碼上歡樂
相關內容    簡體    繁體

Jenkinsfile中定義的podTemplate中的容器執行kubectl命令權限不夠問題解決

本文轉載自   查看原文   2020-04-20 15:23   2173    Jenkins/ Troubleshooting/ Kubernetes

信息說明

    筆者k8s環境是v1.16版本,Jenkins以pod形式在kube-ops的命名空間中運行,在通過動態Jenkins slave實現CI/CD時,通過Jenkinsfile自定義pod模板信息,在Jenkins slave中執行kubectl命令時,出現權限不夠的報錯。

    經過筆者多次調試,出現不同的權限報錯信息,如下:

### 1

+ kubectl get pods

Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:kube-ops:default" cannot list resource "pods" in API group "" in the namespace "kube-ops"

### 2

Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:kube-ops:default" cannot list resource "pods" in API group "" in the namespace "kube-ops"

問題解決

    筆者之前在Jenkins的系統配置里添加過kubernets的pod模板信息,能正常執行kubectl命令,但是將其整合到自定義的Jenkinsfile文件中,便出現此報錯。

    個人根據原有的頁面pod配置和Jenkinsfile中的pod配置對比,發現前者比后者多了項 serverAccout 的配置,故我試着在Jenkinsfile的podTemplate中添加 serverAccout,如圖:

  

    因為在不同的kubernets集群中,jenkins的rbac權限可能不同,故有些人加了 serviceAccount: 'jenkins' 也沒解決問題,究其原因是 jenkins 的rbac權限配置未達到執行kubectl命令的要求,故提供下述yaml文件,並在k8s中應用即可。

# cat rbac-jenkins.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
  namespace: kube-ops

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: jenkins
rules:
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments"]
    verbs: ["create", "delete", "get", "list", "watch", "patch", "update"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["create", "delete", "get", "list", "watch", "patch", "update"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get","list","watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get","list","watch"]

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: jenkins
  namespace: kube-ops
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: jenkins
subjects:
  - kind: ServiceAccount
    name: jenkins
    namespace: kube-ops

# kubectl apply -f rbac-jenkins.yaml

 

# 添加完成后觸發構建,顯示正常,如圖:

參考文檔

https://github.com/jenkinsci/kubernetes-plugin/blob/master/README.md

 


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 kubectl在pod容器中執行命令 JavaC命令不能被執行尷尬問題解決 linux中執行命令權限不夠怎樣處理 QNAP WEBDAV 權限問題解決 java執行cmd命令,返回結果中文亂碼問題解決 Docker 容器中“TERM environment variable not set.”問題解決 關於浮動寬度不夠掉盒子的問題解決方法 zabbix安裝中問題解決 Jeeplus框架中問題解決 寶塔面板權限不足問題解決
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM