第 5 章集群扩展

5.1.1. 支持的扩展
复制链接

目前，Operator Lifecycle Manager (OLM) v1 支持安装满足以下所有条件的集群扩展：

扩展必须使用 OLM (Classic) 中引入的 registry+v1 捆绑包格式。
扩展必须通过 AllNamespaces 安装模式支持安装。
- OpenShift Container Platform 4.19 中包含了对 SingleNamespace 和 OwnNamespace 安装模式的支持，作为技术预览功能。
扩展不能使用 Webhook。
扩展不能使用以下基于文件的目录属性声明依赖项：
- olm.gvk.required
- olm.package.required
- olm.constraint

OLM v1 检查您要安装的扩展是否满足这些限制。如果要安装的扩展不符合这些限制，会在集群扩展条件中输出错误消息。

重要

Operator Lifecycle Manager (OLM) v1 不支持 OLM 中引入的 OperatorConditions API (Classic)。

如果扩展依赖于 OperatorConditions API 管理更新，扩展可能无法正确安装。大多数依赖此 API 的扩展都会在启动时失败，但在协调过程中可能会失败。

作为临时解决方案，您可以将扩展固定到特定的版本。当您想更新扩展时，请查阅扩展文档来查找何时安全将扩展固定到新版本。

表 5.1. 常见软件包查询
查询	Request（请求）
目录中的可用软件包	`$ opm render <catalog_registry_url>:<tag> \ \| jq -s '.[] \| select( .schema == "olm.package")'` Copy to Clipboard Toggle word wrap
支持 `AllNamespaces` 安装模式且不使用 Webhook 的软件包	`$ opm render <catalog_registry_url>:<tag> \ \| jq -cs '[.[] \| select(.schema == "olm.bundle" and (.properties[] \ \| select(.type == "olm.csv.metadata").value.installModes[] \ \| select(.type == "AllNamespaces" and .supported == true)) \ and .spec.webhookdefinitions == null) \ \| .package] \| unique[]'` Copy to Clipboard Toggle word wrap
软件包元数据	`$ opm render <catalog_registry_url>:<tag> \ \| jq -s '.[] \| select( .schema == "olm.package") \ \| select( .name == "<package_name>")'` Copy to Clipboard Toggle word wrap
软件包中的目录 Blob	`$ opm render <catalog_registry_url>:<tag> \ \| jq -s '.[] \| select( .package == "<package_name>")'` Copy to Clipboard Toggle word wrap

表 5.2. 常见频道查询
查询	Request（请求）
软件包中的频道	`$ opm render <catalog_registry_url>:<tag> \ \| jq -s '.[] \| select( .schema == "olm.channel" ) \ \| select( .package == "<package_name>") \| .name'` Copy to Clipboard Toggle word wrap
频道中的版本	`$ opm render <catalog_registry_url>:<tag> \ \| jq -s '.[] \| select( .package == "<package_name>" ) \ \| select( .schema == "olm.channel" ) \ \| select( .name == "<channel_name>" ) .entries \ \| .[] \| .name'` Copy to Clipboard Toggle word wrap
频道中的最新版本升级路径	`$ opm render <catalog_registry_url>:<tag> \ \| jq -s '.[] \| select( .schema == "olm.channel" ) \ \| select ( .name == "<channel_name>") \ \| select( .package == "<package_name>")'` Copy to Clipboard Toggle word wrap

表 5.3. 常见捆绑包查询
查询	Request（请求）
软件包中的捆绑包	`$ opm render <catalog_registry_url>:<tag> \ \| jq -s '.[] \| select( .schema == "olm.bundle" ) \ \| select( .package == "<package_name>") \| .name'` Copy to Clipboard Toggle word wrap
捆绑包依赖项可用的 API	`$ opm render <catalog_registry_url>:<tag> \ \| jq -s '.[] \| select( .schema == "olm.bundle" ) \ \| select ( .name == "<bundle_name>") \ \| select( .package == "<package_name>")'` Copy to Clipboard Toggle word wrap

以下流程使用 Red Hat OpenShift Pipelines Operator 的 openshift-pipelines-operator-rh.clusterserviceversion.yaml 文件作为示例。示例包括安装和管理 OpenShift Pipelines Operator 所需的 RBAC 摘录。有关完整的清单，请参阅"Red Hat OpenShift Pipelines Operator 的集群角色示例"。

重要

为简化以下步骤并改进可读性，以下示例清单使用范围到集群的权限。您可以进一步限制某些权限，方法是将它们限定到扩展名的命名空间，而不是集群。

先决条件

使用具有 cluster-admin 权限的账户访问 OpenShift Container Platform 集群。
您已在要安装的扩展的镜像引用中下载了清单。

流程

创建新集群角色清单，如下例所示：

示例 <extension>-cluster-role.yaml 文件

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: <extension>-installer-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: <extension>-installer-clusterrole

Copy to Clipboard

Toggle word wrap

编辑集群角色清单使其包含在扩展上更新终结器的权限，如下例所示：

示例 <extension>-cluster-role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pipelines-installer-clusterrole
rules:
- apiGroups:
  - olm.operatorframework.io
  resources:
  - clusterextensions/finalizers
  verbs:
  - update
  # Scoped to the name of the ClusterExtension
  resourceNames:
  - <metadata_name>

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pipelines-installer-clusterrole
rules:
- apiGroups:
  - olm.operatorframework.io
  resources:
  - clusterextensions/finalizers
  verbs:
  - update
  # Scoped to the name of the ClusterExtension
  resourceNames:
  - <metadata_name>

1

Copy to Clipboard

Toggle word wrap

1: 指定来自扩展的自定义资源(CR)的 metadata.name 字段的值。

在扩展的 CSV 文件中的 rules.resources 字段中搜索 clusterrole 和 clusterrolebindings 值。

将 API 组、资源、操作动词和资源名称复制到您的清单中，如下例所示：

集群角色清单示例

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pipelines-installer-clusterrole
rules:
# ...
# ClusterRoles and ClusterRoleBindings for the controllers of the extension
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  verbs:
  - create 
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  verbs:
  - get
  - update
  - patch
  - delete
  resourceNames: 
  - "*"
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  verbs:
  - create
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  verbs:
  - get
  - update
  - patch
  - delete
  resourceNames:
  - "*"
# ...

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pipelines-installer-clusterrole
rules:
# ...
# ClusterRoles and ClusterRoleBindings for the controllers of the extension
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  verbs:
  - create

1


  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  verbs:
  - get
  - update
  - patch
  - delete
  resourceNames:

2


  - "*"
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  verbs:
  - create
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  verbs:
  - get
  - update
  - patch
  - delete
  resourceNames:
  - "*"
# ...

Copy to Clipboard

Toggle word wrap

1: 您不能将 create, list, 和 watch 权限限制到特定资源 (resourceNames 字段)。您需要将这些权限限定为它们的资源 ( resources 字段)。
2: 有些资源名称使用以下格式生成：<package_name>.<hash>。安装扩展后，为扩展的控制器查找集群角色和集群角色绑定的资源名称。将此示例中的通配符字符替换为生成的名称，并遵循最小特权的原则。

在扩展的 CSV 文件中的 rules.resources 字段中搜索 customresourcedefinitions 值。

将 API 组、资源、操作动词和资源名称复制到您的清单中，如下例所示：

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pipelines-installer-clusterrole
rules:
# ...
# Custom resource definitions of the extension
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
  - list
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - update
  - patch
  - delete
  resourceNames:
  - manualapprovalgates.operator.tekton.dev
  - openshiftpipelinesascodes.operator.tekton.dev
  - tektonaddons.operator.tekton.dev
  - tektonchains.operator.tekton.dev
  - tektonconfigs.operator.tekton.dev
  - tektonhubs.operator.tekton.dev
  - tektoninstallersets.operator.tekton.dev
  - tektonpipelines.operator.tekton.dev
  - tektonresults.operator.tekton.dev
  - tektontriggers.operator.tekton.dev
# ...

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pipelines-installer-clusterrole
rules:
# ...
# Custom resource definitions of the extension
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
  - list
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - update
  - patch
  - delete
  resourceNames:
  - manualapprovalgates.operator.tekton.dev
  - openshiftpipelinesascodes.operator.tekton.dev
  - tektonaddons.operator.tekton.dev
  - tektonchains.operator.tekton.dev
  - tektonconfigs.operator.tekton.dev
  - tektonhubs.operator.tekton.dev
  - tektoninstallersets.operator.tekton.dev
  - tektonpipelines.operator.tekton.dev
  - tektonresults.operator.tekton.dev
  - tektontriggers.operator.tekton.dev
# ...

Copy to Clipboard

Toggle word wrap

在 rules.resources spec 中搜索带有 permissions 和 clusterPermissions 值的小节。

将 API 组、资源、操作动词和资源名称复制到您的清单中，如下例所示：

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pipelines-installer-clusterrole
rules:
# ...
# Excerpt from install.spec.clusterPermissions
- apiGroups:
  - ''
  resources:
  - nodes
  - pods
  - services
  - endpoints
  - persistentvolumeclaims
  - events
  - configmaps
  - secrets
  - pods/log
  - limitranges
  verbs:
  - create
  - list
  - watch
  - delete
  - deletecollection
  - patch
  - get
  - update
- apiGroups:
  - extensions
  - apps
  resources:
  - ingresses
  - ingresses/status
  verbs:
  - create
  - list
  - watch
  - delete
  - patch
  - get
  - update
 # ...

