All Products
Search
Document Center

Container Service for Kubernetes:Kirim alur kerja ke namespace tertentu

Last Updated:Mar 27, 2026

Secara default, Argo Workflows mengirim semua alur kerja ke namespace argo. Untuk menjalankan alur kerja di namespace terpisah guna mengisolasi sumber daya dan izin, konfigurasikan Role-Based Access Control (RBAC) pada namespace target dan kirim alur kerja tersebut dengan flag -n.

Contoh kasus umum: jika satu tim menjalankan pipeline CI/CD dan tim lain menjalankan pekerjaan pemrosesan data, berikan masing-masing tim namespace-nya sendiri alih-alih berbagi namespace argo.

Prasyarat

Sebelum memulai, pastikan Anda telah:

  • menginstal dan mengonfigurasi kubectl dengan akses ke kluster ACK

  • Argo CLI (argo) telah terinstal.

Berikan izin RBAC ke namespace

Langkah 1: Buat namespace target

kubectl create ns test

Langkah 2: Buat file otorisasi

Buat file bernama role-rolebinding.yaml dengan konten berikut. File ini mendefinisikan lima Role dan empat RoleBinding, semuanya ditautkan ke akun layanan default.

Peringatan

Akun layanan default adalah akun bersama—beban kerja lain mungkin menambahkan izin yang tidak Anda maksudkan. Untuk beban kerja produksi, buat akun layanan khusus untuk alur kerja Anda alih-alih menggunakan default.

Jika versi Argo Workflows Anda v3.2 atau lebih lama, ganti workflowtasksets/status dengan patch workflowtasksets dalam aturan Role agent.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    workflows.argoproj.io/description: |
      This is the minimum recommended permissions needed if you want to use the agent, e.g. for HTTP or plugin templates.

      If <= v3.2 you must replace `workflowtasksets/status` with `patch workflowtasksets`.
  name: agent
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workflowtasksets
    verbs:
      - list
      - watch
  - apiGroups:
      - argoproj.io
    resources:
      - workflowtasksets/status
    verbs:
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    workflows.argoproj.io/description: |
      This is the minimum recommended permissions needed if you want to use artifact GC.
  name: artifactgc
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workflowartifactgctasks
    verbs:
        - list
        - watch
  - apiGroups:
      - argoproj.io
    resources:
      - workflowartifactgctasks/status
    verbs:
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    workflows.argoproj.io/description: |
      Recommended minimum permissions for the `emissary` executor.
  name: executor
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workflowtaskresults
    verbs:
      - create
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: submit-workflow-template
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workfloweventbindings
    verbs:
      - list
  - apiGroups:
      - argoproj.io
    resources:
      - workflowtemplates
    verbs:
      - get
  - apiGroups:
      - argoproj.io
    resources:
      - workflows
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    workflows.argoproj.io/description: |
      This is an example of the permissions you would need if you wanted to use a resource template to create and manage
      other workflows. The same pattern would be suitable for other resurces, e.g. a service
  name: workflow-manager
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workflows
    verbs:
      - create
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: agent-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: agent
subjects:
  - kind: ServiceAccount
    name: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: artifactgc-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: artifactgc
subjects:
  - kind: ServiceAccount
    name: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: executor-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: executor
subjects:
  - kind: ServiceAccount
    name: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: workflow-manager-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: workflow-manager
subjects:
  - kind: ServiceAccount
    name: default

Langkah 3: Terapkan otorisasi

kubectl apply -f role-rolebinding.yaml -n test

Output yang diharapkan adalah:

role.rbac.authorization.k8s.io/agent created
role.rbac.authorization.k8s.io/artifactgc created
role.rbac.authorization.k8s.io/executor created
role.rbac.authorization.k8s.io/submit-workflow-template created
role.rbac.authorization.k8s.io/workflow-manager created
rolebinding.rbac.authorization.k8s.io/agent-default created
rolebinding.rbac.authorization.k8s.io/artifactgc-default created
rolebinding.rbac.authorization.k8s.io/executor-default created
rolebinding.rbac.authorization.k8s.io/workflow-manager-default created

Kirim alur kerja ke namespace

Langkah 4: Buat file alur kerja

Buat file bernama helloworld-workflow.yaml:

apiVersion: argoproj.io/v1alpha1
kind: Workflow                # Defines a new Kubernetes resource type for Argo Workflows.
metadata:
  generateName: hello-world-  # The prefix for the workflow name. Kubernetes will append a unique suffix.
spec:
  entrypoint: main            # Specifies the template to execute first.
  templates:
    - name: main              # The name of the template.
      container:
        image: mirrors-ssl.aliyuncs.com/busybox:latest
        command: [ echo ]
        args: [ "hello world" ]

Langkah 5: Kirim alur kerja

Kirim alur kerja ke namespace test:

argo submit helloworld-workflow.yaml -n test