requests and limits for the large cluster
    #  resources: {}
    # controllerManager:
    #  resources: {}
    redis:
      enabled: false
      enableHA: false
      volumeSize: 2Gi # Redis PVC size.
    openldap:
      enabled: false
      volumeSize: 2Gi   # openldap PVC size.
    minio:
      volumeSize: 20Gi # Minio PVC size.
    monitoring:
      # type: external   # Whether to specify the external prometheus stack, and need to modify the endpoint at the next line.
      endpoint: http://prometheus-operated.kubesphere-monitoring-system.svc:9090 # Prometheus endpoint to get metrics data.
      GPUMonitoring:     # Enable or disable the GPU-related metrics. If you enable this switch but have no GPU resources, Kubesphere will set it to zero.
        enabled: false
    gpu:                 # Install GPUKinds. The default GPU kind is nvidia.com/gpu. Other GPU kinds can be added here according to your needs.
      kinds:
      - resourceName: "nvidia.com/gpu"
        resourceType: "GPU"
        default: false
    es:   # Storage backend for logging, events and auditing.
      # master:
      #   volumeSize: 4Gi  # The volume size of Elasticsearch master nodes.
      #   replicas: 1      # The total number of master nodes. Even numbers are not allowed.
      #   resources: {}
      # data:
      #   volumeSize: 20Gi  # The volume size of Elasticsearch data nodes.
      #   replicas: 1       # The total number of data nodes.
      #   resources: {}
      logMaxAge: 15             # Log retention time in built-in Elasticsearch. It is 7 days by default.
      elkPrefix: logstash      # The string making up index names. The index name will be formatted as ks-<elk_prefix>-log.
      basicAuth:
        enabled: false
        username: ""
        password: ""
      externalElasticsearchHost: ""
      externalElasticsearchPort: ""
  alerting:                # (CPU: 0.1 Core, Memory: 100 MiB) It enables users to customize alerting policies to send messages to receivers in time with different time intervals and alerting levels to choose from.
    enabled: false        # Enable or disable the KubeSphere Alerting System.
    # thanosruler:
    #   replicas: 1
    #   resources: {}
  auditing:                # Provide a security-relevant chronological set of records,recording the sequence of activities happening on the platform, initiated by different tenants.
    enabled: false         # Enable or disable the KubeSphere Auditing Log System.
    # operator:
    #   resources: {}
    # webhook:
    #   resources: {}
  devops:                  # (CPU: 0.47 Core, Memory: 8.6 G) Provide an out-of-the-box CI/CD system based on Jenkins, and automated workflow tools including Source-to-Image & Binary-to-Image.
    enabled: false             # Enable or disable the KubeSphere DevOps System.
    # resources: {}
    jenkinsMemoryLim: 8Gi      # Jenkins memory limit.
    jenkinsMemoryReq: 4Gi   # Jenkins memory request.
    jenkinsVolumeSize: 8Gi     # Jenkins volume size.
  events:                  # Provide a graphical web console for Kubernetes Events exporting, filtering and alerting in multi-tenant Kubernetes clusters.
    enabled: false         # Enable or disable the KubeSphere Events System.
    # operator:
    #   resources: {}
    # exporter:
    #   resources: {}
    # ruler:
    #   enabled: true
    #   replicas: 2
    #   resources: {}
  logging:                 # (CPU: 57 m, Memory: 2.76 G) Flexible logging functions are provided for log query, collection and management in a unified console. Additional log collectors can be added, such as Elasticsearch, Kafka and Fluentd.
    enabled: false       # Enable or disable the KubeSphere Logging System.
    logsidecar:
      enabled: false
      replicas: 2
      # resources: {}
  metrics_server:                    # (CPU: 56 m, Memory: 44.35 MiB) It enables HPA (Horizontal Pod Autoscaler).
    enabled: false                  # Enable or disable metrics-server.
  monitoring:
    storageClass: ""                 # If there is an independent StorageClass you need for Prometheus, you can specify it here. The default StorageClass is used by default.
    node_exporter:
      port: 9100
      # resources: {}
    # kube_rbac_proxy:
    #   resources: {}
    # kube_state_metrics:
    #   resources: {}
    # prometheus:
    #   replicas: 1  # Prometheus replicas are responsible for monitoring different segments of data source and providing high availability.
    #   volumeSize: 20Gi  # Prometheus PVC size.
    #   resources: {}
    #   operator:
    #     resources: {}
    # alertmanager:
    #   replicas: 1          # AlertManager Replicas.
    #   resources: {}
    # notification_manager:
    #   resources: {}
    #   operator:
    #     resources: {}
    #   proxy:
    #     resources: {}
    gpu:                           # GPU monitoring-related plug-in installation.
      nvidia_dcgm_exporter:        # Ensure that gpu resources on your hosts can be used normally, otherwise this plug-in will not work properly.
        enabled: false             # Check whether the labels on the GPU hosts contain "nvidia.com/gpu.present=true" to ensure that the DCGM pod is scheduled to these nodes.
        # resources: {}
  multicluster:
    clusterRole: member  # host | member | none  # You can install a solo cluster, or specify it as the Host or Member Cluster.
#    hostClusterName: pro-host
  network:
    networkpolicy: # Network policies allow network isolation within the same cluster, which means firewalls can be set up between certain instances (Pods).
      # Make sure that the CNI network plugin used by the cluster supports NetworkPolicy. There are a number of CNI network plugins that support NetworkPolicy, including Calico, Cilium, Kube-router, Romana and Weave Net.
      enabled: false # Enable or disable network policies.
    ippool: # Use Pod IP Pools to manage the Pod network address space. Pods to be created can be assigned IP addresses from a Pod IP Pool.
      type: none # Specify "calico" for this field if Calico is used as your CNI plugin. "none" means that Pod IP Pools are disabled.
    topology: # Use Service Topology to view Service-to-Service communication based on Weave Scope.
      type: none # Specify "weave-scope" for this field to enable Service Topology. "none" means that Service Topology is disabled.
  openpitrix: # An App Store that is accessible to all platform tenants. You can use it to manage apps across their entire lifecycle.
    store:
      enabled: false # Enable or disable the KubeSphere App Store.
  servicemesh:         # (0.3 Core, 300 MiB) Provide fine-grained traffic management, observability and tracing, and visualized traffic topology.
    enabled: false     # Base component (pilot). Enable or disable KubeSphere Service Mesh (Istio-based).
    istio:  # Customizing the istio installation configuration, refer to https://istio.io/latest/docs/setup/additional-setup/customize-installation/
      components:
        ingressGateways:
        - name: istio-ingressgateway
          enabled: false
        cni:
          enabled: false
  edgeruntime:          # Add edge nodes to your cluster and deploy workloads on edge nodes.
    enabled: false
    kubeedge:        # kubeedge configurations
      enabled: false
      cloudCore:
        cloudHub:
          advertiseAddress: # At least a public IP address or an IP address which can be accessed by edge nodes must be provided.
            - ""            # Note that once KubeEdge is enabled, CloudCore will malfunction if the address is not provided.
        service:
          cloudhubNodePort: "30000"
          cloudhubQuicNodePort: "30001"
          cloudhubHttpsNodePort: "30002"
          cloudstreamNodePort: "30003"
          tunnelNodePort: "30004"
        # resources: {}
        # hostNetWork: false
      iptables-manager:
        enabled: true 
        mode: "external"
        # resources: {}
      # edgeService:
      #   resources: {}
  gatekeeper:        # Provide admission policy and rule management, A validating (mutating TBA) webhook that enforces CRD-based policies executed by Open Policy Agent.
    enabled: false   # Enable or disable Gatekeeper.
