By default, workflows are submitted to the argo namespace. To submit workflows to a different namespace, for resource isolation and access control between teams or projects, first grant the required Role-Based Access Control (RBAC) permissions to the ServiceAccount in that namespace.
Prerequisites
Before you begin, make sure you have:
An active Argo Workflows installation on your cluster
kubectl access with permissions to create namespaces and RBAC resources
The argo CLI installed
Grant permissions and submit a workflow
Step 1: Create the target namespace
```bash
kubectl create ns test
```
Step 2: Create the RBAC authorization file
Create a file named role-rolebinding.yaml with the following content.
This example grants permissions to the default ServiceAccount. If your workflow specifies a different ServiceAccount, grant the permissions to that ServiceAccount instead. A RoleBinding is namespace-scoped, so the permissions apply only within the namespace where the RoleBinding is created, which is why you apply this file to the test namespace in Step 3.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    workflows.argoproj.io/description: |
      This is the minimum recommended permissions needed if you want to use the agent, e.g. for HTTP or plugin templates.
      If <= v3.2 you must replace `workflowtasksets/status` with `patch workflowtasksets`.
  name: agent
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workflowtasksets
    verbs:
      - list
      - watch
  - apiGroups:
      - argoproj.io
    resources:
      - workflowtasksets/status
    verbs:
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    workflows.argoproj.io/description: |
      This is the minimum recommended permissions needed if you want to use artifact GC.
  name: artifactgc
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workflowartifactgctasks
    verbs:
      - list
      - watch
  - apiGroups:
      - argoproj.io
    resources:
      - workflowartifactgctasks/status
    verbs:
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    workflows.argoproj.io/description: |
      Recommended minimum permissions for the `emissary` executor.
  name: executor
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workflowtaskresults
    verbs:
      - create
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: submit-workflow-template
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workfloweventbindings
    verbs:
      - list
  - apiGroups:
      - argoproj.io
    resources:
      - workflowtemplates
    verbs:
      - get
  - apiGroups:
      - argoproj.io
    resources:
      - workflows
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    workflows.argoproj.io/description: |
      This is an example of the permissions you would need if you wanted to use a resource template to create and manage
      other workflows. The same pattern would be suitable for other resources, e.g. a service
  name: workflow-manager
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - workflows
    verbs:
      - create
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: agent-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: agent
subjects:
  - kind: ServiceAccount
    name: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: artifactgc-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: artifactgc
subjects:
  - kind: ServiceAccount
    name: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: executor-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: executor
subjects:
  - kind: ServiceAccount
    name: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: workflow-manager-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: workflow-manager
subjects:
  - kind: ServiceAccount
    name: default
```
This file defines five Roles and four RoleBindings. Start with the executor role, which holds the minimum permissions required for a workflow to run. Add the other roles only if you use the corresponding features:
| Role | Required for | Resources |
|---|---|---|
| executor | Minimum for the emissary executor | workflowtaskresults (create, patch) |
| agent | HTTP templates and plugin templates | workflowtasksets (list, watch); workflowtasksets/status (patch) |
| artifactgc | Artifact garbage collection | workflowartifactgctasks (list, watch); workflowartifactgctasks/status (patch) |
| submit-workflow-template | Submitting workflows from WorkflowTemplates | workfloweventbindings (list); workflowtemplates (get); workflows (create) |
| workflow-manager | Creating and managing workflows from resource templates | workflows (create, get) |
Step 3: Apply the authorization file
Apply the file to the test namespace to create the Roles and RoleBindings there:
```bash
kubectl apply -f role-rolebinding.yaml -n test
```
The expected output is:
```
role.rbac.authorization.k8s.io/agent created
role.rbac.authorization.k8s.io/artifactgc created
role.rbac.authorization.k8s.io/executor created
role.rbac.authorization.k8s.io/submit-workflow-template created
role.rbac.authorization.k8s.io/workflow-manager created
rolebinding.rbac.authorization.k8s.io/agent-default created
rolebinding.rbac.authorization.k8s.io/artifactgc-default created
rolebinding.rbac.authorization.k8s.io/executor-default created
rolebinding.rbac.authorization.k8s.io/workflow-manager-default created
```
Step 4: Create the workflow definition
Create a file named helloworld-workflow.yaml:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Workflow                  # new type of k8s spec.
metadata:
  generateName: hello-world-    # name of the workflow spec.
spec:
  entrypoint: main              # invoke the main template.
  templates:
    - name: main                # name of the template.
      container:
        image: mirrors-ssl.aliyuncs.com/busybox:latest
        command: [ echo ]
        args: [ "hello world" ]
```
Step 5: Submit the workflow to the target namespace
```bash
argo submit helloworld-workflow.yaml -n test
```
The workflow runs in the test namespace using the permissions granted in Step 3.
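
To confirm that the bindings from Step 3 grant what the Roles describe and nothing outside the test namespace, the following added example (not part of the original page or the Argo project) impersonates the ServiceAccount with kubectl auth can-i. The function names, the KUBECTL override and the deny rows are assumptions made for this example, and the caller needs permission to impersonate ServiceAccounts.

```shell
#!/bin/sh
# Added example: compare a ServiceAccount's effective permissions with what
# the Roles above are meant to grant.
# Assumption: KUBECTL is overridable so the logic can be exercised with a stub.
KUBECTL="${KUBECTL:-kubectl}"

# can_i SA_NS SA TARGET_NS VERB RESOURCE [SUBRESOURCE]
# Succeeds only when the API server answers "yes" for the impersonated account.
can_i() (
  sa_ns=$1; sa=$2; target=$3; verb=$4; res=$5; sub=${6:-}
  set -- auth can-i "$verb" "$res" -n "$target" "--as=system:serviceaccount:$sa_ns:$sa"
  if [ -n "$sub" ]; then set -- "$@" "--subresource=$sub"; fi
  [ "$("$KUBECTL" "$@" </dev/null 2>/dev/null)" = "yes" ]
)

# audit_sa SA_NS SA
# Prints one line per mismatch; exit status is the number of mismatches.
audit_sa() (
  ns=$1; sa=$2; bad=0
  # Columns: expected result, target namespace, verb, resource, subresource.
  # "allow" rows come from the executor and agent Roles. "deny" rows are
  # constructed checks: the grant must stay inside $ns and must not reach
  # Secrets or RBAC objects. Adjust them to your own policy.
  while read -r expect target verb res sub; do
    if can_i "$ns" "$sa" "$target" "$verb" "$res" "$sub"; then
      got=allow
    else
      got=deny
    fi
    if [ "$got" != "$expect" ]; then
      echo "MISMATCH: $sa in $target: $verb $res${sub:+/$sub} is $got, expected $expect"
      bad=$((bad + 1))
    fi
  done <<EOF
allow $ns create workflowtaskresults.argoproj.io
allow $ns patch workflowtaskresults.argoproj.io
allow $ns patch workflowtasksets.argoproj.io status
deny $ns get secrets
deny $ns create rolebindings.rbac.authorization.k8s.io
deny argo create workflowtaskresults.argoproj.io
EOF
  exit "$bad"
)

# Against a live cluster, after Step 3:  audit_sa test default
```

An empty result with exit status 0 means every row matched; each MISMATCH line names a grant that is missing or broader than intended.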