devops 1.1.1 "sync role failed" 的解决方法

stoneshi-yunify

现象
ks-controller-manager pod 中看到很多如下错误：

E0409 13:48:39.942729       1 role_controller.go:94] "sync role failed" err="Role.rbac.authorization.k8s.io \"kubesphere:iam:operator\" is invalid: rules[21].nonResourceURLs: Invalid value: []string{\"jenkins/labelsdashboard/labelsData\"}: namespaced rules cannot apply to non-resource URLs" logger="controllers.role" namespace="devcm59v" role="operator"
E0409 13:48:39.942761       1 role_controller.go:69] "sync role failed" err="Role.rbac.authorization.k8s.io \"kubesphere:iam:operator\" is invalid: rules[21].nonResourceURLs: Invalid value: []string{\"jenkins/labelsdashboard/labelsData\"}: namespaced rules cannot apply to non-resource URLs" logger="controllers.role" Role="devcm59v/operator"
E0409 13:48:39.942806       1 controller.go:316] "Reconciler error" err="Role.rbac.authorization.k8s.io \"kubesphere:iam:operator\" is invalid: rules[21].nonResourceURLs: Invalid value: []string{\"jenkins/labelsdashboard/labelsData\"}: namespaced rules cannot apply to non-resource URLs" controller="role" controllerGroup="iam.kubesphere.io" controllerKind="Role" Role="devcm59v/operator" namespace="devcm59v" name="operator" reconcileID="cc888601-f5a6-4fe4-bb5e-3fee45df7f04"
E0409 13:48:40.585937       1 role_controller.go:94] "sync role failed" err="Role.rbac.authorization.k8s.io \"kubesphere:iam:admin\" is invalid: rules[1].nonResourceURLs: Invalid value: []string{\"jenkins/labelsdashboard/labelsData\"}: namespaced rules cannot apply to non-resource URLs" logger="controllers.role" namespace="devcm59v" role="admin"
E0409 13:48:40.585988       1 role_controller.go:69] "sync role failed" err="Role.rbac.authorization.k8s.io \"kubesphere:iam:admin\" is invalid: rules[1].nonResourceURLs: Invalid value: []string{\"jenkins/labelsdashboard/labelsData\"}: namespaced rules cannot apply to non-resource URLs" logger="controllers.role" Role="devcm59v/admin"

解决方法
在集群中执行 kubectl edit roletemplate devops-manage-pipelines , 将spec中的如下字段删除，然后保存。

  - nonResourceURLs:
    - jenkins/labelsdashboard/labelsData
    verbs:
    - get

之后重启 ks-controller-manager。

如果问题依旧，请将 kubectl edit roletemplate devops-manage-pipelines -o yaml 保存为 template.yaml, 然后将 template.yaml 中的以上 nonResourceURLs 部分删除，之后 kubectl delete -f template.yaml 再 kubectl apply -f template.yaml 重新创建。

此问题已在 devops v1.1.2 （for ks v4.1.3) 版本中修复，请及时升级 devops 扩展。