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pipelines-installer-clusterrole
rules:
# ...
# Excerpt from install.spec.clusterPermissions
- apiGroups:
  - ''
  resources:
  - nodes
  - pods
  - services
  - endpoints
  - persistentvolumeclaims
  - events
  - configmaps
  - secrets
  - pods/log
  - limitranges
  verbs:
  - create
  - list
  - watch
  - delete
  - deletecollection
  - patch
  - get
  - update
- apiGroups:
  - extensions
  - apps
  resources:
  - ingresses
  - ingresses/status
  verbs:
  - create
  - list
  - watch
  - delete
  - patch
  - get
  - update
 # ...

Copy to Clipboard

Toggle word wrap

在 install.spec.deployments 小节中搜索资源的 CSV 文件。

将 API 组、资源、操作动词和资源名称复制到您的清单中，如下例所示：

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pipelines-installer-clusterrole
rules:
# ...
# Excerpt from install.spec.deployments
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - update
  - patch
  - delete
  # scoped to the extension controller deployment name
  resourceNames:
  - openshift-pipelines-operator
  - tekton-operator-webhook
# ...

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pipelines-installer-clusterrole
rules:
# ...
# Excerpt from install.spec.deployments
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - update
  - patch
  - delete
  # scoped to the extension controller deployment name
  resourceNames:
  - openshift-pipelines-operator
  - tekton-operator-webhook
# ...

Copy to Clipboard

Toggle word wrap

在扩展的 CSV 文件中的 rules.resources 字段中搜索 services 和 configmaps 值。

将 API 组、资源、操作动词和资源名称复制到您的清单中，如下例所示：

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pipelines-installer-clusterrole
rules:
# ...
# Services
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
  - update
  - patch
  - delete
  # scoped to the service name
  resourceNames:
  - openshift-pipelines-operator-monitor
  - tekton-operator
  - tekton-operator-webhook
# configmaps
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - update
  - patch
  - delete
  # scoped to the configmap name
  resourceNames:
  - config-logging
  - tekton-config-defaults
  - tekton-config-observability
  - tekton-operator-controller-config-leader-election
  - tekton-operator-info
  - tekton-operator-webhook-config-leader-election
- apiGroups:
  - operator.tekton.dev
  resources:
  - tekton-config-read-role
  - tekton-result-read-role
  verbs:
  - get
  - watch
  - list

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pipelines-installer-clusterrole
rules:
# ...
# Services
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
  - update
  - patch
  - delete
  # scoped to the service name
  resourceNames:
  - openshift-pipelines-operator-monitor
  - tekton-operator
  - tekton-operator-webhook
# configmaps
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - update
  - patch
  - delete
  # scoped to the configmap name
  resourceNames:
  - config-logging
  - tekton-config-defaults
  - tekton-config-observability
  - tekton-operator-controller-config-leader-election
  - tekton-operator-info
  - tekton-operator-webhook-config-leader-election
- apiGroups:
  - operator.tekton.dev
  resources:
  - tekton-config-read-role
  - tekton-result-read-role
  verbs:
  - get
  - watch
  - list

Copy to Clipboard

Toggle word wrap

运行以下命令，将集群角色清单添加到集群中：

oc apply -f <extension>-installer-clusterrole.yaml

$ oc apply -f <extension>-installer-clusterrole.yaml

Copy to Clipboard

Toggle word wrap

示例命令

oc apply -f pipelines-installer-clusterrole.yaml

$ oc apply -f pipelines-installer-clusterrole.yaml

Copy to Clipboard

Toggle word wrap

5.1.3.6. Red Hat OpenShift Pipelines Operator 的集群角色示例
复制链接

如需 OpenShift Pipelines Operator 的完整集群角色清单，请参阅以下示例。

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pipelines-installer-clusterrole
rules:
- apiGroups:
  - olm.operatorframework.io
  resources:
  - clusterextensions/finalizers
  verbs:
  - update
  # Scoped to the name of the ClusterExtension
  resourceNames:
  - pipes # the value from <metadata.name> from the extension's custom resource (CR)
# ClusterRoles and ClusterRoleBindings for the controllers of the extension
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  verbs:
  - create
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  verbs:
  - get
  - update
  - patch
  - delete
  resourceNames:
  - "*"
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  verbs:
  - create
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  verbs:
  - get
  - update
  - patch
  - delete
  resourceNames:
  - "*"
# Extension's custom resource definitions
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
  - list
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - update
  - patch
  - delete
  resourceNames:
  - manualapprovalgates.operator.tekton.dev
  - openshiftpipelinesascodes.operator.tekton.dev
  - tektonaddons.operator.tekton.dev
  - tektonchains.operator.tekton.dev
  - tektonconfigs.operator.tekton.dev
  - tektonhubs.operator.tekton.dev
  - tektoninstallersets.operator.tekton.dev
  - tektonpipelines.operator.tekton.dev
  - tektonresults.operator.tekton.dev
  - tektontriggers.operator.tekton.dev
- apiGroups:
  - ''
  resources:
  - nodes
  - pods
  - services
  - endpoints
  - persistentvolumeclaims
  - events
  - configmaps
  - secrets
  - pods/log
  - limitranges
  verbs:
  - create
  - list
  - watch
  - delete
  - deletecollection
  - patch
  - get
  - update
- apiGroups:
  - extensions
  - apps
  resources:
  - ingresses
  - ingresses/status
  verbs:
  - create
  - list
  - watch
  - delete
  - patch
  - get
  - update
- apiGroups:
  - ''
  resources:
  - namespaces
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - replicasets
  - statefulsets
  - deployments/finalizers
  verbs:
  - delete
  - deletecollection
  - create
  - patch
  - get
  - list
  - update
  - watch
- apiGroups:
  - monitoring.coreos.com
  resources:
  - servicemonitors
  verbs:
  - get
  - create
  - delete
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  - roles
  verbs:
  - delete
  - deletecollection
  - create
  - patch
  - get
  - list
  - update
  - watch
  - bind
  - escalate
- apiGroups:
  - ''
  resources:
  - serviceaccounts
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
  - impersonate
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  - rolebindings
  verbs:
  - get
  - update
  - delete
  - patch
  - create
  - list
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  - customresourcedefinitions/status
  verbs:
  - get
  - create
  - update
  - delete
  - list
  - patch
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - build.knative.dev
  resources:
  - builds
  - buildtemplates
  - clusterbuildtemplates
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - extensions
  resources:
  - deployments
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - extensions
  resources:
  - deployments/finalizers
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - operator.tekton.dev
  resources:
  - '*'
  - tektonaddons
  verbs:
  - delete
  - deletecollection
  - create
  - patch
  - get
  - list
  - update
  - watch
- apiGroups:
  - tekton.dev
  - triggers.tekton.dev
  - operator.tekton.dev
  - pipelinesascode.tekton.dev
  resources:
  - '*'
  verbs:
  - add
  - delete
  - deletecollection
  - create
  - patch
  - get
  - list
  - update
  - watch
- apiGroups:
  - dashboard.tekton.dev
  resources:
  - '*'
  - tektonaddons
  verbs:
  - delete
  - deletecollection
  - create
  - patch
  - get
  - list
  - update
  - watch
- apiGroups:
  - security.openshift.io
  resources:
  - securitycontextconstraints
  verbs:
  - use
  - get
  - list
  - create
  - update
  - delete
- apiGroups:
  - events.k8s.io
  resources:
  - events
  verbs:
  - create
- apiGroups:
  - route.openshift.io
  resources:
  - routes
  verbs:
  - delete
  - deletecollection
  - create
  - patch
  - get
  - list
  - update
  - watch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - console.openshift.io
  resources:
  - consoleyamlsamples
  - consoleclidownloads
  - consolequickstarts
  - consolelinks
  verbs:
  - delete
  - deletecollection
  - create
  - patch
  - get
  - list
  - update
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - delete
  - create
  - patch
  - get
  - list
  - update
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - delete
  - deletecollection
  - create
  - patch
  - get
  - list
  - update
  - watch
- apiGroups:
  - monitoring.coreos.com
  resources:
  - servicemonitors
  verbs:
  - delete
  - deletecollection
  - create
  - patch
  - get
  - list
  - update
  - watch
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - delete
  - deletecollection
  - create
  - patch
  - get
  - list
  - update
  - watch
- apiGroups:
  - ''
  resources:
  - namespaces/finalizers
  verbs:
  - update
- apiGroups:
  - resolution.tekton.dev
  resources:
  - resolutionrequests
  - resolutionrequests/status
  verbs:
  - get
  - list
  - watch
  - create
  - delete
  - update
  - patch
- apiGroups:
  - console.openshift.io
  resources:
  - consoleplugins
  verbs:
  - get
  - list
  - watch
  - create
  - delete
  - update
  - patch
# Deployments specified in install.spec.deployments
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - update
  - patch
  - delete
  # scoped to the extension controller deployment name
  resourceNames:
  - openshift-pipelines-operator
  - tekton-operator-webhook
# Service accounts in the CSV
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - create
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - update
  - patch
  - delete
  # scoped to the extension controller's deployment service account
  resourceNames:
  - openshift-pipelines-operator
# Services
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
  - update
  - patch
  - delete
  # scoped to the service name
  resourceNames:
  - openshift-pipelines-operator-monitor
  - tekton-operator
  - tekton-operator-webhook
# configmaps
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - update
  - patch
  - delete
  # scoped to the configmap name
  resourceNames:
  - config-logging
  - tekton-config-defaults
  - tekton-config-observability
  - tekton-operator-controller-config-leader-election
  - tekton-operator-info
  - tekton-operator-webhook-config-leader-election
- apiGroups:
  - operator.tekton.dev
  resources:
  - tekton-config-read-role
  - tekton-result-read-role
  verbs:
  - get
  - watch
  - list
---

