Argo报错:
failed to save outputs: Failed to establish pod watch: unknown (get pods)
报错原因:
其实是因为Argo在默认安装好之后,workflow-controller默认使用的是"default" 账户去调用K8S api-server 查询pod信息的,但是"default" 账户的权限可能不够。
解决:
创建拥有create pod之类的权限的workflow账户给argo使用:
apiVersion: v1
kind: ServiceAccount
metadata:
name: workflow
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: workflow-role
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- watch
- patch
- apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: workflow-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: workflow-role
subjects:
- kind: ServiceAccount
name: workflow
你在apply上面的文件后,还需要在你的argo的任务yaml文件里增加spec.serviceAccountName:
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
name: <wf-name>
spec:
serviceAccountName: workflow
entrypoint: <entrypoint-name>
templates:
...
参考:https://github.com/argoproj/argo/blob/master/docs/service-accounts.md
https://github.com/argoproj/argo/issues/2522
另外附上其他问题的解决办法:
暴露服务:
kubectl port-forward -n chaos-testing svc/chaos-dashboard 2333:2333
替换故障pod方法:
kubectl get pod chaos-daemon-kbnll -n chaos-testing -o yaml | kubectl replace --force -f -
启动linux chrome浏览器:
google-chrome-stable --no-sandbox
确认账号权限
kubectl auth can-i get podchaos --as=system:serviceaccount:default:workflow
网友评论