Writing a Kubernetes operator in Golang

Translator's note: Kubernetes operators are helper programs designed to perform routine actions on cluster objects when certain events occur. We have already written about operators in this article, where we discussed the basic concepts and the principles behind how they work. But whereas that material looked at them more from the perspective of operating ready-made components for Kubernetes, the translation offered now is the view of a developer / DevOps engineer puzzling over how to implement a new operator.


I decided to write this post with a real-life example after my attempts to find documentation on creating an operator for Kubernetes ended up as a study of the code.

Here is the example that will be described: in our Kubernetes cluster, each Namespace represents a team's sandbox environment, and we wanted to restrict access so that teams could only play in their own sandboxes.

You can achieve this by assigning a user to a group that has a RoleBinding to a specific Namespace and a ClusterRole with edit rights. The YAML representation looks like this:

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: kubernetes-team-1
  namespace: team-1
subjects:
- kind: Group
  name: kubernetes-team-1
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io

(rolebinding.yaml, raw)

Creating a single RoleBinding can be done by hand, but once you pass the hundred-namespace mark it becomes a tedious task. This is where Kubernetes operators come in handy: they let you automate the creation of Kubernetes resources in response to changes in other resources. In our case we want to create a RoleBinding whenever a Namespace is created.

First, let's define the main function, which performs the setup needed to run the operator and then invokes the operator's action:

(Translator's note: here and below, the comments in the code have been translated. Also, the indentation has been changed to spaces instead of the [Go-recommended] tabs, solely for better readability in the Habr layout. After each listing there is a link to the original on GitHub, where the English comments and tabs are preserved.)

package main

import (
  "flag"
  "log"
  "os"
  "os/signal"
  "sync"
  "syscall"

  // The operator's own controller package; the page does not give the module path,
  // so the prefix below is a placeholder to be replaced with the repository's path.
  controller "MODULE_PATH_PLACEHOLDER/controller"
)

// newClientSet builds the Kubernetes clientset (in-cluster or from a kubeconfig when
// run-outside-cluster is set); it lives elsewhere in the repository and is not shown here.

func main() {
  // Send log output to the console STDOUT
  log.SetOutput(os.Stdout)

  sigs := make(chan os.Signal, 1) // Create a channel for receiving OS signals
  stop := make(chan struct{})     // Create a channel for delivering the stop signal

  // Register the sigs channel to receive SIGTERM (and SIGINT)
  signal.Notify(sigs, os.Interrupt, syscall.SIGTERM, syscall.SIGINT)

  // Goroutines can add themselves to the WaitGroup
  // so that their completion is waited for
  wg := &sync.WaitGroup{}

  runOutsideCluster := flag.Bool("run-outside-cluster", false, "Set this flag when running outside of the cluster.")
  flag.Parse()
  // Create a clientset for interacting with the Kubernetes cluster
  clientset, err := newClientSet(*runOutsideCluster)

  if err != nil {
    panic(err.Error())
  }

  // Run blocks until stop is closed, so it has to run in its own goroutine
  // for main to reach the signal wait below
  go controller.NewNamespaceController(clientset).Run(stop, wg)

  <-sigs // Wait for signals (nothing else happens until a signal arrives)
  log.Printf("Shutting down...")

  close(stop) // Tell the goroutines to stop
  wg.Wait()   // Wait for everything to be stopped
}

(main.go, raw)

Here we do the following:

  1. Set up a handler for specific OS signals so the operator can shut down gracefully.
  2. Use a WaitGroup to stop all goroutines gracefully before the application exits.
  3. Obtain access to the cluster by creating a clientset.
  4. Launch the NamespaceController, where all our logic will live.

Now we need a base for the logic, and in our case that is the aforementioned NamespaceController:

package controller

// Imports for the whole controller.go file, whose functions are shown in pieces.
// The paths are those of the client-go releases of that era and are assumed here:
// the API has no context arguments (pre-0.18), and the Core()/Rbac() accessors were
// later renamed CoreV1()/RbacV1beta1(). The linked GitHub repository is authoritative.
import (
  "fmt"
  "log"
  "sync"
  "time"

  "k8s.io/api/core/v1"
  "k8s.io/api/rbac/v1beta1"
  metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  "k8s.io/apimachinery/pkg/runtime"
  "k8s.io/apimachinery/pkg/watch"
  "k8s.io/client-go/kubernetes"
  "k8s.io/client-go/tools/cache"
)

// NamespaceController watches for changes to namespaces through the Kubernetes API
// and creates a RoleBinding for the specific namespace.
type NamespaceController struct {
  namespaceInformer cache.SharedIndexInformer
  kclient           *kubernetes.Clientset
}

// NewNamespaceController creates a new NamespaceController
func NewNamespaceController(kclient *kubernetes.Clientset) *NamespaceController {
  namespaceWatcher := &NamespaceController{}

  // Create an informer to watch Namespaces
  namespaceInformer := cache.NewSharedIndexInformer(
    &cache.ListWatch{
      ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
        return kclient.Core().Namespaces().List(options)
      },
      WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
        return kclient.Core().Namespaces().Watch(options)
      },
    },
    &v1.Namespace{},
    3*time.Minute, // resync period
    cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc},
  )

  // Call createRoleBinding whenever a Namespace is added
  namespaceInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
    AddFunc: namespaceWatcher.createRoleBinding,
  })

  namespaceWatcher.kclient = kclient
  namespaceWatcher.namespaceInformer = namespaceInformer

  return namespaceWatcher
}

(controller.go, raw)

Here we set up a SharedIndexInformer, which efficiently (using a cache) waits for changes to namespaces (read more about informers in the article "How does the Kubernetes scheduler actually work?"; translator's note). Then we attach an EventHandler to the informer, so that when a namespace (Namespace) is added, the createRoleBinding function is called.

Next, let's define this createRoleBinding function:

// createRoleBinding is the informer's AddFunc: it receives the new Namespace
// and creates the RoleBinding from rolebinding.yaml inside it.
func (c *NamespaceController) createRoleBinding(obj interface{}) {
  namespaceObj := obj.(*v1.Namespace)
  namespaceName := namespaceObj.Name

  roleBinding := &v1beta1.RoleBinding{
    TypeMeta: metav1.TypeMeta{
      Kind:       "RoleBinding",
      APIVersion: "rbac.authorization.k8s.io/v1beta1",
    },
    ObjectMeta: metav1.ObjectMeta{
      Name:      fmt.Sprintf("ad-kubernetes-%s", namespaceName),
      Namespace: namespaceName,
    },
    Subjects: []v1beta1.Subject{
      {
        Kind: "Group",
        Name: fmt.Sprintf("ad-kubernetes-%s", namespaceName),
      },
    },
    RoleRef: v1beta1.RoleRef{
      APIGroup: "rbac.authorization.k8s.io",
      Kind:     "ClusterRole",
      Name:     "edit",
    },
  }

  _, err := c.kclient.Rbac().RoleBindings(namespaceName).Create(roleBinding)

  if err != nil {
    log.Printf("Failed to create Role Binding: %s", err.Error())
  } else {
    log.Printf("Created AD RoleBinding for Namespace: %s", roleBinding.Name)
  }
}

(controller.go, raw)

We receive the namespace object obj and cast it to a Namespace. Then we define the RoleBinding, following the YAML file shown at the beginning, using the given Namespace, and create the RoleBinding. Finally, we log whether the creation succeeded.
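As an added example (not the article's code), here is the handler logic of createRoleBinding rewritten against a small client interface so it can be tested without a cluster, and made idempotent: the informer delivers an Add for every namespace that already exists whenever the operator starts or restarts, so the handler above logs a failure for each namespace that already has its binding. Namespace, RoleBinding, BindingClient and fakeClient are stand-ins constructed for this example, not client-go types; the names and the edit ClusterRole follow the page.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrAlreadyExists stands in for the apierrors.IsAlreadyExists case of client-go.
var ErrAlreadyExists = errors.New("rolebinding already exists")

// Namespace and RoleBinding carry only the fields the page's handler fills in.
type Namespace struct{ Name string }
type RoleBinding struct{ Name, Namespace, Group, ClusterRole string }

// BindingClient is the slice of the Kubernetes client the handler needs, so the
// logic can be exercised against the fake below instead of a live cluster.
type BindingClient interface{ Create(rb RoleBinding) error }

// desiredRoleBinding builds the binding the way createRoleBinding on the page does.
func desiredRoleBinding(ns string) RoleBinding {
	name := fmt.Sprintf("ad-kubernetes-%s", ns) // binding and group share the name, as on the page
	return RoleBinding{Name: name, Namespace: ns, Group: name, ClusterRole: "edit"}
}

// ensureRoleBinding is the idempotent form of the AddFunc handler: an Add is replayed
// for every existing namespace when the operator (re)starts, so an existing binding is
// success, and an unexpected object type is reported instead of panicking the informer.
func ensureRoleBinding(client BindingClient, obj interface{}) error {
	ns, ok := obj.(*Namespace)
	if !ok {
		return fmt.Errorf("unexpected object %T in namespace handler", obj)
	}
	err := client.Create(desiredRoleBinding(ns.Name))
	if err != nil && !errors.Is(err, ErrAlreadyExists) {
		return err
	}
	return nil
}

// fakeClient records bindings by namespace/name and rejects duplicates, as the API server would.
type fakeClient struct{ bindings map[string]RoleBinding }
func newFakeClient() *fakeClient { return &fakeClient{bindings: map[string]RoleBinding{}} }
func (f *fakeClient) Create(rb RoleBinding) error {
	key := rb.Namespace + "/" + rb.Name
	if _, exists := f.bindings[key]; exists {
		return ErrAlreadyExists
	}
	f.bindings[key] = rb
	return nil
}
```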

The last function to define is Run:

// Run starts the process of waiting for changes in namespaces
// and acting in accordance with those changes.
func (c *NamespaceController) Run(stopCh <-chan struct{}, wg *sync.WaitGroup) {
  // When this function finishes, mark it as done
  defer wg.Done()

  // Increment the wait group, since we are about to start a goroutine
  wg.Add(1)

  // Start the goroutine
  go c.namespaceInformer.Run(stopCh)

  // Wait for the stop signal
  <-stopCh
}

(controller.go, raw)

Here we communicate with the WaitGroup, start the goroutine, and then call namespaceInformer, which was defined earlier. When the stop signal arrives, it ends the function, informs the WaitGroup that it is no longer running, and this function exits.
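Run above does wg.Add(1) inside itself; once Run is started with go (which main needs in order to reach its <-sigs wait), that Add can run after main's wg.Wait has already observed a zero counter, and Wait returns before the informer goroutine has stopped. The sync.WaitGroup documentation requires a positive Add to happen before Wait. The added example below (not the article's code) keeps the page's Run, stop-channel and WaitGroup structure but moves Add to the caller; Informer and blockingInformer are constructed stand-ins for cache.SharedIndexInformer so it runs without a cluster.

```go
package main

import (
	"sync"
	"sync/atomic"
	"time"
)

// Informer stands in for cache.SharedIndexInformer: Run blocks until stopCh is closed.
type Informer interface{ Run(stopCh <-chan struct{}) }

// blockingInformer is a constructed stand-in that records having seen the stop signal.
type blockingInformer struct{ stopped int32 }

func (f *blockingInformer) Run(stopCh <-chan struct{}) {
	<-stopCh
	atomic.StoreInt32(&f.stopped, 1)
}

func (f *blockingInformer) Stopped() bool { return atomic.LoadInt32(&f.stopped) == 1 }

// NamespaceController is the page's type reduced to what the shutdown path needs.
type NamespaceController struct{ informer Informer }

// Run only signals completion. The caller owns wg.Add(1): it must happen before the
// goroutine that will call Done is started, otherwise wg.Wait can return early.
func (c *NamespaceController) Run(stopCh <-chan struct{}, wg *sync.WaitGroup) {
	defer wg.Done()
	c.informer.Run(stopCh) // blocks until stopCh is closed, so no extra goroutine or <-stopCh
}

// shutdown models the page's main: start the controller, wait for the trigger (the OS
// signal in main), close stop, then wait for every goroutine. It reports whether Wait
// returned before the deadline, i.e. whether shutdown completed cleanly.
func shutdown(c *NamespaceController, trigger <-chan struct{}, deadline time.Duration) bool {
	stop := make(chan struct{})
	wg := &sync.WaitGroup{}
	wg.Add(1) // before go, never inside the goroutine
	go c.Run(stop, wg)
	<-trigger
	close(stop) // main logs "Shutting down..." here and tells the goroutines to stop
	done := make(chan struct{})
	go func() { wg.Wait(); close(done) }()
	select {
	case <-done:
		return true
	case <-time.After(deadline):
		return false
	}
}
```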

Information on building and running this operator in a Kubernetes cluster can be found in the repository on GitHub.

That's it: our operator, which creates a RoleBinding whenever a Namespace is created in the Kubernetes cluster, is ready.

Source: www.habr.com
