Writing an operator for Kubernetes in Golang

Translator's note: operators are auxiliary programs for Kubernetes, designed to automate routine actions on cluster objects when certain events occur. We already wrote about operators in this article, which discussed the basic ideas and principles of how they work. But where that was more of a look from the side of using ready-made components for Kubernetes, the translation of the new article offered here is the view of a developer/DevOps engineer puzzling over how to implement a new operator.


I decided to write this post with a real-life example after my attempts to find documentation on creating an operator for Kubernetes ended in reading the code instead.

The example to be described is this: in our Kubernetes cluster, each Namespace represents a team's sandbox environment, and we wanted to restrict access so that teams could play only in their own sandboxes.

You can achieve this by placing a user in a group that has a RoleBinding to a specific Namespace and a ClusterRole with edit rights. The YAML representation would look like this:

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: kubernetes-team-1
  namespace: team-1
subjects:
- kind: Group
  name: kubernetes-team-1
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io

(rolebinding.yaml, raw)

Creating a single RoleBinding can be done by hand, but once you pass a hundred namespaces it becomes a tedious task. This is where Kubernetes operators come in handy: they let you automate the creation of Kubernetes resources in response to changes in other resources. In our case we want to create a RoleBinding whenever a Namespace is created.

First, let's define the main function, which performs the setup needed to run the operator and then invokes the operator's logic:

(Translator's note: here and below, the comments in the code have been translated into Russian. In addition, the indentation has been changed to spaces instead of the [Go-recommended] tabs solely for better readability within the Habr layout. After each listing there is a link to the original on GitHub, where the English comments and tabs are preserved.)

package main

import (
  "flag"
  "log"
  "os"
  "os/signal"
  "sync"
  "syscall"

  "<module path>/controller" // placeholder: the operator's own controller package
)

func main() {
  // Send log output to the console (STDOUT)
  log.SetOutput(os.Stdout)

  sigs := make(chan os.Signal, 1) // Channel for receiving OS signals
  stop := make(chan struct{})     // Channel for delivering the stop signal

  // Register SIGTERM/SIGINT delivery on the sigs channel
  signal.Notify(sigs, os.Interrupt, syscall.SIGTERM, syscall.SIGINT)

  // Goroutines add themselves to the WaitGroup so that we
  // wait for them to finish before exiting
  wg := &sync.WaitGroup{}

  runOutsideCluster := flag.Bool("run-outside-cluster", false, "Set this flag when running outside of the cluster.")
  flag.Parse()
  // Create a clientset for talking to the Kubernetes cluster
  // (newClientSet is defined elsewhere in the repository)
  clientset, err := newClientSet(*runOutsideCluster)

  if err != nil {
    panic(err.Error())
  }

  // Run blocks until stop is closed, so it must run in its own goroutine;
  // otherwise main would never reach the signal wait below
  go controller.NewNamespaceController(clientset).Run(stop, wg)

  <-sigs // Wait for a signal (nothing else happens until one arrives)
  log.Printf("Shutting down...")

  close(stop) // Tell the goroutines to stop
  wg.Wait()   // Wait until everything has stopped
}

(main.go, raw)

We do the following:

  1. We set up a handler for the operating-system signals that trigger a graceful shutdown of the operator.
  2. We use a WaitGroup to stop all goroutines gracefully before the application exits.
  3. We obtain access to the cluster by creating a clientset.
  4. We start the NamespaceController, which will hold all of our logic.

Now we need a base for the logic, which in our case is the so-called NamespaceController:

package controller

// Imports for all three controller.go fragments on this page. Core() and
// Rbac() are the accessor names of the client-go release used in the post;
// newer releases call them CoreV1() and RbacV1beta1().
import (
  "fmt"
  "log"
  "sync"
  "time"

  "k8s.io/api/core/v1"
  "k8s.io/api/rbac/v1beta1"
  apierrors "k8s.io/apimachinery/pkg/api/errors"
  metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  "k8s.io/apimachinery/pkg/runtime"
  "k8s.io/apimachinery/pkg/watch"
  "k8s.io/client-go/kubernetes"
  "k8s.io/client-go/tools/cache"
)

// NamespaceController watches namespaces through the Kubernetes API
// for changes and creates a RoleBinding for each specific namespace.
type NamespaceController struct {
  namespaceInformer cache.SharedIndexInformer
  kclient           *kubernetes.Clientset
}

// NewNamespaceController creates a new NamespaceController
func NewNamespaceController(kclient *kubernetes.Clientset) *NamespaceController {
  namespaceWatcher := &NamespaceController{}

  // Create an informer for watching Namespaces
  namespaceInformer := cache.NewSharedIndexInformer(
    &cache.ListWatch{
      ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
        return kclient.Core().Namespaces().List(options)
      },
      WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
        return kclient.Core().Namespaces().Watch(options)
      },
    },
    &v1.Namespace{},
    3*time.Minute, // resync period
    cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc},
  )

  // Only additions are handled; updates and deletions are ignored
  namespaceInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
    AddFunc: namespaceWatcher.createRoleBinding,
  })

  namespaceWatcher.kclient = kclient
  namespaceWatcher.namespaceInformer = namespaceInformer

  return namespaceWatcher
}

(controller.go, raw)

Here we configure a SharedIndexInformer, which efficiently (using a cache) waits for changes to namespaces (read more about informers in the article "How does the Kubernetes scheduler work?", translator's note). After that we attach an EventHandler to the informer so that when a Namespace is added, the createRoleBinding function is called.

The next step is to define this createRoleBinding function:

func (c *NamespaceController) createRoleBinding(obj interface{}) {
  // The informer hands us an interface{}; check the assertion rather than
  // letting an unexpected type crash the operator
  namespaceObj, ok := obj.(*v1.Namespace)
  if !ok {
    log.Printf("Unexpected object type %T in Namespace add event", obj)
    return
  }
  namespaceName := namespaceObj.Name

  roleBinding := &v1beta1.RoleBinding{
    TypeMeta: metav1.TypeMeta{
      Kind:       "RoleBinding",
      APIVersion: "rbac.authorization.k8s.io/v1beta1",
    },
    ObjectMeta: metav1.ObjectMeta{
      Name:      fmt.Sprintf("ad-kubernetes-%s", namespaceName),
      Namespace: namespaceName,
    },
    Subjects: []v1beta1.Subject{
      {
        Kind:     "Group",
        Name:     fmt.Sprintf("ad-kubernetes-%s", namespaceName),
        APIGroup: "rbac.authorization.k8s.io", // as in the YAML above; the API server defaults it if omitted
      },
    },
    RoleRef: v1beta1.RoleRef{
      APIGroup: "rbac.authorization.k8s.io",
      Kind:     "ClusterRole",
      Name:     "edit",
    },
  }

  _, err := c.kclient.Rbac().RoleBindings(namespaceName).Create(roleBinding)

  // AddFunc also fires for every existing Namespace when the operator starts,
  // so an AlreadyExists answer is expected rather than an error
  // (apierrors is k8s.io/apimachinery/pkg/api/errors)
  if apierrors.IsAlreadyExists(err) {
    log.Println(fmt.Sprintf("RoleBinding already present for Namespace: %s", namespaceName))
  } else if err != nil {
    log.Println(fmt.Sprintf("Failed to create Role Binding: %s", err.Error()))
  } else {
    log.Println(fmt.Sprintf("Created AD RoleBinding for Namespace: %s", namespaceName))
  }
}

(controller.go, raw)

We receive the namespace as obj and convert it to a Namespace object. Then we define a RoleBinding based on the YAML file shown at the beginning, using the Namespace we were given, and create that RoleBinding. Finally, we log whether the creation succeeded.
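An added example (not part of the original post or its repository) showing the handler in an idempotent form, which the page's createRoleBinding does not have: it treats AlreadyExists as the normal case after a restart and never grants a team group the edit role in system namespaces. The roleBinding type, the fakeRBAC store and errAlreadyExists are constructed stand-ins for the client-go types, so it runs without a cluster.

```go
package main

import (
	"errors"
	"fmt"
)

// roleBinding: hypothetical, trimmed-down RoleBinding with only the fields the page's operator sets.
type roleBinding struct{ Name, Namespace, Group, ClusterRole string }

// errAlreadyExists stands in for the API server's AlreadyExists status error.
var errAlreadyExists = errors.New("rolebinding already exists")

// fakeRBAC: constructed in-memory stand-in for kclient.Rbac().RoleBindings(ns); key is namespace/name.
type fakeRBAC struct{ items map[string]roleBinding }

func newFakeRBAC() *fakeRBAC { return &fakeRBAC{items: map[string]roleBinding{}} }

func (f *fakeRBAC) Create(rb roleBinding) error {
	key := rb.Namespace + "/" + rb.Name
	if _, ok := f.items[key]; ok {
		return errAlreadyExists
	}
	f.items[key] = rb
	return nil
}

// Namespaces that never get a team binding: the edit ClusterRole there would
// hand a team group write access to cluster components.
var systemNamespaces = map[string]bool{"kube-system": true, "kube-public": true}

// ensureRoleBinding is an idempotent form of the page's createRoleBinding: the
// informer's AddFunc fires for every existing Namespace each time the operator
// (re)starts, so AlreadyExists is the expected steady state, not a failure.
func ensureRoleBinding(c *fakeRBAC, namespace string) (created bool, err error) {
	if systemNamespaces[namespace] {
		return false, nil
	}
	rb := roleBinding{
		Name:        fmt.Sprintf("ad-kubernetes-%s", namespace),
		Namespace:   namespace,
		Group:       fmt.Sprintf("ad-kubernetes-%s", namespace),
		ClusterRole: "edit",
	}
	err = c.Create(rb)
	if errors.Is(err, errAlreadyExists) {
		return false, nil
	}
	return err == nil, err
}
```

Calling ensureRoleBinding for the same namespace twice yields one binding and no error, which is exactly what a restart of the operator produces against a real cluster.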

The last function to describe is Run:

// Run starts waiting for changes in namespaces
// and acting on those changes.
func (c *NamespaceController) Run(stopCh <-chan struct{}, wg *sync.WaitGroup) {
  // When this function returns, mark it as done
  defer wg.Done()

  // Increment the wait group, since we are about to start a goroutine
  // (strictly, Add must precede any possible Wait; main only calls Wait
  // after a signal arrives, so in practice this ordering holds)
  wg.Add(1)

  // Start the informer in its own goroutine
  go c.namespaceInformer.Run(stopCh)

  // Wait for the stop signal
  <-stopCh
}

(controller.go, raw)

Here we tell the WaitGroup that we are starting a goroutine, then start the namespaceInformer described above. When the stop signal arrives, the function finishes, notifies the WaitGroup that it is done, and exits.

Details on building and running this operator on a Kubernetes cluster can be found in the repository on GitHub.

That's it: the operator that creates a RoleBinding whenever a Namespace is created in the Kubernetes cluster is ready.

Source: www.habr.com
