[已解決] v4.1.2 新增 Workspace Default Role

cici

kubesphere v.4.1.2

我想創建可以應用到所有workspace和devops都能使用的角色，請問有參考的文檔或是做法嗎

謝謝

sylvia

去看下rolebase，大概有这么一个配置，按照需求配置角色权限就行

cici

sylvia
您好，我稍微研究了一下也用下方程式看過原先的配置，但好像沒有看到 Workspace 預設的四個角色配置

me:~/kubesphere$ kubectl get roles -A
NAMESPACE                      NAME                                             CREATED AT
acc-testlp8xd                  kubesphere:iam:viewer                            2025-03-24T02:07:35Z
agents                         kubesphere:iam:admin                             2025-03-19T03:06:34Z
agents                         kubesphere:iam:operator                          2025-03-19T03:06:34Z
agents                         kubesphere:iam:viewer                            2025-03-19T03:06:34Z
argocd                         devops-agent-argocd-applicationset-controller    2025-03-18T07:24:46Z
argocd                         devops-agent-argocd-dex-server                   2025-03-18T07:24:46Z
argocd                         devops-agent-argocd-repo-server                  2025-03-18T07:24:46Z
argocd                         devops-agent-argocd-server                       2025-03-18T07:24:46Z
argocd                         kubesphere:iam:admin                             2025-03-17T03:29:07Z
argocd                         kubesphere:iam:operator                          2025-03-17T03:29:07Z
argocd                         kubesphere:iam:viewer                            2025-03-17T03:29:07Z
cert-manager                   cert-manager-webhook:dynamic-serving             2025-03-13T09:42:42Z
cijmt5t                        kubesphere:iam:viewer                            2025-03-19T09:15:08Z
civ5pxl                        kubesphere:iam:viewer                            2025-03-18T08:30:26Z
default                        kubesphere:iam:admin                             2025-03-17T03:29:07Z
default                        kubesphere:iam:operator                          2025-03-17T03:29:07Z
default                        kubesphere:iam:viewer                            2025-03-17T03:29:07Z
demog9xg7                      kubesphere:iam:viewer                            2025-03-25T01:47:01Z
demolpvrj                      kubesphere:iam:viewer                            2025-03-24T06:29:41Z
extension-gateway              kubesphere:gateway:helm-executor                 2025-03-18T09:46:45Z
extension-gateway              kubesphere:iam:admin                             2025-03-18T09:46:45Z
extension-gateway              kubesphere:iam:operator                          2025-03-18T09:46:45Z
extension-gateway              kubesphere:iam:viewer                            2025-03-18T09:46:45Z
extension-whizard-telemetry    kubesphere:iam:admin                             2025-03-18T01:07:55Z
extension-whizard-telemetry    kubesphere:iam:operator                          2025-03-18T01:07:55Z
extension-whizard-telemetry    kubesphere:iam:viewer                            2025-03-18T01:07:55Z
extension-whizard-telemetry    kubesphere:whizard-telemetry:helm-executor       2025-03-18T01:07:55Z
ingress-nginx                  ingress-nginx                                    2025-03-13T09:46:31Z
ingress-nginx                  ingress-nginx-admission                          2025-03-13T09:46:31Z
kube-node-lease                kubesphere:iam:admin                             2025-03-17T03:29:07Z
kube-node-lease                kubesphere:iam:operator                          2025-03-17T03:29:07Z
kube-node-lease                kubesphere:iam:viewer                            2025-03-17T03:29:07Z
kube-public                    kubeadm:bootstrap-signer-clusterinfo             2025-03-13T08:02:12Z
kube-public                    kubesphere:iam:admin                             2025-03-17T03:29:07Z
kube-public                    kubesphere:iam:operator                          2025-03-17T03:29:07Z
kube-public                    kubesphere:iam:viewer                            2025-03-17T03:29:07Z
kube-public                    system:controller:bootstrap-signer               2025-03-13T08:02:11Z
kube-system                    cert-manager-cainjector:leaderelection           2025-03-13T09:42:42Z
kube-system                    cert-manager:leaderelection                      2025-03-13T09:42:42Z
kube-system                    extension-apiserver-authentication-reader        2025-03-13T08:02:11Z
kube-system                    kube-proxy                                       2025-03-13T08:02:12Z
kube-system                    kubeadm:kubeadm-certs                            2025-03-13T08:02:22Z
kube-system                    kubeadm:kubelet-config                           2025-03-13T08:02:11Z
kube-system                    kubeadm:nodes-kubeadm-config                     2025-03-13T08:02:11Z
kube-system                    kubesphere:iam:admin                             2025-03-17T03:29:07Z
kube-system                    kubesphere:iam:operator                          2025-03-17T03:29:07Z
kube-system                    kubesphere:iam:viewer                            2025-03-17T03:29:07Z
kube-system                    system::leader-locking-kube-controller-manager   2025-03-13T08:02:11Z
kube-system                    system::leader-locking-kube-scheduler            2025-03-13T08:02:11Z
kube-system                    system:controller:bootstrap-signer               2025-03-13T08:02:11Z
kube-system                    system:controller:cloud-provider                 2025-03-13T08:02:11Z
kube-system                    system:controller:token-cleaner                  2025-03-13T08:02:11Z
kubekey-system                 kubesphere:iam:admin                             2025-03-17T03:29:07Z
kubekey-system                 kubesphere:iam:operator                          2025-03-17T03:29:07Z
kubekey-system                 kubesphere:iam:viewer                            2025-03-17T03:29:07Z
kubesphere-controls-system     kubesphere:iam:admin                             2025-03-17T03:29:07Z
kubesphere-controls-system     kubesphere:iam:operator                          2025-03-17T03:29:07Z
kubesphere-controls-system     kubesphere:iam:viewer                            2025-03-17T03:29:07Z
kubesphere-devops-system       devops-agent-argocd-application-controller       2025-03-18T07:24:46Z
kubesphere-devops-system       kubesphere:devops:helm-executor                  2025-03-14T09:20:18Z
kubesphere-devops-worker       kubesphere:iam:admin                             2025-03-17T03:29:07Z
kubesphere-devops-worker       kubesphere:iam:operator                          2025-03-17T03:29:07Z
kubesphere-devops-worker       kubesphere:iam:viewer                            2025-03-17T03:29:07Z
kubesphere-monitoring-system   kubesphere:iam:admin                             2025-03-18T01:08:17Z
kubesphere-monitoring-system   kubesphere:iam:operator                          2025-03-18T01:08:17Z
kubesphere-monitoring-system   kubesphere:iam:viewer                            2025-03-18T01:08:17Z
kubesphere-monitoring-system   kubesphere:whizard-monitoring:helm-executor      2025-03-18T01:08:17Z
kubesphere-system              kubesphere:iam:admin                             2025-03-17T03:29:07Z
kubesphere-system              kubesphere:iam:operator                          2025-03-17T03:29:07Z
kubesphere-system              kubesphere:iam:viewer                            2025-03-17T03:29:07Z
testhvck8                      kubesphere:iam:viewer                            2025-03-24T06:31:18Z