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pipelines-installer-clusterrole
rules:
- apiGroups:
  - olm.operatorframework.io
  resources:
  - clusterextensions/finalizers
  verbs:
  - update
  # Scoped to the name of the ClusterExtension
  resourceNames:
  - pipes # the value from <metadata.name> from the extension's custom resource (CR)
# ClusterRoles and ClusterRoleBindings for the controllers of the extension
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  verbs:
  - create
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  verbs:
  - get
  - update
  - patch
  - delete
  resourceNames:
  - "*"
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  verbs:
  - create
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  verbs:
  - get
  - update
  - patch
  - delete
  resourceNames:
  - "*"
# Extension's custom resource definitions
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
  - list
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - update
  - patch
  - delete
  resourceNames:
  - manualapprovalgates.operator.tekton.dev
  - openshiftpipelinesascodes.operator.tekton.dev
  - tektonaddons.operator.tekton.dev
  - tektonchains.operator.tekton.dev
  - tektonconfigs.operator.tekton.dev
  - tektonhubs.operator.tekton.dev
  - tektoninstallersets.operator.tekton.dev
  - tektonpipelines.operator.tekton.dev
  - tektonresults.operator.tekton.dev
  - tektontriggers.operator.tekton.dev
- apiGroups:
  - ''
  resources:
  - nodes
  - pods
  - services
  - endpoints
  - persistentvolumeclaims
  - events
  - configmaps
  - secrets
  - pods/log
  - limitranges
  verbs:
  - create
  - list
  - watch
  - delete
  - deletecollection
  - patch
  - get
  - update
- apiGroups:
  - extensions
  - apps
  resources:
  - ingresses
  - ingresses/status
  verbs:
  - create
  - list
  - watch
  - delete
  - patch
  - get
  - update
- apiGroups:
  - ''
  resources:
  - namespaces
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - replicasets
  - statefulsets
  - deployments/finalizers
  verbs:
  - delete
  - deletecollection
  - create
  - patch
  - get
  - list
  - update
  - watch
- apiGroups:
  - monitoring.coreos.com
  resources:
  - servicemonitors
  verbs:
  - get
  - create
  - delete
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  - roles
  verbs:
  - delete
  - deletecollection
  - create
  - patch
  - get
  - list
  - update
  - watch
  - bind
  - escalate
- apiGroups:
  - ''
  resources:
  - serviceaccounts
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
  - impersonate
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  - rolebindings
  verbs:
  - get
  - update
  - delete
  - patch
  - create
  - list
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  - customresourcedefinitions/status
  verbs:
  - get
  - create
  - update
  - delete
  - list
  - patch
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - build.knative.dev
  resources:
  - builds
  - buildtemplates
  - clusterbuildtemplates
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - extensions
  resources:
  - deployments
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - extensions
  resources:
  - deployments/finalizers
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - operator.tekton.dev
  resources:
  - '*'
  - tektonaddons
  verbs:
  - delete
  - deletecollection
  - create
  - patch
  - get
  - list
  - update
  - watch
- apiGroups:
  - tekton.dev
  - triggers.tekton.dev
  - operator.tekton.dev
  - pipelinesascode.tekton.dev
  resources:
  - '*'
  verbs:
  - add
  - delete
  - deletecollection
  - create
  - patch
  - get
  - list
  - update
  - watch
- apiGroups:
  - dashboard.tekton.dev
  resources:
  - '*'
  - tektonaddons
  verbs:
  - delete
  - deletecollection
  - create
  - patch
  - get
  - list
  - update
  - watch
- apiGroups:
  - security.openshift.io
  resources:
  - securitycontextconstraints
  verbs:
  - use
  - get
  - list
  - create
  - update
  - delete
- apiGroups:
  - events.k8s.io
  resources:
  - events
  verbs:
  - create
- apiGroups:
  - route.openshift.io
  resources:
  - routes
  verbs:
  - delete
  - deletecollection
  - create
  - patch
  - get
  - list
  - update
  - watch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - console.openshift.io
  resources:
  - consoleyamlsamples
  - consoleclidownloads
  - consolequickstarts
  - consolelinks
  verbs:
  - delete
  - deletecollection
  - create
  - patch
  - get
  - list
  - update
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - delete
  - create
  - patch
  - get
  - list
  - update
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - delete
  - deletecollection
  - create
  - patch
  - get
  - list
  - update
  - watch
- apiGroups:
  - monitoring.coreos.com
  resources:
  - servicemonitors
  verbs:
  - delete
  - deletecollection
  - create
  - patch
  - get
  - list
  - update
  - watch
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - delete
  - deletecollection
  - create
  - patch
  - get
  - list
  - update
  - watch
- apiGroups:
  - ''
  resources:
  - namespaces/finalizers
  verbs:
  - update
- apiGroups:
  - resolution.tekton.dev
  resources:
  - resolutionrequests
  - resolutionrequests/status
  verbs:
  - get
  - list
  - watch
  - create
  - delete
  - update
  - patch
- apiGroups:
  - console.openshift.io
  resources:
  - consoleplugins
  verbs:
  - get
  - list
  - watch
  - create
  - delete
  - update
  - patch
# Deployments specified in install.spec.deployments
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - update
  - patch
  - delete
  # scoped to the extension controller deployment name
  resourceNames:
  - openshift-pipelines-operator
  - tekton-operator-webhook
# Service accounts in the CSV
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - create
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - update
  - patch
  - delete
  # scoped to the extension controller's deployment service account
  resourceNames:
  - openshift-pipelines-operator
# Services
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
  - update
  - patch
  - delete
  # scoped to the service name
  resourceNames:
  - openshift-pipelines-operator-monitor
  - tekton-operator
  - tekton-operator-webhook
# configmaps
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - update
  - patch
  - delete
  # scoped to the configmap name
  resourceNames:
  - config-logging
  - tekton-config-defaults
  - tekton-config-observability
  - tekton-operator-controller-config-leader-election
  - tekton-operator-info
  - tekton-operator-webhook-config-leader-election
- apiGroups:
  - operator.tekton.dev
  resources:
  - tekton-config-read-role
  - tekton-result-read-role
  verbs:
  - get
  - watch
  - list
---

Copy to Clipboard

Toggle word wrap

5.1.3.7. 为扩展创建集群角色绑定
复制链接

创建服务帐户和集群角色后，您必须将集群角色绑定到带有集群角色绑定清单的服务帐户。

先决条件

使用具有 cluster-admin 权限的账户访问 OpenShift Container Platform 集群。
您已为要安装的扩展创建并应用以下资源：
- Namespace
- 服务帐户
- 集群角色

流程

创建集群角色绑定将集群角色绑定绑定到服务帐户，如下例所示：

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: <extension>-installer-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: <extension>-installer-clusterrole
subjects:
- kind: ServiceAccount
  name: <extension>-installer
  namespace: <namespace>

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: <extension>-installer-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: <extension>-installer-clusterrole
subjects:
- kind: ServiceAccount
  name: <extension>-installer
  namespace: <namespace>

Copy to Clipboard

Toggle word wrap

例 5.10. pipelines-cluster-role-binding.yaml 文件示例

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pipelines-installer-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pipelines-installer-clusterrole
subjects:
- kind: ServiceAccount
  name: pipelines-installer
  namespace: pipelines

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pipelines-installer-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pipelines-installer-clusterrole
subjects:
- kind: ServiceAccount
  name: pipelines-installer
  namespace: pipelines

Copy to Clipboard

Toggle word wrap

运行以下命令来应用集群角色绑定：
```
oc apply -f pipelines-cluster-role-binding.yaml
```
```
$ oc apply -f pipelines-cluster-role-binding.yaml
```
Copy to Clipboard Toggle word wrap

5.1.4. 在所有命名空间中安装集群扩展
复制链接

您可以通过创建自定义资源 (CR) 并将其应用到集群来从目录安装扩展。Operator Lifecycle Manager (OLM) v1 支持安装集群扩展，包括 registry+v1 捆绑包格式的 OLM (Classic) Operator，它们仅限于集群。如需更多信息，请参阅支持的扩展。

注意

对于 OpenShift Container Platform 4.19，适用于 OLM v1 的流程都是基于 CLI 的。另外，管理员也可以使用普通方法（如 Import YAML 和 Search 页面）在 web 控制台中创建和查看相关对象。但是，现有的 OperatorHub 和 Installed Operators 页还不会显示 OLM v1 组件。

