java - 从另一个kubernetes作业触发Kubernetes

Question

我正在从基本Pod运行kubernetes作业(job-1)。它适用于基本用例。对于第二个用例，我想从已经运行的作业中触发另一个kubernetes作业(job-2):job-1。运行job-2时，出现服务帐户错误，如下所示:

Error occurred while starting container for Prowler due to exception : Failure executing: POST at: https://172.20.0.1/apis/batch/v1/namespaces/my-namespace/jobs. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. jobs.batch is forbidden: User "system:serviceaccount:my-namespace:default" cannot create resource "jobs" in API group "batch" in the namespace "my-namespace".

我已创建具有所需权限的服务帐户，如下所示:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-sa-service-role-binding
subjects:
  - kind: ServiceAccount
    name: my-sa
    namespace: my-namespace
roleRef:
  kind: Role
  name: my-namespace
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-sa-service-role
rules:
  - apiGroups: [""]
    resources: ["secrets", "pods"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["batch", "extensions"]
    resources: ["jobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-sa

我将“my-sa”作为服务帐户名传递，但仍然引用默认服务帐户。
我正在使用fabric8io kubernetes客户端来触发作业，下面是我的代码:

          final Job job = new JobBuilder()
            .withApiVersion("batch/v1")
            .withNewMetadata()
            .withName("demo")
            .withLabels(Collections.singletonMap("label1", "maximum-length-of-63-characters"))
            .withAnnotations(Collections.singletonMap("annotation1", "some-annotation"))
            .endMetadata()
            .withNewSpec().withParallelism(1)
            .withNewTemplate()
            .withNewSpec().withServiceAccount("my-sa")
            .addNewContainer()
            .withName("prowler")
            .withImage("demo-image")
            .withEnv(env)
            .endContainer()
            .withRestartPolicy("Never")
            .endSpec()
            .endTemplate()
            .endSpec()
            .build();

Answer 1

如果您详细看到该错误消息，则会发现您的客户端未使用您创建的服务帐户(my-sa)。它使用 namespace 中的默认服务帐户代替:

"system:serviceaccount:my-namespace:default" cannot create resource "jobs"

可以安全地假设默认服务帐户将没有创建作业的特权。
值得一看的是fabric8io的官方文档，以了解如何使用自定义服务帐户进行身份验证。从我在文档中可以找到的地方，应该通过将对应于服务帐户的 secret 装入Pod中，然后配置您的应用程序代码或可能设置特定的环境变量来进行处理。