
Pitfalls when deploying with KubeSphere + DevOps: User "system:serviceaccount:kubesphere-devops-worker:default" cannot get res

Environment:

kubernetes v1.21.5
kubesphere v3.2.1

Workflow for building and deploying a Maven project with KubeSphere + DevOps (officially recommended):

Build and Deploy a Maven Project

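Below is a record of the problem I ran into.

As shown in the figure, the main problem occurs at step five of the pipeline: automatically deploying the image to the k8s cluster.

The error, as shown in the figure above: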

+ envsubst
+ kubectl apply -f -
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "apps/v1, Resource=deployments", GroupVersionKind: "apps/v1, Kind=Deployment"
Name: "ttc-dev-v1", Namespace: "ttc"
from server for: "STDIN": deployments.apps "ttc-dev-v1" is forbidden: User "system:serviceaccount:kubesphere-devops-worker:default" cannot get resource "deployments" in API group "apps" in the namespace "ttc"
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "/v1, Resource=services", GroupVersionKind: "/v1, Kind=Service"
Name: "ttc-dev", Namespace: "ttc"
from server for: "STDIN": services "ttc-dev" is forbidden: User "system:serviceaccount:kubesphere-devops-worker:default" cannot get resource "services" in API group "" in the namespace "ttc"
script returned exit code 1

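Approach to the fix:

1. Log in with the admin account and create two accounts, ttc and ttc-dev, assigning them the platform-admin and platform-regular roles respectively.

2. Create a new workspace, ttc, and assign it to the ttc account.

3. Log in as ttc, enter the ttc workspace, and invite the ttc-dev account.

The steps above are all described in detail in: Create Workspaces, Projects, Users and Roles

4. Log in as ttc-dev and create the pipeline project ttc-dev.

5. Edit the pipeline's Jenkinsfile.

6. Create deploy.yaml. This file is the configuration for automatic deployment to the k8s cluster and is configured in step five of the pipeline.

I think this error was mainly caused by mistakes in the Jenkinsfile and Deploy.yaml. Below are the snippets that worked for me, all pasted here for the record.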

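Deploy.yaml snippet:
# The block below deploys the workload in the project
kind: Deployment
apiVersion: apps/v1
metadata:
  name: ttc-dev-v1    # name of the workload in the project, within the ttc workspace
  namespace: ttc-dev  # name of the project within the ttc workspace; this must be correct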
  labels:
    app: ttc-dev
    version: v1
  annotations:
    deployment.kubernetes.io/revision: '1'
    kubesphere.io/creator: admin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ttc-dev
      version: v1
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: ttc-dev
        version: v1
    spec:
      volumes:
        - name: host-time
          hostPath:
            path: /etc/localtime
            type: ''
      containers:
        - name: container-xmbuab
          image: 'registry.cn-hangzhou.aliyuncs.com/houchengwei/ttc-dev:SNAPSHOT-$BUILD_NUMBER'
          ports:
            - name: http-9999
              containerPort: 9999
              protocol: TCP
          resources:
            limits:
              cpu: '1'
              memory: 512Mi
          volumeMounts:
            - name: host-time
              readOnly: true
              mountPath: /etc/localtime
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          imagePullPolicy: IfNotPresent
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      serviceAccountName: default
      serviceAccount: default
      securityContext: {}
      imagePullSecrets:
        - name: ali-docker-hub
      schedulerName: default-scheduler
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600

# The block below deploys the service in the project
---
kind: Service
apiVersion: v1
metadata:
  name: ttc-dev
  namespace: ttc-dev
  labels:
    app: ttc-dev
    version: v1
  annotations:
    kubesphere.io/creator: admin
    kubesphere.io/serviceType: statelessservice
spec:
  ports:
    - name: http-9999
      protocol: TCP
      port: 9999
      targetPort: 9999
      nodePort: 30878
  selector:
    app: ttc-dev
  clusterIP: 10.233.25.139
  clusterIPs:
    - 10.233.25.139
  type: NodePort
  sessionAffinity: None
  externalTrafficPolicy: Cluster
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack

Jenkinsfile snippet:
pipeline {
  agent {
    node {
      label 'maven'
    }

  }
  stages {
    stage('拉取代码') {
      steps {
        container('maven') {
          git(url: 'https://gitee.com/houchengwei/ttc.git', credentialsId: 'gitee', branch: 'dev', changelog: true, poll: false)
        }

      }
    }

    stage('项目编译') {
      steps {
        container('maven') {
          sh 'mvn clean package -Dmaven.test.skip=true'
          sh 'ls'
        }

      }
    }

    stage('构建镜像') {
      steps {
        container('maven') {
          sh '''ls
cd target
ls'''
          sh 'docker build -t ttc:latest -f Dockerfile ./'
        }

      }
    }

    stage('推送镜像') {
      steps {
        container('maven') {
          withCredentials([usernamePassword(credentialsId : 'ali-docker-hub' ,passwordVariable : 'DOCKER_PWD_VAR' ,usernameVariable : 'DOCKER_USER_VAR' ,)]) {
            sh 'echo "$DOCKER_PWD_VAR" | docker login $REGISTRY -u "$DOCKER_USER_VAR" --password-stdin'
            sh 'docker tag ttc:latest registry.cn-hangzhou.aliyuncs.com/houchengwei/ttc-dev:SNAPSHOT-$BUILD_NUMBER'
            sh 'docker push registry.cn-hangzhou.aliyuncs.com/houchengwei/ttc-dev:SNAPSHOT-$BUILD_NUMBER'
          }

        }

      }
    }

    stage('deploy to dev') {
      steps {
        container('maven') {
          withCredentials([kubeconfigFile(credentialsId : 'demo-kubeconfig' ,variable : 'KUBECONFIG' )]) {
            sh 'envsubst < deploy.yaml | kubectl apply -f -'
          }

        }

      }
    }

  }
  environment {
    DOCKER_CREDENTIAL_ID = 'dockerhub-id'
    GITHUB_CREDENTIAL_ID = 'github-id'
    KUBECONFIG_CREDENTIAL_ID = 'demo-kubeconfig'
    REGISTRY = 'registry.cn-hangzhou.aliyuncs.com'
    DOCKERHUB_NAMESPACE = 'houchengwei'
    GITHUB_ACCOUNT = 'kubesphere'
    APP_NAME = 'ttc'
  }
  parameters {
    string(name: 'TAG_NAME', defaultValue: '', description: '')
  }
}
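
An added triage helper, not part of the original post: it parses each Forbidden line from the log above into identity, verb, resource and namespace, prints the matching `kubectl auth can-i` impersonation check, and guards that every object in deploy.yaml targets the expected project namespace. The function names are hypothetical and the sample lines are constructed from the log above, where the denied namespace is "ttc" while the working manifest targets "ttc-dev".

```shell
#!/bin/sh
# Constructed sample: the two "forbidden" messages from the pipeline log above.
DENIALS='deployments.apps "ttc-dev-v1" is forbidden: User "system:serviceaccount:kubesphere-devops-worker:default" cannot get resource "deployments" in API group "apps" in the namespace "ttc"
services "ttc-dev" is forbidden: User "system:serviceaccount:kubesphere-devops-worker:default" cannot get resource "services" in API group "" in the namespace "ttc"'

# Parse kubectl Forbidden messages on stdin into user|verb|resource|group|namespace.
parse_denials() {
  sed -nE 's/.*User "([^"]+)" cannot ([a-z]+) resource "([^"]+)" in API group "([^"]*)" in the namespace "([^"]+)".*/\1|\2|\3|\4|\5/p'
}

# Turn one parsed record into the kubectl command that re-checks that permission
# by impersonating the denied identity (to be run with an admin kubeconfig).
can_i_cmd() {
  IFS='|' read -r user verb res group ns <<EOF
$1
EOF
  [ -n "$group" ] && res="$res.$group"   # the core API group ("") needs no suffix
  printf 'kubectl auth can-i %s %s -n %s --as=%s\n' "$verb" "$res" "$ns" "$user"
}

# List the distinct metadata.namespace values of a manifest read from stdin
# (assumes the two-space indentation used in deploy.yaml on this page).
manifest_namespaces() {
  awk '/^  namespace:/ { print $2 }' | sort -u
}

# Pre-apply guard: succeed only if every object targets the expected namespace.
check_namespace() {   # $1 = expected namespace, manifest on stdin
  found=$(manifest_namespaces)
  [ "$found" = "$1" ]
}

# Distinct namespaces named in the denials, to compare with the intended project.
denied_namespaces() {
  parse_denials | cut -d'|' -f5 | sort -u
}

# Print one re-check command per denial in the sample log.
printf '%s\n' "$DENIALS" | parse_denials | while IFS= read -r rec; do
  can_i_cmd "$rec"
done
```

In the pipeline, `envsubst < deploy.yaml | check_namespace ttc-dev` can run before the `kubectl apply` step so a wrong namespace fails early instead of surfacing as an RBAC denial.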
