Secara default, Argo Workflows mengirim semua alur kerja ke namespace argo. Untuk menjalankan alur kerja di namespace terpisah guna mengisolasi sumber daya dan izin, konfigurasikan Role-Based Access Control (RBAC) pada namespace target dan kirim alur kerja tersebut dengan flag -n.
Contoh kasus umum: jika satu tim menjalankan pipeline CI/CD dan tim lain menjalankan pekerjaan pemrosesan data, berikan masing-masing tim namespace-nya sendiri alih-alih berbagi namespace argo.
Prasyarat
Sebelum memulai, pastikan Anda telah:
menginstal dan mengonfigurasi kubectl dengan akses ke kluster ACK
Argo CLI (
argo) telah terinstal.
Berikan izin RBAC ke namespace
Langkah 1: Buat namespace target
kubectl create ns testLangkah 2: Buat file otorisasi
Buat file bernama role-rolebinding.yaml dengan konten berikut. File ini mendefinisikan lima Role dan empat RoleBinding, semuanya ditautkan ke akun layanan default.
Akun layanan default adalah akun bersama—beban kerja lain mungkin menambahkan izin yang tidak Anda maksudkan. Untuk beban kerja produksi, buat akun layanan khusus untuk alur kerja Anda alih-alih menggunakan default.
Jika versi Argo Workflows Anda v3.2 atau lebih lama, gantiworkflowtasksets/statusdenganpatch workflowtasksetsdalam aturan Roleagent.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
workflows.argoproj.io/description: |
This is the minimum recommended permissions needed if you want to use the agent, e.g. for HTTP or plugin templates.
If <= v3.2 you must replace `workflowtasksets/status` with `patch workflowtasksets`.
name: agent
rules:
- apiGroups:
- argoproj.io
resources:
- workflowtasksets
verbs:
- list
- watch
- apiGroups:
- argoproj.io
resources:
- workflowtasksets/status
verbs:
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
workflows.argoproj.io/description: |
This is the minimum recommended permissions needed if you want to use artifact GC.
name: artifactgc
rules:
- apiGroups:
- argoproj.io
resources:
- workflowartifactgctasks
verbs:
- list
- watch
- apiGroups:
- argoproj.io
resources:
- workflowartifactgctasks/status
verbs:
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
workflows.argoproj.io/description: |
Recommended minimum permissions for the `emissary` executor.
name: executor
rules:
- apiGroups:
- argoproj.io
resources:
- workflowtaskresults
verbs:
- create
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: submit-workflow-template
rules:
- apiGroups:
- argoproj.io
resources:
- workfloweventbindings
verbs:
- list
- apiGroups:
- argoproj.io
resources:
- workflowtemplates
verbs:
- get
- apiGroups:
- argoproj.io
resources:
- workflows
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
workflows.argoproj.io/description: |
This is an example of the permissions you would need if you wanted to use a resource template to create and manage
other workflows. The same pattern would be suitable for other resurces, e.g. a service
name: workflow-manager
rules:
- apiGroups:
- argoproj.io
resources:
- workflows
verbs:
- create
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: agent-default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: agent
subjects:
- kind: ServiceAccount
name: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: artifactgc-default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: artifactgc
subjects:
- kind: ServiceAccount
name: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: executor-default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: executor
subjects:
- kind: ServiceAccount
name: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: workflow-manager-default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: workflow-manager
subjects:
- kind: ServiceAccount
name: defaultLangkah 3: Terapkan otorisasi
kubectl apply -f role-rolebinding.yaml -n testOutput yang diharapkan adalah:
role.rbac.authorization.k8s.io/agent created
role.rbac.authorization.k8s.io/artifactgc created
role.rbac.authorization.k8s.io/executor created
role.rbac.authorization.k8s.io/submit-workflow-template created
role.rbac.authorization.k8s.io/workflow-manager created
rolebinding.rbac.authorization.k8s.io/agent-default created
rolebinding.rbac.authorization.k8s.io/artifactgc-default created
rolebinding.rbac.authorization.k8s.io/executor-default created
rolebinding.rbac.authorization.k8s.io/workflow-manager-default createdKirim alur kerja ke namespace
Langkah 4: Buat file alur kerja
Buat file bernama helloworld-workflow.yaml:
apiVersion: argoproj.io/v1alpha1
kind: Workflow # Defines a new Kubernetes resource type for Argo Workflows.
metadata:
generateName: hello-world- # The prefix for the workflow name. Kubernetes will append a unique suffix.
spec:
entrypoint: main # Specifies the template to execute first.
templates:
- name: main # The name of the template.
container:
image: mirrors-ssl.aliyuncs.com/busybox:latest
command: [ echo ]
args: [ "hello world" ]Langkah 5: Kirim alur kerja
Kirim alur kerja ke namespace test:
argo submit helloworld-workflow.yaml -n test