argo

github

https://github.com/argoproj/argo

安装启动
# Create a dedicated namespace for the Argo controller and server.
kubectl create namespace argo

# Apply the upstream install manifest into that namespace.
# NOTE(review): the URL follows the moving `stable` ref, so the content applied
# can change between runs. The manifest creates ClusterRoles and
# ClusterRoleBindings, so download it, review it, and apply a copy pinned to a
# release tag instead of piping a mutable URL straight into the cluster.
kubectl apply -n argo -f https://raw.githubusercontent.com/argoproj/argo/stable/manifests/install.yaml

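# This is an auto-generated file. DO NOT EDIT
#
# Reviewer notes (line breaks restored; values are unchanged):
# - The CRDs below use apiextensions.k8s.io/v1beta1, which was removed in
#   Kubernetes 1.22, so this manifest only applies on older clusters.
# - The `argo` and `argo-server` service accounts are bound to ClusterRoles,
#   so their permissions apply in every namespace, not just `argo`.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: clusterworkflowtemplates.argoproj.io
spec:
  group: argoproj.io
  names:
    kind: ClusterWorkflowTemplate
    listKind: ClusterWorkflowTemplateList
    plural: clusterworkflowtemplates
    shortNames:
    - clusterwftmpl
    - cwft
    singular: clusterworkflowtemplate
  scope: Cluster
  version: v1alpha1
  versions:
  - name: v1alpha1
    served: true
    storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: cronworkflows.argoproj.io
spec:
  group: argoproj.io
  names:
    kind: CronWorkflow
    listKind: CronWorkflowList
    plural: cronworkflows
    shortNames:
    - cwf
    - cronwf
    singular: cronworkflow
  scope: Namespaced
  version: v1alpha1
  versions:
  - name: v1alpha1
    served: true
    storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: workfloweventbindings.argoproj.io
spec:
  group: argoproj.io
  names:
    kind: WorkflowEventBinding
    listKind: WorkflowEventBindingList
    plural: workfloweventbindings
    shortNames:
    - wfeb
    singular: workfloweventbinding
  scope: Namespaced
  version: v1alpha1
  versions:
  - name: v1alpha1
    served: true
    storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: workflows.argoproj.io
spec:
  additionalPrinterColumns:
  - JSONPath: .status.phase
    description: Status of the workflow
    name: Status
    type: string
  - JSONPath: .status.startedAt
    description: When the workflow was started
    format: date-time
    name: Age
    type: date
  group: argoproj.io
  names:
    kind: Workflow
    listKind: WorkflowList
    plural: workflows
    shortNames:
    - wf
    singular: workflow
  scope: Namespaced
  subresources: {}
  version: v1alpha1
  versions:
  - name: v1alpha1
    served: true
    storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: workflowtemplates.argoproj.io
spec:
  group: argoproj.io
  names:
    kind: WorkflowTemplate
    listKind: WorkflowTemplateList
    plural: workflowtemplates
    shortNames:
    - wftmpl
    singular: workflowtemplate
  scope: Namespaced
  version: v1alpha1
  versions:
  - name: v1alpha1
    served: true
    storage: true
---
# Identity used by the workflow-controller Deployment.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argo
---
# Identity used by the argo-server (UI/API) Deployment.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argo-server
---
# Namespaced read access to Secrets for the controller. No resourceNames are
# listed, so every Secret in the install namespace is readable by `argo`.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argo-role
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
---
# The aggregate-to-* labels fold these rules into the built-in admin / edit /
# view ClusterRoles. Anyone already bound to admin or edit therefore gains
# create/update on Workflows, and a Workflow runs containers in the namespace;
# review who holds those roles before installing.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
  name: argo-aggregate-to-admin
rules:
- apiGroups:
  - argoproj.io
  resources:
  - workflows
  - workflows/finalizers
  - workfloweventbindings
  - workfloweventbindings/finalizers
  - workflowtemplates
  - workflowtemplates/finalizers
  - cronworkflows
  - cronworkflows/finalizers
  - clusterworkflowtemplates
  - clusterworkflowtemplates/finalizers
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: argo-aggregate-to-edit
rules:
- apiGroups:
  - argoproj.io
  resources:
  - workflows
  - workflows/finalizers
  - workfloweventbindings
  - workfloweventbindings/finalizers
  - workflowtemplates
  - workflowtemplates/finalizers
  - cronworkflows
  - cronworkflows/finalizers
  - clusterworkflowtemplates
  - clusterworkflowtemplates/finalizers
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: argo-aggregate-to-view
rules:
- apiGroups:
  - argoproj.io
  resources:
  - workflows
  - workflows/finalizers
  - workfloweventbindings
  - workfloweventbindings/finalizers
  - workflowtemplates
  - workflowtemplates/finalizers
  - cronworkflows
  - cronworkflows/finalizers
  - clusterworkflowtemplates
  - clusterworkflowtemplates/finalizers
  verbs:
  - get
  - list
  - watch
---
# Controller permissions. Bound cluster-wide further down, so the first rule
# lets the `argo` service account create pods and pods/exec sessions in any
# namespace. Treat that account's token as cluster-sensitive; where workflows
# only run in one namespace, a Role/RoleBinding scope is the tighter choice.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: argo-cluster-role
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/exec
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - create
  - delete
  - get
- apiGroups:
  - argoproj.io
  resources:
  - workflows
  - workflows/finalizers
  verbs:
  - get
  - list
  - watch
  - update
  - patch
  - delete
  - create
- apiGroups:
  - argoproj.io
  resources:
  - workflowtemplates
  - workflowtemplates/finalizers
  - clusterworkflowtemplates
  - clusterworkflowtemplates/finalizers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - list
- apiGroups:
  - argoproj.io
  resources:
  - cronworkflows
  - cronworkflows/finalizers
  verbs:
  - get
  - list
  - watch
  - update
  - patch
  - delete
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - get
  - delete
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
---
# API/UI server permissions, also bound cluster-wide: get/create on Secrets,
# read and delete on pods (including pods/exec and pods/log), and full CRUD on
# the Argo resources, in every namespace. Whatever can drive the server with
# this identity inherits all of it (see the auth note on the Deployment).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: argo-server-cluster-role
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
- apiGroups:
  - ""
  resources:
  - pods
  - pods/exec
  - pods/log
  verbs:
  - get
  - list
  - watch
  - delete
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - watch
  - create
  - patch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - list
- apiGroups:
  - argoproj.io
  resources:
  - workflows
  - workfloweventbindings
  - workflowtemplates
  - cronworkflows
  - clusterworkflowtemplates
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argo-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argo-role
subjects:
- kind: ServiceAccount
  name: argo
---
# Cluster-wide grant of argo-cluster-role to argo/argo.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: argo-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argo-cluster-role
subjects:
- kind: ServiceAccount
  name: argo
  namespace: argo
---
# Cluster-wide grant of argo-server-cluster-role to argo/argo-server.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: argo-server-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argo-server-cluster-role
subjects:
- kind: ServiceAccount
  name: argo-server
  namespace: argo
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: workflow-controller-configmap
---
# No `type` is set, so this Service is not exposed outside the cluster by this
# manifest. Keep it that way (or front it with an authenticated, TLS-terminating
# proxy) given the permissions of the account behind it.
apiVersion: v1
kind: Service
metadata:
  name: argo-server
spec:
  ports:
  - name: web
    port: 2746
    targetPort: 2746
  selector:
    app: argo-server
---
apiVersion: v1
kind: Service
metadata:
  name: workflow-controller-metrics
spec:
  ports:
  - name: metrics
    port: 9090
    protocol: TCP
    targetPort: 9090
  selector:
    app: workflow-controller
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: argo-server
spec:
  selector:
    matchLabels:
      app: argo-server
  template:
    metadata:
      labels:
        app: argo-server
    spec:
      containers:
      # NOTE(review): only `server` is passed, with no --auth-mode. In the 2.x
      # line the default is believed to be `server` mode, where requests are
      # executed as the argo-server service account; confirm for this version
      # and set --auth-mode explicitly before letting anyone reach port 2746.
      - args:
        - server
        # Pinned by tag only; pin by digest if the registry is not fully
        # trusted.
        image: argoproj/argocli:v2.12.2
        name: argo-server
        ports:
        - containerPort: 2746
          name: web
        readinessProbe:
          httpGet:
            path: /
            port: 2746
            # The probe speaks plain HTTP, so the listener is not using TLS.
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 20
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      nodeSelector:
        kubernetes.io/os: linux
      # Only runAsNonRoot is set; there is no container-level securityContext
      # (allowPrivilegeEscalation, readOnlyRootFilesystem, dropped
      # capabilities) and no resource limits in this manifest.
      securityContext:
        runAsNonRoot: true
      serviceAccountName: argo-server
      volumes:
      - emptyDir: {}
        name: tmp
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: workflow-controller
spec:
  selector:
    matchLabels:
      app: workflow-controller
  template:
    metadata:
      labels:
        app: workflow-controller
    spec:
      containers:
      - args:
        - --configmap
        - workflow-controller-configmap
        - --executor-image
        # Executor image used alongside workflow steps; tag-pinned, like the
        # controller image below.
        - argoproj/argoexec:v2.12.2
        command:
        - workflow-controller
        image: argoproj/workflow-controller:v2.12.2
        name: workflow-controller
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
      serviceAccountName: argo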

创建拥有create pod之类的权限的workflow账户给argo使用
kubectl apply -f

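# Service account that workflow pods run as. No metadata.namespace is set on
# any object here, so all three land in whatever namespace `kubectl apply`
# targets; apply them in the namespace where the workflows run.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: workflow
---
# Namespaced Role for that account. The rules grant get/watch/patch on pods
# and get/watch on pods/log only (no create or delete), which keeps a
# compromised workflow step from launching or removing other pods. Add verbs
# only when a specific workflow needs them.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: workflow-role
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - watch
  - patch
- apiGroups:
  - ""
  resources:
  - pods/log
  verbs:
  - get
  - watch
---
# Binds workflow-role to the workflow service account in the same namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: workflow-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: workflow-role
subjects:
- kind: ServiceAccount
  name: workflow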

在argo的工作流yaml文件里增加spec.serviceAccountName

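# Workflow skeleton; <wf-name>, <entrypoint-name> and the templates body are
# placeholders to fill in.
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  name: <wf-name>
spec:
  # Run this workflow's pods as the restricted `workflow` service account
  # instead of relying on whichever account would be used when this field is
  # omitted.
  serviceAccountName: workflow
  entrypoint: <entrypoint-name>
  templates:
    ...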