先决条件

您已创建了服务帐户，并分配了足够的基于角色的访问控制 (RBAC) 来安装、更新和管理您要安装的扩展。如需更多信息，请参阅"集群扩展权限"。

流程

创建一个类似以下示例的 CR：

apiVersion: olm.operatorframework.io/v1
  kind: ClusterExtension
  metadata:
    name: <clusterextension_name>
  spec:
    namespace: <installed_namespace> 
    serviceAccount:
      name: <service_account_installer_name> 
    source:
      sourceType: Catalog
      catalog:
        packageName: <package_name>
        channels:
          - <channel_name> 
        version: <version_or_version_range> 
        upgradeConstraintPolicy: CatalogProvided

apiVersion: olm.operatorframework.io/v1
  kind: ClusterExtension
  metadata:
    name: <clusterextension_name>
  spec:
    namespace: <installed_namespace>

1


    serviceAccount:
      name: <service_account_installer_name>

2


    source:
      sourceType: Catalog
      catalog:
        packageName: <package_name>
        channels:
          - <channel_name>

3


        version: <version_or_version_range>

4


        upgradeConstraintPolicy: CatalogProvided

5

Copy to Clipboard

Toggle word wrap

1: 指定您要安装捆绑包的命名空间，如 pipelines 或 my-extension。扩展仍然是集群范围的，可能包含在不同命名空间中安装的资源。
2: 指定您为安装、更新和管理扩展创建的服务帐户的名称。
3: 可选：将频道名称指定为数组，如 pipelines-1.14 或 latest。
4: 可选：指定您要安装的软件包的版本或版本范围，如 1.14.0、1.14.x 或 >=1.16。如需更多信息，请参阅"示例自定义资源(CR)指定目标版本"和"支持版本范围"。
5: 可选：指定升级约束策略。如果未指定，则默认设置为 CatalogProvided。只有在新版本满足软件包作者设置的升级限制时，CatalogProvided 设置才会更新。要强制更新或回滚，请将字段设置为 SelfCertified。如需更多信息，请参阅"设置更新或回滚"。

pipelines-operator.yaml CR 示例

apiVersion: olm.operatorframework.io/v1
kind: ClusterExtension
metadata:
  name: pipelines-operator
spec:
  namespace: pipelines
  serviceAccount:
    name: pipelines-installer
  source:
    sourceType: Catalog
    catalog:
      packageName: openshift-pipelines-operator-rh
      version: "1.14.x"

apiVersion: olm.operatorframework.io/v1
kind: ClusterExtension
metadata:
  name: pipelines-operator
spec:
  namespace: pipelines
  serviceAccount:
    name: pipelines-installer
  source:
    sourceType: Catalog
    catalog:
      packageName: openshift-pipelines-operator-rh
      version: "1.14.x"

Copy to Clipboard

Toggle word wrap

运行以下命令，将 CR 应用到集群：

oc apply -f pipeline-operator.yaml

$ oc apply -f pipeline-operator.yaml

Copy to Clipboard

Toggle word wrap

输出示例

clusterextension.olm.operatorframework.io/pipelines-operator created

clusterextension.olm.operatorframework.io/pipelines-operator created

Copy to Clipboard

Toggle word wrap

验证

运行以下命令，以 YAML 格式查看 Operator 或扩展 CR：

oc get clusterextension pipelines-operator -o yaml

$ oc get clusterextension pipelines-operator -o yaml

Copy to Clipboard

Toggle word wrap

例 5.11. 输出示例

apiVersion: v1
items:
- apiVersion: olm.operatorframework.io/v1
  kind: ClusterExtension
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"olm.operatorframework.io/v1","kind":"ClusterExtension","metadata":{"annotations":{},"name":"pipes"},"spec":{"namespace":"pipelines","serviceAccount":{"name":"pipelines-installer"},"source":{"catalog":{"packageName":"openshift-pipelines-operator-rh","version":"1.14.x"},"sourceType":"Catalog"}}}
    creationTimestamp: "2025-02-18T21:48:13Z"
    finalizers:
    - olm.operatorframework.io/cleanup-unpack-cache
    - olm.operatorframework.io/cleanup-contentmanager-cache
    generation: 1
    name: pipelines-operator
    resourceVersion: "72725"
    uid: e18b13fb-a96d-436f-be75-a9a0f2b07993
  spec:
    namespace: pipelines
    serviceAccount:
      name: pipelines-installer
    source:
      catalog:
        packageName: openshift-pipelines-operator-rh
        upgradeConstraintPolicy: CatalogProvided
        version: 1.14.x
      sourceType: Catalog
  status:
    conditions:
    - lastTransitionTime: "2025-02-18T21:48:13Z"
      message: ""
      observedGeneration: 1
      reason: Deprecated
      status: "False"
      type: Deprecated
    - lastTransitionTime: "2025-02-18T21:48:13Z"
      message: ""
      observedGeneration: 1
      reason: Deprecated
      status: "False"
      type: PackageDeprecated
    - lastTransitionTime: "2025-02-18T21:48:13Z"
      message: ""
      observedGeneration: 1
      reason: Deprecated
      status: "False"
      type: ChannelDeprecated
    - lastTransitionTime: "2025-02-18T21:48:13Z"
      message: ""
      observedGeneration: 1
      reason: Deprecated
      status: "False"
      type: BundleDeprecated
    - lastTransitionTime: "2025-02-18T21:48:16Z"
      message: Installed bundle registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:f7b19ce26be742c4aaa458d37bc5ad373b5b29b20aaa7d308349687d3cbd8838
        successfully
      observedGeneration: 1
      reason: Succeeded
      status: "True"
      type: Installed
    - lastTransitionTime: "2025-02-18T21:48:16Z"
      message: desired state reached
      observedGeneration: 1
      reason: Succeeded
      status: "True"
      type: Progressing
    install:
      bundle:
        name: openshift-pipelines-operator-rh.v1.14.5
        version: 1.14.5
kind: List
metadata:
  resourceVersion: ""

apiVersion: v1
items:
- apiVersion: olm.operatorframework.io/v1
  kind: ClusterExtension
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"olm.operatorframework.io/v1","kind":"ClusterExtension","metadata":{"annotations":{},"name":"pipes"},"spec":{"namespace":"pipelines","serviceAccount":{"name":"pipelines-installer"},"source":{"catalog":{"packageName":"openshift-pipelines-operator-rh","version":"1.14.x"},"sourceType":"Catalog"}}}
    creationTimestamp: "2025-02-18T21:48:13Z"
    finalizers:
    - olm.operatorframework.io/cleanup-unpack-cache
    - olm.operatorframework.io/cleanup-contentmanager-cache
    generation: 1
    name: pipelines-operator
    resourceVersion: "72725"
    uid: e18b13fb-a96d-436f-be75-a9a0f2b07993
  spec:
    namespace: pipelines
    serviceAccount:
      name: pipelines-installer
    source:
      catalog:
        packageName: openshift-pipelines-operator-rh
        upgradeConstraintPolicy: CatalogProvided
        version: 1.14.x
      sourceType: Catalog
  status:
    conditions:
    - lastTransitionTime: "2025-02-18T21:48:13Z"
      message: ""
      observedGeneration: 1
      reason: Deprecated
      status: "False"
      type: Deprecated
    - lastTransitionTime: "2025-02-18T21:48:13Z"
      message: ""
      observedGeneration: 1
      reason: Deprecated
      status: "False"
      type: PackageDeprecated
    - lastTransitionTime: "2025-02-18T21:48:13Z"
      message: ""
      observedGeneration: 1
      reason: Deprecated
      status: "False"
      type: ChannelDeprecated
    - lastTransitionTime: "2025-02-18T21:48:13Z"
      message: ""
      observedGeneration: 1
      reason: Deprecated
      status: "False"
      type: BundleDeprecated
    - lastTransitionTime: "2025-02-18T21:48:16Z"
      message: Installed bundle registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:f7b19ce26be742c4aaa458d37bc5ad373b5b29b20aaa7d308349687d3cbd8838
        successfully
      observedGeneration: 1
      reason: Succeeded
      status: "True"
      type: Installed
    - lastTransitionTime: "2025-02-18T21:48:16Z"
      message: desired state reached
      observedGeneration: 1
      reason: Succeeded
      status: "True"
      type: Progressing
    install:
      bundle:
        name: openshift-pipelines-operator-rh.v1.14.5
        version: 1.14.5
kind: List
metadata:
  resourceVersion: ""

Copy to Clipboard

Toggle word wrap

其中：

spec.channel

显示扩展 CR 中定义的频道。

spec.version

显示扩展 CR 中定义的版本或版本范围。

status.conditions

显示扩展状态和健康的信息。

type: Deprecated

显示以下一个或多个是否已弃用：

type: PackageDeprecated: 显示解析的软件包是否已弃用。
type: ChannelDeprecated: 显示解析的频道是否已弃用。
type: BundleDeprecated: 显示解析捆绑包是否已弃用。

status 字段中的 False 值表示 reason: Deprecated 条件已弃用。status 字段中的 True 值表示 reason: Deprecated 条件已被弃用。

installedBundle.name

显示安装的捆绑包的名称。

installedBundle.version

显示安装的捆绑包的版本。

5.1.5. 在特定命名空间中部署集群扩展（技术预览）
复制链接

安装模式是 Operator Lifecycle Manager (OLM) Classic 的多租户功能。OLM v1 不支持多租户，并使用 AllNamespaces 安装模式将集群扩展部署到集群。