    # controller_manager:
    #   resources: {}
    # audit:
    #   resources: {}
  terminal:
    # image: 'alpine:3.15' # There must be an nsenter program in the image
    timeout: 600         # Container timeout, if set to 0, no timeout will be used. The unit is seconds

              #cat kubesphere-installer.yaml(该资源未变更)

              ---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: clusterconfigurations.installer.kubesphere.io
spec:
  group: installer.kubesphere.io
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              x-kubernetes-preserve-unknown-fields: true
            status:
              type: object
              x-kubernetes-preserve-unknown-fields: true
  scope: Namespaced
  names:
    plural: clusterconfigurations
    singular: clusterconfiguration
    kind: ClusterConfiguration
    shortNames:
      - cc

---
apiVersion: v1
kind: Namespace
metadata:
  name: kubesphere-system

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ks-installer
  namespace: kubesphere-system

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ks-installer
rules:
- apiGroups:
  - ""
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - apps
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - extensions
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - batch
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - apiregistration.k8s.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - tenant.kubesphere.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - certificates.k8s.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - devops.kubesphere.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - monitoring.coreos.com
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - logging.kubesphere.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - jaegertracing.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - storage.k8s.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - policy
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - autoscaling
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - networking.istio.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - config.istio.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - iam.kubesphere.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - notification.kubesphere.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - auditing.kubesphere.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - events.kubesphere.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - core.kubefed.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - installer.kubesphere.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - storage.kubesphere.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - security.istio.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - monitoring.kiali.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - kiali.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - networking.k8s.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - edgeruntime.kubesphere.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - types.kubefed.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - monitoring.kubesphere.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - application.kubesphere.io
  resources:
  - '*'
  verbs:
  - '*'


---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ks-installer
subjects:
- kind: ServiceAccount
  name: ks-installer
  namespace: kubesphere-system
roleRef:
  kind: ClusterRole
  name: ks-installer
  apiGroup: rbac.authorization.k8s.io

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ks-installer
  namespace: kubesphere-system
  labels:
    app: ks-installer
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ks-installer
  template:
    metadata:
      labels:
        app: ks-installer
    spec:
      serviceAccountName: ks-installer
      containers:
      - name: installer
        #image: registry.cn-beijing.aliyuncs.com/devops-op/ks-installer:v3.3.1
        #image: registry.cn-beijing.aliyuncs.com/devops-op/ks-installer:v3.3.1
        image: registry.cn-beijing.aliyuncs.com/devops-op/ks-installer:v3.3.1
        imagePullPolicy: "Always"
        resources:
          limits:
            cpu: "1"
            memory: 1Gi
          requests:
            cpu: 20m
            memory: 100Mi
        volumeMounts:
        - mountPath: /etc/localtime
          name: host-time
          readOnly: true
      volumes:
      - hostPath:
          path: /etc/localtime
          type: ""
        name: host-time

                  @bixiaoyu
                  参考这篇文档:获取下当前用户的 access_token
                  https://www.kubesphere.io/zh/docs/v3.3/reference/api-docs/#%E6%AD%A5%E9%AA%A4-2%E7%94%9F%E6%88%90%E4%BB%A4%E7%89%8C

                  使用获取的token测试下当前admin用户的权限接口数据,检查下返回数据中是否包含 role-template-manage-users
                  curl --location 'http://172.31.189.234:30881/kapis/iam.kubesphere.io/v1alpha2/users/admin/globalroles' \--header 'Authorization: Bearer ****'

                    smartcat999 如下

                    #curl --location 'http://10.10.203.236:31957/kapis/iam.kubesphere.io/v1alpha2/users/admin/globalroles' \--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MzYyNDEwOTEsImlzcyI6Imt1YmVzcGhlcmUiLCJzdWIiOiJhZG1pbiIsInRva2VuX3R5cGUiOiJhY2Nlc3NfdG9rZW4iLCJ1c2VybmFtZSI6ImFkbWluIn0.Pu4Od8zOC_OfcybYaCu4ECbog_m-5rWPMhQSeqoyJWM'
                    [
 {
  "kind": "GlobalRole",
  "apiVersion": "iam.kubesphere.io/v1alpha2",
  "metadata": {
   "name": "role-template-view-workspaces",
   "uid": "54c923b5-6b8d-4f87-bd1b-06d69096d28b",
   "resourceVersion": "597769",
   "generation": 1,
   "creationTimestamp": "2025-01-06T03:49:07Z",
   "labels": {
    "iam.kubesphere.io/role-template": "true",
    "kubefed.io/managed": "true"
   },
   "annotations": {
    "iam.kubesphere.io/module": "Access Control",
    "iam.kubesphere.io/role-template-rules": "{\"workspaces\": \"view\"}",
