Zindikirani. transl.: Othandizira ndi mapulogalamu othandizira a Kubernetes, opangidwa kuti azingochita zinthu zomwe zimachitika nthawi zonse pamagulu amagulu pakachitika zinthu zina. Talemba kale za ogwira ntchito mu , kumene analankhula za malingaliro ndi mfundo zazikulu za ntchito yawo. Koma ngati zinthuzo zinali zowoneka bwino kuchokera kumbali yogwiritsira ntchito zida zokonzekera za Kubernetes, ndiye kuti kumasulira kwa nkhani yatsopano yomwe yaperekedwa tsopano ndi masomphenya a injiniya / DevOps omwe amadabwa ndi kukhazikitsidwa kwa wogwiritsa ntchito watsopano.
Ndinaganiza zolemba izi ndi chitsanzo chenicheni nditatha kuyesa kupeza zolemba pakupanga wogwiritsa ntchito Kubernetes, yemwe adadutsa pophunzira kachidindo.
Chitsanzo chomwe chidzafotokozedwe ndi ichi: mu gulu lathu la Kubernetes, aliyense Namespace ikuyimira malo a sandbox a timu, ndipo tinkafuna kuchepetsa mwayi wopezeka nawo kuti magulu azisewera m'mabokosi awoawo.
Mutha kukwaniritsa zomwe mukufuna popatsa wogwiritsa gulu lomwe lili RoleBinding ku specific Namespace ΠΈ ClusterRole ndi ufulu wosintha. Kuyimira kwa YAML kudzawoneka motere:
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: kubernetes-team-1
namespace: team-1
subjects:
- kind: Group
name: kubernetes-team-1
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: edit
apiGroup: rbac.authorization.k8s.io(mu )
Pangani imodzi RoleBinding Mutha kuchita pamanja, koma mutatha kuwoloka chizindikiro chamalo zana, imakhala ntchito yotopetsa. Apa ndipamene ogwiritsira ntchito a Kubernetes amabwera mothandiza-amakulolani kuti muzitha kupanga zida za Kubernetes kutengera kusintha kwazinthu. M'malo mwathu tikufuna kupanga RoleBinding polenga Namespace.
Choyamba, tiyeni tifotokoze ntchito mainyomwe imapanga khwekhwe lofunikira kuti liyendetse chiganizocho kenako ndikuyitanira kuchitapo kanthu:
(Zindikirani. transl.: apa ndi pansipa ndemanga zomwe zili mu code zimamasuliridwa ku Russian. Kuphatikiza apo, indentation yasinthidwa kukhala mipata m'malo mwa [omwe akulimbikitsidwa mu Go] kuti azitha kuwerengeka bwino mkati mwa masanjidwe a Habr. Pambuyo pamndandanda uliwonse pali maulalo apachiyambi pa GitHub, pomwe ndemanga ndi ma tabu achingerezi amasungidwa.)
func main() {
// Π£ΡΡΠ°Π½Π°Π²Π»ΠΈΠ²Π°Π΅ΠΌ Π²ΡΠ²ΠΎΠ΄ Π»ΠΎΠ³ΠΎΠ² Π² ΠΊΠΎΠ½ΡΠΎΠ»ΡΠ½ΡΠΉ STDOUT
log.SetOutput(os.Stdout)
sigs := make(chan os.Signal, 1) // Π‘ΠΎΠ·Π΄Π°Π΅ΠΌ ΠΊΠ°Π½Π°Π» Π΄Π»Ρ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΡ ΡΠΈΠ³Π½Π°Π»ΠΎΠ² ΠΠ‘
stop := make(chan struct{}) // Π‘ΠΎΠ·Π΄Π°Π΅ΠΌ ΠΊΠ°Π½Π°Π» Π΄Π»Ρ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΡ ΡΡΠΎΠΏ-ΡΠΈΠ³Π½Π°Π»Π°
// Π Π΅Π³ΠΈΡΡΡΠΈΡΡΠ΅ΠΌ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΠ΅ SIGTERM Π² ΠΊΠ°Π½Π°Π»Π΅ sigs
signal.Notify(sigs, os.Interrupt, syscall.SIGTERM, syscall.SIGINT)
// Goroutines ΠΌΠΎΠ³ΡΡ ΡΠ°ΠΌΠΈ Π΄ΠΎΠ±Π°Π²Π»ΡΡΡ ΡΠ΅Π±Ρ Π² WaitGroup,
// ΡΡΠΎΠ±Ρ Π·Π°Π²Π΅ΡΡΠ΅Π½ΠΈΡ ΠΈΡ
Π²ΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΡ Π΄ΠΎΠΆΠΈΠ΄Π°Π»ΠΈΡΡ
wg := &sync.WaitGroup{}
runOutsideCluster := flag.Bool("run-outside-cluster", false, "Set this flag when running outside of the cluster.")
