delete all pods in ns from cronjob

Time:02-17

I want to have a cron job inside a specific ns which will be able to delete all the namespace's pods. I tried the following:

apiVersion: batch/v1
kind: CronJob
metadata:
  name: restart
  namespace: foo
spec:
  concurrencyPolicy: Forbid
  schedule: "*/1 * * * *"
  jobTemplate:
    spec:
      backoffLimit: 2
      activeDeadlineSeconds: 600
      template:
        spec:
          restartPolicy: Never
          containers:
            - name: kubectl
              image: bitnami/kubectl:1.22.3
              command:
                - 'kubectl'
                - 'delete'
                - '--all'
                - 'pods'
                - '--namespace=foo'

and I get an error; any idea how to solve it? These are pods of a daemonset (which are in ns foo) that I want to delete from this namespace foo. Any idea?

This is the error:

Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:foo:default" cannot list resource "pods" in API group "" in the namespace "foo"
Stream closed EOF for foo/restart-27415740--1-495xg (kubectl)

CodePudding user response:

Your pod is using the credentials of the service account you are running it as. If you haven't specified a service account name, it will use the default one, or system:serviceaccount:foo:default in your case.

It's generally a bad idea to give any additional rights to the default SA, and by default it doesn't have any special privileges, so you need to create an additional service account, grant it rights to delete pods and then configure your CronJob to use it.

Let's create an SA named pod-exterminator, since it will exterminate pods:

kubectl create sa pod-exterminator

We need to create a Role which grants deletion rights:

kubectl create role pod-exterminator --verb=delete,list --resource=pods

We are granting list rights too, because without them the --all switch won't work and you'd have to specify all pod names yourself.

And then a RoleBinding, to grant our SA these rights (foo is your namespace name):

kubectl create rolebinding --serviceaccount foo:pod-exterminator \
  --role pod-exterminator pod-exterminator

Now you can specify serviceAccountName in your CronJob spec:

apiVersion: batch/v1
kind: CronJob
metadata:
  name: restart
  namespace: foo
spec:
  concurrencyPolicy: Forbid
  schedule: "*/1 * * * *"
  jobTemplate:
    spec:
      backoffLimit: 2
      activeDeadlineSeconds: 600
      template:
        spec:
          serviceAccountName: pod-exterminator
          restartPolicy: Never
          containers:
            - name: kubectl
              image: bitnami/kubectl:1.22.3
              command:
                - 'kubectl'
                - 'delete'
                - '--all'
                - 'pods'
                - '--namespace=foo'
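The three kubectl create commands in the answer above are imperative; the same ServiceAccount, Role and RoleBinding can be written declaratively so they can be reviewed and version-controlled, and the grant can be checked against the API server's own authorizer before the CronJob is deployed. The script below is an added example, not the answerer's code: it takes the namespace foo and the name pod-exterminator from the answer, keeps the Role to the two verbs the job needs (list and delete on pods, namespace-scoped, nothing cluster-wide), and uses kubectl auth can-i with --as impersonation to confirm the SA can do exactly that and cannot, for instance, delete secrets. The NS and SA environment variables and the APPLY=1 gate are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the original post): declarative equivalent of the
# "kubectl create sa/role/rolebinding" commands in the answer. Namespace "foo"
# and the name "pod-exterminator" come from the answer; NS, SA and APPLY are
# conventions of this script only.
NS="${NS:-foo}"
SA="${SA:-pod-exterminator}"

# Emit a ServiceAccount, a namespace-scoped Role limited to pods with only the
# verbs the job needs (list so that --all can enumerate, delete to remove),
# and the RoleBinding that ties them together. No cluster-wide rights.
rbac_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SA}
  namespace: ${NS}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${SA}
  namespace: ${NS}
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${SA}
  namespace: ${NS}
subjects:
  - kind: ServiceAccount
    name: ${SA}
    namespace: ${NS}
roleRef:
  kind: Role
  name: ${SA}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Count the verbs the Role grants: a cheap guard in CI against the Role
# quietly growing beyond the two the job actually needs.
granted_verb_count() {
  rbac_manifest | grep '^    verbs:' | tr ',' '\n' | wc -l | tr -d ' '
}

# Ask the API server's authorizer what the SA may do, impersonating it with
# --as (the caller needs impersonate rights for this). The first two checks
# are expected to print "yes"; the secrets check is expected to print "no"
# and is allowed to return non-zero without aborting the script.
verify_rbac() {
  subject="system:serviceaccount:${NS}:${SA}"
  kubectl auth can-i list pods --as="${subject}" -n "${NS}"
  kubectl auth can-i delete pods --as="${subject}" -n "${NS}"
  kubectl auth can-i delete secrets --as="${subject}" -n "${NS}" || true
}

# Print the manifest; only touch a cluster when explicitly asked to.
rbac_manifest
if [ "${APPLY:-0}" = "1" ] && command -v kubectl >/dev/null 2>&1; then
  rbac_manifest | kubectl apply -f -
  verify_rbac
fi
```

Run it without arguments to print the manifest for review; set APPLY=1 to apply it and run the can-i checks against the current kubeconfig context. Note what this Role permits: delete on every pod in the namespace, including the CronJob's own kubectl pod while it is running. If only the daemonset's pods should go, a label selector on the delete command (kubectl delete pods -l <label> -n foo instead of --all) keeps the job from taking out unrelated workloads in the same namespace.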
