OpenShift role for creating a quota
I am trying to create a quota in a namespace that I create myself.
Here is my code:
import (
	userv1 "github.com/openshift/api/user/v1"
	corev1 "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/api/resource"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// newQuotaForUser builds the ResourceQuota for the personal sandbox namespace
// of the given OpenShift User; the namespace name is derived from the user name.
func newQuotaForUser(cr *userv1.User) *corev1.ResourceQuota {
	labels := map[string]string{
		"env":  "sandbox",
		"size": "personalsandbox",
	}
	// Hard limits that the quota controller enforces in the sandbox namespace.
	hard := corev1.ResourceList{
		"cpu":              resource.MustParse("2"),
		"memory":           resource.MustParse("12Gi"),
		"requests.storage": resource.MustParse("10Gi"),
	}
	return &corev1.ResourceQuota{
		ObjectMeta: metav1.ObjectMeta{
			Name:      "personalsandbox",
			Namespace: cr.Name + "-sbx",
			Labels:    labels,
		},
		Spec: corev1.ResourceQuotaSpec{
			Hard: hard,
		},
	}
}
When I run this locally and log in to minishift with the admin account, I can see that the quota gets created. However, I am trying to create a service account with the correct Role and RoleBinding for creating the quota.
Here is my role.yaml, which I thought would give the service account permission to create the quota:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: onboarding-manager
rules:
  # "quota" is not a resource in the core or user.openshift.io groups; the
  # quota object is "resourcequotas" in the core ("") group.
  - apiGroups:
      - ""
      - user.openshift.io
    resources:
      - groups
      - identities
      - useridentitymappings
      - users
      - users/finalizers
      - quota
      - resourcequotas
    verbs:
      - get
      - list
      - watch
      - update
      - create
  - apiGroups:
      - ""
    resources:
      - namespaces
      - quota
      - resourcequotas
    verbs:
      - get
      - list
      - create
      - update
      - watch
      - delete
  - apiGroups:
      # apiGroups takes bare group names; a group/version string such as
      # "authorization.openshift.io/v1" never matches any request.
      - authorization.openshift.io
      - rbac.authorization.k8s.io
    resources:
      - rolebindings
      - quota
      - resourcequotas
    verbs:
      - create
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: onboarding-manager
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - services
      - endpoints
      - persistentvolumeclaims
      - events
      - configmaps
      - secrets
      - quota
      - resourcequotas
    verbs:
      - "*"
  - apiGroups:
      - apps
    resources:
      - deployments
      - daemonsets
      - replicasets
      - statefulsets
      # quota/resourcequotas do not exist in the apps group; these entries are inert
      - quota
      - resourcequotas
    verbs:
      - "*"
  - apiGroups:
      - monitoring.coreos.com
    resources:
      - servicemonitors
    verbs:
      - "get"
      - "create"
  - apiGroups:
      - apps
    resources:
      - deployments/finalizers
    resourceNames:
      - onboarding-manager
    verbs:
      - "update"
Here is what I see in the logs:
Verbs:["watch"]}
PolicyRule{APIGroups:["build.openshift.io"], Resources:["buildlogs"], Verbs:["create"]}
PolicyRule{APIGroups:["build.openshift.io"], Resources:["buildlogs"], Verbs:["delete"]}
PolicyRule{APIGroups:["build.openshift.io"], Resources:["buildlogs"], Verbs:["deletecollection"]}
PolicyRule{APIGroups:["build.openshift.io"], Resources:["buildlogs"], Verbs:["get"]}
PolicyRule{APIGroups:["build.openshift.io"], Resources:["buildlogs"], Verbs:["list"]}
PolicyRule{APIGroups:["build.openshift.io"], Resources:["buildlogs"], Verbs:["patch"]}
PolicyRule{APIGroups:["build.openshift.io"], Resources:["buildlogs"], Verbs:["update"]}
PolicyRule{APIGroups:["build.openshift.io"], Resources:["buildlogs"], Verbs:["watch"]}
PolicyRule{APIGroups:[""], Resources:["resourcequotausages"], Verbs:["get"]}
PolicyRule{APIGroups:[""], Resources:["resourcequotausages"], Verbs:["list"]}
PolicyRule{APIGroups:[""], Resources:["resourcequotausages"], Verbs:["watch"]}
PolicyRule{APIGroups:[""], Resources:["resourceaccessreviews"], Verbs:["create"]}
PolicyRule{APIGroups:[""], Resources:["subjectaccessreviews"], Verbs:["create"]}
PolicyRule{APIGroups:["authorization.openshift.io"], Resources:["resourceaccessreviews"], Verbs:["create"]}
PolicyRule{APIGroups:["authorization.openshift.io"], Resources:["subjectaccessreviews"], Verbs:["create"]}]
user=&{system:serviceaccount:onboarding-manager:onboarding-manager a602b37b-f371-11e9-99cd-fe91ac5e87c0 [system:serviceaccounts system:serviceaccounts:onboarding-manager system:authenticated] map[]}
ownerrules=[PolicyRule{APIGroups:["" "user.openshift.io"], Resources:["users"], ResourceNames:["~"], Verbs:["get"]}
PolicyRule{APIGroups:["" "project.openshift.io"], Resources:["projectrequests"], Verbs:["list"]}
PolicyRule{APIGroups:["" "authorization.openshift.io"], Resources:["clusterroles"], Verbs:["get" "list"]}
PolicyRule{APIGroups:["rbac.authorization.k8s.io"]
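As an added example (not the asker's code, and not part of any OpenShift or Kubernetes library), the stand-alone Go program below models how the RBAC authorizer matches a PolicyRule against a request, and runs it over the rules of the onboarding-manager ClusterRole from the question. Two things it shows that the YAML alone does not: `apiGroups` entries are compared as bare group names, so the third rule is written here with a group/version string (`authorization.openshift.io/v1`) to demonstrate that such an entry never matches a request in `authorization.openshift.io`; and the escalation check the apiserver applies when a subject creates a Role or RoleBinding, which is what the `user=... ownerrules=...` fields in the log fragment above belong to: every (group, resource, verb) the new object would grant must already be held by the creator, unless the creator has the `escalate` verb (for Roles) or `bind` verb (for RoleBindings). `PolicyRule`, `Request`, `Allowed`, `Missing` and the `basic` holder are constructed for this example; `resourceNames` is deliberately left out of the model.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule holds the rbac.authorization.k8s.io/v1 fields consulted for resource requests (resourceNames omitted).
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// Request is one request as the authorizer sees it; APIGroup is the bare group ("" for core), never group/version.
type Request struct {
	APIGroup, Resource, Verb string
}

// has matches apiGroups and verbs: "*" or an exact string.
func has(list []string, s string) bool {
	for _, x := range list {
		if x == "*" || x == s {
			return true
		}
	}
	return false
}

// hasResource matches resources the way the apiserver does: "*", an exact name, or "*/sub" for the
// "sub" subresource of any resource. A plain name never covers its subresources ("users" != "users/finalizers").
func hasResource(list []string, res string) bool {
	i := strings.Index(res, "/")
	for _, rule := range list {
		if rule == "*" || rule == res {
			return true
		}
		if i >= 0 && strings.HasPrefix(rule, "*/") && rule[2:] == res[i+1:] {
			return true
		}
	}
	return false
}

// RuleAllows reports whether one rule grants the request; all three lists must match.
func RuleAllows(r PolicyRule, req Request) bool {
	return has(r.APIGroups, req.APIGroup) && hasResource(r.Resources, req.Resource) && has(r.Verbs, req.Verb)
}

// Allowed reports whether any rule grants the request; RBAC rules are purely additive.
func Allowed(rules []PolicyRule, req Request) bool {
	for _, r := range rules {
		if RuleAllows(r, req) {
			return true
		}
	}
	return false
}

// Missing returns the (group, resource, verb) triples in wanted that holder does not already grant.
// The apiserver's escalation check requires this to be empty before a subject without the
// "escalate" (Role) or "bind" (RoleBinding) verb may create an object that grants wanted.
func Missing(holder, wanted []PolicyRule) []Request {
	var missing []Request
	for _, w := range wanted {
		for _, g := range w.APIGroups {
			for _, res := range w.Resources {
				for _, v := range w.Verbs {
					req := Request{g, res, v}
					if !Allowed(holder, req) {
						missing = append(missing, req)
					}
				}
			}
		}
	}
	return missing
}

// PageClusterRole transcribes the onboarding-manager ClusterRole rules from the question; the third
// rule's first apiGroups entry is written as group/version on purpose to show that pitfall.
func PageClusterRole() []PolicyRule {
	return []PolicyRule{
		{APIGroups: []string{"", "user.openshift.io"}, Verbs: []string{"get", "list", "watch", "update", "create"},
			Resources: []string{"groups", "identities", "useridentitymappings", "users", "users/finalizers", "quota", "resourcequotas"}},
		{APIGroups: []string{""}, Verbs: []string{"get", "list", "create", "update", "watch", "delete"},
			Resources: []string{"namespaces", "quota", "resourcequotas"}},
		{APIGroups: []string{"authorization.openshift.io/v1", "rbac.authorization.k8s.io"}, Verbs: []string{"create"},
			Resources: []string{"rolebindings", "quota", "resourcequotas"}},
	}
}

func main() {
	role := PageClusterRole()
	for _, req := range []Request{
		{"", "resourcequotas", "create"},
		{"rbac.authorization.k8s.io", "rolebindings", "create"},
		{"authorization.openshift.io", "rolebindings", "create"}, // "/v1" in the rule never matches the bare group
	} {
		fmt.Printf("%-28s %-16s %-6s allowed=%v\n", req.APIGroup, req.Resource, req.Verb, Allowed(role, req))
	}
	// Constructed subject that holds only "get users" in the core and user.openshift.io groups.
	basic := []PolicyRule{{APIGroups: []string{"", "user.openshift.io"}, Resources: []string{"users"}, Verbs: []string{"get"}}}
	fmt.Println("triples it is missing to grant onboarding-manager:", len(Missing(basic, role)))
}
```

The practical check on a live cluster is `oc auth can-i create resourcequotas -n <namespace> --as=system:serviceaccount:onboarding-manager:onboarding-manager`, which asks the real authorizer the same question `Allowed` answers here; and when the operator itself creates RoleBindings for new namespaces, the service account must either already hold every rule of the referenced role or be granted the `bind` verb on that role, otherwise the apiserver logs the missing rules next to `ownerrules=` exactly as in the fragment above.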