Deploying Argo Workflows


Installation

kubectl apply -f https://github.com/argoproj/argo-workflows/releases/download/v3.4.2/quick-start-mysql.yaml

Service status

argo-servers
root@ubuntu:~# kubectl -n argo get all
NAME                                      READY   STATUS    RESTARTS   AGE
pod/argo-server-64f8df864d-t4ntp          1/1     Running   0          3m40s
pod/httpbin-6979fdc65b-sxnt2              1/1     Running   0          3m40s
pod/minio-5c8f5fb598-p7nkz                1/1     Running   0          3m39s
pod/mysql-7c888c6864-vx5fk                1/1     Running   0          3m38s
pod/workflow-controller-6579dd99d-cvxwk   1/1     Running   0          3m37s

NAME                  TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)             AGE
service/argo-server   NodePort    10.245.204.179   <none>        2746:30786/TCP      3m45s
service/httpbin       ClusterIP   10.245.101.188   <none>        9100/TCP            3m44s
service/minio         ClusterIP   10.245.103.33    <none>        9000/TCP,9001/TCP   3m43s
service/mysql         ClusterIP   10.245.50.143    <none>        3306/TCP            3m43s

NAME                                  READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/argo-server           1/1     1            1           3m42s
deployment.apps/httpbin               1/1     1            1           3m42s
deployment.apps/minio                 1/1     1            1           3m41s
deployment.apps/mysql                 1/1     1            1           3m40s
deployment.apps/workflow-controller   1/1     1            1           3m39s

NAME                                            DESIRED   CURRENT   READY   AGE
replicaset.apps/argo-server-64f8df864d          1         1         1       3m42s
replicaset.apps/httpbin-6979fdc65b              1         1         1       3m42s
replicaset.apps/minio-5c8f5fb598                1         1         1       3m41s
replicaset.apps/mysql-7c888c6864                1         1         1       3m40s
replicaset.apps/workflow-controller-6579dd99d   1         1         1       3m39s

Notes:

  • argo-server is the Argo server
  • minio is the artifact repository; the default Argo minio account is admin/password
    • kubectl -n argo get secrets my-minio-cred -o yaml
  • mysql/postgres is the database
  • workflow-controller is the workflow controller

Exposing the service via NodePort

kubectl -n argo patch svc argo-server -p '{"spec": {"type": "NodePort"}}'

Installing the argo client

  • Install the argo CLI; reference: https://github.com/argoproj/argo-workflows/releases/tag/v3.4.3
# Download the binary
curl -sLO https://github.com/argoproj/argo-workflows/releases/download/v3.4.3/argo-linux-amd64.gz

# Unzip
gunzip argo-linux-amd64.gz

# Make binary executable
chmod +x argo-linux-amd64

# Move binary to path
mv ./argo-linux-amd64 /usr/bin/argo

# Test installation
argo version
  • Commands
argo submit hello-world.yaml    # submit a workflow spec to Kubernetes
argo list                       # list current workflows
argo get hello-world-xxx        # get info about a specific workflow
argo logs hello-world-xxx       # print the logs from a workflow
argo delete hello-world-xxx     # delete workflow

Obtaining a token

  • Ways to obtain an authentication token; enter the Bearer token in the web login box to log in to Argo Workflows
# Method 1
$ argo auth token
Bearer dop_v1_xxx

# Method 2
$ kubectl -n argo exec -it argo-server-9cbd9b77c-5tkpm -- argo auth token
Bearer <jwt>

Argo Server auth mode

argo server --auth-mode sso

DR

# Exporting example
kubectl get wf,cwf,cwft,wftmpl -A -o yaml > backup.yaml

# Importing example
kubectl apply -f backup.yaml

FAQ

failed to list resources

  • Argo Workflows error log:
W0825 10:33:57.896940       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.24.3/tools/cache/reflector.go:167: failed to list *v1.ServiceAccount: serviceaccounts is forbidden: User "system:serviceaccount:argo:argo-server" cannot list resource "serviceaccounts" in API group "" at the cluster scope
E0825 10:33:57.896988       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.24.3/tools/cache/reflector.go:167: Failed to watch *v1.ServiceAccount: failed to list *v1.ServiceAccount: serviceaccounts is forbidden: User "system:serviceaccount:argo:argo-server" cannot list resource "serviceaccounts" in API group "" at the cluster scope
$ kubectl -n argo get ClusterRole | grep "argo-server"
argo-server-clusterworkflowtemplate-role                               2022-08-23T08:16:59Z

$ kubectl get ClusterRoleBinding | grep "argo-server"
argo-server-clusterworkflowtemplate-role-binding       ClusterRole/argo-server-clusterworkflowtemplate-role                               26h

$ kubectl -n argo get pod argo-server-7cc5d64869-jtwmw -o yaml
...
spec:
  containers:
  - name: argo-server
    ...
  serviceAccount: argo-server
  serviceAccountName: argo-server
  ...

$ kubectl -n argo get rolebinding
NAME                       ROLE                            AGE
...
argo-server-binding        Role/argo-server-role           41h
...

$ kubectl -n argo get rolebinding argo-server-binding -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"argo-server-binding","namespace":"argo"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"argo-server-role"},"subjects":[{"kind":"ServiceAccount","name":"argo-server","namespace":"argo"}]}
  creationTimestamp: "2022-08-23T08:17:02Z"
  name: argo-server-binding
  namespace: argo
  resourceVersion: "3262386"
  uid: fb39f2f4-ec52-4005-a65d-33bdb8b9b3eb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argo-server-role
subjects:
- kind: ServiceAccount
  name: argo-server
  namespace: argo

$ kubectl -n argo get role argo-server-role -o yaml
...
rules:
...
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - list
  - watch
...
  • Solution: this is a startup-argument problem; fix it as follows
spec:
  containers:
  - args:
    - server
    - --namespaced
    - --auth-mode
    - server
    - --auth-mode
    - client
    image: quay.io/argoproj/argocli:v3.4.3
    imagePullPolicy: IfNotPresent
    name: argo-server
    ...
  • No-permission problem
kubectl -n argo apply -f ../argo-workflows/admin-user-sa.yaml

$ curl https://argo.kb.cx:30443/api/v1/userinfo
{
	"issuer": "argo-server",
	"subject": "ChhDZ2cxTURReE5UTTNOUklHWjJsMGFIVmkSA2RleA",
	"groups": ["beehat:test"],
	"email": "6@166.xyz",
	"emailVerified": true,
	"serviceAccountName": "admin-user",
	"serviceAccountNamespace": "argo"
}
  • Bind administrator privileges
$ kubectl create clusterrolebinding argo-admin-login-user --clusterrole=cluster-admin --serviceaccount=argo:admin-user
clusterrolebinding.rbac.authorization.k8s.io/argo-admin-login-user created
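  • casbin is not currently supported; for support status see: https://github.com/argoproj/argo-workflows/issues/6490

  • Argo Workflows relies on Kubernetes' native RBAC to implement its permission model (see reference)

  • Verify permissions

# Check whether configmaps can be updated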
kubectl auth can-i update configmaps
kubectl auth can-i --help
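
The FAQ denial and the cluster-admin binding above both come down to the scope at which an RBAC grant applies. The following is an added example, not code from the original page or the Argo project: a small Python model that answers the same question as kubectl auth can-i for the bindings shown on the page. The model itself and the narrower SCOPED_BINDINGS Role are illustrative assumptions.

```python
# Added example: minimal model of Kubernetes RBAC scoping. Object names mirror
# the page; SCOPED_BINDINGS is a hypothetical alternative, not from the page.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    verbs: tuple
    resources: tuple
    groups: tuple = ("",)

@dataclass(frozen=True)
class Binding:
    subject: str         # "system:serviceaccount:<namespace>:<name>"
    rules: tuple         # rules of the referenced Role or ClusterRole
    namespace: str = ""  # "" = ClusterRoleBinding, else the RoleBinding's namespace

def matches(values, wanted):
    return "*" in values or wanted in values

def can_i(bindings, subject, verb, resource, namespace="", group=""):
    """namespace="" is a cluster-scope request, e.g. a list across all namespaces."""
    for b in bindings:
        if b.subject != subject:
            continue
        # A RoleBinding grants only inside its own namespace, never at cluster scope.
        if b.namespace and b.namespace != namespace:
            continue
        if any(matches(r.verbs, verb) and matches(r.resources, resource)
               and matches(r.groups, group) for r in b.rules):
            return True
    return False

ARGO_SERVER = "system:serviceaccount:argo:argo-server"
ADMIN_USER = "system:serviceaccount:argo:admin-user"

# Constructed from the objects shown on the page.
PAGE_BINDINGS = [
    # RoleBinding argo-server-binding -> Role argo-server-role (namespace argo)
    Binding(ARGO_SERVER, (Rule(("get", "list", "watch"), ("serviceaccounts",)),), "argo"),
    # ClusterRoleBinding argo-admin-login-user -> ClusterRole cluster-admin
    Binding(ADMIN_USER, (Rule(("*",), ("*",), ("*",)),)),
]
# Hypothetical narrower grant: a Role in namespace argo limited to workflows.
SCOPED_BINDINGS = [Binding(ADMIN_USER, (Rule(
    ("get", "list", "watch", "create", "delete"), ("workflows",), ("argoproj.io",)),), "argo")]

if __name__ == "__main__":
    for args in ((PAGE_BINDINGS, ARGO_SERVER, "list", "serviceaccounts"),
                 (PAGE_BINDINGS, ARGO_SERVER, "list", "serviceaccounts", "argo"),
                 (PAGE_BINDINGS, ADMIN_USER, "get", "secrets", "kube-system"),
                 (SCOPED_BINDINGS, ADMIN_USER, "get", "secrets", "kube-system")):
        print(args[1:], "->", can_i(*args))
```

Against a live cluster, kubectl auth can-i list serviceaccounts --as=system:serviceaccount:argo:argo-server with -n argo or -A asks the first two questions directly.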

Configuring configmap loading

References