    "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"iam.kubesphere.io/v1alpha2\",\"kind\":\"GlobalRole\",\"metadata\":{\"annotations\":{\"iam.kubesphere.io/module\":\"Access Control\",\"iam.kubesphere.io/role-template-rules\":\"{\\\"workspaces\\\": \\\"view\\\"}\",\"kubesphere.io/alias-name\":\"Workspaces View\"},\"labels\":{\"iam.kubesphere.io/role-template\":\"true\",\"kubefed.io/managed\":\"true\"},\"name\":\"role-template-view-workspaces\"},\"rules\":[{\"apiGroups\":[\"*\"],\"resources\":[\"abnormalworkloads\",\"quotas\",\"workloads\",\"volumesnapshots\",\"dashboards\",\"configmaps\",\"endpoints\",\"events\",\"limitranges\",\"namespaces\",\"persistentvolumeclaims\",\"pods\",\"podtemplates\",\"replicationcontrollers\",\"resourcequotas\",\"secrets\",\"serviceaccounts\",\"services\",\"applications\",\"controllerrevisions\",\"deployments\",\"replicasets\",\"statefulsets\",\"daemonsets\",\"meshpolicies\",\"cronjobs\",\"jobs\",\"devopsprojects\",\"devops\",\"pipelines\",\"pipelines/runs\",\"pipelines/pipelineruns\",\"pipelines/branches\",\"pipelines/checkScriptCompile\",\"pipelines/consolelog\",\"pipelines/scan\",\"pipelines/sonarstatus\",\"pipelineruns\",\"pipelineruns/nodedetails\",\"checkCron\",\"credentials\",\"credentials/usage\",\"s2ibinaries\",\"s2ibinaries/file\",\"s2ibuilders\",\"s2ibuildertemplates\",\"s2iruns\",\"horizontalpodautoscalers\",\"events\",\"ingresses\",\"router\",\"filters\",\"pods\",\"pods/log\",\"pods/containers\",\"namespacenetworkpolicies\",\"workspacenetworkpolicies\",\"networkpolicies\",\"podsecuritypolicies\",\"rolebindings\",\"roles\",\"members\",\"servicepolicies\",\"federatedconfigmaps\",\"federateddeployments\",\"federatedingresses\",\"federatedjobs\",\"federatedlimitranges\",\"federatednamespaces\",\"federatedpersistentvolumeclaims\",\"federatedreplicasets\",\"federatedsecrets\",\"federatedserviceaccounts\",\"federatedservices\",\"federatedservicestatuses\",\"federatedstatefulsets\",\"federatedworkspaces\",\"workspaces\",\"workspacetemplates\",\"workspaceroles\",\"workspacemembers\",\"workspacemembers/namespaces\",\"workspacemembers/devops\",\"workspacerolebindings\",\"repos\",\"repos/action\",\"repos/events\",\"apps\",\"apps/versions\",\"categories\",\"apps/audits\",\"clusters/applications\",\"workloads\",\"groups\",\"groupbindings\",\"applications/sync\"],\"verbs\":[\"get\",\"list\",\"watch\"]},{\"apiGroups\":[\"monitoring.kubesphere.io\",\"monitoring.coreos.com\",\"metering.kubesphere.io\",\"servicemesh.kubesphere.io\",\"alerting.kubesphere.io\",\"network.kubesphere.io\",\"resources.kubesphere.io\"],\"resources\":[\"*\"],\"verbs\":[\"list\",\"get\",\"watch\"]},{\"apiGroups\":[\"*\"],\"resources\":[\"clusters\",\"cluster\"],\"verbs\":[\"list\"]}]}\n",
    "kubesphere.io/alias-name": "Workspaces View"
   },
   "managedFields": [
    {
     "manager": "kubectl-client-side-apply",
     "operation": "Update",
     "apiVersion": "iam.kubesphere.io/v1alpha2",
     "time": "2025-01-06T03:49:07Z",
     "fieldsType": "FieldsV1",
     "fieldsV1": {
      "f:metadata": {
       "f:annotations": {
        ".": {},
        "f:iam.kubesphere.io/module": {},
        "f:iam.kubesphere.io/role-template-rules": {},
        "f:kubectl.kubernetes.io/last-applied-configuration": {},
        "f:kubesphere.io/alias-name": {}
       },
       "f:labels": {
        ".": {},
        "f:iam.kubesphere.io/role-template": {},
        "f:kubefed.io/managed": {}
       }
      },
      "f:rules": {}
     }
    }
   ]
  },
  "rules": [
   {
    "verbs": [
     "get",
     "list",
     "watch"
    ],
    "apiGroups": [
     "*"
    ],
    "resources": [
     "abnormalworkloads",
     "quotas",
     "workloads",
     "volumesnapshots",
     "dashboards",
     "configmaps",
     "endpoints",
     "events",
     "limitranges",
     "namespaces",
     "persistentvolumeclaims",
     "pods",
     "podtemplates",
     "replicationcontrollers",
     "resourcequotas",
     "secrets",
     "serviceaccounts",
     "services",
     "applications",
     "controllerrevisions",
     "deployments",
     "replicasets",
     "statefulsets",
     "daemonsets",
     "meshpolicies",
     "cronjobs",
     "jobs",
     "devopsprojects",
     "devops",
     "pipelines",
     "pipelines/runs",
     "pipelines/pipelineruns",
     "pipelines/branches",
     "pipelines/checkScriptCompile",
     "pipelines/consolelog",
     "pipelines/scan",
     "pipelines/sonarstatus",
     "pipelineruns",
     "pipelineruns/nodedetails",
     "checkCron",
     "credentials",
     "credentials/usage",
     "s2ibinaries",
     "s2ibinaries/file",
     "s2ibuilders",
     "s2ibuildertemplates",
     "s2iruns",
     "horizontalpodautoscalers",
     "events",
     "ingresses",
     "router",
     "filters",
     "pods",
     "pods/log",
     "pods/containers",
     "namespacenetworkpolicies",
     "workspacenetworkpolicies",
     "networkpolicies",
     "podsecuritypolicies",
     "rolebindings",
     "roles",
     "members",
     "servicepolicies",
     "federatedconfigmaps",
     "federateddeployments",
     "federatedingresses",
     "federatedjobs",
     "federatedlimitranges",
     "federatednamespaces",
     "federatedpersistentvolumeclaims",
     "federatedreplicasets",
     "federatedsecrets",
     "federatedserviceaccounts",
     "federatedservices",
     "federatedservicestatuses",
     "federatedstatefulsets",
     "federatedworkspaces",
     "workspaces",
     "workspacetemplates",
     "workspaceroles",
     "workspacemembers",
     "workspacemembers/namespaces",
     "workspacemembers/devops",
     "workspacerolebindings",
     "repos",
     "repos/action",
     "repos/events",
     "apps",
     "apps/versions",
     "categories",
     "apps/audits",
     "clusters/applications",
     "workloads",
     "groups",
     "groupbindings",
     "applications/sync"
    ]
   },
   {
    "verbs": [
     "list",
     "get",
     "watch"
    ],
    "apiGroups": [
     "monitoring.kubesphere.io",
     "monitoring.coreos.com",
     "metering.kubesphere.io",
     "servicemesh.kubesphere.io",
     "alerting.kubesphere.io",
     "network.kubesphere.io",
     "resources.kubesphere.io"
    ],
    "resources": [
     "*"
    ]
   },
   {
    "verbs": [
     "list"
    ],
    "apiGroups": [
     "*"
    ],
    "resources": [
     "clusters",
     "cluster"
    ]
   }
  ]
 },
 {
  "kind": "GlobalRole",
  "apiVersion": "iam.kubesphere.io/v1alpha2",
  "metadata": {
   "name": "role-template-view-users",
   "uid": "23096520-2183-413b-828a-e236d20832f8",
   "resourceVersion": "597772",
   "generation": 1,
   "creationTimestamp": "2025-01-06T03:49:07Z",
   "labels": {
    "iam.kubesphere.io/role-template": "true"
   },
   "annotations": {
    "iam.kubesphere.io/module": "Access Control",
    "iam.kubesphere.io/role-template-rules": "{\"users\": \"view\"}",
    "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"iam.kubesphere.io/v1alpha2\",\"kind\":\"GlobalRole\",\"metadata\":{\"annotations\":{\"iam.kubesphere.io/module\":\"Access Control\",\"iam.kubesphere.io/role-template-rules\":\"{\\\"users\\\": \\\"view\\\"}\",\"kubesphere.io/alias-name\":\"Users View\"},\"labels\":{\"iam.kubesphere.io/role-template\":\"true\"},\"name\":\"role-template-view-users\"},\"rules\":[{\"apiGroups\":[\"*\"],\"resources\":[\"users\",\"users/loginrecords\"],\"verbs\":[\"get\",\"list\",\"watch\"]}]}\n",
