Ogow. turjumiHawl-wadeenadu waa software-ka caawiya Kubernetes, oo loogu talagalay inay si otomaatig ah u fuliyaan fulinta falalka joogtada ah ee walxaha clusterka marka dhacdooyinka qaarkood dhacaan. Horay ayaan wax uga qornay hawl-wadeennada gudaha , halkaas oo ay kaga hadleen fikradaha aasaasiga ah iyo mabaadiida shaqadooda. Laakiin haddii alaabtaasi ay ahayd mid ka badan aragtida dhinaca ka shaqeynta qaybaha diyaarsan ee Kubernetes, ka dibna tarjumaadda maqaalka cusub ee hadda la soo jeediyay ayaa horeyba u ahaa aragtida horumarinta / DevOps engineer oo la yaabay hirgelinta hawlwadeen cusub.
Waxaan go'aansaday inaan ku qoro qoraalkan tusaalaha nolosha dhabta ah ka dib markii aan isku dayay inaan helo dukumeenti ku saabsan abuurista hawlwadeenka Kubernetes, kaas oo dhex maray barashada koodka.
Tusaalaha lagu sifayn doono waa kan: Kubernetes kutladayada, mid walba Namespace waxay ka dhigan tahay jawiga sandbox-ka kooxda, waxaana rabnay inaan xaddidno gelitaankooda si ay kooxuhu ugu ciyaaraan kaliya sanduuqyada ciidooda.
Waxaad ku gaari kartaa waxaad rabto adiga oo ku meeleeya isticmaale koox leh RoleBinding si gaar ah Namespace ΠΈ ClusterRole xuquuqda tafatirka leh. Matalaadda YAML waxay u ekaan doontaa sidan:
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: kubernetes-team-1
namespace: team-1
subjects:
- kind: Group
name: kubernetes-team-1
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: edit
apiGroup: rbac.authorization.k8s.io(gudaha )
Hal abuur RoleBinding Waxaad ku samayn kartaa gacanta, laakiin ka dib markaad ka gudubto boqolka magac ee calaamadda, waxay noqotaa hawl adag. Tani waa halka hawl wadeenada Kubernetes ay ku anfacaan-waxay kuu oggolaanayaan inaad si toos ah u abuurto ilaha Kubernetes iyadoo lagu salaynayo isbeddelada ilaha. Xaaladeena waxaan rabnaa inaan abuurno RoleBinding inta la abuurayo Namespace.
Marka hore aan qeexno shaqada mainkaas oo sameeya habaynta loo baahan yahay si uu u socodsiiyo bayaanka ka dibna ugu yeedha ficilka bayaanka:
(Ogow. turjumiHalkan iyo hoosta faallooyinka koodka waxaa lagu tarjumay Ruush. Intaa waxaa dheer, soo gelista waxa lagu saxay meelo bannaan halkii laga ahaan lahaa [lagu taliyay in Go] tabsiyada oo keliya ujeedada akhriska wanaagsan ee qaabka Habr. Liis kasta ka dib waxaa jira xiriiriya asalka GitHub, halkaas oo faallooyinka iyo tabaha afka Ingiriisiga lagu kaydiyo.)
func main() {
// Π£ΡΡΠ°Π½Π°Π²Π»ΠΈΠ²Π°Π΅ΠΌ Π²ΡΠ²ΠΎΠ΄ Π»ΠΎΠ³ΠΎΠ² Π² ΠΊΠΎΠ½ΡΠΎΠ»ΡΠ½ΡΠΉ STDOUT
log.SetOutput(os.Stdout)
sigs := make(chan os.Signal, 1) // Π‘ΠΎΠ·Π΄Π°Π΅ΠΌ ΠΊΠ°Π½Π°Π» Π΄Π»Ρ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΡ ΡΠΈΠ³Π½Π°Π»ΠΎΠ² ΠΠ‘
stop := make(chan struct{}) // Π‘ΠΎΠ·Π΄Π°Π΅ΠΌ ΠΊΠ°Π½Π°Π» Π΄Π»Ρ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΡ ΡΡΠΎΠΏ-ΡΠΈΠ³Π½Π°Π»Π°
// Π Π΅Π³ΠΈΡΡΡΠΈΡΡΠ΅ΠΌ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΠ΅ SIGTERM Π² ΠΊΠ°Π½Π°Π»Π΅ sigs
signal.Notify(sigs, os.Interrupt, syscall.SIGTERM, syscall.SIGINT)
// Goroutines ΠΌΠΎΠ³ΡΡ ΡΠ°ΠΌΠΈ Π΄ΠΎΠ±Π°Π²Π»ΡΡΡ ΡΠ΅Π±Ρ Π² WaitGroup,
// ΡΡΠΎΠ±Ρ Π·Π°Π²Π΅ΡΡΠ΅Π½ΠΈΡ ΠΈΡ
Π²ΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΡ Π΄ΠΎΠΆΠΈΠ΄Π°Π»ΠΈΡΡ
wg := &sync.WaitGroup{}
runOutsideCluster := flag.Bool("run-outside-cluster", false, "Set this flag when running outside of the cluster.")
