Cherechedza. transl.: Vashandisi isoftware yekubatsira yeKubernetes, yakagadzirirwa kuitisa otomatiki kuita kwemaitiro echinyakare pazvinhu zvesumbu kana zvimwe zviitiko zvikaitika. Takatonyora nezvevashandi mu , pavakataura nezvepfungwa dzinokosha uye nheyo dzebasa ravo. Asi kana izvo zvinyorwa zvaive zvakanyanya zvekuonekwa kubva kudivi rekushanda zvakagadzirirwa-zvakagadzirwa zvikamu zveKubernetes, saka kushandura kwechinyorwa chitsva chave kurongwa chatova chiono chemugadziri / DevOps injinjini inokatyamadzwa nekuitwa kwemushandisi mutsva.
Ndakafunga kunyora chinyorwa ichi nemuenzaniso wehupenyu chaihwo mushure mekuedza kwangu kutsvaga zvinyorwa pakugadzira mushandisi weKubernetes, iyo yakapfuura nekudzidza kodhi.
Muenzaniso uchatsanangurwa ndeuyu: muboka redu reKubernetes, rimwe nerimwe Namespace inomiririra nharaunda yebhokisi rejecha rechikwata, uye isu taida kudzikisira kusvika kwavari kuitira kuti zvikwata zvingotamba mumabhokisi ejecha zvawo.
Iwe unogona kuzadzisa zvaunoda nekupa mushandisi boka rine RoleBinding kune zvakananga Namespace ΠΈ ClusterRole nekodzero dzekugadzirisa. Iyo YAML inomiririra ichaita seizvi:
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: kubernetes-team-1
namespace: team-1
subjects:
- kind: Group
name: kubernetes-team-1
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: edit
apiGroup: rbac.authorization.k8s.io(in )
Gadzira imwe RoleBinding Iwe unogona kuzviita nemaoko, asi mushure mekuyambuka zana remazita emucherechedzo, rinova basa rinonetesa. Apa ndipo panouya Kubernetes vanoshanda-vanokutendera kuti uite otomatiki kusikwa kweKubernetes zviwanikwa zvichienderana nekuchinja kune zviwanikwa. Muchiitiko chedu tinoda kugadzira RoleBinding uchigadzira Namespace.
Chekutanga, ngatitsanangurirei basa racho mainiyo inoita iyo inodiwa setup yekumhanyisa chirevo uye yobva yadaidza chirevo chiito:
(Cherechedza. transl.: pano uye pasi pemashoko ari mukodhi anoshandurirwa muchiRussia. Pamusoro pezvo, indentation yakagadziridzwa kune nzvimbo panzvimbo pe[inokurudzirwa muGo] matebu chete nechinangwa chekuverenga zvirinani mukati meiyo Habr marongero. Mushure mekunyorwa kwega kwega kune zvinongedzo kune yekutanga paGitHub, panochengetwa Chirungu-mutauro uye ma tabo.)
func main() {
// Π£ΡΡΠ°Π½Π°Π²Π»ΠΈΠ²Π°Π΅ΠΌ Π²ΡΠ²ΠΎΠ΄ Π»ΠΎΠ³ΠΎΠ² Π² ΠΊΠΎΠ½ΡΠΎΠ»ΡΠ½ΡΠΉ STDOUT
log.SetOutput(os.Stdout)
sigs := make(chan os.Signal, 1) // Π‘ΠΎΠ·Π΄Π°Π΅ΠΌ ΠΊΠ°Π½Π°Π» Π΄Π»Ρ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΡ ΡΠΈΠ³Π½Π°Π»ΠΎΠ² ΠΠ‘
stop := make(chan struct{}) // Π‘ΠΎΠ·Π΄Π°Π΅ΠΌ ΠΊΠ°Π½Π°Π» Π΄Π»Ρ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΡ ΡΡΠΎΠΏ-ΡΠΈΠ³Π½Π°Π»Π°
// Π Π΅Π³ΠΈΡΡΡΠΈΡΡΠ΅ΠΌ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΠ΅ SIGTERM Π² ΠΊΠ°Π½Π°Π»Π΅ sigs
signal.Notify(sigs, os.Interrupt, syscall.SIGTERM, syscall.SIGINT)
// Goroutines ΠΌΠΎΠ³ΡΡ ΡΠ°ΠΌΠΈ Π΄ΠΎΠ±Π°Π²Π»ΡΡΡ ΡΠ΅Π±Ρ Π² WaitGroup,
// ΡΡΠΎΠ±Ρ Π·Π°Π²Π΅ΡΡΠ΅Π½ΠΈΡ ΠΈΡ
Π²ΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΡ Π΄ΠΎΠΆΠΈΠ΄Π°Π»ΠΈΡΡ
wg := &sync.WaitGroup{}
runOutsideCluster := flag.Bool("run-outside-cluster", false, "Set this flag when running outside of the cluster.")