    "kubesphere.io/alias-name": "Users View"
   },
   "managedFields": [
    {
     "manager": "kubectl-client-side-apply",
     "operation": "Update",
     "apiVersion": "iam.kubesphere.io/v1alpha2",
     "time": "2025-01-06T03:49:07Z",
     "fieldsType": "FieldsV1",
     "fieldsV1": {
      "f:metadata": {
       "f:annotations": {
        ".": {},
        "f:iam.kubesphere.io/module": {},
        "f:iam.kubesphere.io/role-template-rules": {},
        "f:kubectl.kubernetes.io/last-applied-configuration": {},
        "f:kubesphere.io/alias-name": {}
       },
       "f:labels": {
        ".": {},
        "f:iam.kubesphere.io/role-template": {}
       }
      },
      "f:rules": {}
     }
    }
   ]
  },
  "rules": [
   {
    "verbs": [
     "get",
     "list",
     "watch"
    ],
    "apiGroups": [
     "*"
    ],
    "resources": [
     "users",
     "users/loginrecords"
    ]
   }
  ]
 },
 {
  "kind": "GlobalRole",
  "apiVersion": "iam.kubesphere.io/v1alpha2",
  "metadata": {
   "name": "role-template-view-roles",
   "uid": "489fd1fa-4370-4c39-8daa-5f5a51aecd45",
   "resourceVersion": "597774",
   "generation": 1,
   "creationTimestamp": "2025-01-06T03:49:07Z",
   "labels": {
    "iam.kubesphere.io/role-template": "true"
   },
   "annotations": {
    "iam.kubesphere.io/dependencies": "[\"role-template-view-users\"]",
    "iam.kubesphere.io/module": "Access Control",
    "iam.kubesphere.io/role-template-rules": "{\"roles\": \"view\"}",
    "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"iam.kubesphere.io/v1alpha2\",\"kind\":\"GlobalRole\",\"metadata\":{\"annotations\":{\"iam.kubesphere.io/dependencies\":\"[\\\"role-template-view-users\\\"]\",\"iam.kubesphere.io/module\":\"Access Control\",\"iam.kubesphere.io/role-template-rules\":\"{\\\"roles\\\": \\\"view\\\"}\",\"kubesphere.io/alias-name\":\"Roles View\"},\"labels\":{\"iam.kubesphere.io/role-template\":\"true\"},\"name\":\"role-template-view-roles\"},\"rules\":[{\"apiGroups\":[\"iam.kubesphere.io\"],\"resources\":[\"globalroles\"],\"verbs\":[\"get\",\"list\",\"watch\"]}]}\n",
    "kubesphere.io/alias-name": "Roles View"
   },
   "managedFields": [
    {
     "manager": "kubectl-client-side-apply",
     "operation": "Update",
     "apiVersion": "iam.kubesphere.io/v1alpha2",
     "time": "2025-01-06T03:49:07Z",
     "fieldsType": "FieldsV1",
     "fieldsV1": {
      "f:metadata": {
       "f:annotations": {
        ".": {},
        "f:iam.kubesphere.io/dependencies": {},
        "f:iam.kubesphere.io/module": {},
        "f:iam.kubesphere.io/role-template-rules": {},
        "f:kubectl.kubernetes.io/last-applied-configuration": {},
        "f:kubesphere.io/alias-name": {}
       },
       "f:labels": {
        ".": {},
        "f:iam.kubesphere.io/role-template": {}
       }
      },
      "f:rules": {}
     }
    }
   ]
  },
  "rules": [
   {
    "verbs": [
     "get",
     "list",
     "watch"
    ],
    "apiGroups": [
     "iam.kubesphere.io"
    ],
    "resources": [
     "globalroles"
    ]
   }
  ]
 },
 {
  "kind": "GlobalRole",
  "apiVersion": "iam.kubesphere.io/v1alpha2",
  "metadata": {
   "name": "role-template-view-roles",
   "uid": "489fd1fa-4370-4c39-8daa-5f5a51aecd45",
   "resourceVersion": "597774",
   "generation": 1,
   "creationTimestamp": "2025-01-06T03:49:07Z",
   "labels": {
    "iam.kubesphere.io/role-template": "true"
   },
   "annotations": {
    "iam.kubesphere.io/dependencies": "[\"role-template-view-users\"]",
    "iam.kubesphere.io/module": "Access Control",
    "iam.kubesphere.io/role-template-rules": "{\"roles\": \"view\"}",
    "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"iam.kubesphere.io/v1alpha2\",\"kind\":\"GlobalRole\",\"metadata\":{\"annotations\":{\"iam.kubesphere.io/dependencies\":\"[\\\"role-template-view-users\\\"]\",\"iam.kubesphere.io/module\":\"Access Control\",\"iam.kubesphere.io/role-template-rules\":\"{\\\"roles\\\": \\\"view\\\"}\",\"kubesphere.io/alias-name\":\"Roles View\"},\"labels\":{\"iam.kubesphere.io/role-template\":\"true\"},\"name\":\"role-template-view-roles\"},\"rules\":[{\"apiGroups\":[\"iam.kubesphere.io\"],\"resources\":[\"globalroles\"],\"verbs\":[\"get\",\"list\",\"watch\"]}]}\n",
    "kubesphere.io/alias-name": "Roles View"
   },
   "managedFields": [
    {
     "manager": "kubectl-client-side-apply",
     "operation": "Update",
     "apiVersion": "iam.kubesphere.io/v1alpha2",
     "time": "2025-01-06T03:49:07Z",
     "fieldsType": "FieldsV1",
     "fieldsV1": {
      "f:metadata": {
       "f:annotations": {
        ".": {},
        "f:iam.kubesphere.io/dependencies": {},
        "f:iam.kubesphere.io/module": {},
        "f:iam.kubesphere.io/role-template-rules": {},
        "f:kubectl.kubernetes.io/last-applied-configuration": {},
        "f:kubesphere.io/alias-name": {}
       },
       "f:labels": {
        ".": {},
        "f:iam.kubesphere.io/role-template": {}
       }
      },
      "f:rules": {}
     }
    }
   ]
  },
  "rules": [
   {
    "verbs": [
     "get",
     "list",
     "watch"
    ],
    "apiGroups": [
     "iam.kubesphere.io"
    ],
    "resources": [
     "globalroles"
    ]
   }
  ]
 },
 {
  "kind": "GlobalRole",
  "apiVersion": "iam.kubesphere.io/v1alpha2",
  "metadata": {
   "name": "role-template-view-roles",
   "uid": "489fd1fa-4370-4c39-8daa-5f5a51aecd45",
   "resourceVersion": "597774",
   "generation": 1,
   "creationTimestamp": "2025-01-06T03:49:07Z",
   "labels": {
    "iam.kubesphere.io/role-template": "true"
   },
   "annotations": {
    "iam.kubesphere.io/dependencies": "[\"role-template-view-users\"]",
    "iam.kubesphere.io/module": "Access Control",
    "iam.kubesphere.io/role-template-rules": "{\"roles\": \"view\"}",
    "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"iam.kubesphere.io/v1alpha2\",\"kind\":\"GlobalRole\",\"metadata\":{\"annotations\":{\"iam.kubesphere.io/dependencies\":\"[\\\"role-template-view-users\\\"]\",\"iam.kubesphere.io/module\":\"Access Control\",\"iam.kubesphere.io/role-template-rules\":\"{\\\"roles\\\": \\\"view\\\"}\",\"kubesphere.io/alias-name\":\"Roles View\"},\"labels\":{\"iam.kubesphere.io/role-template\":\"true\"},\"name\":\"role-template-view-roles\"},\"rules\":[{\"apiGroups\":[\"iam.kubesphere.io\"],\"resources\":[\"globalroles\"],\"verbs\":[\"get\",\"list\",\"watch\"]}]}\n",
    "kubesphere.io/alias-name": "Roles View"
   },
   "managedFields": [
    {
     "manager": "kubectl-client-side-apply",
     "operation": "Update",
     "apiVersion": "iam.kubesphere.io/v1alpha2",
     "time": "2025-01-06T03:49:07Z",
     "fieldsType": "FieldsV1",
     "fieldsV1": {
      "f:metadata": {
       "f:annotations": {
        ".": {},
