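By default, when you submit a workflow in the cluster, the workflow runs in the argo namespace. To submit workflows to a specific namespace, and so isolate resources and permissions between different tasks, you must grant the required permissions to the default ServiceAccount or to the ServiceAccount that the workflow uses.
Edit an authorization file to grant the permissions to the ServiceAccount in the namespace. Once that is done, you can submit workflows to the specified namespace.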
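Create a sample namespace named test.

    kubectl create ns test

Create and edit the authorization file role-rolebinding.yaml.
Note: This example grants the permissions to the default ServiceAccount. If your workflow specifies a different ServiceAccount, grant the permissions to that ServiceAccount instead.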

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      annotations:
        workflows.argoproj.io/description: |
          This is the minimum recommended permissions needed if you want to use the agent, e.g. for HTTP or plugin templates.
          If <= v3.2 you must replace `workflowtasksets/status` with `patch workflowtasksets`.
      name: agent
    rules:
    - apiGroups:
      - argoproj.io
      resources:
      - workflowtasksets
      verbs:
      - list
      - watch
    - apiGroups:
      - argoproj.io
      resources:
      - workflowtasksets/status
      verbs:
      - patch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      annotations:
        workflows.argoproj.io/description: |
          This is the minimum recommended permissions needed if you want to use artifact GC.
      name: artifactgc
    rules:
    - apiGroups:
      - argoproj.io
      resources:
      - workflowartifactgctasks
      verbs:
      - list
      - watch
    - apiGroups:
      - argoproj.io
      resources:
      - workflowartifactgctasks/status
      verbs:
      - patch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      annotations:
        workflows.argoproj.io/description: |
          Recommended minimum permissions for the `emissary` executor.
      name: executor
    rules:
    - apiGroups:
      - argoproj.io
      resources:
      - workflowtaskresults
      verbs:
      - create
      - patch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: submit-workflow-template
    rules:
    - apiGroups:
      - argoproj.io
      resources:
      - workfloweventbindings
      verbs:
      - list
    - apiGroups:
      - argoproj.io
      resources:
      - workflowtemplates
      verbs:
      - get
    - apiGroups:
      - argoproj.io
      resources:
      - workflows
      verbs:
      - create
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      annotations:
        workflows.argoproj.io/description: |
          This is an example of the permissions you would need if you wanted to use a resource template to create and manage other workflows. The same pattern would be suitable for other resurces, e.g. a service
      name: workflow-manager
    rules:
    - apiGroups:
      - argoproj.io
      resources:
      - workflows
      verbs:
      - create
      - get
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: agent-default
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: agent
    subjects:
    - kind: ServiceAccount
      name: default
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: artifactgc-default
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: artifactgc
    subjects:
    - kind: ServiceAccount
      name: default
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: executor-default
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: executor
    subjects:
    - kind: ServiceAccount
      name: default
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: workflow-manager-default
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: workflow-manager
    subjects:
    - kind: ServiceAccount
      name: default

Apply the YAML to complete the authorization.

    kubectl apply -f role-rolebinding.yaml -n test

Expected output:

    role.rbac.authorization.k8s.io/agent created
    role.rbac.authorization.k8s.io/artifactgc created
    role.rbac.authorization.k8s.io/executor created
    role.rbac.authorization.k8s.io/submit-workflow-template created
    role.rbac.authorization.k8s.io/workflow-manager created
    rolebinding.rbac.authorization.k8s.io/agent-default created
    rolebinding.rbac.authorization.k8s.io/artifactgc-default created
    rolebinding.rbac.authorization.k8s.io/executor-default created
    rolebinding.rbac.authorization.k8s.io/workflow-manager-default created

Create a sample application with the following content. In this example, the file is named helloworld-workflow.yaml.

    apiVersion: argoproj.io/v1alpha1
    kind: Workflow                  # new type of k8s spec.
    metadata:
      generateName: hello-world-    # name of the workflow spec.
    spec:
      entrypoint: main              # invoke the main template.
      templates:
        - name: main                # name of the template.
          container:
            image: mirrors-ssl.aliyuncs.com/busybox:latest
            command: [ echo ]
            args: [ "hello world" ]

Run the following command to submit the workflow to the test namespace.

    argo submit helloworld-workflow.yaml -n test
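
To confirm what the bindings in role-rolebinding.yaml actually grant, the following added example (not part of the original page or of Argo Workflows) computes the effective permissions of a ServiceAccount and lists Roles that no RoleBinding references. The function names and the inline sample are constructed for illustration; against a real cluster, pass in the items list from `kubectl get role,rolebinding -n test -o json`.

```python
def roles_in(items, namespace):
    return [o for o in items if o["kind"] == "Role" and o["metadata"]["namespace"] == namespace]

def bound_roles(items, namespace, sa):
    """Roles bound to ServiceAccount `sa`; `items` comes from `kubectl get role,rolebinding -o json`."""
    names = set()
    for obj in items:
        if (obj["kind"] != "RoleBinding" or obj["metadata"]["namespace"] != namespace
                or obj["roleRef"]["kind"] != "Role"):  # ClusterRole refs are not resolved here
            continue
        for subj in obj.get("subjects", []):
            # A ServiceAccount subject with no namespace resolves to the binding's namespace.
            if subj["kind"] == "ServiceAccount" and subj["name"] == sa and subj.get("namespace", namespace) == namespace:
                names.add(obj["roleRef"]["name"])
    return names

def effective_permissions(items, namespace, sa):
    """Set of (apiGroup, resource, verb) tuples the ServiceAccount holds in `namespace`."""
    granted = bound_roles(items, namespace, sa)
    return {(g, r, v)
            for role in roles_in(items, namespace) if role["metadata"]["name"] in granted
            for rule in role.get("rules", [])
            for g in rule["apiGroups"] for r in rule["resources"] for v in rule["verbs"]}

def unbound_roles(items, namespace):
    """Roles that no RoleBinding in the namespace references (defined, granted to nobody)."""
    referenced = {o["roleRef"]["name"] for o in items
                  if o["kind"] == "RoleBinding" and o["metadata"]["namespace"] == namespace}
    return sorted(r["metadata"]["name"] for r in roles_in(items, namespace)
                  if r["metadata"]["name"] not in referenced)

# Constructed sample mirroring role-rolebinding.yaml as applied with `-n test`.
def _role(name, *rules):
    return {"kind": "Role", "metadata": {"name": name, "namespace": "test"},
            "rules": [{"apiGroups": ["argoproj.io"], "resources": [r], "verbs": v} for r, v in rules]}
def _bind(role):
    return {"kind": "RoleBinding", "metadata": {"name": role + "-default", "namespace": "test"},
            "roleRef": {"kind": "Role", "name": role},
            "subjects": [{"kind": "ServiceAccount", "name": "default"}]}

ITEMS = [
    _role("agent", ("workflowtasksets", ["list", "watch"]), ("workflowtasksets/status", ["patch"])),
    _role("artifactgc", ("workflowartifactgctasks", ["list", "watch"]), ("workflowartifactgctasks/status", ["patch"])),
    _role("executor", ("workflowtaskresults", ["create", "patch"])),
    _role("submit-workflow-template", ("workfloweventbindings", ["list"]), ("workflowtemplates", ["get"]), ("workflows", ["create"])),
    _role("workflow-manager", ("workflows", ["create", "get"])),
] + [_bind(r) for r in ("agent", "artifactgc", "executor", "workflow-manager")]
if __name__ == "__main__":
    print(sorted(effective_permissions(ITEMS, "test", "default")), unbound_roles(ITEMS, "test"))
```

For the manifest on this page it reports submit-workflow-template as unbound, while the default ServiceAccount still holds create on workflows through workflow-manager.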