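By default, when you submit a workflow in a cluster, the workflow runs in the argo namespace. If you need to submit workflows to a specific namespace to isolate resources and permissions between different tasks, you must grant the corresponding permissions to the default ServiceAccount or to the relevant ServiceAccount.
You can edit an authorization file to grant permissions to the ServiceAccount in the namespace. After that, you can submit workflows to the specified namespace.
Create an example namespace named test.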
kubectl create ns test
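Create and edit the authorization file role-rolebinding.yaml.
Note: This example grants permissions to the default ServiceAccount. If your workflow specifies a different ServiceAccount, grant the permissions to that ServiceAccount instead.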
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    workflows.argoproj.io/description: |
      This is the minimum recommended permissions needed if you want to use the agent, e.g. for HTTP or plugin templates.
      If <= v3.2 you must replace `workflowtasksets/status` with `patch workflowtasksets`.
  name: agent
rules:
- apiGroups:
  - argoproj.io
  resources:
  - workflowtasksets
  verbs:
  - list
  - watch
- apiGroups:
  - argoproj.io
  resources:
  - workflowtasksets/status
  verbs:
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    workflows.argoproj.io/description: |
      This is the minimum recommended permissions needed if you want to use artifact GC.
  name: artifactgc
rules:
- apiGroups:
  - argoproj.io
  resources:
  - workflowartifactgctasks
  verbs:
  - list
  - watch
- apiGroups:
  - argoproj.io
  resources:
  - workflowartifactgctasks/status
  verbs:
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    workflows.argoproj.io/description: |
      Recommended minimum permissions for the `emissary` executor.
  name: executor
rules:
- apiGroups:
  - argoproj.io
  resources:
  - workflowtaskresults
  verbs:
  - create
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: submit-workflow-template
rules:
- apiGroups:
  - argoproj.io
  resources:
  - workfloweventbindings
  verbs:
  - list
- apiGroups:
  - argoproj.io
  resources:
  - workflowtemplates
  verbs:
  - get
- apiGroups:
  - argoproj.io
  resources:
  - workflows
  verbs:
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    workflows.argoproj.io/description: |
      This is an example of the permissions you would need if you wanted to use a resource template to create and manage other workflows. The same pattern would be suitable for other resources, e.g. a service
  name: workflow-manager
rules:
- apiGroups:
  - argoproj.io
  resources:
  - workflows
  verbs:
  - create
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: agent-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: agent
subjects:
- kind: ServiceAccount
  name: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: artifactgc-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: artifactgc
subjects:
- kind: ServiceAccount
  name: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: executor-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: executor
subjects:
- kind: ServiceAccount
  name: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: workflow-manager-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: workflow-manager
subjects:
- kind: ServiceAccount
  name: default
Deploy the YAML to complete the authorization.
kubectl apply -f role-rolebinding.yaml -n test
Expected output:
role.rbac.authorization.k8s.io/agent created
role.rbac.authorization.k8s.io/artifactgc created
role.rbac.authorization.k8s.io/executor created
role.rbac.authorization.k8s.io/submit-workflow-template created
role.rbac.authorization.k8s.io/workflow-manager created
rolebinding.rbac.authorization.k8s.io/agent-default created
rolebinding.rbac.authorization.k8s.io/artifactgc-default created
rolebinding.rbac.authorization.k8s.io/executor-default created
rolebinding.rbac.authorization.k8s.io/workflow-manager-default created
Create a sample application with the following content. In this example the file is named helloworld-workflow.yaml.
apiVersion: argoproj.io/v1alpha1
kind: Workflow                  # new type of k8s spec.
metadata:
  generateName: hello-world-    # name of the workflow spec.
spec:
  entrypoint: main              # invoke the main template.
  templates:
    - name: main                # name of the template.
      container:
        image: mirrors-ssl.aliyuncs.com/busybox:latest
        command: [ echo ]
        args: [ "hello world" ]
Run the following command to submit the workflow to the test namespace.
argo submit helloworld-workflow.yaml -n test
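To confirm that the authorization step granted the ServiceAccount what the bound Roles list and nothing broader, the following check can be run against the namespace. It is an added example, not part of the original procedure: the function name audit_sa and the expectation table are hypothetical, and the "deny" rows are constructed assumptions about actions that should stay refused.

```shell
#!/bin/sh
# Added example: compare the ServiceAccount's effective permissions with the
# Roles bound in role-rolebinding.yaml. The "deny" rows are constructed
# assumptions: actions those Roles do not grant and that should stay refused.
# Row format: <allow|deny> <verb> <resource.group> [subresource]
EXPECTED='allow create workflowtaskresults.argoproj.io
allow patch workflowtaskresults.argoproj.io
allow create workflows.argoproj.io
allow get workflows.argoproj.io
allow list workflowtasksets.argoproj.io
allow watch workflowtasksets.argoproj.io
allow patch workflowtasksets.argoproj.io status
allow list workflowartifactgctasks.argoproj.io
allow watch workflowartifactgctasks.argoproj.io
allow patch workflowartifactgctasks.argoproj.io status
deny delete workflows.argoproj.io
deny get secrets
deny create rolebindings.rbac.authorization.k8s.io'

# audit_sa <namespace> <serviceaccount>
# Prints every mismatch and returns the number of mismatches (0 = as expected).
# The caller must be allowed to impersonate ServiceAccounts (--as).
audit_sa() {
  ns=$1; sa=$2; bad=0
  while read -r want verb res sub; do
    [ -n "$want" ] || continue
    set -- auth can-i "$verb" "$res" -n "$ns" \
      --as="system:serviceaccount:$ns:$sa"
    if [ -n "$sub" ]; then set -- "$@" --subresource="$sub"; fi
    # can-i prints yes/no and exits non-zero on "no"; stdin is detached so
    # kubectl cannot consume the rest of the expectation table.
    got=$(kubectl "$@" 2>/dev/null </dev/null) || true
    if [ "$got" = yes ]; then actual=allow; else actual=deny; fi
    if [ "$actual" != "$want" ]; then
      echo "MISMATCH: expected $want, got $actual: $verb $res${sub:+/$sub}"
      bad=$((bad + 1))
    fi
  done <<EOF
$EXPECTED
EOF
  return "$bad"
}

# Usage after applying the manifest: audit_sa test default
```

A mismatch on a "deny" row means some other Role or ClusterRole binding in the cluster also applies to the ServiceAccount, which weakens the isolation between namespaces that this procedure is meant to provide.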