        "f:iam.kubesphere.io/dependencies": {},
        "f:iam.kubesphere.io/module": {},
        "f:iam.kubesphere.io/role-template-rules": {},
        "f:kubectl.kubernetes.io/last-applied-configuration": {},
        "f:kubesphere.io/alias-name": {}
       },
       "f:labels": {
        ".": {},
        "f:iam.kubesphere.io/role-template": {}
       }
      },
      "f:rules": {}
     }
    }
   ]
  },
  "rules": [
   {
    "verbs": [
     "get",
     "list",
     "watch"
    ],
    "apiGroups": [
     "iam.kubesphere.io"
    ],
    "resources": [
     "globalroles"
    ]
   }
  ]
 },
 {
  "kind": "GlobalRole",
  "apiVersion": "iam.kubesphere.io/v1alpha2",
  "metadata": {
   "name": "role-template-view-clusters",
   "uid": "6e0b9f0e-dce3-44b7-87f8-f3d694813252",
   "resourceVersion": "597767",
   "generation": 1,
   "creationTimestamp": "2025-01-06T03:49:07Z",
   "labels": {
    "iam.kubesphere.io/role-template": "true"
   },
   "annotations": {
    "iam.kubesphere.io/module": "Clusters Management",
    "iam.kubesphere.io/role-template-rules": "{\"clusters\": \"view\"}",
    "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"iam.kubesphere.io/v1alpha2\",\"kind\":\"GlobalRole\",\"metadata\":{\"annotations\":{\"iam.kubesphere.io/module\":\"Clusters Management\",\"iam.kubesphere.io/role-template-rules\":\"{\\\"clusters\\\": \\\"view\\\"}\",\"kubesphere.io/alias-name\":\"Clusters View\"},\"labels\":{\"iam.kubesphere.io/role-template\":\"true\"},\"name\":\"role-template-view-clusters\"},\"rules\":[{\"apiGroups\":[\"\",\"apiextensions.k8s.io\",\"app.k8s.io\",\"apps\",\"autoscaling\",\"batch\",\"config.istio.io\",\"devops.kubesphere.io\",\"devops.kubesphere.io\",\"events.k8s.io\",\"events.kubesphere.io\",\"extensions\",\"istio.kubesphere.io\",\"jaegertracing.io\",\"logging.kubesphere.io\",\"metrics.k8s.io\",\"monitoring.coreos.com\",\"monitoring.kubesphere.io\",\"metering.kubesphere.io\",\"network.kubesphere.io\",\"networking.istio.io\",\"networking.k8s.io\",\"node.k8s.io\",\"rbac.istio.io\",\"scheduling.k8s.io\",\"security.istio.io\",\"servicemesh.kubesphere.io\",\"snapshot.storage.k8s.io\",\"storage.k8s.io\",\"storage.k8s.io\",\"storage.kubesphere.io\",\"resources.kubesphere.io\",\"notification.kubesphere.io\",\"alerting.kubesphere.io\",\"cluster.kubesphere.io\",\"types.kubefed.io\",\"gateway.kubesphere.io\"],\"resources\":[\"*\"],\"verbs\":[\"get\",\"list\",\"watch\"]},{\"apiGroups\":[\"tenant.kubesphere.io\"],\"resources\":[\"workspaces\",\"workspacetemplates\"],\"verbs\":[\"get\",\"list\",\"watch\"]},{\"apiGroups\":[\"iam.kubesphere.io\"],\"resources\":[\"clustermembers\",\"clusterroles\"],\"verbs\":[\"get\",\"list\",\"watch\"]},{\"nonResourceURLs\":[\"*\"],\"verbs\":[\"GET\"]}]}\n",
    "kubesphere.io/alias-name": "Clusters View"
   },
   "managedFields": [
    {
     "manager": "kubectl-client-side-apply",
     "operation": "Update",
     "apiVersion": "iam.kubesphere.io/v1alpha2",
     "time": "2025-01-06T03:49:07Z",
     "fieldsType": "FieldsV1",
     "fieldsV1": {
      "f:metadata": {
       "f:annotations": {
        ".": {},
        "f:iam.kubesphere.io/module": {},
        "f:iam.kubesphere.io/role-template-rules": {},
        "f:kubectl.kubernetes.io/last-applied-configuration": {},
        "f:kubesphere.io/alias-name": {}
       },
       "f:labels": {
        ".": {},
        "f:iam.kubesphere.io/role-template": {}
       }
      },
      "f:rules": {}
     }
    }
   ]
  },
  "rules": [
   {
    "verbs": [
     "get",
     "list",
     "watch"
    ],
    "apiGroups": [
     "",
     "apiextensions.k8s.io",
     "app.k8s.io",
     "apps",
     "autoscaling",
     "batch",
     "config.istio.io",
     "devops.kubesphere.io",
     "devops.kubesphere.io",
     "events.k8s.io",
     "events.kubesphere.io",
     "extensions",
     "istio.kubesphere.io",
     "jaegertracing.io",
     "logging.kubesphere.io",
     "metrics.k8s.io",
     "monitoring.coreos.com",
     "monitoring.kubesphere.io",
     "metering.kubesphere.io",
     "network.kubesphere.io",
     "networking.istio.io",
     "networking.k8s.io",
     "node.k8s.io",
     "rbac.istio.io",
     "scheduling.k8s.io",
     "security.istio.io",
     "servicemesh.kubesphere.io",
     "snapshot.storage.k8s.io",
     "storage.k8s.io",
     "storage.k8s.io",
     "storage.kubesphere.io",
     "resources.kubesphere.io",
     "notification.kubesphere.io",
     "alerting.kubesphere.io",
     "cluster.kubesphere.io",
     "types.kubefed.io",
     "gateway.kubesphere.io"
    ],
    "resources": [
     "*"
    ]
   },
   {
    "verbs": [
     "get",
     "list",
     "watch"
    ],
    "apiGroups": [
     "tenant.kubesphere.io"
    ],
    "resources": [
     "workspaces",
     "workspacetemplates"
    ]
   },
   {
    "verbs": [
     "get",
     "list",
     "watch"
    ],
    "apiGroups": [
     "iam.kubesphere.io"
    ],
    "resources": [
     "clustermembers",
     "clusterroles"
    ]
   },
   {
    "verbs": [
     "GET"
    ],
    "nonResourceURLs": [
     "*"
    ]
   }
  ]
 },
 {
  "kind": "GlobalRole",
  "apiVersion": "iam.kubesphere.io/v1alpha2",
  "metadata": {
   "name": "role-template-view-app-templates",
   "uid": "47cae02b-c659-4ef1-bb3e-1ac961089327",
   "resourceVersion": "597776",
   "generation": 1,
   "creationTimestamp": "2025-01-06T03:49:07Z",
   "labels": {
    "iam.kubesphere.io/role-template": "true"
   },
   "annotations": {
    "iam.kubesphere.io/module": "Apps Management",
    "iam.kubesphere.io/role-template-rules": "{\"app-templates\": \"view\"}",
    "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"iam.kubesphere.io/v1alpha2\",\"kind\":\"GlobalRole\",\"metadata\":{\"annotations\":{\"iam.kubesphere.io/module\":\"Apps Management\",\"iam.kubesphere.io/role-template-rules\":\"{\\\"app-templates\\\": \\\"view\\\"}\",\"kubesphere.io/alias-name\":\"App Templates View\"},\"labels\":{\"iam.kubesphere.io/role-template\":\"true\"},\"name\":\"role-template-view-app-templates\"},\"rules\":[{\"apiGroups\":[\"openpitrix.io\"],\"resources\":[\"apps\",\"apps/versions\",\"categories\"],\"verbs\":[\"get\",\"list\"]}]}\n",
    "kubesphere.io/alias-name": "App Templates View"
   },
   "managedFields": [
    {
     "manager": "kubectl-client-side-apply",
     "operation": "Update",
     "apiVersion": "iam.kubesphere.io/v1alpha2",
     "time": "2025-01-06T03:49:07Z",
     "fieldsType": "FieldsV1",
     "fieldsV1": {
      "f:metadata": {
       "f:annotations": {
        ".": {},
        "f:iam.kubesphere.io/module": {},
        "f:iam.kubesphere.io/role-template-rules": {},
        "f:kubectl.kubernetes.io/last-applied-configuration": {},
        "f:kubesphere.io/alias-name": {}