但是，一些现有集群扩展不支持 AllNamespaces 安装模式。您可以使用 OwnNamespace 或 SingleNamespace 安装模式作为 registry+v1 Operator 捆绑包的技术预览功能在特定命名空间中部署扩展。

不支持 MultiNamespace 安装模式。因此，您无法在集群中多次安装同一 Operator。

重要

支持在特定命名空间中部署集群扩展只是一个技术预览功能。技术预览功能不受红帽产品服务等级协议（SLA）支持，且功能可能并不完整。红帽不推荐在生产环境中使用它们。这些技术预览功能可以使用户提早试用新的功能，并有机会在开发阶段提供反馈意见。

有关红帽技术预览功能支持范围的更多信息，请参阅技术预览功能支持范围。

如需更多信息，请参阅"支持扩展"。

先决条件

使用具有 cluster-admin 权限的账户访问 OpenShift Container Platform 集群
在集群中启用 TechPreviewNoUpgrade 功能集
支持 OwnNamespace 或 SingleNamespace 安装模式的 Operator

流程

创建自定义资源(CR)，类似以下示例：

示例 <cluster-extension-cr>.yaml 文件

apiVersion: olm.operatorframework.io/v1
kind: ClusterExtension
metadata:
  name: <clusterextension_name>
  annotations:
    olm.operatorframework.io/watch-namespace: <namespace>
spec:
  namespace: <installed_namespace>
  serviceAccount:
    name: <service_account_installer_name>
  source:
    sourceType: Catalog
    catalog:
      packageName: <package_name>
      channels:
        - <channel_name>
      version: <version_or_version_range>
      upgradeConstraintPolicy: CatalogProvided

apiVersion: olm.operatorframework.io/v1
kind: ClusterExtension
metadata:
  name: <clusterextension_name>
  annotations:
    olm.operatorframework.io/watch-namespace: <namespace>
spec:
  namespace: <installed_namespace>
  serviceAccount:
    name: <service_account_installer_name>
  source:
    sourceType: Catalog
    catalog:
      packageName: <package_name>
      channels:
        - <channel_name>
      version: <version_or_version_range>
      upgradeConstraintPolicy: CatalogProvided

Copy to Clipboard

Toggle word wrap

其中：

namespace

指定您要部署集群扩展的命名空间。

如果 namespace 参数为空，或者注解不存在，则使用 AllNamespaces 安装模式部署扩展。
如果 namespace 参数的值与 spec.namespace 字段中的 installed_namespace 参数相同，则使用 OwnNamespace 安装模式部署扩展。
如果 namespace 参数指定与 installed_namespace 参数不同的命名空间，则使用 SingleNamespace 安装模式部署扩展。

运行以下命令，将 CR 应用到集群：
```
oc apply -f <cluster_extension_cr>.yaml
```
```
$ oc apply -f <cluster_extension_cr>.yaml
```
Copy to Clipboard Toggle word wrap

5.1.6. 集群扩展的 preflight 权限检查（技术预览）
复制链接

当您尝试安装扩展时，Operator Controller 会执行安装过程的空运行。此空运行验证指定的服务帐户是否可以执行安装扩展所需的所有操作。这包括在捆绑包中创建所有 Kubernetes 对象，以及捆绑包定义的角色和绑定的基于角色的访问控制(RBAC)规则。

重要

对集群扩展的 preflight 权限检查只是一个技术预览功能。技术预览功能不受红帽产品服务等级协议（SLA）支持，且功能可能并不完整。红帽不推荐在生产环境中使用它们。这些技术预览功能可以使用户提早试用新的功能，并有机会在开发阶段提供反馈意见。

有关红帽技术预览功能支持范围的更多信息，请参阅技术预览功能支持范围。

如果服务帐户缺少任何所需的 RBAC 规则，preflight 检查会在实际安装进行前失败。如果 preflight 检查失败，Operator Controller 会在扩展的状态条件和 Operator Controller 日志中报告错误。

要继续安装，请更新角色和绑定，为服务帐户授予缺少的权限并应用更改。如果没有错误，Operator Controller 会协调更新的权限并完成安装。

5.1.6.1. preflight 权限检查的报告示例
复制链接

以下报告表示服务帐户需要以下缺少的权限：

用于对整个集群核心 API 组中的 services 资源执行 list 和 watch 操作的 RBAC 规则
用于对 pipelines 命名空间的 apps API 组中的 deployments 资源执行 create 操作的 RBAC 规则。

您可以在集群扩展的状态条件中，从 preflight 权限检查报告。oc describe clusterextension 命令打印有关集群扩展的信息，包括状态条件。

示例命令

oc describe clusterextension <extension_name>

$ oc describe clusterextension <extension_name>

Copy to Clipboard

Toggle word wrap

报告示例

apiVersion: v1
items:
- apiVersion: olm.operatorframework.io/v1
  kind: ClusterExtension
...
Conditions:
  Type:    Progressing
  Status:  False
  Reason:  Retrying
  Message: pre-authorization failed: service account requires the following permissions to manage cluster extension:
           Namespace:"" APIGroups:[] Resources:[services] Verbs:[list,watch]
           Namespace:"pipelines" APIGroups:["apps"] Resources:[deployments] Verbs:[create]

apiVersion: v1
items:
- apiVersion: olm.operatorframework.io/v1
  kind: ClusterExtension
...
Conditions:
  Type:    Progressing
  Status:  False
  Reason:  Retrying
  Message: pre-authorization failed: service account requires the following permissions to manage cluster extension:
           Namespace:"" APIGroups:[] Resources:[services] Verbs:[list,watch]
           Namespace:"pipelines" APIGroups:["apps"] Resources:[deployments] Verbs:[create]

Copy to Clipboard

Toggle word wrap

Namespace

在命名空间级别指定所需的 RBAC 规则范围，如 pipelines 命名空间。空命名空间值 "" 表示您必须将权限范围到集群。

APIGroups

指定所需权限应用到的 API 组的名称。API 组中的空值（[]）表示权限应用到核心 API 组。例如，服务、secret 和配置映射都是核心资源。

如果资源属于命名 API 组，报告列出了方括号之间的名称。例如，APIGroups:[apps] 值表示扩展需要 RBAC 规则对 apps API 组中的资源执行操作。

Resources

指定需要权限的资源类型。例如，服务、secret 和自定义资源定义是常见的资源类型。

Verbs

指定服务帐户执行操作（或 verbs）所需的权限。如果报告列出了几个操作动词，则所有列出的操作动词都需要 RBAC 规则。

5.1.6.2. 常见权限错误
复制链接

缺少操作动词: 服务帐户没有执行所需操作的权限。要解决这个问题，请更新或创建角色和绑定来授予所需的权限。角色和角色绑定定义命名空间的资源权限。集群角色和集群角色绑定定义集群的资源权限。
权限升级: 服务帐户没有足够的权限来创建扩展所需的角色或集群角色。当发生这种情况时，preflight 检查会报告缺少动词，以防止特权升级。要解决这个问题，请为服务帐户授予足够的权限，使其可以创建角色。
缺少角色引用: 扩展引用 Operator Controller 无法找到的角色或集群角色。当发生这种情况时，preflight 检查会列出缺少的角色，并报告 授权评估错误。要解决这个问题，请创建或更新角色和集群角色，以确保所有角色引用都存在。

5.1.7. 更新集群扩展
复制链接

您可以通过手动编辑自定义资源 (CR) 并应用更改来更新集群扩展或 Operator。

先决条件

已安装 Operator 或扩展。
已安装 jq CLI 工具。
已安装 opm CLI 工具。

流程

通过完成以下步骤，检查目录文件本地副本中的频道和版本信息：

运行以下命令，从所选软件包中获取频道列表：

opm render <catalog_registry_url>:<tag> \
  | jq -s '.[] | select( .schema == "olm.channel" ) \
  | jq -s '.[] | select( .schema == "olm.channel" ) \
  | select( .package == "openshift-pipelines-operator-rh") | .name'
  | select( .package == "openshift-pipelines-operator-rh") | .name'

$ opm render <catalog_registry_url>:<tag> \
  | jq -s '.[] | select( .schema == "olm.channel" ) \
  | select( .package == "openshift-pipelines-operator-rh") | .name'

Copy to Clipboard

Toggle word wrap

例 5.12. 示例命令

opm render registry.redhat.io/redhat/redhat-operator-index:v4.19 \
  | jq -s '.[] | select( .schema == "olm.channel" ) \
  | select( .package == "openshift-pipelines-operator-rh") | .name'

$ opm render registry.redhat.io/redhat/redhat-operator-index:v4.19 \
  | jq -s '.[] | select( .schema == "olm.channel" ) \
  | select( .package == "openshift-pipelines-operator-rh") | .name'

Copy to Clipboard

Toggle word wrap

例 5.13. 输出示例

"latest"
"pipelines-1.14"
"pipelines-1.15"
"pipelines-1.16"
"pipelines-1.17"

