kubesphere v.4.1.2
I want to create a role that can be applied to all workspaces and used by DevOps as well. Is there any reference documentation or approach for this?
Thanks
Have a look at rolebase; there is roughly a configuration like this. Just configure the role permissions according to your needs.
sylvia
Hello, I did a bit of research and also used the command below to look at the existing configuration, but I don't seem to see the four default Workspace role configurations.
me:~/kubesphere$ kubectl get roles -A
NAMESPACE NAME CREATED AT
acc-testlp8xd kubesphere:iam:viewer 2025-03-24T02:07:35Z
agents kubesphere:iam:admin 2025-03-19T03:06:34Z
agents kubesphere:iam:operator 2025-03-19T03:06:34Z
agents kubesphere:iam:viewer 2025-03-19T03:06:34Z
argocd devops-agent-argocd-applicationset-controller 2025-03-18T07:24:46Z
argocd devops-agent-argocd-dex-server 2025-03-18T07:24:46Z
argocd devops-agent-argocd-repo-server 2025-03-18T07:24:46Z
argocd devops-agent-argocd-server 2025-03-18T07:24:46Z
argocd kubesphere:iam:admin 2025-03-17T03:29:07Z
argocd kubesphere:iam:operator 2025-03-17T03:29:07Z
argocd kubesphere:iam:viewer 2025-03-17T03:29:07Z
cert-manager cert-manager-webhook:dynamic-serving 2025-03-13T09:42:42Z
cijmt5t kubesphere:iam:viewer 2025-03-19T09:15:08Z
civ5pxl kubesphere:iam:viewer 2025-03-18T08:30:26Z
default kubesphere:iam:admin 2025-03-17T03:29:07Z
default kubesphere:iam:operator 2025-03-17T03:29:07Z
default kubesphere:iam:viewer 2025-03-17T03:29:07Z
demog9xg7 kubesphere:iam:viewer 2025-03-25T01:47:01Z
demolpvrj kubesphere:iam:viewer 2025-03-24T06:29:41Z
extension-gateway kubesphere:gateway:helm-executor 2025-03-18T09:46:45Z
extension-gateway kubesphere:iam:admin 2025-03-18T09:46:45Z
extension-gateway kubesphere:iam:operator 2025-03-18T09:46:45Z
extension-gateway kubesphere:iam:viewer 2025-03-18T09:46:45Z
extension-whizard-telemetry kubesphere:iam:admin 2025-03-18T01:07:55Z
extension-whizard-telemetry kubesphere:iam:operator 2025-03-18T01:07:55Z
extension-whizard-telemetry kubesphere:iam:viewer 2025-03-18T01:07:55Z
extension-whizard-telemetry kubesphere:whizard-telemetry:helm-executor 2025-03-18T01:07:55Z
ingress-nginx ingress-nginx 2025-03-13T09:46:31Z
ingress-nginx ingress-nginx-admission 2025-03-13T09:46:31Z
kube-node-lease kubesphere:iam:admin 2025-03-17T03:29:07Z
kube-node-lease kubesphere:iam:operator 2025-03-17T03:29:07Z
kube-node-lease kubesphere:iam:viewer 2025-03-17T03:29:07Z
kube-public kubeadm:bootstrap-signer-clusterinfo 2025-03-13T08:02:12Z
kube-public kubesphere:iam:admin 2025-03-17T03:29:07Z
kube-public kubesphere:iam:operator 2025-03-17T03:29:07Z
kube-public kubesphere:iam:viewer 2025-03-17T03:29:07Z
kube-public system:controller:bootstrap-signer 2025-03-13T08:02:11Z
kube-system cert-manager-cainjector:leaderelection 2025-03-13T09:42:42Z
kube-system cert-manager:leaderelection 2025-03-13T09:42:42Z
kube-system extension-apiserver-authentication-reader 2025-03-13T08:02:11Z
kube-system kube-proxy 2025-03-13T08:02:12Z
kube-system kubeadm:kubeadm-certs 2025-03-13T08:02:22Z
kube-system kubeadm:kubelet-config 2025-03-13T08:02:11Z
kube-system kubeadm:nodes-kubeadm-config 2025-03-13T08:02:11Z
kube-system kubesphere:iam:admin 2025-03-17T03:29:07Z
kube-system kubesphere:iam:operator 2025-03-17T03:29:07Z
kube-system kubesphere:iam:viewer 2025-03-17T03:29:07Z
kube-system system::leader-locking-kube-controller-manager 2025-03-13T08:02:11Z
kube-system system::leader-locking-kube-scheduler 2025-03-13T08:02:11Z
kube-system system:controller:bootstrap-signer 2025-03-13T08:02:11Z
kube-system system:controller:cloud-provider 2025-03-13T08:02:11Z
kube-system system:controller:token-cleaner 2025-03-13T08:02:11Z
kubekey-system kubesphere:iam:admin 2025-03-17T03:29:07Z
kubekey-system kubesphere:iam:operator 2025-03-17T03:29:07Z
kubekey-system kubesphere:iam:viewer 2025-03-17T03:29:07Z
kubesphere-controls-system kubesphere:iam:admin 2025-03-17T03:29:07Z
kubesphere-controls-system kubesphere:iam:operator 2025-03-17T03:29:07Z
kubesphere-controls-system kubesphere:iam:viewer 2025-03-17T03:29:07Z
kubesphere-devops-system devops-agent-argocd-application-controller 2025-03-18T07:24:46Z
kubesphere-devops-system kubesphere:devops:helm-executor 2025-03-14T09:20:18Z
kubesphere-devops-worker kubesphere:iam:admin 2025-03-17T03:29:07Z
kubesphere-devops-worker kubesphere:iam:operator 2025-03-17T03:29:07Z
kubesphere-devops-worker kubesphere:iam:viewer 2025-03-17T03:29:07Z
kubesphere-monitoring-system kubesphere:iam:admin 2025-03-18T01:08:17Z
kubesphere-monitoring-system kubesphere:iam:operator 2025-03-18T01:08:17Z
kubesphere-monitoring-system kubesphere:iam:viewer 2025-03-18T01:08:17Z
kubesphere-monitoring-system kubesphere:whizard-monitoring:helm-executor 2025-03-18T01:08:17Z
kubesphere-system kubesphere:iam:admin 2025-03-17T03:29:07Z
kubesphere-system kubesphere:iam:operator 2025-03-17T03:29:07Z
kubesphere-system kubesphere:iam:viewer 2025-03-17T03:29:07Z
testhvck8 kubesphere:iam:viewer 2025-03-24T06:31:18Z
Can anyone help?
I have tried the different categories of Role in the CRDs; only Global Role was applied successfully, but that is a platform role.
What I need is the workspace default role.
hongming
Hello, I copied the workspace-self-provisioner yaml and modified it to add a new role, but this role still does not appear:
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: iam.kubesphere.io/v1beta1
kind: BuiltinRole
metadata:
  annotations:
    meta.helm.sh/release-name: ks-core
    meta.helm.sh/release-namespace: kubesphere-system
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
    iam.kubesphere.io/scope: workspace
  name: workspace-devops-testing
  resourceVersion: "761979"
  uid: 273caef8-3407-4f15-b177-eb21413f0b22
role:
  aggregationRoleTemplates:
    roleSelector:
      matchLabels:
        iam.kubesphere.io/aggregate-to-self-provisioner: ""
        iam.kubesphere.io/scope: workspace
    templateNames:
    - workspace-create-projects
    - workspace-view-workspace-settings
  apiVersion: iam.kubesphere.io/v1beta1
  kind: WorkspaceRole
  metadata:
    annotations:
      iam.kubesphere.io/auto-aggregate: "true"
      kubesphere.io/creator: system
      kubesphere.io/description: '{"zh": "查看企业设置、创建项目。", "en": "View workspace settings,
        create projects."}'
    name: self-provisioner
  rules: []
kubectl get rolebase
Refer to the rolebase template, modify it, and add a new rolebase.
I added a workspace default role using BuiltinRole, but writing the permissions into it directly has no effect. How should I modify the permissions? Thanks
apiVersion: iam.kubesphere.io/v1beta1
kind: BuiltinRole
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"iam.kubesphere.io/v1beta1","kind":"BuiltinRole","metadata":{"annotations":{"meta.helm.sh/release-name":"ks-core","meta.helm.sh/release-namespace":"kubesphere-system"},"labels":{"app.kubernetes.io/managed-by":"Helm","iam.kubesphere.io/scope":"workspace"},"name":"workspace-devops-member"},"role":{"aggregationRoleTemplates":{"roleSelector":{"matchLabels":{"iam.kubesphere.io/aggregate-to-devopsmem":"","iam.kubesphere.io/scope":"workspace"}},"templateNames":["workspace-view-projects","workspace-view-members","workspace-view-roles","workspace-view-groups","workspace-view-workspace-settings"]},"apiVersion":"iam.kubesphere.io/v1beta1","kind":"WorkspaceRole","metadata":{"annotations":{"iam.kubesphere.io/auto-aggregate":"true","kubesphere.io/creator":"system","kubesphere.io/description":"{\"zh\":
      \"僅能新增DevOps Project\", \"en\": \"Only allow create CI
      Project\"}"},"name":"devops-member"},"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["get","list","watch"]}]}}
    meta.helm.sh/release-name: ks-core
    meta.helm.sh/release-namespace: kubesphere-system
  labels:
    app.kubernetes.io/managed-by: Helm
    iam.kubesphere.io/scope: workspace
  name: workspace-devops-member
role:
  aggregationRoleTemplates:
    roleSelector:
      matchLabels:
        iam.kubesphere.io/aggregate-to-devopsmem: ''
        iam.kubesphere.io/scope: workspace
    templateNames:
    - workspace-view-projects
    - workspace-view-members
    - workspace-view-roles
    - workspace-view-groups
    - workspace-view-workspace-settings
  apiVersion: iam.kubesphere.io/v1beta1
  kind: WorkspaceRole
  metadata:
    annotations:
      iam.kubesphere.io/auto-aggregate: 'true'
      kubesphere.io/creator: system
      kubesphere.io/description: '{"zh": "僅能新增DevOps Project", "en": "Only allow create CI Project"}'
    name: devops-member
  rules:
  - apiGroups:
    - '*'
    resources:
    - '*'
    verbs:
    - get
    - list
    - watch
After configuring the builtinrole, the workspace default role does appear, but permissions cannot be added.
!Solved!
Here is the method for anyone who needs it.
[ Default roles - Workspace as the example ]
1. Write the role template (you can copy a similar role yaml from Cluster - CRD - BuiltinRole and modify it)
2. kubectl apply -f xxx.yaml
3. Go to Cluster - CRD - BuiltinRole to confirm it was created successfully; you can create a Workspace and check whether the default workspace role is there
4. Start adding permissions to the role: under Cluster - CRD - RoleTemplate find the ones starting with workspace, and in the yaml of the permission template you want, add iam.kubesphere.io/aggregate-to-[your ws-role-name]: ''
(here the role name is the name under kind: workspacerole in the role yaml you wrote at the beginning)
5. When done, go to the Workspace and check whether the permissions have been added; if they have, it succeeded
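As an added check (not from the thread or from KubeSphere), this Python lint encodes the recipe in steps 1 to 5: the BuiltinRole's roleSelector labels must be present on every RoleTemplate that should be aggregated, and rules written directly into the role do nothing. The manifests are constructed from the ones posted above, reduced to the fields that matter.

```python
SCOPE = "iam.kubesphere.io/scope"
AUTO_AGGREGATE = "iam.kubesphere.io/auto-aggregate"

# Constructed sample: the BuiltinRole from the thread, reduced to the fields that matter.
DEVOPS_MEMBER = {
    "apiVersion": "iam.kubesphere.io/v1beta1",
    "kind": "BuiltinRole",
    "metadata": {"name": "workspace-devops-member", "labels": {SCOPE: "workspace"}},
    "role": {
        "apiVersion": "iam.kubesphere.io/v1beta1",
        "kind": "WorkspaceRole",
        "metadata": {"name": "devops-member", "annotations": {AUTO_AGGREGATE: "true"}},
        "aggregationRoleTemplates": {
            "roleSelector": {"matchLabels": {
                "iam.kubesphere.io/aggregate-to-devopsmem": "", SCOPE: "workspace"}},
            "templateNames": ["workspace-view-projects", "workspace-view-members"],
        },
        "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]}],
    },
}

# Constructed sample RoleTemplates: only the first carries the aggregate-to label (step 4).
TEMPLATES = [
    {"metadata": {"name": "workspace-view-projects", "labels": {
        SCOPE: "workspace", "iam.kubesphere.io/aggregate-to-devopsmem": ""}}},
    {"metadata": {"name": "workspace-view-members", "labels": {SCOPE: "workspace"}}},
]

def matching_templates(builtin_role, templates):
    """Names of RoleTemplates whose labels satisfy every key/value of the roleSelector."""
    selector = builtin_role["role"]["aggregationRoleTemplates"]["roleSelector"]["matchLabels"]
    return [t["metadata"]["name"] for t in templates
            if all(t["metadata"].get("labels", {}).get(k) == v for k, v in selector.items())]

def lint_builtin_role(builtin_role, templates):
    """Return findings; an empty list means the manifest follows the thread's recipe."""
    findings = []
    role = builtin_role["role"]
    if builtin_role["metadata"].get("labels", {}).get(SCOPE) != "workspace":
        findings.append("BuiltinRole needs label iam.kubesphere.io/scope=workspace to be a workspace default role")
    if role["metadata"].get("annotations", {}).get(AUTO_AGGREGATE) != "true":
        findings.append("WorkspaceRole lacks iam.kubesphere.io/auto-aggregate=true; templates will not be aggregated")
    if role.get("rules"):
        findings.append("rules set directly on the role had no effect in the thread; label RoleTemplates instead")
    matched = set(matching_templates(builtin_role, templates))
    for name in role["aggregationRoleTemplates"].get("templateNames", []):
        if name not in matched:
            findings.append(f"RoleTemplate {name} does not carry the roleSelector labels")
    return findings
```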