cici

有人可以幫忙嗎?
我目前是了CRD裡面不同分類的Role，只有Global Role成功應用，但他是platform role

我要的是workspace default role

hongming

cici

kubectl get builtinroles.iam.kubesphere.io

cici

hongming
您好，我複製了workspace-self-provisioner yaml去修改新增一個role，但仍然沒有出現這個角色

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: iam.kubesphere.io/v1beta1
kind: BuiltinRole
metadata:
  annotations:
    meta.helm.sh/release-name: ks-core
    meta.helm.sh/release-namespace: kubesphere-system
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
    iam.kubesphere.io/scope: workspace
  name: workspace-devops-testing
  resourceVersion: "761979"
  uid: 273caef8-3407-4f15-b177-eb21413f0b22
role:
  aggregationRoleTemplates:
    roleSelector:
      matchLabels:
        iam.kubesphere.io/aggregate-to-self-provisioner: ""
        iam.kubesphere.io/scope: workspace
    templateNames:
    - workspace-create-projects
    - workspace-view-workspace-settings
  apiVersion: iam.kubesphere.io/v1beta1
  kind: WorkspaceRole
  metadata:
    annotations:
      iam.kubesphere.io/auto-aggregate: "true"
      kubesphere.io/creator: system
      kubesphere.io/description: '{"zh": "查看企业设置、创建项目。", "en": "View workspace settings,
        create projects."}'
    name: self-provisioner
  rules: []

