xx

drone/drone-runner-rbac.yaml

@@ -26,3 +26,35 @@ roleRef:
   kind: Role
   name: drone
 
+---
+# Grant the pipeline SA cross-namespace permissions to manage Deployments and Services
+# and to read/create Namespaces when needed.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: drone-deployer
+rules:
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["get","list","watch","create"]
+- apiGroups: ["apps"]
+  resources: ["deployments"]
+  verbs: ["get","list","watch","create","update","patch"]
+- apiGroups: [""]
+  resources: ["services"]
+  verbs: ["get","list","watch","create","update","patch"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: drone-deployer-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: drone-deployer
+subjects:
+- kind: ServiceAccount
+  name: drone-pipeline
+  namespace: default
+

drone/install-drone.sh

@@ -6,6 +6,9 @@ echo "创建Drone数据目录..."
 sudo mkdir -p /opt/drone/data 
 sudo chown -R 1000:1000 /opt/drone
 
+kubectl create ns dev; 
+kubectl create ns test; 
+kubectl create ns prod
 # 应用所有yaml文件
 kubectl apply -f drone-pipeline-serviceaccount.yaml
 kubectl apply -f drone-runner-rbac.yaml

installk3s.sh

@@ -5,6 +5,8 @@ curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | INSTALL_K3S_MIR
 sudo chmod 644 /etc/rancher/k3s/k3s.yaml
 sudo chown th:th /etc/rancher/k3s/k3s.yaml
 
+
+
 4:导入镜像
 # 1. 先用 Docker 导入镜像
 docker load -i k3s-airgap-images-amd64.tar.gz
@@ -14,4 +16,5 @@ docker images
 # 3. 重启 k3s 让它重新拉取镜像
 sudo systemctl restart k3s
 # 验证结果
-kubectl get pods -A
+kubectl get pods -A
+