       },
       "f:labels": {
        ".": {},
        "f:iam.kubesphere.io/role-template": {}
       }
      },
      "f:rules": {}
     }
    }
   ]
  },
  "rules": [
   {
    "verbs": [
     "get",
     "list"
    ],
    "apiGroups": [
     "openpitrix.io"
    ],
    "resources": [
     "apps",
     "apps/versions",
     "categories"
    ]
   }
  ]
 },
 {
  "kind": "GlobalRole",
  "apiVersion": "iam.kubesphere.io/v1alpha2",
  "metadata": {
   "name": "role-template-manage-workspaces",
   "uid": "455266fd-1e2a-4f1f-b6db-a51335a06e85",
   "resourceVersion": "597770",
   "generation": 1,
   "creationTimestamp": "2025-01-06T03:49:07Z",
   "labels": {
    "iam.kubesphere.io/role-template": "false"
   },
   "annotations": {
    "iam.kubesphere.io/module": "Access Control",
    "iam.kubesphere.io/role-template-rules": "{\"workspaces\": \"manage\"}",
    "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"iam.kubesphere.io/v1alpha2\",\"kind\":\"GlobalRole\",\"metadata\":{\"annotations\":{\"iam.kubesphere.io/module\":\"Access Control\",\"iam.kubesphere.io/role-template-rules\":\"{\\\"workspaces\\\": \\\"manage\\\"}\",\"kubesphere.io/alias-name\":\"Workspaces Management\"},\"labels\":{\"iam.kubesphere.io/role-template\":\"false\"},\"name\":\"role-template-manage-workspaces\"},\"rules\":[{\"apiGroups\":[\"*\"],\"resources\":[\"abnormalworkloads\",\"quotas\",\"workloads\",\"volumesnapshots\",\"dashboards\",\"configmaps\",\"endpoints\",\"events\",\"limitranges\",\"namespaces\",\"persistentvolumeclaims\",\"podtemplates\",\"replicationcontrollers\",\"resourcequotas\",\"secrets\",\"serviceaccounts\",\"services\",\"applications\",\"controllerrevisions\",\"deployments\",\"replicasets\",\"statefulsets\",\"daemonsets\",\"meshpolicies\",\"cronjobs\",\"jobs\",\"devopsprojects\",\"devops\",\"pipelines\",\"pipelines/runs\",\"pipelines/pipelineruns\",\"pipelines/branches\",\"pipelines/checkScriptCompile\",\"pipelines/consolelog\",\"pipelines/scan\",\"pipelines/sonarstatus\",\"pipelineruns\",\"pipelineruns/nodedetails\",\"checkCron\",\"credentials\",\"credentials/usage\",\"s2ibinaries\",\"s2ibinaries/file\",\"s2ibuilders\",\"s2ibuildertemplates\",\"s2iruns\",\"horizontalpodautoscalers\",\"events\",\"ingresses\",\"router\",\"filters\",\"pods\",\"pods/log\",\"pods/exec\",\"pods/containers\",\"namespacenetworkpolicies\",\"workspacenetworkpolicies\",\"networkpolicies\",\"podsecuritypolicies\",\"rolebindings\",\"roles\",\"members\",\"servicepolicies\",\"federatedapplications\",\"federatedconfigmaps\",\"federateddeployments\",\"federatedingresses\",\"federatedjobs\",\"federatedlimitranges\",\"federatednamespaces\",\"federatedpersistentvolumeclaims\",\"federatedreplicasets\",\"federatedsecrets\",\"federatedserviceaccounts\",\"federatedservices\",\"federatedservicestatuses\",\"federatedstatefulsets\",\"federatedworkspaces\",\"workspaces\",\"workspacetemplates\",\"workspaceroles\",\"workspacemembers\",\"workspacemembers/namespaces\",\"workspacemembers/devops\",\"workspacerolebindings\",\"repos\",\"repos/action\",\"repos/events\",\"apps\",\"apps/versions\",\"categories\",\"apps/audits\",\"workloads\"],\"verbs\":[\"*\"]},{\"apiGroups\":[\"*\"],\"resources\":[\"clusters\"],\"verbs\":[\"list\"]},{\"apiGroups\":[\"monitoring.kubesphere.io\",\"monitoring.coreos.com\",\"metering.kubesphere.io\",\"servicemesh.kubesphere.io\",\"alerting.kubesphere.io\",\"network.kubesphere.io\",\"resources.kubesphere.io\"],\"resources\":[\"*\"],\"verbs\":[\"*\"]}]}\n",
    "kubesphere.io/alias-name": "Workspaces Management"
   },
   "managedFields": [
    {
     "manager": "kubectl-client-side-apply",
     "operation": "Update",
     "apiVersion": "iam.kubesphere.io/v1alpha2",
     "time": "2025-01-06T03:49:07Z",
     "fieldsType": "FieldsV1",
     "fieldsV1": {
      "f:metadata": {
       "f:annotations": {
        ".": {},
        "f:iam.kubesphere.io/module": {},
        "f:iam.kubesphere.io/role-template-rules": {},
        "f:kubectl.kubernetes.io/last-applied-configuration": {},
        "f:kubesphere.io/alias-name": {}
       },
       "f:labels": {
        ".": {},
        "f:iam.kubesphere.io/role-template": {}
       }
      },
      "f:rules": {}
     }
    }
   ]
  },
  "rules": [
   {
    "verbs": [
     "*"
    ],
    "apiGroups": [
     "*"
    ],
    "resources": [
     "abnormalworkloads",
     "quotas",
     "workloads",
     "volumesnapshots",
     "dashboards",
     "configmaps",
     "endpoints",
     "events",
     "limitranges",
     "namespaces",
     "persistentvolumeclaims",
     "podtemplates",
     "replicationcontrollers",
     "resourcequotas",
     "secrets",
     "serviceaccounts",
     "services",
     "applications",
     "controllerrevisions",
     "deployments",
     "replicasets",
     "statefulsets",
     "daemonsets",
     "meshpolicies",
     "cronjobs",
     "jobs",
     "devopsprojects",
     "devops",
     "pipelines",
     "pipelines/runs",
     "pipelines/pipelineruns",
     "pipelines/branches",
     "pipelines/checkScriptCompile",
     "pipelines/consolelog",
     "pipelines/scan",
     "pipelines/sonarstatus",
     "pipelineruns",
     "pipelineruns/nodedetails",
     "checkCron",
     "credentials",
     "credentials/usage",
     "s2ibinaries",
     "s2ibinaries/file",
     "s2ibuilders",
     "s2ibuildertemplates",
     "s2iruns",
     "horizontalpodautoscalers",
     "events",
     "ingresses",
     "router",
     "filters",
     "pods",
     "pods/log",
     "pods/exec",
     "pods/containers",
     "namespacenetworkpolicies",
     "workspacenetworkpolicies",
     "networkpolicies",
     "podsecuritypolicies",
     "rolebindings",
     "roles",
     "members",
     "servicepolicies",
     "federatedapplications",
     "federatedconfigmaps",
     "federateddeployments",
     "federatedingresses",
     "federatedjobs",
     "federatedlimitranges",
     "federatednamespaces",
     "federatedpersistentvolumeclaims",
     "federatedreplicasets",
     "federatedsecrets",
     "federatedserviceaccounts",
     "federatedservices",
     "federatedservicestatuses",
     "federatedstatefulsets",
     "federatedworkspaces",
     "workspaces",
     "workspacetemplates",
     "workspaceroles",
     "workspacemembers",
     "workspacemembers/namespaces",
     "workspacemembers/devops",
     "workspacerolebindings",
     "repos",
     "repos/action",
     "repos/events",
     "apps",
     "apps/versions",
     "categories",
     "apps/audits",
     "workloads"
    ]
   },
   {
    "verbs": [
     "list"
    ],
    "apiGroups": [
     "*"
    ],
    "resources": [
     "clusters"
    ]
   },
   {
    "verbs": [
     "*"
    ],
