Nco tseg. txhais.: Cov neeg khiav dej num yog cov pab cuam software rau Kubernetes, tsim los ua kom muaj kev ua haujlwm ntawm kev ua haujlwm niaj hnub ntawm pawg khoom thaum qee yam xwm txheej tshwm sim. Peb twb tau sau txog cov neeg ua haujlwm hauv
Kuv txiav txim siab sau tsab ntawv no nrog rau qhov piv txwv ntawm lub neej tiag tiag tom qab kuv sim nrhiav cov ntaub ntawv ntawm kev tsim tus neeg teb xov tooj rau Kubernetes, uas tau dhau los ntawm kev kawm cov cai.
Qhov piv txwv uas yuav piav qhia yog qhov no: hauv peb cov Kubernetes pawg, txhua tus Namespace
sawv cev rau pab pawg sandbox ib puag ncig, thiab peb xav txwv kev nkag mus rau lawv kom cov pab pawg tsuas tuaj yeem ua si hauv lawv tus kheej sandboxes.
Koj tuaj yeem ua tiav qhov koj xav tau los ntawm kev muab tus neeg siv ib pab pawg uas muaj RoleBinding
rau qhov tshwj xeeb Namespace
thiab ClusterRole
nrog kho cov cai. Tus sawv cev YAML yuav zoo li no:
---
# Grants the directory group "kubernetes-team-1" the built-in "edit" ClusterRole,
# but only inside the "team-1" namespace: a RoleBinding is namespace-scoped, so
# the ClusterRole's permissions never extend to other namespaces.
kind: RoleBinding
# NOTE(review): rbac.authorization.k8s.io/v1beta1 is the deprecated RBAC API;
# recent clusters serve only rbac.authorization.k8s.io/v1 - confirm for your version.
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: kubernetes-team-1
  namespace: team-1
subjects:
  # The group name must match what the cluster's authenticator (AD/OIDC) puts
  # into the user's groups claim.
  - kind: Group
    name: kubernetes-team-1
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  # "edit" is broad - it includes reading Secrets and creating workloads in the
  # namespace - so pair it with admission controls (e.g. Pod Security) if the
  # sandbox boundary matters.
  name: edit
  apiGroup: rbac.authorization.k8s.io
Tsim ib qho RoleBinding
Koj tuaj yeem ua nws manually, tab sis tom qab hla lub cim cim npe, nws dhau los ua haujlwm nyuaj. Qhov no yog qhov uas Kubernetes cov neeg ua haujlwm tuaj yeem ua ke-lawv tso cai rau koj los tsim cov peev txheej Kubernetes raws li kev hloov pauv rau cov peev txheej. Hauv peb qhov xwm txheej peb xav tsim RoleBinding
thaum tsim Namespace
.
Ua ntej tshaj, cia peb txhais cov haujlwm main
uas ua qhov yuav tsum tau teeb tsa los khiav cov nqe lus thiab tom qab ntawd hu rau nqe lus ua haujlwm:
(Nco tseg. txhais.: ntawm no thiab hauv qab cov lus hauv cov cai tau muab txhais ua lus Lavxias. Ntxiv mus, qhov indentation tau raug kho rau qhov chaw es tsis txhob [pom zoo hauv Go] tabs nkaus xwb rau lub hom phiaj ntawm kev nyeem tau zoo dua hauv Habr layout. Tom qab txhua daim ntawv teev npe muaj cov txuas mus rau thawj ntawm GitHub, qhov twg cov lus hais lus Askiv thiab cov ntawv khaws cia.)
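// main wires up signal handling, the Kubernetes client and the namespace
// controller, then blocks until SIGINT/SIGTERM arrives and shuts down cleanly.
//
// Flags:
//
//	-run-outside-cluster  use a local kubeconfig instead of the in-cluster
//	                      service-account credentials (passed to newClientSet).
func main() {
	// Send log output to STDOUT so the container runtime collects it.
	log.SetOutput(os.Stdout)

	// Register for termination signals. Once signal.Notify is called the Go
	// runtime no longer kills the process on SIGINT/SIGTERM; the signal is
	// delivered on sigs instead, so main MUST drain sigs and exit on its own.
	// (os.Interrupt is SIGINT, so listing syscall.SIGINT as well is redundant.)
	sigs := make(chan os.Signal, 1)
	signal.Notify(sigs, os.Interrupt, syscall.SIGTERM)

	// stop is closed to tell every goroutine to wind down; wg lets main wait
	// for them. Each goroutine adds itself to the group (see Run), so main
	// must not call wg.Add for them.
	stop := make(chan struct{})
	wg := &sync.WaitGroup{}

	runOutsideCluster := flag.Bool("run-outside-cluster", false, "Set this flag when running outside of the cluster.")
	flag.Parse()

	// Build the clientset used to talk to the Kubernetes API. In-cluster this
	// runs as the pod's service account, which needs list/watch on namespaces
	// and create on rolebindings. NOTE(review): because of RBAC escalation
	// prevention the account must also either hold the permissions of the
	// role it binds ("edit") or have the `bind` verb on that ClusterRole -
	// confirm against the operator's own RBAC manifest.
	clientset, err := newClientSet(*runOutsideCluster)
	if err != nil {
		log.Fatalf("creating kubernetes clientset: %v", err)
	}

	// Run blocks until stop is closed, so it has to live in its own goroutine.
	// Calling it synchronously here would block main before it ever reads
	// sigs: SIGTERM/SIGINT would be captured but never acted on, leaving the
	// process killable only by SIGKILL.
	go controller.NewNamespaceController(clientset).Run(stop, wg)

	<-sigs // Block until a termination signal arrives.
	log.Printf("Shutting down...")
	close(stop) // Ask the goroutines to stop.
	wg.Wait()   // Wait until they have all finished.
}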
Peb ua cov hauv qab no:
- Peb teeb tsa tus neeg tuav haujlwm rau cov cim kev ua haujlwm tshwj xeeb kom ua rau kev txiav txim siab zoo ntawm tus neeg teb xov tooj.
- Peb siv
WaitGroup
kom gracefully nres tag nrho goroutines ua ntej txiav daim ntawv thov. - Peb muab kev nkag mus rau pawg los ntawm kev tsim
clientset
. - Tua tawm
NamespaceController
, nyob rau hauv uas tag nrho peb cov logic yuav nyob.
Tam sim no peb xav tau lub hauv paus rau logic, thiab nyob rau hauv peb cov ntaub ntawv no yog ib tug hais NamespaceController
:
// NamespaceController watches Namespaces through the Kubernetes API and creates
// a RoleBinding in each namespace it sees added.
type NamespaceController struct {
	namespaceInformer cache.SharedIndexInformer // list/watch cache over v1.Namespace objects; Add events drive createRoleBinding
	kclient           *kubernetes.Clientset     // client used for the list/watch and for creating the RoleBindings
}
// NewNamespaceController builds a NamespaceController on top of kclient.
//
// It wires a SharedIndexInformer (list/watch of all Namespaces, full resync
// every three minutes) to the controller's createRoleBinding handler; only
// Add events are handled. The informer is not started here - see Run.
func NewNamespaceController(kclient *kubernetes.Clientset) *NamespaceController {
	listWatch := &cache.ListWatch{
		ListFunc: func(opts metav1.ListOptions) (runtime.Object, error) {
			return kclient.Core().Namespaces().List(opts)
		},
		WatchFunc: func(opts metav1.ListOptions) (watch.Interface, error) {
			return kclient.Core().Namespaces().Watch(opts)
		},
	}

	ctrl := &NamespaceController{
		kclient: kclient,
		namespaceInformer: cache.NewSharedIndexInformer(
			listWatch,
			&v1.Namespace{},
			3*time.Minute,
			cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc},
		),
	}

	// A newly added Namespace is the only event acted on. Note that the
	// informer delivers the Namespaces present at startup (its initial list)
	// as Add events too, so the handler also runs for pre-existing namespaces.
	ctrl.namespaceInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
		AddFunc: ctrl.createRoleBinding,
	})

	return ctrl
}
Ntawm no peb configure SharedIndexInformer
, uas yuav ua tau zoo (siv lub cache) tos rau kev hloov pauv hauv namespaces (Nyeem ntxiv txog cov neeg qhia hauv kab lus "EventHandler
rau tus neeg qhia, yog li ntawd thaum ntxiv lub npe (Namespace
) muaj nuj nqi hu ua createRoleBinding
.
Cov kauj ruam tom ntej yog los txhais cov haujlwm no createRoleBinding
:
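// createRoleBinding is the informer Add handler: for the Namespace in obj it
// creates a RoleBinding named "ad-kubernetes-<namespace>" that grants the
// group of the same name the built-in "edit" ClusterRole inside that namespace.
//
// obj is the object delivered by the informer; anything other than a
// *v1.Namespace is logged and ignored rather than allowed to panic the
// informer goroutine. Failures are logged, not returned - the informer
// handler signature gives us nowhere to report them.
func (c *NamespaceController) createRoleBinding(obj interface{}) {
	ns, ok := obj.(*v1.Namespace)
	if !ok {
		log.Printf("Ignoring unexpected object of type %T in namespace Add handler", obj)
		return
	}
	namespaceName := ns.Name
	bindingName := fmt.Sprintf("ad-kubernetes-%s", namespaceName)

	// NOTE(review): this fires for *every* Namespace, including kube-system,
	// kube-public and default, so a directory group called e.g.
	// ad-kubernetes-kube-system would receive edit rights in kube-system.
	// Whoever can create such groups in the directory effectively gets edit
	// there; consider skipping system namespaces or restricting which
	// namespaces are handled.

	// The informer replays existing Namespaces as Add events on startup, so
	// the binding may already exist. Check first and treat that as success
	// instead of logging a spurious Create failure on every restart. (This
	// needs `get` on rolebindings in addition to `create`.)
	if _, err := c.kclient.Rbac().RoleBindings(namespaceName).Get(bindingName, metav1.GetOptions{}); err == nil {
		log.Printf("AD RoleBinding %s already exists in Namespace %s, nothing to do", bindingName, namespaceName)
		return
	}

	roleBinding := &v1beta1.RoleBinding{
		TypeMeta: metav1.TypeMeta{
			Kind:       "RoleBinding",
			APIVersion: "rbac.authorization.k8s.io/v1beta1",
		},
		ObjectMeta: metav1.ObjectMeta{
			Name:      bindingName,
			Namespace: namespaceName,
		},
		Subjects: []v1beta1.Subject{
			{
				Kind: "Group",
				// Set explicitly, as in the YAML manifest, rather than relying
				// on server-side defaulting for User/Group subjects.
				APIGroup: "rbac.authorization.k8s.io",
				Name:     bindingName,
			},
		},
		RoleRef: v1beta1.RoleRef{
			APIGroup: "rbac.authorization.k8s.io",
			Kind:     "ClusterRole",
			// "edit" is broad (reading Secrets, creating workloads, ...); the
			// RoleBinding keeps its reach to this one namespace.
			Name: "edit",
		},
	}

	if _, err := c.kclient.Rbac().RoleBindings(namespaceName).Create(roleBinding); err != nil {
		log.Println(fmt.Sprintf("Failed to create Role Binding: %s", err.Error()))
		return
	}
	log.Println(fmt.Sprintf("Created AD RoleBinding for Namespace: %s", roleBinding.Name))
}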
Peb tau txais lub npe raws li obj
thiab hloov nws mus rau ib yam khoom Namespace
. Ces peb txhais RoleBinding
, raws li YAML cov ntaub ntawv tau hais thaum pib, siv cov khoom muab Namespace
thiab tsim RoleBinding
. Thaum kawg, peb teev seb qhov kev tsim tau ua tiav.
Lub luag haujlwm kawg yuav tsum tau txhais yog Run
:
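// Run starts the namespace informer and blocks until stopCh is closed.
//
// It registers itself with wg on entry and marks itself done on return, so the
// caller must NOT call wg.Add for it; run it as `go ctrl.Run(stop, wg)` and
// later `close(stop); wg.Wait()`. Because the Add happens inside Run, a caller
// that closes stop and calls wg.Wait before this goroutine has been scheduled
// may return without waiting; moving the Add to the caller would fix that but
// would change this function's contract.
func (c *NamespaceController) Run(stopCh <-chan struct{}, wg *sync.WaitGroup) {
	wg.Add(1)
	defer wg.Done()

	// Run the informer on this goroutine instead of spawning another one and
	// then waiting on stopCh ourselves: SharedIndexInformer.Run returns once
	// stopCh is closed (client-go behaviour), so Done now fires only after the
	// informer has actually stopped and wg.Wait in the caller really waits for
	// it. Previously the informer goroutine was untracked by the WaitGroup.
	c.namespaceInformer.Run(stopCh)
}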
Ntawm no peb tham WaitGroup
uas peb tso lub goroutine thiab ces hu namespaceInformer
, uas tau txhais ua ntej lawm. Thaum lub teeb liab nres tuaj txog, nws yuav xaus txoj haujlwm, qhia WaitGroup
, uas tsis raug tua lawm, thiab qhov haujlwm no yuav tawm mus.
Cov ntaub ntawv hais txog kev tsim thiab khiav cov nqe lus no ntawm Kubernetes pawg tuaj yeem pom hauv
Qhov ntawd yog nws rau tus neeg teb xov tooj uas tsim RoleBinding
thaum Namespace
hauv Kubernetes pawg, npaj txhij.
Tau qhov twg los: www.hab.com