From 0d7a853a9d3e5814011bb6d2993b324caf343181 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E5=B0=8F=E4=BA=91?=
Date: Wed, 10 Sep 2025 20:10:20 +0800
Subject: [PATCH] xx
---
 drone/drone-runner-rbac.yaml | 32 ++++++++++++++++++++++++++++++++
 drone/install-drone.sh | 3 +++
 installk3s.sh | 5 ++++-
 3 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/drone/drone-runner-rbac.yaml b/drone/drone-runner-rbac.yaml
index 612edb3..0525b54 100644
--- a/drone/drone-runner-rbac.yaml
+++ b/drone/drone-runner-rbac.yaml
@@ -26,3 +26,35 @@ roleRef:
 kind: Role
 name: drone
+---
+# Grant the pipeline SA cross-namespace permissions to manage Deployments and Services
+# and to read/create Namespaces when needed.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: drone-deployer
+rules:
+- apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get","list","watch","create"]
+- apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get","list","watch","create","update","patch"]
+- apiGroups: [""]
+ resources: ["services"]
+ verbs: ["get","list","watch","create","update","patch"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: drone-deployer-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: drone-deployer
+subjects:
+- kind: ServiceAccount
+ name: drone-pipeline
+ namespace: default
+
diff --git a/drone/install-drone.sh b/drone/install-drone.sh
index 2ac0b89..a6a2d12 100755
--- a/drone/install-drone.sh
+++ b/drone/install-drone.sh
@@ -6,6 +6,9 @@ echo "创建Drone数据目录..."
 sudo mkdir -p /opt/drone/data
 sudo chown -R 1000:1000 /opt/drone
+kubectl create ns dev;
+kubectl create ns test;
+kubectl create ns prod
 # 应用所有yaml文件
 kubectl apply -f drone-pipeline-serviceaccount.yaml
 kubectl apply -f drone-runner-rbac.yaml
diff --git a/installk3s.sh b/installk3s.sh
index a85bb3b..f6fb58d 100644
--- a/installk3s.sh
+++ b/installk3s.sh
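Review bot: In drone/drone-runner-rbac.yaml, `drone-deployer-binding` is a ClusterRoleBinding, so the `drone-pipeline` ServiceAccount gets create/update/patch on Deployments and Services in every namespace, `kube-system` included, and anything that runs as a pipeline step inherits that reach. The added comment only asks for cross-namespace deploys, and install-drone.sh in this same patch creates `dev`, `test` and `prod`, so the ClusterRole can stay as a shared rule set and be bound with one RoleBinding per target namespace instead. With the namespaces created by the installer, the `namespaces` rule no longer needs `create`; a namespaced RoleBinding cannot grant the cluster-scoped `namespaces` resource anyway, so keep a separate read-only cluster-level binding only if pipelines really have to list them.

```yaml
# … unchanged: drone-deployer ClusterRole rules …
# replaces the drone-deployer-binding ClusterRoleBinding; repeat for test and prod
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: drone-deployer
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: drone-deployer
subjects:
- kind: ServiceAccount
  name: drone-pipeline
  namespace: default
```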
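Review bot: The three `kubectl create ns` lines added to drone/install-drone.sh fail with AlreadyExists on any second run, so the installer is no longer re-runnable; if the script runs under `set -e` (not visible in this hunk) it would stop before the `kubectl apply` steps. An idempotent form is `kubectl create ns dev --dry-run=client -o yaml | kubectl apply -f -`, repeated for `test` and `prod`, or a small Namespace manifest applied together with the other YAML files. The trailing `;` on the first two lines is unnecessary. The script continues outside the hunk.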
@@ -5,6 +5,8 @@ curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | INSTALL_K3S_MIR sudo chmod 644 /etc/rancher/k3s/k3s.yaml sudo chown th:th /etc/rancher/k3s/k3s.yaml + + 4:导入镜像 # 1. 先用 Docker 导入镜像 docker load -i k3s-airgap-images-amd64.tar.gz @@ -14,4 +16,5 @@ docker images # 3. 重启 k3s 让它重新拉取镜像 sudo systemctl restart k3s # 验证结果 -kubectl get pods -A \ No newline at end of file +kubectl get pods -A +