flag.Parse()
// Π‘ΠΎΠ·Π΄Π°Π΅ΠΌ clientset Π΄Π»Ρ Π²Π·Π°ΠΈΠΌΠΎΠ΄Π΅ΠΉΡΡΠ²ΠΈΡ Ρ ΠΊΠ»Π°ΡΡΠ΅ΡΠΎΠΌ Kubernetes
clientset, err := newClientSet(*runOutsideCluster)
if err != nil {
panic(err.Error())
}
controller.NewNamespaceController(clientset).Run(stop, wg)
<-sigs // ΠΠ΄Π΅ΠΌ ΡΠΈΠ³Π½Π°Π»ΠΎΠ² (Π΄ΠΎ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΡ ΡΠΈΠ³Π½Π°Π»Π° Π±ΠΎΠ»Π΅Π΅ Π½ΠΈΡΠ΅Π³ΠΎ Π½Π΅ ΠΏΡΠΎΠΈΡΡ
ΠΎΠ΄ΠΈΡ)
log.Printf("Shutting down...")
close(stop) // ΠΠΎΠ²ΠΎΡΠΈΠΌ goroutines ΠΎΡΡΠ°Π½ΠΎΠ²ΠΈΡΡΡΡ
wg.Wait() // ΠΠΆΠΈΠ΄Π°Π΅ΠΌ, ΡΡΠΎ Π²ΡΠ΅ ΠΎΡΡΠ°Π½ΠΎΠ²Π»Π΅Π½ΠΎ
}(in )
Isu tinoita zvinotevera:
- Isu tinogadzirisa mubato kune chaiwo masisitimu anoshanda masisitimu kukonzeresa kumisa zvine nyasha kweanoshanda.
- Isu tinoshandisa
WaitGroupkumisa zvakanaka magoroutines usati wamisa application. - Isu tinopa mukana kune cluster nekugadzira
clientset. - Kutanga
NamespaceController, umo pfungwa dzedu dzese dzichawanikwa.
Zvino isu tinoda hwaro hwepfungwa, uye mune yedu iyi ndiyo yakataurwa NamespaceController:
// NamespaceController ΡΠ»Π΅Π΄ΠΈΡ ΡΠ΅ΡΠ΅Π· Kubernetes API Π·Π° ΠΈΠ·ΠΌΠ΅Π½Π΅Π½ΠΈΡΠΌΠΈ
// Π² ΠΏΡΠΎΡΡΡΠ°Π½ΡΡΠ²Π°Ρ
ΠΈΠΌΠ΅Π½ ΠΈ ΡΠΎΠ·Π΄Π°Π΅Ρ RoleBinding Π΄Π»Ρ ΠΊΠΎΠ½ΠΊΡΠ΅ΡΠ½ΠΎΠ³ΠΎ namespace.
type NamespaceController struct {
namespaceInformer cache.SharedIndexInformer
kclient *kubernetes.Clientset
}
// NewNamespaceController ΡΠΎΠ·Π΄Π°Π΅Ρ Π½ΠΎΠ²ΡΠΉ NewNamespaceController
func NewNamespaceController(kclient *kubernetes.Clientset) *NamespaceController {
namespaceWatcher := &NamespaceController{}
// Π‘ΠΎΠ·Π΄Π°Π΅ΠΌ ΠΈΠ½ΡΠΎΡΠΌΠ΅Ρ Π΄Π»Ρ ΡΠ»Π΅ΠΆΠ΅Π½ΠΈΡ Π·Π° Namespaces
namespaceInformer := cache.NewSharedIndexInformer(
&cache.ListWatch{
ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
return kclient.Core().Namespaces().List(options)
},
WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
return kclient.Core().Namespaces().Watch(options)
},
},
&v1.Namespace{},
3*time.Minute,
cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc},
)
namespaceInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
AddFunc: namespaceWatcher.createRoleBinding,
})
namespaceWatcher.kclient = kclient
namespaceWatcher.namespaceInformer = namespaceInformer
return namespaceWatcher
}(in )
Pano tinogadzirisa SharedIndexInformer, iyo ichaita (uchishandisa cache) kumirira shanduko mumazita (verenga zvakawanda nezvevanozivisa muchinyorwa ""- approx. shanduro). Mushure meizvi tinobatanidza EventHandler kumuzivisi, kuitira kuti kana uchiwedzera zita (Namespace) basa rinonzi createRoleBinding.
