Hi, I'm trying to write a simple pipeline to delete some ECR images that are cluttering the repo. I want Jenkins to do it. I get this error:
An error occurred (AccessDeniedException) when calling the BatchDeleteImage operation: User: arn:aws:sts::~:assumed-role/~cluster-nodegr-NodeInstanceRole-~/i-~ is not authorized to perform: ecr:BatchDeleteImage on resource: arn:aws:ecr:~:~:repository/~ because no identity-based policy allows the ecr:BatchDeleteImage action
Jenkins runs on k8s. Among other YAML, I use something like the following YAML to get it up and running:
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jenkins
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins
subjects:
  - kind: ServiceAccount
    name: jenkins
The pipeline looks like this:
pipeline {
    agent {
        kubernetes {
            inheritFrom 'jenkins-slave'
        }
    }
    // Declarative pipelines require stages to be wrapped in a stages {} block
    stages {
        stage('test') {
            steps {
                sh '''aws ecr batch-delete-image \
                    --repository-name <repo-name> \
                    --image-ids imageDigest=<img digest>
                '''
            }
        }
    }
}
I tried adding this:
  - apiGroups: ["ecr"]
    resources: ["*"]
    verbs: ["batchDeleteImage"]
    resourceNames:
      - "*"
But it didn't work.
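The error message itself shows what is happening: the `aws` call inside the agent pod is running with the credentials of the node's instance role (`NodeInstanceRole`), and that role has no `ecr:BatchDeleteImage` permission. The Kubernetes `Role` in the question only governs access to the Kubernetes API (pods, secrets, and so on); AWS IAM never consults it, so an `apiGroups: ["ecr"]` rule has no effect. The least-privilege way to fix this on EKS is to give the Jenkins agent pod its own IAM role through IAM Roles for Service Accounts (IRSA) rather than widening the node role for every pod on the node. The configuration below is an added example, not code from the original post; the account ID, region, OIDC provider ID, namespace, role name and repository name are all placeholders that must be replaced with the cluster's real values.

```yaml
# Added example (not from the original post): give the Jenkins agent pod a
# dedicated IAM role via IRSA instead of widening the node instance role.
# Placeholders used throughout:
#   111122223333              AWS account ID
#   us-east-1                 region
#   EXAMPLE0123456789ABCDEF   OIDC provider ID of the EKS cluster
#   jenkins                   namespace and ServiceAccount name
#   my-app                    the ECR repository the pipeline prunes
#   jenkins-ecr-prune         name of the IAM role created for this
#
# 1) Permission policy attached to the role: only the call the pipeline
#    makes, and only on the one repository (JSON is valid YAML). If the
#    pipeline later also lists images, add "ecr:ListImages" here.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PruneOneRepository",
      "Effect": "Allow",
      "Action": ["ecr:BatchDeleteImage"],
      "Resource": "arn:aws:ecr:us-east-1:111122223333:repository/my-app"
    }
  ]
}
---
# 2) Trust policy of the role: only the jenkins ServiceAccount in the jenkins
#    namespace of this specific cluster may assume it.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF:sub": "system:serviceaccount:jenkins:jenkins",
          "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
---
# 3) The ServiceAccount from the question, annotated with the role ARN so the
#    EKS pod identity webhook injects AWS_ROLE_ARN and a projected web
#    identity token into pods that run as this ServiceAccount.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
  namespace: jenkins
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/jenkins-ecr-prune
```

Two things have to hold for this to take effect: the agent pod template that `inheritFrom 'jenkins-slave'` resolves to must actually run as the `jenkins` ServiceAccount (the Kubernetes plugin's `serviceAccount` pod template setting), and the `aws` CLI in the agent image must be a version that can use a web identity token (v2, or a reasonably recent v1). Once both are in place, the `User:` in any further AccessDenied message changes from the `NodeInstanceRole` to the new role, which is a quick way to confirm the pod is no longer borrowing the node's credentials. The existing `Role`/`RoleBinding` can stay as they are; they remain the right place for Kubernetes API permissions, just not for ECR.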