I am trying to refresh ECR credentials automatically with a CronJob and store the token in a Secret. Whenever I run the CronJob, the log of the resulting Job shows the following error:
2023-09-14T20:11:20.326837046Z error: failed to create secret secrets is forbidden: User "system:serviceaccount:cfh:default" cannot create resource "secrets" in API group "" in the namespace "cfh"
Interestingly, it does not seem to fail on the delete step. I wonder whether the problem is that kubectl create secret docker-registry needs a different role permission than the standard Secret verbs because the Secret is of type docker-registry, but I am not sure.
My CronJob YAML looks like this:
apiVersion: batch/v1
kind: CronJob
metadata:
  name: ecr-registry-helper
  namespace: cfh
  creationTimestamp: '2023-09-11T00:06:03Z'
  generation: 25
spec:
  concurrencyPolicy: Allow
  failedJobsHistoryLimit: 1
  jobTemplate:
    metadata:
      creationTimestamp: null
      namespace: cfh
    spec:
      template:
        metadata:
          creationTimestamp: null
        spec:
          containers:
            - name: ecr-registry-helper
              image: omarxs/awskctl:v1.0
              imagePullPolicy: IfNotPresent
              command:
                - /bin/bash
                - '-c'
                # literal block: one shell command per line, delete then create
                - |-
                  ECR_TOKEN=`aws ecr get-login-password --region ${AWS_REGION}`
                  NAMESPACE_NAME=cfh
                  kubectl delete secret --ignore-not-found regcred -n $NAMESPACE_NAME
                  echo "deleted secret"
                  kubectl create secret docker-registry regcred \
                    --docker-server=https://${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com \
                    --docker-username=AWS --docker-password="${ECR_TOKEN}" -n $NAMESPACE_NAME
                  echo "Secret was successfully updated at $(date)"
              envFrom:
                - secretRef:
                    name: ecr-registry-helper-secrets
                - configMapRef:
                    name: ecr-registry-helper-cm
              resources: {}
              terminationMessagePath: /dev/termination-log
              terminationMessagePolicy: File
          dnsPolicy: ClusterFirst
          restartPolicy: Never
          schedulerName: default-scheduler
          serviceAccount: default
          serviceAccountName: default
          terminationGracePeriodSeconds: 30
  schedule: 0 */10 * * *
  successfulJobsHistoryLimit: 2
  suspend: false
and my ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: cfh
  creationTimestamp: '2023-09-10T22:14:31Z'
automountServiceAccountToken: false
Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: '2023-09-11T00:06:03Z'
  name: role-full-access-to-secrets
  namespace: cfh
rules:
  - apiGroups:
      - ''
    resourceNames:
      - regcred
    resources:
      - secrets
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
and RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: '2023-09-11T00:06:03Z'
  name: default-role-binding
  namespace: cfh
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: role-full-access-to-secrets
subjects:
  - kind: ServiceAccount
    name: default
    namespace: cfh
Answer 1
Thanks to @veera-nagireddy for helping me solve this (see his comments on the original post for more background).
The problem was that, although the CronJob assumed the ServiceAccount's role, the CronJob itself did not have permission to create/update Secrets in the cfh namespace. To fix this I also had to create a ClusterRole & ClusterRoleBinding that grant the ServiceAccount permission to change Secrets in the cfh namespace.
ClusterRole:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: '2023-09-16T02:39:55Z'
  name: ecr-registry-helper-cluster-role
rules:
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - create
      - delete
      - update
ClusterRoleBinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: '2023-09-16T02:42:42Z'
  name: ecr-registry-helper-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ecr-registry-helper-cluster-role
subjects:
  - kind: ServiceAccount
    name: default
    namespace: cfh
After creating these two resources I was able to create the Secret successfully.
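The Role in the question scopes every verb, including create, to resourceNames: [regcred]. Kubernetes RBAC cannot enforce a resourceNames restriction on create (the object's name is not part of the request at authorization time), so that rule never matches a create request, while the name-scoped delete rule does match, which is exactly the "delete works, create is forbidden" behaviour in the log. The manifest below is an added example, not the question's or the answer's own code: a namespaced Role and RoleBinding that grant only the two operations the CronJob script performs, instead of the cluster-wide ClusterRole used in the answer. It assumes the same namespace cfh, ServiceAccount default and Secret name regcred as the page; the Role and RoleBinding name ecr-regcred-writer is made up here.

```yaml
# Added example, not a manifest from the question or the answer.
# Assumes namespace cfh, ServiceAccount default and Secret regcred
# as on the page; the name ecr-regcred-writer is an assumption.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ecr-regcred-writer
  namespace: cfh
rules:
  # create cannot be restricted by resourceNames (the new object's name
  # is not in the request), so this rule must stay name-free. The Role's
  # namespace is the boundary: it allows creating Secrets in cfh only.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  # delete can be name-scoped, so limit it to the one Secret the job rewrites.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["regcred"]
    verbs: ["delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ecr-regcred-writer
  namespace: cfh
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ecr-regcred-writer
subjects:
  - kind: ServiceAccount
    name: default
    namespace: cfh
```

After applying it, check the grant from the ServiceAccount's point of view before the next scheduled run: kubectl auth can-i create secrets -n cfh --as=system:serviceaccount:cfh:default should answer yes, and the same command with -n for any other namespace should answer no. That second answer is the difference from the answer's ClusterRole/ClusterRoleBinding, which lets the cfh default ServiceAccount create, delete and update Secrets in every namespace of the cluster. Binding the Role to a dedicated ServiceAccount used only by this CronJob, rather than to default, also keeps the Secret-writing permission away from every other Pod in cfh that runs under the default account.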