Submit workflows to a specific namespace

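By default, when you submit a workflow in a cluster, the workflow runs in the argo namespace. To submit workflows to a specific namespace and isolate resources and permissions between different tasks, you must grant the required permissions to the default ServiceAccount or to the ServiceAccount that the workflow uses.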

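You can edit an authorization file to grant permissions to a ServiceAccount in a specific namespace. After the authorization is complete, you can submit workflows to that namespace.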

  1. Create a sample namespace named test.

    kubectl create ns test
  2. Create and edit the authorization file role-rolebinding.yaml.

    Note

    This example grants permissions to the default ServiceAccount. If your workflow specifies a different ServiceAccount, grant the permissions to that ServiceAccount instead.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      annotations:
        workflows.argoproj.io/description: |
          This is the minimum recommended permissions needed if you want to use the agent, e.g. for HTTP or plugin templates.
    
          If <= v3.2 you must replace `workflowtasksets/status` with `patch workflowtasksets`.
      name: agent
    rules:
      - apiGroups:
          - argoproj.io
        resources:
          - workflowtasksets
        verbs:
          - list
          - watch
      - apiGroups:
          - argoproj.io
        resources:
          - workflowtasksets/status
        verbs:
          - patch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      annotations:
        workflows.argoproj.io/description: |
          This is the minimum recommended permissions needed if you want to use artifact GC.
      name: artifactgc
    rules:
      - apiGroups:
          - argoproj.io
        resources:
          - workflowartifactgctasks
        verbs:
          - list
          - watch
      - apiGroups:
          - argoproj.io
        resources:
          - workflowartifactgctasks/status
        verbs:
          - patch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      annotations:
        workflows.argoproj.io/description: |
          Recommended minimum permissions for the `emissary` executor.
      name: executor
    rules:
      - apiGroups:
          - argoproj.io
        resources:
          - workflowtaskresults
        verbs:
          - create
          - patch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: submit-workflow-template
    rules:
      - apiGroups:
          - argoproj.io
        resources:
          - workfloweventbindings
        verbs:
          - list
      - apiGroups:
          - argoproj.io
        resources:
          - workflowtemplates
        verbs:
          - get
      - apiGroups:
          - argoproj.io
        resources:
          - workflows
        verbs:
          - create
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      annotations:
        workflows.argoproj.io/description: |
          This is an example of the permissions you would need if you wanted to use a resource template to create and manage
          other workflows. The same pattern would be suitable for other resurces, e.g. a service
      name: workflow-manager
    rules:
      - apiGroups:
          - argoproj.io
        resources:
          - workflows
        verbs:
          - create
          - get
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: agent-default
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: agent
    subjects:
      - kind: ServiceAccount
        name: default
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: artifactgc-default
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: artifactgc
    subjects:
      - kind: ServiceAccount
        name: default
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: executor-default
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: executor
    subjects:
      - kind: ServiceAccount
        name: default
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: workflow-manager-default
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: workflow-manager
    subjects:
      - kind: ServiceAccount
        name: default
  3. Deploy the YAML to complete the authorization.

    kubectl apply -f role-rolebinding.yaml -n test

    Expected output:

    role.rbac.authorization.k8s.io/agent created
    role.rbac.authorization.k8s.io/artifactgc created
    role.rbac.authorization.k8s.io/executor created
    role.rbac.authorization.k8s.io/submit-workflow-template created
    role.rbac.authorization.k8s.io/workflow-manager created
    rolebinding.rbac.authorization.k8s.io/agent-default created
    rolebinding.rbac.authorization.k8s.io/artifactgc-default created
    rolebinding.rbac.authorization.k8s.io/executor-default created
    rolebinding.rbac.authorization.k8s.io/workflow-manager-default created
  4. Create a sample application with the following content. In this example, the file is named helloworld-workflow.yaml.

    apiVersion: argoproj.io/v1alpha1
    kind: Workflow                  # new type of k8s spec.
    metadata:
      generateName: hello-world-    # name of the workflow spec.
    spec:
      entrypoint: main          # invoke the main template.
      templates:
        - name: main              # name of the template.
          container:
            image: mirrors-ssl.aliyuncs.com/busybox:latest
            command: [ echo ]
            args: [ "hello world" ]
  5. Run the following command to submit the workflow to the test namespace.

    argo submit helloworld-workflow.yaml -n test
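
To confirm that step 3 granted exactly what role-rolebinding.yaml describes and nothing broader, the ServiceAccount can be impersonated with `kubectl auth can-i`. The following is an added example, not part of the original page; the function name `check_sa_rbac` is hypothetical, and it assumes your own account is allowed to impersonate ServiceAccounts and that the ServiceAccount has no bindings other than the ones created above.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Namespace "test" and the
# "default" ServiceAccount follow the page; the function name is hypothetical.
# Usage: check_sa_rbac test default

# Compare what the ServiceAccount may do against an expectation table.
# Prints one line per check and returns the number of mismatches.
check_sa_rbac() {
  local ns="$1"
  local sa="$2"
  local as="system:serviceaccount:${ns}:${sa}"
  local failures=0 want verb res sub got
  # Columns: expected, verb, resource, subresource ("-" = none).
  # "yes" rows mirror the Roles bound in role-rolebinding.yaml. "no" rows
  # assume the ServiceAccount has no other bindings: workflow-manager grants
  # only create/get on workflows, and submit-workflow-template has no
  # RoleBinding in that file, so its rules do not reach the ServiceAccount.
  while read -r want verb res sub; do
    [ -n "$want" ] || continue
    set -- auth can-i "$verb" "$res" --as="$as" -n "$ns"
    [ "$sub" = "-" ] || set -- "$@" --subresource="$sub"
    if kubectl "$@" </dev/null >/dev/null 2>&1; then got=yes; else got=no; fi
    if [ "$got" = "$want" ]; then
      echo "ok       $verb $res ($sub): $got"
    else
      echo "MISMATCH $verb $res ($sub): got $got, want $want"
      failures=$((failures + 1))
    fi
  done <<'EOF'
yes list   workflowtasksets.argoproj.io        -
yes watch  workflowtasksets.argoproj.io        -
yes patch  workflowtasksets.argoproj.io        status
yes list   workflowartifactgctasks.argoproj.io -
yes patch  workflowartifactgctasks.argoproj.io status
yes create workflowtaskresults.argoproj.io     -
yes patch  workflowtaskresults.argoproj.io     -
yes create workflows.argoproj.io               -
yes get    workflows.argoproj.io               -
no  delete workflows.argoproj.io               -
no  list   workfloweventbindings.argoproj.io   -
no  get    secrets                             -
EOF
  return "$failures"
}
```

A MISMATCH on a "no" row means the ServiceAccount holds more than this file grants, usually through a binding created elsewhere.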