flag.Parse()
// Π‘ΠΎΠ·Π΄Π°Π΅ΠΌ clientset Π΄Π»Ρ Π²Π·Π°ΠΈΠΌΠΎΠ΄Π΅ΠΉΡΡΠ²ΠΈΡ Ρ ΠΊΠ»Π°ΡΡΠ΅ΡΠΎΠΌ Kubernetes
clientset, err := newClientSet(*runOutsideCluster)
if err != nil {
panic(err.Error())
}
controller.NewNamespaceController(clientset).Run(stop, wg)
<-sigs // ΠΠ΄Π΅ΠΌ ΡΠΈΠ³Π½Π°Π»ΠΎΠ² (Π΄ΠΎ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΡ ΡΠΈΠ³Π½Π°Π»Π° Π±ΠΎΠ»Π΅Π΅ Π½ΠΈΡΠ΅Π³ΠΎ Π½Π΅ ΠΏΡΠΎΠΈΡΡ
ΠΎΠ΄ΠΈΡ)
log.Printf("Shutting down...")
close(stop) // ΠΠΎΠ²ΠΎΡΠΈΠΌ goroutines ΠΎΡΡΠ°Π½ΠΎΠ²ΠΈΡΡΡΡ
wg.Wait() // ΠΠΆΠΈΠ΄Π°Π΅ΠΌ, ΡΡΠΎ Π²ΡΠ΅ ΠΎΡΡΠ°Π½ΠΎΠ²Π»Π΅Π½ΠΎ
}(gudaha )
Waxaan samaynaa kuwan soo socda:
- Waxaan u habeyneynaa maamule calaamadaha nidaamka qalliinka gaarka ah si ay u sababto joojinta quruxda badan ee hawlwadeenka.
- Waxaan isticmaalnaa
WaitGroupin si qurux badan loo joojiyo dhammaan gorutines ka hor inta aan la joojin codsiga. - Waxaan bixinaa gelitaanka kooxda anagoo abuurayna
clientset. - Daahfurka
NamespaceController, kaas oo dhammaan caqli-galkeennu ku jiri doono.
Hadda waxaan u baahannahay aasaas macquul ah, xaaladdeenna tani waa tan la sheegay NamespaceController:
// NamespaceController ΡΠ»Π΅Π΄ΠΈΡ ΡΠ΅ΡΠ΅Π· Kubernetes API Π·Π° ΠΈΠ·ΠΌΠ΅Π½Π΅Π½ΠΈΡΠΌΠΈ
// Π² ΠΏΡΠΎΡΡΡΠ°Π½ΡΡΠ²Π°Ρ
ΠΈΠΌΠ΅Π½ ΠΈ ΡΠΎΠ·Π΄Π°Π΅Ρ RoleBinding Π΄Π»Ρ ΠΊΠΎΠ½ΠΊΡΠ΅ΡΠ½ΠΎΠ³ΠΎ namespace.
type NamespaceController struct {
namespaceInformer cache.SharedIndexInformer
kclient *kubernetes.Clientset
}
// NewNamespaceController ΡΠΎΠ·Π΄Π°Π΅Ρ Π½ΠΎΠ²ΡΠΉ NewNamespaceController
func NewNamespaceController(kclient *kubernetes.Clientset) *NamespaceController {
namespaceWatcher := &NamespaceController{}
// Π‘ΠΎΠ·Π΄Π°Π΅ΠΌ ΠΈΠ½ΡΠΎΡΠΌΠ΅Ρ Π΄Π»Ρ ΡΠ»Π΅ΠΆΠ΅Π½ΠΈΡ Π·Π° Namespaces
namespaceInformer := cache.NewSharedIndexInformer(
&cache.ListWatch{
ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
return kclient.Core().Namespaces().List(options)
},
WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
return kclient.Core().Namespaces().Watch(options)
},
},
&v1.Namespace{},
3*time.Minute,
cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc},
)
namespaceInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
AddFunc: namespaceWatcher.createRoleBinding,
})
namespaceWatcher.kclient = kclient
namespaceWatcher.namespaceInformer = namespaceInformer
return namespaceWatcher
}(gudaha )
Halkan waxaan ku habayn SharedIndexInformer, kaas oo si wax ku ool ah (adoo isticmaalaya khasnado) sugi doona isbeddelada meelaha magacyada (ka akhri wax badan oo ku saabsan xog-ogayaasha maqaalka ""- qiyaastii turjumaada). Intaa ka dib waanu isku xidhna EventHandler wargeliyaha, si marka lagu daro meel magac ah (Namespace) shaqada ayaa loo yaqaan createRoleBinding.