flag.Parse()
// Π‘ΠΎΠ·Π΄Π°Π΅ΠΌ clientset Π΄Π»Ρ Π²Π·Π°ΠΈΠΌΠΎΠ΄Π΅ΠΉΡΡΠ²ΠΈΡ Ρ ΠΊΠ»Π°ΡΡΠ΅ΡΠΎΠΌ Kubernetes
clientset, err := newClientSet(*runOutsideCluster)
if err != nil {
panic(err.Error())
}
controller.NewNamespaceController(clientset).Run(stop, wg)
<-sigs // ΠΠ΄Π΅ΠΌ ΡΠΈΠ³Π½Π°Π»ΠΎΠ² (Π΄ΠΎ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΡ ΡΠΈΠ³Π½Π°Π»Π° Π±ΠΎΠ»Π΅Π΅ Π½ΠΈΡΠ΅Π³ΠΎ Π½Π΅ ΠΏΡΠΎΠΈΡΡ
ΠΎΠ΄ΠΈΡ)
log.Printf("Shutting down...")
close(stop) // ΠΠΎΠ²ΠΎΡΠΈΠΌ goroutines ΠΎΡΡΠ°Π½ΠΎΠ²ΠΈΡΡΡΡ
wg.Wait() // ΠΠΆΠΈΠ΄Π°Π΅ΠΌ, ΡΡΠΎ Π²ΡΠ΅ ΠΎΡΡΠ°Π½ΠΎΠ²Π»Π΅Π½ΠΎ
}(mu )
Timachita izi:
- Timakonza chogwirizira cha ma siginecha ena ogwiritsira ntchito kuti athetse opareshoni mwaulemu.
- Timagwiritsa ntchito
WaitGroupkuti muyimitse mwaulemu ma goroutines onse musanathe kugwiritsa ntchito. - Timapereka mwayi wopita kumagulu popanga
clientset. - Yambitsani
NamespaceController, momwe malingaliro athu onse adzapezeka.
Tsopano tikusowa maziko a logic, ndipo kwa ife iyi ndi yomwe yatchulidwa NamespaceController:
// NamespaceController ΡΠ»Π΅Π΄ΠΈΡ ΡΠ΅ΡΠ΅Π· Kubernetes API Π·Π° ΠΈΠ·ΠΌΠ΅Π½Π΅Π½ΠΈΡΠΌΠΈ
// Π² ΠΏΡΠΎΡΡΡΠ°Π½ΡΡΠ²Π°Ρ
ΠΈΠΌΠ΅Π½ ΠΈ ΡΠΎΠ·Π΄Π°Π΅Ρ RoleBinding Π΄Π»Ρ ΠΊΠΎΠ½ΠΊΡΠ΅ΡΠ½ΠΎΠ³ΠΎ namespace.
type NamespaceController struct {
namespaceInformer cache.SharedIndexInformer
kclient *kubernetes.Clientset
}
// NewNamespaceController ΡΠΎΠ·Π΄Π°Π΅Ρ Π½ΠΎΠ²ΡΠΉ NewNamespaceController
func NewNamespaceController(kclient *kubernetes.Clientset) *NamespaceController {
namespaceWatcher := &NamespaceController{}
// Π‘ΠΎΠ·Π΄Π°Π΅ΠΌ ΠΈΠ½ΡΠΎΡΠΌΠ΅Ρ Π΄Π»Ρ ΡΠ»Π΅ΠΆΠ΅Π½ΠΈΡ Π·Π° Namespaces
namespaceInformer := cache.NewSharedIndexInformer(
&cache.ListWatch{
ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
return kclient.Core().Namespaces().List(options)
},
WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
return kclient.Core().Namespaces().Watch(options)
},
},
&v1.Namespace{},
3*time.Minute,
cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc},
)
namespaceInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
AddFunc: namespaceWatcher.createRoleBinding,
})
namespaceWatcher.kclient = kclient
namespaceWatcher.namespaceInformer = namespaceInformer
return namespaceWatcher
}(mu )
Apa tikukonzekera SharedIndexInformer, yomwe idzachita bwino (pogwiritsa ntchito cache) kudikirira kusintha kwa mayina (werengani zambiri za odziwitsa m'nkhaniyo ""- pafupifupi. kumasulira). Pambuyo pake timagwirizanitsa EventHandler kwa wodziwitsa, kuti powonjezera dzina (Namespace) ntchito imatchedwa createRoleBinding.