"latest"
"pipelines-1.14"
"pipelines-1.15"
"pipelines-1.16"
"pipelines-1.17"

Copy to Clipboard

Toggle word wrap

运行以下命令，获取频道中发布的版本列表：

opm render <catalog_registry_url>:<tag> \
  | jq -s '.[] | select( .package == "<package_name>" ) \
  | jq -s '.[] | select( .package == "<package_name>" ) \
  | select( .schema == "olm.channel" ) \
  | select( .schema == "olm.channel" ) \
  | select( .name == "<channel_name>" ) | .entries \
  | select( .name == "<channel_name>" ) | .entries \
  | .[] | .name'
  | .[] | .name'

$ opm render <catalog_registry_url>:<tag> \
  | jq -s '.[] | select( .package == "<package_name>" ) \
  | select( .schema == "olm.channel" ) \
  | select( .name == "<channel_name>" ) | .entries \
  | .[] | .name'

Copy to Clipboard

Toggle word wrap

例 5.14. 示例命令

opm render registry.redhat.io/redhat/redhat-operator-index:v4.19 \
  | jq -s '.[] | select( .package == "openshift-pipelines-operator-rh" ) \
  | select( .schema == "olm.channel" ) | select( .name == "latest" ) \
  | .entries | .[] | .name'

$ opm render registry.redhat.io/redhat/redhat-operator-index:v4.19 \
  | jq -s '.[] | select( .package == "openshift-pipelines-operator-rh" ) \
  | select( .schema == "olm.channel" ) | select( .name == "latest" ) \
  | .entries | .[] | .name'

Copy to Clipboard

Toggle word wrap

例 5.15. 输出示例

"openshift-pipelines-operator-rh.v1.15.0"
"openshift-pipelines-operator-rh.v1.16.0"
"openshift-pipelines-operator-rh.v1.17.0"
"openshift-pipelines-operator-rh.v1.17.1"

"openshift-pipelines-operator-rh.v1.15.0"
"openshift-pipelines-operator-rh.v1.16.0"
"openshift-pipelines-operator-rh.v1.17.0"
"openshift-pipelines-operator-rh.v1.17.1"

Copy to Clipboard

Toggle word wrap

运行以下命令，查找在 Operator 或扩展 CR 中指定哪个版本或频道：

oc get clusterextension <operator_name> -o yaml

$ oc get clusterextension <operator_name> -o yaml

Copy to Clipboard

Toggle word wrap

示例命令

oc get clusterextension pipelines-operator -o yaml

$ oc get clusterextension pipelines-operator -o yaml

Copy to Clipboard

Toggle word wrap

例 5.16. 输出示例

apiVersion: v1
items:
- apiVersion: olm.operatorframework.io/v1
  kind: ClusterExtension
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"olm.operatorframework.io/v1","kind":"ClusterExtension","metadata":{"annotations":{},"name":"pipes"},"spec":{"namespace":"pipelines","serviceAccount":{"name":"pipelines-installer"},"source":{"catalog":{"packageName":"openshift-pipelines-operator-rh","version":"1.14.x"},"sourceType":"Catalog"}}}
    creationTimestamp: "2025-02-18T21:48:13Z"
    finalizers:
    - olm.operatorframework.io/cleanup-unpack-cache
    - olm.operatorframework.io/cleanup-contentmanager-cache
    generation: 1
    name: pipelines-operator
    resourceVersion: "72725"
    uid: e18b13fb-a96d-436f-be75-a9a0f2b07993
  spec:
    namespace: pipelines
    serviceAccount:
      name: pipelines-installer
    source:
      catalog:
        packageName: openshift-pipelines-operator-rh
        upgradeConstraintPolicy: CatalogProvided
        version: 1.14.x
      sourceType: Catalog
  status:
    conditions:
    - lastTransitionTime: "2025-02-18T21:48:13Z"
      message: ""
      observedGeneration: 1
      reason: Deprecated
      status: "False"
      type: Deprecated
    - lastTransitionTime: "2025-02-18T21:48:13Z"
      message: ""
      observedGeneration: 1
      reason: Deprecated
      status: "False"
      type: PackageDeprecated
    - lastTransitionTime: "2025-02-18T21:48:13Z"
      message: ""
      observedGeneration: 1
      reason: Deprecated
      status: "False"
      type: ChannelDeprecated
    - lastTransitionTime: "2025-02-18T21:48:13Z"
      message: ""
      observedGeneration: 1
      reason: Deprecated
      status: "False"
      type: BundleDeprecated
    - lastTransitionTime: "2025-02-18T21:48:16Z"
      message: Installed bundle registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:f7b19ce26be742c4aaa458d37bc5ad373b5b29b20aaa7d308349687d3cbd8838
        successfully
      observedGeneration: 1
      reason: Succeeded
      status: "True"
      type: Installed
    - lastTransitionTime: "2025-02-18T21:48:16Z"
      message: desired state reached
      observedGeneration: 1
      reason: Succeeded
      status: "True"
      type: Progressing
    install:
      bundle:
        name: openshift-pipelines-operator-rh.v1.14.5
        version: 1.14.5
kind: List
metadata:
  resourceVersion: ""

apiVersion: v1
items:
- apiVersion: olm.operatorframework.io/v1
  kind: ClusterExtension
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"olm.operatorframework.io/v1","kind":"ClusterExtension","metadata":{"annotations":{},"name":"pipes"},"spec":{"namespace":"pipelines","serviceAccount":{"name":"pipelines-installer"},"source":{"catalog":{"packageName":"openshift-pipelines-operator-rh","version":"1.14.x"},"sourceType":"Catalog"}}}
    creationTimestamp: "2025-02-18T21:48:13Z"
    finalizers:
    - olm.operatorframework.io/cleanup-unpack-cache
    - olm.operatorframework.io/cleanup-contentmanager-cache
    generation: 1
    name: pipelines-operator
    resourceVersion: "72725"
    uid: e18b13fb-a96d-436f-be75-a9a0f2b07993
  spec:
    namespace: pipelines
    serviceAccount:
      name: pipelines-installer
    source:
      catalog:
        packageName: openshift-pipelines-operator-rh
        upgradeConstraintPolicy: CatalogProvided
        version: 1.14.x
      sourceType: Catalog
  status:
    conditions:
    - lastTransitionTime: "2025-02-18T21:48:13Z"
      message: ""
      observedGeneration: 1
      reason: Deprecated
      status: "False"
      type: Deprecated
    - lastTransitionTime: "2025-02-18T21:48:13Z"
      message: ""
      observedGeneration: 1
      reason: Deprecated
      status: "False"
      type: PackageDeprecated
    - lastTransitionTime: "2025-02-18T21:48:13Z"
      message: ""
      observedGeneration: 1
      reason: Deprecated
      status: "False"
      type: ChannelDeprecated
    - lastTransitionTime: "2025-02-18T21:48:13Z"
      message: ""
      observedGeneration: 1
      reason: Deprecated
      status: "False"
      type: BundleDeprecated
    - lastTransitionTime: "2025-02-18T21:48:16Z"
      message: Installed bundle registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:f7b19ce26be742c4aaa458d37bc5ad373b5b29b20aaa7d308349687d3cbd8838
        successfully
      observedGeneration: 1
      reason: Succeeded
      status: "True"
      type: Installed
    - lastTransitionTime: "2025-02-18T21:48:16Z"
      message: desired state reached
      observedGeneration: 1
      reason: Succeeded
      status: "True"
      type: Progressing
    install:
      bundle:
        name: openshift-pipelines-operator-rh.v1.14.5
        version: 1.14.5
kind: List
metadata:
  resourceVersion: ""

Copy to Clipboard

Toggle word wrap

使用以下方法之一编辑 CR：

如果要将 Operator 或扩展固定到特定版本，如 1.15.0，请编辑类似以下示例的 CR：

pipelines-operator.yaml CR 示例

apiVersion: olm.operatorframework.io/v1
kind: ClusterExtension
metadata:
  name: pipelines-operator
spec:
  namespace: pipelines
  serviceAccount:
    name: pipelines-installer
  source:
    sourceType: Catalog
    catalog:
      packageName: openshift-pipelines-operator-rh
      version: "1.15.0"

apiVersion: olm.operatorframework.io/v1
kind: ClusterExtension
metadata:
  name: pipelines-operator
spec:
  namespace: pipelines
  serviceAccount:
    name: pipelines-installer
  source:
    sourceType: Catalog
    catalog:
      packageName: openshift-pipelines-operator-rh
      version: "1.15.0"

1

Copy to Clipboard

Toggle word wrap

1: 将版本从 1.14.x 更新至 1.15.0

如果要定义可接受的更新版本范围，请编辑类似以下示例的 CR：

指定了版本范围的 CR 示例

apiVersion: olm.operatorframework.io/v1
kind: ClusterExtension
metadata:
  name: pipelines-operator
spec:
  namespace: pipelines
  serviceAccount:
    name: pipelines-installer
  source:
    sourceType: Catalog
    catalog:
      packageName: openshift-pipelines-operator-rh
      version: ">1.15, <1.17"

apiVersion: olm.operatorframework.io/v1
kind: ClusterExtension
metadata:
  name: pipelines-operator
spec:
  namespace: pipelines
  serviceAccount:
    name: pipelines-installer
  source:
    sourceType: Catalog
    catalog:
      packageName: openshift-pipelines-operator-rh
      version: ">1.15, <1.17"