Tallaabada xigta waa in la qeexo shaqadan createRoleBinding:
func (c *NamespaceController) createRoleBinding(obj interface{}) {
namespaceObj := obj.(*v1.Namespace)
namespaceName := namespaceObj.Name
roleBinding := &v1beta1.RoleBinding{
TypeMeta: metav1.TypeMeta{
Kind: "RoleBinding",
APIVersion: "rbac.authorization.k8s.io/v1beta1",
},
ObjectMeta: metav1.ObjectMeta{
Name: fmt.Sprintf("ad-kubernetes-%s", namespaceName),
Namespace: namespaceName,
},
Subjects: []v1beta1.Subject{
v1beta1.Subject{
Kind: "Group",
Name: fmt.Sprintf("ad-kubernetes-%s", namespaceName),
},
},
RoleRef: v1beta1.RoleRef{
APIGroup: "rbac.authorization.k8s.io",
Kind: "ClusterRole",
Name: "edit",
},
}
_, err := c.kclient.Rbac().RoleBindings(namespaceName).Create(roleBinding)
if err != nil {
log.Println(fmt.Sprintf("Failed to create Role Binding: %s", err.Error()))
} else {
log.Println(fmt.Sprintf("Created AD RoleBinding for Namespace: %s", roleBinding.Name))
}
}(gudaha )
Waxaan u helnaa goobta magaceed sida obj una beddel shay Namespace. Markaas ayaanu qeexaynaa RoleBinding, oo ku salaysan faylka YAML ee lagu sheegay bilowga, iyadoo la adeegsanayo shayga la bixiyay Namespace iyo abuurista RoleBinding. Ugu dambayntii, waxaynu galnay in abuurku guulaystay iyo in kale.
Shaqada ugu dambeysa ee lagu qeexayo waa Run:
// Run Π·Π°ΠΏΡΡΠΊΠ°Π΅Ρ ΠΏΡΠΎΡΠ΅ΡΡ ΠΎΠΆΠΈΠ΄Π°Π½ΠΈΡ ΠΈΠ·ΠΌΠ΅Π½Π΅Π½ΠΈΠΉ Π² ΠΏΡΠΎΡΡΡΠ°Π½ΡΡΠ²Π°Ρ
ΠΈΠΌΡΠ½
// ΠΈ Π΄Π΅ΠΉΡΡΠ²ΠΈΡ Π² ΡΠΎΠΎΡΠ²Π΅ΡΡΡΠ²ΠΈΠΈ Ρ ΡΡΠΈΠΌΠΈ ΠΈΠ·ΠΌΠ΅Π½Π΅Π½ΠΈΡΠΌΠΈ.
func (c *NamespaceController) Run(stopCh <-chan struct{}, wg *sync.WaitGroup) {
// ΠΠΎΠ³Π΄Π° ΡΡΠ° ΡΡΠ½ΠΊΡΠΈΡ Π·Π°Π²Π΅ΡΡΠ΅Π½Π°, ΠΏΠΎΠΌΠ΅ΡΠΈΠΌ ΠΊΠ°ΠΊ Π²ΡΠΏΠΎΠ»Π½Π΅Π½Π½ΡΡ
defer wg.Done()
// ΠΠ½ΠΊΡΠ΅ΠΌΠ΅Π½ΡΠΈΡΡΠ΅ΠΌ wait group, Ρ.ΠΊ. ΡΠΎΠ±ΠΈΡΠ°Π΅ΠΌΡΡ Π²ΡΠ·Π²Π°ΡΡ goroutine
wg.Add(1)
// ΠΡΠ·ΡΠ²Π°Π΅ΠΌ goroutine
go c.namespaceInformer.Run(stopCh)
// ΠΠΆΠΈΠ΄Π°Π΅ΠΌ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΡ ΡΡΠΎΠΏ-ΡΠΈΠ³Π½Π°Π»Π°
<-stopCh
}(gudaha )
Waar waannu ka hadlaynaa WaitGroupin aan bilowno goroutine ka dibna wac namespaceInformer, oo hore loo qeexay. Marka calaamada joogsiga yimaado, waxay joojin doontaa shaqada, ogeysii WaitGroup, kaas oo aan hadda la fulin, shaqadana way bixi doontaa.
Macluumaadka ku saabsan dhisidda iyo socodsiinta bayaankan kutlada Kubernetes waxaa laga heli karaa gudaha .
Taas ayaa loogu talagalay hawlwadeenka abuura RoleBinding muuqaalka kore Namespace Kubernetes kutlada, diyaar ah.
Source: www.habr.com