我希望 kubernetes 中的部署有权从集群内自行重启。
我知道我可以创建一个服务帐户并将其绑定到 Pod,但我缺少允许该命令的最具体权限的名称(即不仅仅是允许
'*'
)
kubectl rollout restart deploy <deployment>
这就是我所拥有的,并且???这就是我所缺少的
apiVersion: v1
kind: ServiceAccount
metadata:
name: restart-sa
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: restarter
rules:
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["list", "???"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: testrolebinding
namespace: default
subjects:
- kind: ServiceAccount
name: restart-sa
namespace: default
roleRef:
kind: Role
name: restarter
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
name: example
spec:
containers:
- image: nginx
name: nginx
serviceAccountName: restart-sa
我相信以下是重新启动部署所需的最低权限:
rules:
- apiGroups: ["apps", "extensions"]
resources: ["deployments"]
resourceNames: [$DEPLOYMENT]
verbs: ["get", "patch"]
如果您想要从集群内重新启动 kubernetes 部署本身的权限,您需要设置 rbac 授权的权限。
在 yaml 文件中,您错过了 Role:rules 下的一些特定权限,您需要按以下格式添加 动词:[“获取”、“观看”、“列表”]
确保在“spec:containers”下的部署 yaml 文件中添加“serviceAccountName: restart-sa”。如下所述:
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
serviceAccountName: restart-sa
然后您可以使用以下命令重新启动部署:
$ kubectl 推出重新启动部署 [deployment_name]
推出重新启动。
最后我设法通过将replicasets 添加到 resources 列表来修复它
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: restarter
rules:
- apiGroups: ["apps"]
resources: ["deployments", "replicasets", "pods"]
verbs: ["get", "patch"]
希望这也能帮助你:)