    "apiGroups": [
     "monitoring.kubesphere.io",
     "monitoring.coreos.com",
     "metering.kubesphere.io",
     "servicemesh.kubesphere.io",
     "alerting.kubesphere.io",
     "network.kubesphere.io",
     "resources.kubesphere.io"
    ],
    "resources": [
     "*"
    ]
   }
  ]
 },
 {
  "kind": "GlobalRole",
  "apiVersion": "iam.kubesphere.io/v1alpha2",
  "metadata": {
   "name": "role-template-manage-users",
   "uid": "ddb9516b-1481-4404-9df7-9fa510a7c006",
   "resourceVersion": "597773",
   "generation": 1,
   "creationTimestamp": "2025-01-06T03:49:07Z",
   "labels": {
    "iam.kubesphere.io/role-template": "false"
   },
   "annotations": {
    "iam.kubesphere.io/module": "Access Control",
    "iam.kubesphere.io/role-template-rules": "{\"users\": \"manage\"}",
    "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"iam.kubesphere.io/v1alpha2\",\"kind\":\"GlobalRole\",\"metadata\":{\"annotations\":{\"iam.kubesphere.io/module\":\"Access Control\",\"iam.kubesphere.io/role-template-rules\":\"{\\\"users\\\": \\\"manage\\\"}\",\"kubesphere.io/alias-name\":\"Users Management\"},\"labels\":{\"iam.kubesphere.io/role-template\":\"false\"},\"name\":\"role-template-manage-users\"},\"rules\":[{\"apiGroups\":[\"*\"],\"resources\":[\"users\",\"users/password\",\"users/loginrecords\"],\"verbs\":[\"*\"]}]}\n",
    "kubesphere.io/alias-name": "Users Management"
   },
   "managedFields": [
    {
     "manager": "kubectl-client-side-apply",
     "operation": "Update",
     "apiVersion": "iam.kubesphere.io/v1alpha2",
     "time": "2025-01-06T03:49:07Z",
     "fieldsType": "FieldsV1",
     "fieldsV1": {
      "f:metadata": {
       "f:annotations": {
        ".": {},
        "f:iam.kubesphere.io/module": {},
        "f:iam.kubesphere.io/role-template-rules": {},
        "f:kubectl.kubernetes.io/last-applied-configuration": {},
        "f:kubesphere.io/alias-name": {}
       },
       "f:labels": {
        ".": {},
        "f:iam.kubesphere.io/role-template": {}
       }
      },
      "f:rules": {}
     }
    }
   ]
  },
  "rules": [
   {
    "verbs": [
     "*"
    ],
    "apiGroups": [
     "*"
    ],
    "resources": [
     "users",
     "users/password",
     "users/loginrecords"
    ]
   }
  ]
 },
 {
  "kind": "GlobalRole",
  "apiVersion": "iam.kubesphere.io/v1alpha2",
  "metadata": {
   "name": "role-template-manage-roles",
   "uid": "b1c29ab3-fb3a-44d3-aa7e-5f4c2c76b4a8",
   "resourceVersion": "597775",
   "generation": 1,
   "creationTimestamp": "2025-01-06T03:49:07Z",
   "labels": {
    "iam.kubesphere.io/role-template": "false"
   },
   "annotations": {
    "iam.kubesphere.io/module": "Access Control",
    "iam.kubesphere.io/role-template-rules": "{\"roles\": \"manage\"}",
    "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"iam.kubesphere.io/v1alpha2\",\"kind\":\"GlobalRole\",\"metadata\":{\"annotations\":{\"iam.kubesphere.io/module\":\"Access Control\",\"iam.kubesphere.io/role-template-rules\":\"{\\\"roles\\\": \\\"manage\\\"}\",\"kubesphere.io/alias-name\":\"Roles Management\"},\"labels\":{\"iam.kubesphere.io/role-template\":\"false\"},\"name\":\"role-template-manage-roles\"},\"rules\":[{\"apiGroups\":[\"*\"],\"resources\":[\"globalroles\"],\"verbs\":[\"*\"]}]}\n",
    "kubesphere.io/alias-name": "Roles Management"
   },
   "managedFields": [
    {
     "manager": "kubectl-client-side-apply",
     "operation": "Update",
     "apiVersion": "iam.kubesphere.io/v1alpha2",
     "time": "2025-01-06T03:49:07Z",
     "fieldsType": "FieldsV1",
     "fieldsV1": {
      "f:metadata": {
       "f:annotations": {
        ".": {},
        "f:iam.kubesphere.io/module": {},
        "f:iam.kubesphere.io/role-template-rules": {},
        "f:kubectl.kubernetes.io/last-applied-configuration": {},
        "f:kubesphere.io/alias-name": {}
       },
       "f:labels": {
        ".": {},
        "f:iam.kubesphere.io/role-template": {}
       }
      },
      "f:rules": {}
     }
    }
   ]
  },
  "rules": [
   {
    "verbs": [
     "*"
    ],
    "apiGroups": [
     "*"
    ],
    "resources": [
     "globalroles"
    ]
   }
  ]
 },
 {
  "kind": "GlobalRole",
  "apiVersion": "iam.kubesphere.io/v1alpha2",
  "metadata": {
   "name": "role-template-manage-platform-settings",
   "uid": "325e14f0-4bb2-4c77-844e-7c435f858a6f",
   "resourceVersion": "597778",
   "generation": 1,
   "creationTimestamp": "2025-01-06T03:49:07Z",
   "labels": {
    "iam.kubesphere.io/role-template": "true"
   },
   "annotations": {
    "iam.kubesphere.io/module": "Platform Settings",
    "iam.kubesphere.io/role-template-rules": "{\"platform-settings\": \"manage\"}",
    "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"iam.kubesphere.io/v1alpha2\",\"kind\":\"GlobalRole\",\"metadata\":{\"annotations\":{\"iam.kubesphere.io/module\":\"Platform Settings\",\"iam.kubesphere.io/role-template-rules\":\"{\\\"platform-settings\\\": \\\"manage\\\"}\",\"kubesphere.io/alias-name\":\"Platform Settings Management\"},\"labels\":{\"iam.kubesphere.io/role-template\":\"true\"},\"name\":\"role-template-manage-platform-settings\"},\"rules\":[{\"apiGroups\":[\"logging.kubesphere.io\"],\"resources\":[\"*\"],\"verbs\":[\"*\"]},{\"apiGroups\":[\"notification.kubesphere.io\"],\"resources\":[\"*\"],\"verbs\":[\"*\"]}]}\n",
    "kubesphere.io/alias-name": "Platform Settings Management"
   },
   "managedFields": [
    {
     "manager": "kubectl-client-side-apply",
     "operation": "Update",
     "apiVersion": "iam.kubesphere.io/v1alpha2",
     "time": "2025-01-06T03:49:07Z",
     "fieldsType": "FieldsV1",
     "fieldsV1": {
      "f:metadata": {
       "f:annotations": {
        ".": {},
        "f:iam.kubesphere.io/module": {},
        "f:iam.kubesphere.io/role-template-rules": {},
        "f:kubectl.kubernetes.io/last-applied-configuration": {},
        "f:kubesphere.io/alias-name": {}
       },
       "f:labels": {
        ".": {},
        "f:iam.kubesphere.io/role-template": {}
       }
      },
      "f:rules": {}
     }
    }
   ]
  },
  "rules": [
   {
    "verbs": [
     "*"
    ],
    "apiGroups": [
     "logging.kubesphere.io"
    ],
    "resources": [
     "*"
    ]
   },
   {
    "verbs": [
     "*"
    ],
    "apiGroups": [
     "notification.kubesphere.io"
    ],
    "resources": [
     "*"
    ]
   }
  ]
 },
 {
  "kind": "GlobalRole",
  "apiVersion": "iam.kubesphere.io/v1alpha2",
  "metadata": {
   "name": "role-template-manage-clusters",
   "uid": "0016944f-a2a4-4268-ac46-5534db345a67",
   "resourceVersion": "597768",
   "generation": 1,
   "creationTimestamp": "2025-01-06T03:49:07Z",
   "labels": {
    "iam.kubesphere.io/role-template": "true"
   },
   "annotations": {
