4.x devops插件流水线 kubectl apply -f - 权限问题如何解决

wang88

+ envsubst

+ kubectl apply -f -

Error from server (Forbidden): error when retrieving current configuration of:

Resource: “apps/v1, Resource=deployments”, GroupVersionKind: “apps/v1, Kind=Deployment”

Name: “ttc-dev-v1”, Namespace: “ttc”

from server for: “STDIN”: deployments.apps “ttc-dev-v1” is forbidden: User “system:serviceaccount:kubesphere-devops-worker:default” cannot get resource “deployments” in API group “apps” in the namespace “ttc”

kubesphere 3.x 执行下面脚本可以，4.x执行不行，不知道怎么配置，有大佬给指点一下吗，相关资料也没找到，不知道怎么配置权限

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubesphere-devops-worker-installer-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ks-installer
subjects:
- kind: ServiceAccount
name: default
namespace: kubesphere-devops-worker

hongming

wang88

4.x 没有 ks-installer 这个 ClusterRole 了，你按需创建一个进行替换吧，也可以用已经存在的 ClusterRole

jialinz

hongming 我也遇到了同样的问题4.X版本，大佬集体如何解决？

stoneshi-yunify

jialinz 按照1楼说的，创建一个 clusterrolebinding，将 default sa 绑定到特定的clusterrole. 比如， cluster-admin，那么这个sa 就会有集群管理员的权限。

wang88

jialinz

1. 检查现有权限

首先，检查当前服务账户的权限，确认是否缺少必要的权限

kubectl auth can-i get deployments --as=system:serviceaccount:kubesphere-devops-worker:default -n paas

如果返回 no，说明权限不足。

2. 创建或更新 Role 和 RoleBinding

您需要为服务账户创建或更新一个 Role（角色），并将其绑定到服务账户。以下是一个示例 Role 和 RoleBinding 的配置

创建 Role

创建一个 Role，授予对 deployments 的访问权限：

vi deployment-reader.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: paas
  name: deployment-reader
rules:
- apiGroups: ["apps"]
  resources: 
    - '*'
  verbs: 
    - '*'

kubectl apply -f deployment-reader.yaml

创建 RoleBinding

将 Role 绑定到服务账户：

vi deployment-reader-binding.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployment-reader-binding
  namespace: paas
subjects:
- kind: ServiceAccount
  name: default
  namespace: kubesphere-devops-worker
roleRef:
  kind: Role
  name: deployment-reader
  apiGroup: rbac.authorization.k8s.io

kubectl apply -f deployment-reader-binding.yaml

3. 验证权限

再次检查权限是否生效：

kubectl auth can-i get deployments --as=system:serviceaccount:kubesphere-devops-worker:default -n paas

jialinz

我按照你的操作还是不行报错如下 + kubectl apply -f -
Error from server (Forbidden): error when retrieving current configuration of:
Resource: “apps/v1, Resource=deployments”, GroupVersionKind: “apps/v1, Kind=Deployment”
Name: “icc-pm”, Namespace: “icc-projects-online”
from server for: “STDIN”: deployments.apps “icc-pm” is forbidden: User “system:serviceaccount:kubesphere-devops-worker:default” cannot get resource “deployments” in API group “apps” in the namespace “icc-projects-online”
script returned exit code 1

wang88

jialinz icc-projects-online 我的命名空间是“paas”你按照我的脚本，改成你的命名空间