我喜欢给每个gitlab命名空间项目(微服务)一个 ServiceMonitor 从 monitoring.coreos.com 由 普罗米修斯操作者.但当运行gitlab管道创建它时,出现了一个错误,即这个ressource不能由以下方式创建
servicemonitors.monitoring.coreos.com "service-monitor" is forbidden: User "system:serviceaccount:ABC_NAMESPACE:ABC-dev-service-account" cannot get resource "servicemonitors" in API group "monitoring.coreos.com" in the namespace "ABC_NAMESPACE"
所以我为一个mircroservice应用了一个Role & 一个RoleBinding来解决一个命名空间的问题,但是为所有的命名空间应用RoleBinding是非常好的,我可以给所有gitlab创建的命名空间一个role-binding来获得这个权限吗?
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: service_cluster_monitor_reader
rules:
- apiGroups: ["monitoring.coreos.com"] # "" indicates the core API group
resources: ["servicemonitors"]
verbs: ["get", "create", "update", "patch", "delete"]
---
kind: CluserRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cluster-monitor-binding
subjects:
- kind: ServiceAccount
name: gitlab-project-id-dev-service-account
roleRef:
kind: ClusterRole
name: service_cluster_monitor_reader
apiGroup: rbac.authorization.k8s.io
能否给所有gitlab创建的命名空间一个角色绑定来获得这个权限?
虽然只给gitlab创建的命名空间中的服务账户这个权限并不容易,但你可以使用下面的方法给集群中所有命名空间的所有服务账户分配这个权限。
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: service_cluster_monitor_reader
rules:
- apiGroups: ["monitoring.coreos.com"] # "" indicates the core API group
resources: ["servicemonitors"]
verbs: ["get", "create", "update", "patch", "delete"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cluster-monitor-binding
subjects:
- kind: Group
name: system:serviceaccounts
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: service_cluster_monitor_reader
apiGroup: rbac.authorization.k8s.io
验证权限的方法是
kubectl auth can-i get servicemonitors --as=system:serviceaccount:ABC_NAMESPACE:ABC-dev-service-account -n ABC_NAMESPACE