    "iam.kubesphere.io/dependencies": "[\"role-template-view-clusters\"]",
    "iam.kubesphere.io/module": "Clusters Management",
    "iam.kubesphere.io/role-template-rules": "{\"clusters\": \"manage\"}",
    "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"iam.kubesphere.io/v1alpha2\",\"kind\":\"GlobalRole\",\"metadata\":{\"annotations\":{\"iam.kubesphere.io/dependencies\":\"[\\\"role-template-view-clusters\\\"]\",\"iam.kubesphere.io/module\":\"Clusters Management\",\"iam.kubesphere.io/role-template-rules\":\"{\\\"clusters\\\": \\\"manage\\\"}\",\"kubesphere.io/alias-name\":\"Clusters Management\"},\"labels\":{\"iam.kubesphere.io/role-template\":\"true\"},\"name\":\"role-template-manage-clusters\"},\"rules\":[{\"apiGroups\":[\"\",\"apiextensions.k8s.io\",\"app.k8s.io\",\"apps\",\"autoscaling\",\"batch\",\"config.istio.io\",\"devops.kubesphere.io\",\"devops.kubesphere.io\",\"events.k8s.io\",\"events.kubesphere.io\",\"extensions\",\"istio.kubesphere.io\",\"jaegertracing.io\",\"logging.kubesphere.io\",\"metrics.k8s.io\",\"monitoring.coreos.com\",\"monitoring.kubesphere.io\",\"metering.kubesphere.io\",\"network.kubesphere.io\",\"networking.istio.io\",\"networking.k8s.io\",\"node.k8s.io\",\"rbac.istio.io\",\"scheduling.k8s.io\",\"security.istio.io\",\"servicemesh.kubesphere.io\",\"snapshot.storage.k8s.io\",\"storage.k8s.io\",\"storage.k8s.io\",\"storage.kubesphere.io\",\"resources.kubesphere.io\",\"notification.kubesphere.io\",\"alerting.kubesphere.io\",\"cluster.kubesphere.io\",\"types.kubefed.io\",\"gitops.kubesphere.io\",\"gateway.kubesphere.io\"],\"resources\":[\"*\"],\"verbs\":[\"*\"]},{\"apiGroups\":[\"tenant.kubesphere.io\"],\"resources\":[\"workspaces\",\"workspacetemplates\"],\"verbs\":[\"update\",\"patch\"]},{\"apiGroups\":[\"iam.kubesphere.io\"],\"resources\":[\"clustermembers\",\"clusterroles\"],\"verbs\":[\"*\"]},{\"nonResourceURLs\":[\"*\"],\"verbs\":[\"GET\"]}]}\n",
    "kubesphere.io/alias-name": "Clusters Management"
   },
   "managedFields": [
    {
     "manager": "kubectl-client-side-apply",
     "operation": "Update",
     "apiVersion": "iam.kubesphere.io/v1alpha2",
     "time": "2025-01-06T03:49:07Z",
     "fieldsType": "FieldsV1",
     "fieldsV1": {
      "f:metadata": {
       "f:annotations": {
        ".": {},
        "f:iam.kubesphere.io/dependencies": {},
        "f:iam.kubesphere.io/module": {},
        "f:iam.kubesphere.io/role-template-rules": {},
        "f:kubectl.kubernetes.io/last-applied-configuration": {},
        "f:kubesphere.io/alias-name": {}
       },
       "f:labels": {
        ".": {},
        "f:iam.kubesphere.io/role-template": {}
       }
      },
      "f:rules": {}
     }
    }
   ]
  },
  "rules": [
   {
    "verbs": [
     "*"
    ],
    "apiGroups": [
     "",
     "apiextensions.k8s.io",
     "app.k8s.io",
     "apps",
     "autoscaling",
     "batch",
     "config.istio.io",
     "devops.kubesphere.io",
     "devops.kubesphere.io",
     "events.k8s.io",
     "events.kubesphere.io",
     "extensions",
     "istio.kubesphere.io",
     "jaegertracing.io",
     "logging.kubesphere.io",
     "metrics.k8s.io",
     "monitoring.coreos.com",
     "monitoring.kubesphere.io",
     "metering.kubesphere.io",
     "network.kubesphere.io",
     "networking.istio.io",
     "networking.k8s.io",
     "node.k8s.io",
     "rbac.istio.io",
     "scheduling.k8s.io",
     "security.istio.io",
     "servicemesh.kubesphere.io",
     "snapshot.storage.k8s.io",
     "storage.k8s.io",
     "storage.k8s.io",
     "storage.kubesphere.io",
     "resources.kubesphere.io",
     "notification.kubesphere.io",
     "alerting.kubesphere.io",
     "cluster.kubesphere.io",
     "types.kubefed.io",
     "gitops.kubesphere.io",
     "gateway.kubesphere.io"
    ],
    "resources": [
     "*"
    ]
   },
   {
    "verbs": [
     "update",
     "patch"
    ],
    "apiGroups": [
     "tenant.kubesphere.io"
    ],
    "resources": [
     "workspaces",
     "workspacetemplates"
    ]
   },
   {
    "verbs": [
     "*"
    ],
    "apiGroups": [
     "iam.kubesphere.io"
    ],
    "resources": [
     "clustermembers",
     "clusterroles"
    ]
   },
   {
    "verbs": [
     "GET"
    ],
    "nonResourceURLs": [
     "*"
    ]
   }
  ]
 },
 {
  "kind": "GlobalRole",
  "apiVersion": "iam.kubesphere.io/v1alpha2",
  "metadata": {
   "name": "role-template-manage-app-templates",
   "uid": "cae1fd8a-8368-4ed5-afbe-05f0befe7f21",
   "resourceVersion": "597777",
   "generation": 1,
   "creationTimestamp": "2025-01-06T03:49:07Z",
   "labels": {
    "iam.kubesphere.io/role-template": "true"
   },
   "annotations": {
    "iam.kubesphere.io/dependencies": "[\"role-template-view-app-templates\"]",
    "iam.kubesphere.io/module": "Apps Management",
    "iam.kubesphere.io/role-template-rules": "{\"app-templates\": \"manage\"}",
    "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"iam.kubesphere.io/v1alpha2\",\"kind\":\"GlobalRole\",\"metadata\":{\"annotations\":{\"iam.kubesphere.io/dependencies\":\"[\\\"role-template-view-app-templates\\\"]\",\"iam.kubesphere.io/module\":\"Apps Management\",\"iam.kubesphere.io/role-template-rules\":\"{\\\"app-templates\\\": \\\"manage\\\"}\",\"kubesphere.io/alias-name\":\"App Templates Management\"},\"labels\":{\"iam.kubesphere.io/role-template\":\"true\"},\"name\":\"role-template-manage-app-templates\"},\"rules\":[{\"apiGroups\":[\"openpitrix.io\"],\"resources\":[\"*\"],\"verbs\":[\"*\"]}]}\n",
    "kubesphere.io/alias-name": "App Templates Management"
   },
   "managedFields": [
    {
     "manager": "kubectl-client-side-apply",
     "operation": "Update",
     "apiVersion": "iam.kubesphere.io/v1alpha2",
     "time": "2025-01-06T03:49:07Z",
     "fieldsType": "FieldsV1",
     "fieldsV1": {
      "f:metadata": {
       "f:annotations": {
        ".": {},
        "f:iam.kubesphere.io/dependencies": {},
        "f:iam.kubesphere.io/module": {},
        "f:iam.kubesphere.io/role-template-rules": {},
        "f:kubectl.kubernetes.io/last-applied-configuration": {},
        "f:kubesphere.io/alias-name": {}
       },
       "f:labels": {
        ".": {},
        "f:iam.kubesphere.io/role-template": {}
       }
      },
      "f:rules": {}
     }
    }
   ]
  },
  "rules": [
   {
    "verbs": [
     "*"
    ],
    "apiGroups": [
     "openpitrix.io"
    ],
    "resources": [
     "*"
    ]
   }
  ]
 }
]

                        bixiaoyu
                        这边检查了下v3.3.1的前端权限数据结构,根据上述接口生成的数据,用户的权限数据应该如下图

                            smartcat999 是这样的,老师,这个镜像仍然是咱们官网的镜像,无非是我拉到本地之后,考虑到网络问题,然后重新docker tag,然后推动到自己的阿里云仓库中,镜像还是一样的镜像

                                smartcat999 可以远程的,老师,您可以加我微信吗?或者我加您的