1

Copy to Clipboard

Toggle word wrap

1: 指定所需的版本范围，大于 1.15 版本，但小于 1.17。如需更多信息，请参阅"支持版本范围"和"Version 比较字符串"。

如果要更新到可以从频道解析的最新版本，请编辑类似以下示例的 CR：

带有指定频道的 CR 示例

apiVersion: olm.operatorframework.io/v1
kind: ClusterExtension
metadata:
  name: pipelines-operator
spec:
  namespace: pipelines
  serviceAccount:
    name: pipelines-installer
  source:
    sourceType: Catalog
    catalog:
      packageName: openshift-pipelines-operator-rh
      channels:
        - latest

apiVersion: olm.operatorframework.io/v1
kind: ClusterExtension
metadata:
  name: pipelines-operator
spec:
  namespace: pipelines
  serviceAccount:
    name: pipelines-installer
  source:
    sourceType: Catalog
    catalog:
      packageName: openshift-pipelines-operator-rh
      channels:
        - latest

1

Copy to Clipboard

Toggle word wrap

1: 安装可从指定频道解析的最新版本。对频道的更新会自动安装。输入值作为数组。

如果要指定频道和版本范围，请编辑类似以下示例的 CR：

带有指定频道和版本范围的 CR 示例

apiVersion: olm.operatorframework.io/v1
kind: ClusterExtension
metadata:
  name: pipelines-operator
spec:
  namespace: pipelines
  serviceAccount:
    name: pipelines-installer
  source:
    sourceType: Catalog
    catalog:
      packageName: openshift-pipelines-operator-rh
      channels:
        - latest
      version: "<1.16"

apiVersion: olm.operatorframework.io/v1
kind: ClusterExtension
metadata:
  name: pipelines-operator
spec:
  namespace: pipelines
  serviceAccount:
    name: pipelines-installer
  source:
    sourceType: Catalog
    catalog:
      packageName: openshift-pipelines-operator-rh
      channels:
        - latest
      version: "<1.16"

Copy to Clipboard

Toggle word wrap

如需更多信息，请参阅"指定目标版本的示例自定义资源(CR) "。

运行以下命令，将更新应用到集群：

oc apply -f pipelines-operator.yaml

$ oc apply -f pipelines-operator.yaml

Copy to Clipboard

Toggle word wrap

输出示例

clusterextension.olm.operatorframework.io/pipelines-operator configured

clusterextension.olm.operatorframework.io/pipelines-operator configured

Copy to Clipboard

Toggle word wrap

验证

运行以下命令验证频道和版本更新是否已应用：

oc get clusterextension pipelines-operator -o yaml

$ oc get clusterextension pipelines-operator -o yaml

Copy to Clipboard

Toggle word wrap

例 5.17. 输出示例

apiVersion: olm.operatorframework.io/v1
kind: ClusterExtension
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"olm.operatorframework.io/v1","kind":"ClusterExtension","metadata":{"annotations":{},"name":"pipes"},"spec":{"namespace":"pipelines","serviceAccount":{"name":"pipelines-installer"},"source":{"catalog":{"packageName":"openshift-pipelines-operator-rh","version":"\u003c1.16"},"sourceType":"Catalog"}}}
  creationTimestamp: "2025-02-18T21:48:13Z"
  finalizers:
  - olm.operatorframework.io/cleanup-unpack-cache
  - olm.operatorframework.io/cleanup-contentmanager-cache
  generation: 2
  name: pipes
  resourceVersion: "90693"
  uid: e18b13fb-a96d-436f-be75-a9a0f2b07993
spec:
  namespace: pipelines
  serviceAccount:
    name: pipelines-installer
  source:
    catalog:
      packageName: openshift-pipelines-operator-rh
      upgradeConstraintPolicy: CatalogProvided
      version: <1.16
    sourceType: Catalog
status:
  conditions:
  - lastTransitionTime: "2025-02-18T21:48:13Z"
    message: ""
    observedGeneration: 2
    reason: Deprecated
    status: "False"
    type: Deprecated
  - lastTransitionTime: "2025-02-18T21:48:13Z"
    message: ""
    observedGeneration: 2
    reason: Deprecated
    status: "False"
    type: PackageDeprecated
  - lastTransitionTime: "2025-02-18T21:48:13Z"
    message: ""
    observedGeneration: 2
    reason: Deprecated
    status: "False"
    type: ChannelDeprecated
  - lastTransitionTime: "2025-02-18T21:48:13Z"
    message: ""
    observedGeneration: 2
    reason: Deprecated
    status: "False"
    type: BundleDeprecated
  - lastTransitionTime: "2025-02-18T21:48:16Z"
    message: Installed bundle registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:8a593c1144709c9aeffbeb68d0b4b08368f528e7bb6f595884b2474bcfbcafcd
      successfully
    observedGeneration: 2
    reason: Succeeded
    status: "True"
    type: Installed
  - lastTransitionTime: "2025-02-18T21:48:16Z"
    message: desired state reached
    observedGeneration: 2
    reason: Succeeded
    status: "True"
    type: Progressing
  install:
    bundle:
      name: openshift-pipelines-operator-rh.v1.15.2
      version: 1.15.2

apiVersion: olm.operatorframework.io/v1
kind: ClusterExtension
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"olm.operatorframework.io/v1","kind":"ClusterExtension","metadata":{"annotations":{},"name":"pipes"},"spec":{"namespace":"pipelines","serviceAccount":{"name":"pipelines-installer"},"source":{"catalog":{"packageName":"openshift-pipelines-operator-rh","version":"\u003c1.16"},"sourceType":"Catalog"}}}
  creationTimestamp: "2025-02-18T21:48:13Z"
  finalizers:
  - olm.operatorframework.io/cleanup-unpack-cache
  - olm.operatorframework.io/cleanup-contentmanager-cache
  generation: 2
  name: pipes
  resourceVersion: "90693"
  uid: e18b13fb-a96d-436f-be75-a9a0f2b07993
spec:
  namespace: pipelines
  serviceAccount:
    name: pipelines-installer
  source:
    catalog:
      packageName: openshift-pipelines-operator-rh
      upgradeConstraintPolicy: CatalogProvided
      version: <1.16
    sourceType: Catalog
status:
  conditions:
  - lastTransitionTime: "2025-02-18T21:48:13Z"
    message: ""
    observedGeneration: 2
    reason: Deprecated
    status: "False"
    type: Deprecated
  - lastTransitionTime: "2025-02-18T21:48:13Z"
    message: ""
    observedGeneration: 2
    reason: Deprecated
    status: "False"
    type: PackageDeprecated
  - lastTransitionTime: "2025-02-18T21:48:13Z"
    message: ""
    observedGeneration: 2
    reason: Deprecated
    status: "False"
    type: ChannelDeprecated
  - lastTransitionTime: "2025-02-18T21:48:13Z"
    message: ""
    observedGeneration: 2
    reason: Deprecated
    status: "False"
    type: BundleDeprecated
  - lastTransitionTime: "2025-02-18T21:48:16Z"
    message: Installed bundle registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:8a593c1144709c9aeffbeb68d0b4b08368f528e7bb6f595884b2474bcfbcafcd
      successfully
    observedGeneration: 2
    reason: Succeeded
    status: "True"
    type: Installed
  - lastTransitionTime: "2025-02-18T21:48:16Z"
    message: desired state reached
    observedGeneration: 2
    reason: Succeeded
    status: "True"
    type: Progressing
  install:
    bundle:
      name: openshift-pipelines-operator-rh.v1.15.2
      version: 1.15.2

Copy to Clipboard

Toggle word wrap

故障排除

如果您指定已弃用或不存在的目标版本或频道，您可以运行以下命令来检查扩展的状态：

oc get clusterextension <operator_name> -o yaml

$ oc get clusterextension <operator_name> -o yaml

Copy to Clipboard

Toggle word wrap

例 5.18. 不存在版本的输出示例

apiVersion: olm.operatorframework.io/v1
kind: ClusterExtension
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"olm.operatorframework.io/v1","kind":"ClusterExtension","metadata":{"annotations":{},"name":"pipes"},"spec":{"namespace":"pipelines","serviceAccount":{"name":"pipelines-installer"},"source":{"catalog":{"packageName":"openshift-pipelines-operator-rh","version":"9.x"},"sourceType":"Catalog"}}}
  creationTimestamp: "2025-02-18T21:48:13Z"
  finalizers:
  - olm.operatorframework.io/cleanup-unpack-cache
  - olm.operatorframework.io/cleanup-contentmanager-cache
  generation: 3
  name: pipes
  resourceVersion: "93334"
  uid: e18b13fb-a96d-436f-be75-a9a0f2b07993
spec:
  namespace: pipelines
  serviceAccount:
    name: pipelines-installer
  source:
    catalog:
      packageName: openshift-pipelines-operator-rh
      upgradeConstraintPolicy: CatalogProvided
      version: 9.x
    sourceType: Catalog
status:
  conditions:
  - lastTransitionTime: "2025-02-18T21:48:13Z"
    message: ""
    observedGeneration: 2
    reason: Deprecated
    status: "False"
    type: Deprecated
  - lastTransitionTime: "2025-02-18T21:48:13Z"
    message: ""
    observedGeneration: 2
    reason: Deprecated
    status: "False"
    type: PackageDeprecated
  - lastTransitionTime: "2025-02-18T21:48:13Z"
    message: ""
    observedGeneration: 2
    reason: Deprecated
    status: "False"
    type: ChannelDeprecated
  - lastTransitionTime: "2025-02-18T21:48:13Z"
    message: ""
    observedGeneration: 2
    reason: Deprecated
    status: "False"
    type: BundleDeprecated
  - lastTransitionTime: "2025-02-18T21:48:16Z"
    message: Installed bundle registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:8a593c1144709c9aeffbeb68d0b4b08368f528e7bb6f595884b2474bcfbcafcd
      successfully
    observedGeneration: 3
    reason: Succeeded
    status: "True"
    type: Installed
  - lastTransitionTime: "2025-02-18T21:48:16Z"
    message: 'error upgrading from currently installed version "1.15.2": no bundles
      found for package "openshift-pipelines-operator-rh" matching version "9.x"'
    observedGeneration: 3
    reason: Retrying
    status: "True"
    type: Progressing
  install:
    bundle:
      name: openshift-pipelines-operator-rh.v1.15.2
      version: 1.15.2

