触发另一个 Kubernetes 作业中的 Kubernetes。

huangapple go评论79阅读模式
英文:

Trigger Kubernetes from from another kubernetes job

问题

以下是翻译好的内容:

我正在从基本 pod 上运行 Kubernetes 作业 (job-1)。它适用于基本用例。对于第二个用例,我希望从已经运行的 job: job-1 触发另一个 Kubernetes 作业 (job-2)。在运行作业 job-2 时,我遇到了以下所示的服务账号错误:

由于异常,Prowler 的容器启动时发生错误:执行失败:POST 到:https://172.20.0.1/apis/batch/v1/namespaces/my-namespace/jobs。消息:Forbidden!Configured service account doesn't have access。Service account may have been revoked。jobs.batch 被禁止:用户 "system:serviceaccount:my-namespace:default" 不能在命名空间 "my-namespace" 中的 API 组 "batch" 中创建资源 "jobs"。

我已经创建了具有所需权限的服务账号,如下所示:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-sa-service-role-binding
subjects:
  - kind: ServiceAccount
    name: my-sa
    namespace: my-namespace
roleRef:
  kind: Role
  name: my-sa-service-role
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-sa-service-role
rules:
  - apiGroups: [""] 
    resources: ["secrets", "pods"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["batch", "extensions"]
    resources: ["jobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-sa

我将 "my-sa" 作为服务账号名称进行了传递,但仍然引用默认服务账号。

我使用 fabric8io Kubernetes 客户端触发作业,以下是我的代码:

          final Job job = new JobBuilder()
            .withApiVersion("batch/v1")
            .withNewMetadata()
            .withName("demo")
            .withLabels(Collections.singletonMap("label1", "maximum-length-of-63-characters"))
            .withAnnotations(Collections.singletonMap("annotation1", "some-annotation"))
            .endMetadata()
            .withNewSpec().withParallelism(1)
            .withNewTemplate()
            .withNewSpec().withServiceAccount("my-sa")
            .addNewContainer()
            .withName("prowler")
            .withImage("demo-image")
            .withEnv(env)
            .endContainer()
            .withRestartPolicy("Never")
            .endSpec()
            .endTemplate()
            .endSpec()
            .build();
英文:

I am running on kubernetes job (job-1) from base pod. It works for basic use case. For second use case, I want trigger another kubernetes job(job-2) from already running job: job-1. While running job-2 I get service account error as given below:

Error occurred while starting container for Prowler due to exception : Failure executing: POST at: https://172.20.0.1/apis/batch/v1/namespaces/my-namespace/jobs. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. jobs.batch is forbidden: User "system:serviceaccount:my-namespace:default" cannot create resource "jobs" in API group "batch" in the namespace "my-namespace".

I have created service account with required permissions as given below:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-sa-service-role-binding
subjects:
  - kind: ServiceAccount
    name: my-sa
    namespace: my-namespace
roleRef:
  kind: Role
  name: my-namespace
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-sa-service-role
rules:
  - apiGroups: [""]
    resources: ["secrets", "pods"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["batch", "extensions"]
    resources: ["jobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-sa

I am passing "my-sa" as service account name but still, it refers to default service account.

I am using fabric8io kubernetes client to trigger the job and below is my code:

          final Job job = new JobBuilder()
            .withApiVersion("batch/v1")
            .withNewMetadata()
            .withName("demo")
            .withLabels(Collections.singletonMap("label1", "maximum-length-of-63-characters"))
            .withAnnotations(Collections.singletonMap("annotation1", "some-annotation"))
            .endMetadata()
            .withNewSpec().withParallelism(1)
            .withNewTemplate()
            .withNewSpec().withServiceAccount("my-sa")
            .addNewContainer()
            .withName("prowler")
            .withImage("demo-image")
            .withEnv(env)
            .endContainer()
            .withRestartPolicy("Never")
            .endSpec()
            .endTemplate()
            .endSpec()
            .build();

答案1

得分: 1

如果您详细查看错误消息,您会发现您的客户端未使用您创建的服务帐户(my-sa),而是在命名空间中使用了default服务帐户:

"system:serviceaccount:my-namespace:default" 无法创建资源"jobs"。

可以肯定地假设,默认服务帐户将没有足够的权限来创建作业。

值得一提的是,可以查阅fabric8io的官方文档,以了解如何使用自定义服务帐户进行身份验证。根据我在文档中找到的信息,这主要通过将与服务帐户对应的密钥挂载到 Pod 中来处理,然后配置您的应用程序代码,或者可能设置特定的环境变量。

英文:

If you see the error message in detail, you'll find that your client is not using the service account you created (my-sa). Its using the default service account in the namespace instead:

"system:serviceaccount:my-namespace:default" cannot create resource "jobs"

And it should be safe to assume, that the default service account will not be having the privileges to create jobs.

It should be worthwhile to look into the official documentation of fabric8io, to see how you can authenticate with a custom service-account. From what I could find in the docs, it should be mostly handled by mounting the secret, corresponding to the service-account into the pod, then configuring your application code or probably setting up an specific environment variable.

huangapple
  • 本文由 发表于 2020年10月20日 15:31:40
  • 转载请务必保留本文链接:https://go.coder-hub.com/64440491.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定