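Helm: patch the default service account

Time: 2019-04-03 20:39:26

Tags: kubernetes kubernetes-helm

I have a Helm chart that can be used to add a list of users to my cluster, but I would like to modify my default service account to include an image pull secret. Helm doesn't seem to have any patch functionality.

Is a post-install hook the best I can do?

3 answers:

Answer 0: (score: 1)

I had the same problem. What I did was: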

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default
  namespace: YOUR_NAMESPACE
rules:
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - patch  # kubectl patch issues a PATCH request, so "get" alone is not enough
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default
  namespace: YOUR_NAMESPACE
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: default
subjects:
- kind: ServiceAccount
  name: default
  namespace: YOUR_NAMESPACE

Then:

apiVersion: batch/v1
kind: Job
metadata:
  name: create-image-pull-secret
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-delete-policy": hook-succeeded
spec:
  template:
    spec:
      restartPolicy: Never
      containers:
      - name: k8s
        image: google/cloud-sdk
        imagePullPolicy: IfNotPresent
        command: ["/bin/sh","-c", "kubectl patch serviceaccount default -p '{\"imagePullSecrets\": [{\"name\": \"YOUR_SECRET_NAME\"}]}'"]

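Note that I used a pre-install hook. I did this because I needed the imagePullSecret to be in place for my child dependencies. Also, the patch command allows using a secret name that doesn't exist yet.

Answer 1: (score: 0)

If I understand you correctly, the way to change the default service account behind Helm (actually its server side: Tiller) is pure Kubernetes: just patch the Helm-related Deployment resource object with the following command: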

kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"<YOUR_SVC_ACCOUNT>"}}}}'  

Answer 2: (score: 0)

Following what @tproenca said, I ran into a similar problem and solved it by creating a template file named patch.yml with the following content:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-weight": "-5"
    "helm.sh/hook-delete-policy": hook-succeeded
  name: default
  namespace: {{ .Release.Name }}
rules:
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-weight": "-5"
    "helm.sh/hook-delete-policy": hook-succeeded
  name: default
  namespace: {{ .Release.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: default
subjects:
- kind: ServiceAccount
  name: default
  namespace: {{ .Release.Name }}
---
apiVersion: batch/v1
kind: Job
metadata:
  name: patch-sa
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-delete-policy": hook-succeeded
spec:
  template:
    spec:
      restartPolicy: Never
      containers:
      - name: sa
        image: google/cloud-sdk
        imagePullPolicy: IfNotPresent
        command: ["/bin/sh", "-c", "kubectl patch serviceaccount default -p '{\"imagePullSecrets\": [{\"name\": \"secret-key\"}]}'"]

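This way, on first install, you don't need to manually add the Role/RoleBinding resources to the namespace, because Helm will automatically remove them for you.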
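
The manifests in the answers above bind the get/patch permission to the namespace's default service account, which is also the identity of every pod that does not set its own serviceAccountName. The following is an added example, not taken from any of the answers: the same pre-install hook run under a dedicated service account whose Role is limited to the one object being patched. The names sa-patcher and YOUR_SECRET_NAME are placeholders, and the chart is assumed to be installed into the namespace whose default service account should be patched.

```yaml
# Added example: hook-only identity; "sa-patcher" is a placeholder name.
# All three RBAC objects use weight -5 so they exist before the Job (weight 0) runs.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa-patcher
  annotations: {"helm.sh/hook": pre-install, "helm.sh/hook-weight": "-5", "helm.sh/hook-delete-policy": hook-succeeded}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sa-patcher
  annotations: {"helm.sh/hook": pre-install, "helm.sh/hook-weight": "-5", "helm.sh/hook-delete-policy": hook-succeeded}
rules:
- apiGroups: [""]
  resources: ["serviceaccounts"]
  resourceNames: ["default"]   # only the default service account, no other service account
  verbs: ["get", "patch"]      # kubectl patch reads the object, then patches it
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sa-patcher
  annotations: {"helm.sh/hook": pre-install, "helm.sh/hook-weight": "-5", "helm.sh/hook-delete-policy": hook-succeeded}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: sa-patcher}
subjects:
- kind: ServiceAccount
  name: sa-patcher             # bound to the hook identity, not to "default"
  namespace: {{ .Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
  name: patch-sa
  annotations: {"helm.sh/hook": pre-install, "helm.sh/hook-delete-policy": hook-succeeded}
spec:
  template:
    spec:
      serviceAccountName: sa-patcher   # the Job runs as the dedicated account
      restartPolicy: Never
      containers:
      - name: sa
        image: google/cloud-sdk
        imagePullPolicy: IfNotPresent
        # YOUR_SECRET_NAME is a placeholder for the image pull secret
        command: ["/bin/sh", "-c", "kubectl patch serviceaccount default -p '{\"imagePullSecrets\": [{\"name\": \"YOUR_SECRET_NAME\"}]}'"]
```

After the install, `kubectl auth can-i patch serviceaccounts --as=system:serviceaccount:YOUR_NAMESPACE:default -n YOUR_NAMESPACE` should answer `no`, since the default account was never granted the permission.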