现象
ks-controller-manager pod 中看到很多如下错误:
E0409 13:48:39.942729 1 role_controller.go:94] "sync role failed" err="Role.rbac.authorization.k8s.io \"kubesphere:iam:operator\" is invalid: rules[21].nonResourceURLs: Invalid value: []string{\"jenkins/labelsdashboard/labelsData\"}: namespaced rules cannot apply to non-resource URLs" logger="controllers.role" namespace="devcm59v" role="operator"
E0409 13:48:39.942761 1 role_controller.go:69] "sync role failed" err="Role.rbac.authorization.k8s.io \"kubesphere:iam:operator\" is invalid: rules[21].nonResourceURLs: Invalid value: []string{\"jenkins/labelsdashboard/labelsData\"}: namespaced rules cannot apply to non-resource URLs" logger="controllers.role" Role="devcm59v/operator"
E0409 13:48:39.942806 1 controller.go:316] "Reconciler error" err="Role.rbac.authorization.k8s.io \"kubesphere:iam:operator\" is invalid: rules[21].nonResourceURLs: Invalid value: []string{\"jenkins/labelsdashboard/labelsData\"}: namespaced rules cannot apply to non-resource URLs" controller="role" controllerGroup="iam.kubesphere.io" controllerKind="Role" Role="devcm59v/operator" namespace="devcm59v" name="operator" reconcileID="cc888601-f5a6-4fe4-bb5e-3fee45df7f04"
E0409 13:48:40.585937 1 role_controller.go:94] "sync role failed" err="Role.rbac.authorization.k8s.io \"kubesphere:iam:admin\" is invalid: rules[1].nonResourceURLs: Invalid value: []string{\"jenkins/labelsdashboard/labelsData\"}: namespaced rules cannot apply to non-resource URLs" logger="controllers.role" namespace="devcm59v" role="admin"
E0409 13:48:40.585988 1 role_controller.go:69] "sync role failed" err="Role.rbac.authorization.k8s.io \"kubesphere:iam:admin\" is invalid: rules[1].nonResourceURLs: Invalid value: []string{\"jenkins/labelsdashboard/labelsData\"}: namespaced rules cannot apply to non-resource URLs" logger="controllers.role" Role="devcm59v/admin"解决方法
在集群中执行 kubectl edit roletemplate devops-manage-pipelines , 将spec中的如下字段删除,然后保存即可。
- nonResourceURLs:
- jenkins/labelsdashboard/labelsData
verbs:
- get