1.8. Configuring event listeners to serve multiple namespaces
If you want to create a basic CI/CD pipeline, you can skip this section. However, if your deployment strategy involves multiple namespaces, you can configure event listeners to serve multiple namespaces.
To increase the reusability of EventListener objects, cluster administrators can configure and deploy them as multi-tenant event listeners that serve multiple namespaces.
Procedure
1. Configure cluster-wide fetch permission for event listeners.

   a. Set the service account name to be used in the ClusterRoleBinding and EventListener objects, for example el-sa.

   Example ServiceAccount.yaml

   ```yaml
   apiVersion: v1
   kind: ServiceAccount
   metadata:
     name: el-sa
   ---
   ```
   b. In the rules section of the ClusterRole.yaml file, set the permissions each event listener deployment needs in order to work cluster-wide.

   Example ClusterRole.yaml

   ```yaml
   kind: ClusterRole
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
     name: el-sel-clusterrole
   rules:
   - apiGroups: ["triggers.tekton.dev"]
     resources: ["eventlisteners", "clustertriggerbindings", "clusterinterceptors", "triggerbindings", "triggertemplates", "triggers"]
     verbs: ["get", "list", "watch"]
   - apiGroups: [""]
     resources: ["configmaps", "secrets"]
     verbs: ["get", "list", "watch"]
   - apiGroups: [""]
     resources: ["serviceaccounts"]
     verbs: ["impersonate"]
   ...
   ```
   c. Configure the cluster role binding with the appropriate service account name and cluster role name.

   Example ClusterRoleBinding.yaml

   ```yaml
   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRoleBinding
   metadata:
     name: el-mul-clusterrolebinding
   subjects:
   - kind: ServiceAccount
     name: el-sa
     namespace: default
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: ClusterRole
     name: el-sel-clusterrole
   ...
   ```
2. In the spec parameter of the event listener, add the service account name, for example el-sa. Fill the namespaceSelector parameter with the names of the namespaces the event listener is intended to serve.

   Example EventListener.yaml

   ```yaml
   apiVersion: triggers.tekton.dev/v1beta1
   kind: EventListener
   metadata:
     name: namespace-selector-listener
   spec:
     taskRunTemplate:
       serviceAccountName: el-sa
     namespaceSelector:
       matchNames:
       - default
       - foo
   ...
   ```
3. Create a service account with the necessary permissions, for example foo-trigger-sa. Use it to bind the triggers.

   Example ServiceAccount.yaml

   ```yaml
   apiVersion: v1
   kind: ServiceAccount
   metadata:
     name: foo-trigger-sa
     namespace: foo
   ...
   ```

   Example RoleBinding.yaml

   ```yaml
   apiVersion: rbac.authorization.k8s.io/v1
   kind: RoleBinding
   metadata:
     name: triggercr-rolebinding
     namespace: foo
   subjects:
   - kind: ServiceAccount
     name: foo-trigger-sa
     namespace: foo
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: ClusterRole
     name: tekton-triggers-eventlistener-roles
   ...
   ```
4. Create a trigger with the appropriate trigger template, trigger binding, and service account name.

   Example Trigger.yaml

   ```yaml
   apiVersion: triggers.tekton.dev/v1beta1
   kind: Trigger
   metadata:
     name: trigger
     namespace: foo
   spec:
     taskRunTemplate:
       serviceAccountName: foo-trigger-sa
     interceptors:
     - ref:
         name: "github"
       params:
       - name: "secretRef"
         value:
           secretName: github-secret
           secretKey: secretToken
       - name: "eventTypes"
         value: ["push"]
     bindings:
     - ref: vote-app
     template:
       ref: vote-app
   ...
   ```
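The following is an added example, not part of the Red Hat documentation or the Tekton project: a stand-alone check that the objects created in steps 1 to 4 are wired together as the procedure intends, so that the listener's cluster-wide role stays read-plus-impersonate only, its service account is the one actually bound, and every namespace it serves has a tenant Trigger with its own bound service account. The manifests are mirrored as Python dicts (constructed from the YAML above) and the listener's own namespace is assumed to be default.

```python
# Added example: consistency check over the multi-tenant EventListener wiring described above.
# Manifests are mirrored as plain dicts (constructed), so no YAML library is needed.
CLUSTER_ROLE = {
    "metadata": {"name": "el-sel-clusterrole"},
    "rules": [
        {"apiGroups": ["triggers.tekton.dev"],
         "resources": ["eventlisteners", "clustertriggerbindings", "clusterinterceptors",
                       "triggerbindings", "triggertemplates", "triggers"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["configmaps", "secrets"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["impersonate"]},
    ],
}
CLUSTER_ROLE_BINDING = {
    "subjects": [{"kind": "ServiceAccount", "name": "el-sa", "namespace": "default"}],
    "roleRef": {"kind": "ClusterRole", "name": "el-sel-clusterrole"},
}
EVENT_LISTENER = {"spec": {"taskRunTemplate": {"serviceAccountName": "el-sa"},
                           "namespaceSelector": {"matchNames": ["default", "foo"]}}}
TRIGGERS = [{"metadata": {"namespace": "foo"},
             "spec": {"taskRunTemplate": {"serviceAccountName": "foo-trigger-sa"}}}]
ROLE_BINDINGS = [{"metadata": {"namespace": "foo"},
                  "subjects": [{"kind": "ServiceAccount", "name": "foo-trigger-sa", "namespace": "foo"}],
                  "roleRef": {"kind": "ClusterRole", "name": "tekton-triggers-eventlistener-roles"}}]

# The listener only needs to read trigger resources and impersonate tenant service accounts.
EXPECTED_VERBS = {"get", "list", "watch", "impersonate"}

def excess_verbs(cluster_role):
    """Verbs granted cluster-wide beyond the read + impersonate set the procedure calls for."""
    granted = {v for rule in cluster_role["rules"] for v in rule["verbs"]}
    return sorted(granted - EXPECTED_VERBS)

def listener_is_bound(listener, binding, cluster_role, listener_ns="default"):
    """True if the listener's service account (assumed to live in listener_ns) is the bound subject."""
    sa = listener["spec"]["taskRunTemplate"]["serviceAccountName"]
    subjects = {(s["kind"], s["name"], s["namespace"]) for s in binding["subjects"]}
    return (binding["roleRef"]["name"] == cluster_role["metadata"]["name"]
            and ("ServiceAccount", sa, listener_ns) in subjects)

def unwired_namespaces(listener, triggers, rolebindings):
    """Served namespaces with no Trigger whose service account holds a RoleBinding there."""
    bound = {(rb["metadata"]["namespace"], s["name"])
             for rb in rolebindings for s in rb["subjects"] if s["kind"] == "ServiceAccount"}
    wired = {t["metadata"]["namespace"] for t in triggers
             if (t["metadata"]["namespace"], t["spec"]["taskRunTemplate"]["serviceAccountName"]) in bound}
    return [ns for ns in listener["spec"]["namespaceSelector"]["matchNames"] if ns not in wired]
```

Run against the page's own manifests, the check reports default as unwired, because the listener serves default and foo but the procedure only shows the tenant service account, RoleBinding and Trigger for foo; each additional served namespace needs the same three objects.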