sylvia

kubectl get rolebase

sylvia

参考rolebase模板改，进行新增rolebase

cici

sylvia

我使用 BuiltinRole 新增了 workspace default role，但是它的權限我直接寫入沒有反應，請問我應該怎麼去修改權限呢謝謝

apiVersion: iam.kubesphere.io/v1beta1
kind: BuiltinRole
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"iam.kubesphere.io/v1beta1","kind":"BuiltinRole","metadata":{"annotations":{"meta.helm.sh/release-name":"ks-core","meta.helm.sh/release-namespace":"kubesphere-system"},"labels":{"app.kubernetes.io/managed-by":"Helm","iam.kubesphere.io/scope":"workspace"},"name":"workspace-devops-member"},"role":{"aggregationRoleTemplates":{"roleSelector":{"matchLabels":{"iam.kubesphere.io/aggregate-to-devopsmem":"","iam.kubesphere.io/scope":"workspace"}},"templateNames":["workspace-view-projects","workspace-view-members","workspace-view-roles","workspace-view-groups","workspace-view-workspace-settings"]},"apiVersion":"iam.kubesphere.io/v1beta1","kind":"WorkspaceRole","metadata":{"annotations":{"iam.kubesphere.io/auto-aggregate":"true","kubesphere.io/creator":"system","kubesphere.io/description":"{\"zh\":
      \"僅能新增DevOps Project\", \"en\": \"Only allow create CI
      Project\"}"},"name":"devops-member"},"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["get","list","watch"]}]}}
    meta.helm.sh/release-name: ks-core
    meta.helm.sh/release-namespace: kubesphere-system
  labels:
    app.kubernetes.io/managed-by: Helm
    iam.kubesphere.io/scope: workspace
  name: workspace-devops-member
role:
  aggregationRoleTemplates:
    roleSelector:
      matchLabels:
        iam.kubesphere.io/aggregate-to-devopsmem: ''
        iam.kubesphere.io/scope: workspace
    templateNames:
      - workspace-view-projects
      - workspace-view-members
      - workspace-view-roles
      - workspace-view-groups
      - workspace-view-workspace-settings
  apiVersion: iam.kubesphere.io/v1beta1
  kind: WorkspaceRole
  metadata:
    annotations:
      iam.kubesphere.io/auto-aggregate: 'true'
      kubesphere.io/creator: system
      kubesphere.io/description: '{"zh": "僅能新增DevOps Project", "en": "Only allow create CI Project"}'
    name: devops-member
  rules:
    - apiGroups:
        - '*'
      resources:
        - '*'
      verbs:
        - get
        - list
        - watch

cici

配置完builtinrole之後workspace default角色有出來，但是權限無法新增

cici

!已解決!

提供方法給需要的人

[ Default 角色 - 以 Workspace 為範例]

1. 撰寫角色模板(可以複製 Cluster - CRD - BuiltinRole 類似的角色 yaml 來修改)

2. kubectl apply -f xxx.yaml

3. 到 Cluster - CRD - BuiltinRole 確認是否新增成功，可以新增 Workspace 看看 default workspace 角色有沒有

4. 開始新增該角色權限：Cluster - CRD - RoleTemplate 找到 workspace 開頭的，在你要的權限模板 yaml 加入 iam.kubesphere.io/aggregate-to-[這裡是你的ws-role-name]: '' (這裡 role name 是一開始撰寫的 role yaml 裡面 kind: workspacerole 那邊的 name)

5. 完成後到 Workspace 確認權限有沒有被加進去就成功了