Chotsatira ndikutanthauzira ntchitoyi createRoleBinding:
func (c *NamespaceController) createRoleBinding(obj interface{}) {
namespaceObj := obj.(*v1.Namespace)
namespaceName := namespaceObj.Name
roleBinding := &v1beta1.RoleBinding{
TypeMeta: metav1.TypeMeta{
Kind: "RoleBinding",
APIVersion: "rbac.authorization.k8s.io/v1beta1",
},
ObjectMeta: metav1.ObjectMeta{
Name: fmt.Sprintf("ad-kubernetes-%s", namespaceName),
Namespace: namespaceName,
},
Subjects: []v1beta1.Subject{
v1beta1.Subject{
Kind: "Group",
Name: fmt.Sprintf("ad-kubernetes-%s", namespaceName),
},
},
RoleRef: v1beta1.RoleRef{
APIGroup: "rbac.authorization.k8s.io",
Kind: "ClusterRole",
Name: "edit",
},
}
_, err := c.kclient.Rbac().RoleBindings(namespaceName).Create(roleBinding)
if err != nil {
log.Println(fmt.Sprintf("Failed to create Role Binding: %s", err.Error()))
} else {
log.Println(fmt.Sprintf("Created AD RoleBinding for Namespace: %s", roleBinding.Name))
}
}(mu )
Timapeza dzina la dzina ngati obj ndikusintha kukhala chinthu Namespace. Kenako timafotokozera RoleBinding, kutengera fayilo ya YAML yomwe yatchulidwa koyambirira, pogwiritsa ntchito chinthu chomwe chaperekedwa Namespace ndi kulenga RoleBinding. Pomaliza, timalemba ngati chilengedwecho chinapambana.
Ntchito yomaliza kufotokozedwa ndi Run:
// Run Π·Π°ΠΏΡΡΠΊΠ°Π΅Ρ ΠΏΡΠΎΡΠ΅ΡΡ ΠΎΠΆΠΈΠ΄Π°Π½ΠΈΡ ΠΈΠ·ΠΌΠ΅Π½Π΅Π½ΠΈΠΉ Π² ΠΏΡΠΎΡΡΡΠ°Π½ΡΡΠ²Π°Ρ
ΠΈΠΌΡΠ½
// ΠΈ Π΄Π΅ΠΉΡΡΠ²ΠΈΡ Π² ΡΠΎΠΎΡΠ²Π΅ΡΡΡΠ²ΠΈΠΈ Ρ ΡΡΠΈΠΌΠΈ ΠΈΠ·ΠΌΠ΅Π½Π΅Π½ΠΈΡΠΌΠΈ.
func (c *NamespaceController) Run(stopCh <-chan struct{}, wg *sync.WaitGroup) {
// ΠΠΎΠ³Π΄Π° ΡΡΠ° ΡΡΠ½ΠΊΡΠΈΡ Π·Π°Π²Π΅ΡΡΠ΅Π½Π°, ΠΏΠΎΠΌΠ΅ΡΠΈΠΌ ΠΊΠ°ΠΊ Π²ΡΠΏΠΎΠ»Π½Π΅Π½Π½ΡΡ
defer wg.Done()
// ΠΠ½ΠΊΡΠ΅ΠΌΠ΅Π½ΡΠΈΡΡΠ΅ΠΌ wait group, Ρ.ΠΊ. ΡΠΎΠ±ΠΈΡΠ°Π΅ΠΌΡΡ Π²ΡΠ·Π²Π°ΡΡ goroutine
wg.Add(1)
// ΠΡΠ·ΡΠ²Π°Π΅ΠΌ goroutine
go c.namespaceInformer.Run(stopCh)
// ΠΠΆΠΈΠ΄Π°Π΅ΠΌ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΡ ΡΡΠΎΠΏ-ΡΠΈΠ³Π½Π°Π»Π°
<-stopCh
}(mu )
Apa tikulankhula WaitGroupkuti tiyambitse goroutine ndiyeno kuyimba namespaceInformer, zomwe zafotokozedwa kale. Chizindikiro choyimitsa chikafika, chidzathetsa ntchitoyi, dziwitsani WaitGroup, yomwe siinagwirenso ntchito, ndipo ntchitoyi idzatuluka.
Zambiri pakumanga ndi kuyendetsa mawu awa pagulu la Kubernetes zitha kupezeka mkati .
Ndizo kwa wogwiritsa ntchito yemwe amalenga RoleBinding liti Namespace mu gulu la Kubernetes, okonzeka.
Source: www.habr.com