apiVersion: olm.operatorframework.io/v1
kind: ClusterExtension
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"olm.operatorframework.io/v1","kind":"ClusterExtension","metadata":{"annotations":{},"name":"pipes"},"spec":{"namespace":"pipelines","serviceAccount":{"name":"pipelines-installer"},"source":{"catalog":{"packageName":"openshift-pipelines-operator-rh","version":"9.x"},"sourceType":"Catalog"}}}
  creationTimestamp: "2025-02-18T21:48:13Z"
  finalizers:
  - olm.operatorframework.io/cleanup-unpack-cache
  - olm.operatorframework.io/cleanup-contentmanager-cache
  generation: 3
  name: pipes
  resourceVersion: "93334"
  uid: e18b13fb-a96d-436f-be75-a9a0f2b07993
spec:
  namespace: pipelines
  serviceAccount:
    name: pipelines-installer
  source:
    catalog:
      packageName: openshift-pipelines-operator-rh
      upgradeConstraintPolicy: CatalogProvided
      version: 9.x
    sourceType: Catalog
status:
  conditions:
  - lastTransitionTime: "2025-02-18T21:48:13Z"
    message: ""
    observedGeneration: 2
    reason: Deprecated
    status: "False"
    type: Deprecated
  - lastTransitionTime: "2025-02-18T21:48:13Z"
    message: ""
    observedGeneration: 2
    reason: Deprecated
    status: "False"
    type: PackageDeprecated
  - lastTransitionTime: "2025-02-18T21:48:13Z"
    message: ""
    observedGeneration: 2
    reason: Deprecated
    status: "False"
    type: ChannelDeprecated
  - lastTransitionTime: "2025-02-18T21:48:13Z"
    message: ""
    observedGeneration: 2
    reason: Deprecated
    status: "False"
    type: BundleDeprecated
  - lastTransitionTime: "2025-02-18T21:48:16Z"
    message: Installed bundle registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:8a593c1144709c9aeffbeb68d0b4b08368f528e7bb6f595884b2474bcfbcafcd
      successfully
    observedGeneration: 3
    reason: Succeeded
    status: "True"
    type: Installed
  - lastTransitionTime: "2025-02-18T21:48:16Z"
    message: 'error upgrading from currently installed version "1.15.2": no bundles
      found for package "openshift-pipelines-operator-rh" matching version "9.x"'
    observedGeneration: 3
    reason: Retrying
    status: "True"
    type: Progressing
  install:
    bundle:
      name: openshift-pipelines-operator-rh.v1.15.2
      version: 1.15.2

Copy to Clipboard

Toggle word wrap

5.1.8. 删除 Operator
复制链接

您可以通过删除 ClusterExtension 自定义资源 (CR) 来删除 Operator 及其自定义资源定义 (CRD)。

先决条件

已安装目录。
已安装 Operator。

流程

运行以下命令来删除 Operator 及其 CRD：

oc delete clusterextension <operator_name>

$ oc delete clusterextension <operator_name>

Copy to Clipboard

Toggle word wrap

输出示例

clusterextension.olm.operatorframework.io "<operator_name>" deleted

clusterextension.olm.operatorframework.io "<operator_name>" deleted

Copy to Clipboard

Toggle word wrap

验证

运行以下命令验证您的 Operator 及其资源已被删除：
- 运行以下命令验证 Operator 已被删除：
  $ oc get clusterextensions
  Copy to Clipboard Toggle word wrap
  输出示例
  No resources found
  
  Copy to Clipboard Toggle word wrap
- 运行以下命令验证 Operator 的系统命名空间是否已删除：
  $ oc get ns <operator_name>-system
  Copy to Clipboard Toggle word wrap
  输出示例
  Error from server (NotFound): namespaces "<operator_name>-system" not found
  
  Copy to Clipboard Toggle word wrap

5.1. 管理集群扩展
复制链接

5.1.1. 支持的扩展
复制链接

5.1.2. 从目录查找 Operator
复制链接

5.1.2.1. 常见目录查询
复制链接

5.1.3. 集群扩展权限
复制链接

5.1.3.1. 创建命名空间
复制链接

5.1.3.2. 为扩展创建服务帐户
复制链接

5.1.3.3. 下载扩展的捆绑包清单
复制链接

5.1.3.4. 安装和管理集群扩展所需的权限
复制链接

5.1.3.5. 为扩展创建集群角色
复制链接

5.1.3.6. Red Hat OpenShift Pipelines Operator 的集群角色示例
复制链接

5.1.3.7. 为扩展创建集群角色绑定
复制链接

5.1.4. 在所有命名空间中安装集群扩展
复制链接

5.1.5. 在特定命名空间中部署集群扩展（技术预览）
复制链接

5.1.6. 集群扩展的 preflight 权限检查（技术预览）
复制链接

5.1.6.1. preflight 权限检查的报告示例
复制链接

5.1.6.2. 常见权限错误
复制链接

5.1.7. 更新集群扩展
复制链接

5.1.8. 删除 Operator
复制链接

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

第 5 章 集群扩展

5.1. 管理集群扩展复制链接链接已复制到粘贴板!

5.1.1. 支持的扩展复制链接链接已复制到粘贴板!

5.1.2. 从目录查找 Operator复制链接链接已复制到粘贴板!

5.1.2.1. 常见目录查询复制链接链接已复制到粘贴板!

5.1.3. 集群扩展权限复制链接链接已复制到粘贴板!

5.1.3.1. 创建命名空间复制链接链接已复制到粘贴板!

5.1.3.2. 为扩展创建服务帐户复制链接链接已复制到粘贴板!

5.1.3.3. 下载扩展的捆绑包清单复制链接链接已复制到粘贴板!

5.1.3.4. 安装和管理集群扩展所需的权限复制链接链接已复制到粘贴板!

5.1.3.5. 为扩展创建集群角色复制链接链接已复制到粘贴板!

5.1.3.6. Red Hat OpenShift Pipelines Operator 的集群角色示例复制链接链接已复制到粘贴板!

5.1.3.7. 为扩展创建集群角色绑定复制链接链接已复制到粘贴板!

5.1.4. 在所有命名空间中安装集群扩展复制链接链接已复制到粘贴板!

5.1.5. 在特定命名空间中部署集群扩展（技术预览）复制链接链接已复制到粘贴板!

5.1.6. 集群扩展的 preflight 权限检查（技术预览）复制链接链接已复制到粘贴板!

5.1.6.1. preflight 权限检查的报告示例复制链接链接已复制到粘贴板!

5.1.6.2. 常见权限错误复制链接链接已复制到粘贴板!

5.1.7. 更新集群扩展复制链接链接已复制到粘贴板!

5.1.8. 删除 Operator复制链接链接已复制到粘贴板!

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

第 5 章集群扩展

5.1. 管理集群扩展
复制链接

5.1.1. 支持的扩展
复制链接

5.1.2. 从目录查找 Operator
复制链接

5.1.2.1. 常见目录查询
复制链接

5.1.3. 集群扩展权限
复制链接

5.1.3.1. 创建命名空间
复制链接

5.1.3.2. 为扩展创建服务帐户
复制链接

5.1.3.3. 下载扩展的捆绑包清单
复制链接

5.1.3.4. 安装和管理集群扩展所需的权限
复制链接

5.1.3.5. 为扩展创建集群角色
复制链接

5.1.3.6. Red Hat OpenShift Pipelines Operator 的集群角色示例
复制链接

5.1.3.7. 为扩展创建集群角色绑定
复制链接

5.1.4. 在所有命名空间中安装集群扩展
复制链接

5.1.5. 在特定命名空间中部署集群扩展（技术预览）
复制链接

5.1.6. 集群扩展的 preflight 权限检查（技术预览）
复制链接

5.1.6.1. preflight 权限检查的报告示例
复制链接

5.1.6.2. 常见权限错误
复制链接

5.1.7. 更新集群扩展
复制链接

5.1.8. 删除 Operator
复制链接