Argo Workflow 中的 RBAC

崔秀龙崔秀龙
2 min read

众所周知,Argo Workflow 的整个工作机制,都是深度依赖于 Kubernetes 的。要让 Argo Workflow 顺畅运行,完成任务,RBAC 是不可缺少的一环。接下来的内容大概算是个笔记,记录了最初接触 Argo Workflow 时,可能会面对的一些 RBAC 相关问题以及其解决方法。

第一关:Console

这里我们选择官方 Release 页面中的标准部署方式,部署最新的 v3.5.11 版本。

$ kubectl create namespace argo
namespace/argo created
$ kubectl ns argo
Context "orbstack" modified.
Active namespace is "argo".
$ kubectl apply -n argo -f https://github.com/argoproj/argo-workflows/releases/download/v3.5.11/install.yaml

customresourcedefinition.apiextensions.k8s.io/clusterworkflowtemplates.argoproj.io created
customresourcedefinition.apiextensions.k8s.io/cronworkflows.argoproj.io created
customresourcedefinition.apiextensions.k8s.io/workflowartifactgctasks.argoproj.io created
...

等所有 Pod 启动成功之后,就可以用端口转发方式访问 Console 了:

$ kubectl port-forward argo-server-67f8d8f6d4-s48jx 8888:2746
Forwarding from 127.0.0.1:8888 -> 2746
Forwarding from [::1]:8888 -> 2746

浏览器打开 http://localhost:8888 就可以看到 Argo Workflow 的 Console 了。首先欢迎我们的是登录页面。这上面一个明晃晃的输入框,要求输入 Token,官方文档明确给出了解决方法

$ kubectl create role jenkins --verb=list,update --resource=workflows.argoproj.io
...
$ kubectl create sa jenkins
...

然后接下来创建对应的 Rolebinding,为 SA 授权,最后创建 Secret,用于承载 SA 的 Token。

这里要吐槽,Argo 你这浓眉大眼的家伙,跟 Jenkins 是啥关系?

步骤还是有点烦,这里总结成一个 RBAC 文件:

piVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
    name: argo-operator
rules:
- apiGroups:
  - argoproj.io
  resources:
  - workflows
  verbs:
  - list
  - update
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argo-operator
  namespace: argo
---
apiVersion: v1
kind: Secret
type: kuhbernetes.io/service-account-token
metadata:
  name: argo-operator.service-account-token
  annotations:
    kubernetes.io/service-account.name: argo-operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: argo-operator-binding
  namespace: argo
subjects:
- kind: ServiceAccount
  name: argo-operator
  namespace: argo
roleRef:
  kind: ClusterRole
  name: argo-operator
  apiGroup: rbac.authorization.k8s.io

完成创建和授权之后,获取 Token:

$ ARGO_TOKEN="Bearer $(kubectl get secret argo-operator.service-account-token -o=jsonpath='{.data.token}' | base64 --decode)"
$ echo $ARGO_TOKEN
Bearer eyJhbGciOiJSUzI1NiIsI...

将上述 Token 输入到浏览器中登录,就进入了 Argo Workflow 的控制台了。然后你会发现更多的无权访问。逐个调整之后,上面的 ClusterRole 授权对象需要增加如下内容:

  • workflowtemplates

  • clusterworkflowtemplates

  • cronworkflows

  • eventsources

  • sensors

  • workfloweventbindings

  • workflowtaskresults

如果要在 Console 上进行提交,那么 verbs 也需要进行扩充,例如 *

第二关:Hello world

控制台的 Workflows 菜单中,有一个 Submit New Workflow 按钮,点击之后出现的页面里,在链接 Edit using full workflow options 中提供了一个工作流的示例,直接提交运行,大概会出现这样的错误信息:Error (exit code 1): pods "fantastic-rhino" is forbidden: User "system:serviceaccount:argo:default" cannot patch resource "pods" in API group "" in the namespace "argo",看来又缺权限了,再来一套 RBAC:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
    name: argo-executor
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - 'patch'
  - 'watch'
  - 'list'
  - 'get'
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argo-executor
  namespace: argo
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: argo-executor.service-account-token
  annotations:
    kubernetes.io/service-account.name: argo-executor
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: argo-executor-binding
  namespace: argo
subjects:
- kind: ServiceAccount
  name: argo-executor
  namespace: argo
roleRef:
  kind: ClusterRole
  name: argo-executor
  apiGroup: rbac.authorization.k8s.io

提交之后,

0
Subscribe to my newsletter

Read articles from 崔秀龙 directly inside your inbox. Subscribe to the newsletter, and don't miss out.

argoArgo Workflow

Written by

崔秀龙
崔秀龙