Nhanho inotevera ndeyekutsanangura basa iri createRoleBinding:
func (c *NamespaceController) createRoleBinding(obj interface{}) {
namespaceObj := obj.(*v1.Namespace)
namespaceName := namespaceObj.Name
roleBinding := &v1beta1.RoleBinding{
TypeMeta: metav1.TypeMeta{
Kind: "RoleBinding",
APIVersion: "rbac.authorization.k8s.io/v1beta1",
},
ObjectMeta: metav1.ObjectMeta{
Name: fmt.Sprintf("ad-kubernetes-%s", namespaceName),
Namespace: namespaceName,
},
Subjects: []v1beta1.Subject{
v1beta1.Subject{
Kind: "Group",
Name: fmt.Sprintf("ad-kubernetes-%s", namespaceName),
},
},
RoleRef: v1beta1.RoleRef{
APIGroup: "rbac.authorization.k8s.io",
Kind: "ClusterRole",
Name: "edit",
},
}
_, err := c.kclient.Rbac().RoleBindings(namespaceName).Create(roleBinding)
if err != nil {
log.Println(fmt.Sprintf("Failed to create Role Binding: %s", err.Error()))
} else {
log.Println(fmt.Sprintf("Created AD RoleBinding for Namespace: %s", roleBinding.Name))
}
}(in )
Isu tinowana nzvimbo yezita se obj wochishandura kuita chinhu Namespace. Zvadaro tinotsanangura RoleBinding, zvichibva pafaira reYAML rataurwa pakutanga, uchishandisa chinhu chakapihwa Namespace uye kugadzira RoleBinding. Pakupedzisira, tinonyora kana kusikwa kwakabudirira.
Basa rekupedzisira rinotsanangurwa ndeiyi Run:
// Run Π·Π°ΠΏΡΡΠΊΠ°Π΅Ρ ΠΏΡΠΎΡΠ΅ΡΡ ΠΎΠΆΠΈΠ΄Π°Π½ΠΈΡ ΠΈΠ·ΠΌΠ΅Π½Π΅Π½ΠΈΠΉ Π² ΠΏΡΠΎΡΡΡΠ°Π½ΡΡΠ²Π°Ρ
ΠΈΠΌΡΠ½
// ΠΈ Π΄Π΅ΠΉΡΡΠ²ΠΈΡ Π² ΡΠΎΠΎΡΠ²Π΅ΡΡΡΠ²ΠΈΠΈ Ρ ΡΡΠΈΠΌΠΈ ΠΈΠ·ΠΌΠ΅Π½Π΅Π½ΠΈΡΠΌΠΈ.
func (c *NamespaceController) Run(stopCh <-chan struct{}, wg *sync.WaitGroup) {
// ΠΠΎΠ³Π΄Π° ΡΡΠ° ΡΡΠ½ΠΊΡΠΈΡ Π·Π°Π²Π΅ΡΡΠ΅Π½Π°, ΠΏΠΎΠΌΠ΅ΡΠΈΠΌ ΠΊΠ°ΠΊ Π²ΡΠΏΠΎΠ»Π½Π΅Π½Π½ΡΡ
defer wg.Done()
// ΠΠ½ΠΊΡΠ΅ΠΌΠ΅Π½ΡΠΈΡΡΠ΅ΠΌ wait group, Ρ.ΠΊ. ΡΠΎΠ±ΠΈΡΠ°Π΅ΠΌΡΡ Π²ΡΠ·Π²Π°ΡΡ goroutine
wg.Add(1)
// ΠΡΠ·ΡΠ²Π°Π΅ΠΌ goroutine
go c.namespaceInformer.Run(stopCh)
// ΠΠΆΠΈΠ΄Π°Π΅ΠΌ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΡ ΡΡΠΎΠΏ-ΡΠΈΠ³Π½Π°Π»Π°
<-stopCh
}(in )
Apa tiri kutaura WaitGroupkuti titange goroutine tozofona namespaceInformer, izvo zvakambotsanangurwa. Kana chiratidzo chekumira chasvika, chinopedza basa, zivisa WaitGroup, iyo isisiri kuurayiwa, uye basa iri richabuda.
Ruzivo rwekuvaka uye nekumhanyisa chirevo ichi pane Kubernetes cluster inogona kuwanikwa mukati .
Ndizvo zvemushandisi anogadzira RoleBinding riinhi Namespace muKubernetes cluster, yakagadzirira.
Source: www.habr.com