Ke hantle, ka mora tokollo qalong ea Mots'eanong 2019, ho Consul o ka fana ka tumello ea likopo le lits'ebeletso tse sebetsang ho Kubernetes ka tlhaho.
Thutong ena re tla bopa mohato ka mohato (Bopaki ba mohopolo, PoC) e bonts'ang tšobotsi ena e ncha. U lebelletsoe ho ba le tsebo ea mantlha ea Kubernetes le Consul ea Hashicorp. Leha o ka sebelisa sethala sefe kapa sefe sa maru kapa tikoloho ea meaho, thutong ena re tla sebelisa Google Cloud Platform.
tjhebokakaretso
Haeba re ea ho , re tla fumana kakaretso e potlakileng ea morero oa eona le boemo ba tšebeliso, hammoho le lintlha tse ling tsa tekheniki le kakaretso ea mohopolo. Ke khothaletsa haholo ho e bala bonyane hang pele ke tsoela pele, kaha joale ke tla be ke e hlalosa le ho e hlafuna kaofela.
Setšoantšo sa 1: Kakaretso ea semmuso ea mokhoa oa tumello ea Consul
Ha re shebeng ka hare .
Ehlile, ho na le tlhaiso-leseling e sebetsang moo, empa ha ho na tataiso ea hore na u ka e sebelisa kaofela joang. Kahoo, joalo ka motho leha e le ofe ea hlaphohetsoeng kelellong, u batla tataiso Inthaneteng. Mme ebe ... O hloleha. Hoa etsahala. Ha re lokiseng taba ena.
Pele re tsoela pele ho theha POC ea rona, ha re khutleleng ho kakaretso ea mekhoa ea tumello ea Consul (Sets'oants'o sa 1) 'me re se ntlafatse ho latela moelelo oa Kubernetes.
mehaho
Thutong ena, re tla theha seva sa Consul mochining o arohaneng o tla buisana le sehlopha sa Kubernetes se kentsoeng moreki oa Consul. Joale re tla theha kopo ea rona ea dummy ka har'a pod mme re sebelise mokhoa oa rona oa tumello o hlophisitsoeng ho bala ho tsoa lebenkeleng la rona la Consul / boleng.
Sets'oants'o se ka tlase se fana ka lintlha tsa meralo eo re e bopang thutong ena, hammoho le moelelo oa mokhoa oa tumello, o tla hlalosoa hamorao.
Setšoantšo sa 2: Kakaretso ea Mokhoa oa Authorization oa Kubernetes
Tsebiso e potlakileng: seva sa Consul ha se hloke ho lula kantle ho sehlopha sa Kubernetes hore sena se sebetse. Empa ee, a ka e etsa ka tsela ena le eane.
Kahoo, ho nka setšoantšo sa kakaretso sa Consul (Sets'oants'o sa 1) le ho sebelisa Kubernetes ho sona, re fumana setšoantšo se kaholimo (Sets'oants'o sa 2), 'me mohopolo mona ke o latelang:
- Pod e 'ngoe le e' ngoe e tla ba le ak'haonte ea ts'ebeletso e hokeletsoeng ho eona e nang le tokene ea JWT e hlahisitsoeng le e tsejoang ke Kubernetes. Letšoao lena le boetse le kenngoa ka har'a pod ka ho sa feleng.
- Kopo ea rona kapa tšebeletso ka har'a pod e qala taelo ea ho kena ho moreki oa rona oa Consul. Kopo ea ho kena e tla kenyelletsa le letšoao le lebitso la rona e entsoeng ka ho khetheha mokhoa oa tumello (mofuta oa Kubernetes). Mohato ona #2 o lumellana le mohato oa 1 oa setšoantšo sa Consul (Sekema sa 1).
- Moreki oa rona oa Consul o tla fetisetsa kopo ena ho seva sa rona sa Consul.
- BOCHAI! Mona ke moo seva sa Consul se netefatsang bonnete ba kopo, se bokella tlhahisoleseding mabapi le boitsebiso ba kopo le ho e bapisa le melao leha e le efe e amanang le eona. Ka tlaase mona ke setšoantšo se seng ho bontša sena. Mohato ona o lumellana le mehato ea 3, ea 4 le ea 5 ea setšoantšo sa kakaretso sa Consul (Sets'oants'o sa 1).
- Seva ea rona ea Consul e hlahisa lets'oao la Consul le nang le tumello ho latela melao ea rona ea tumello e boletsoeng (eo re e hlalositseng) mabapi le boitsebiso ba mokopi. Etlaba e romela letshwao leo morao. Sena se lumellana le mohato oa 6 oa setšoantšo sa Consul (Setšoantšo sa 1).
- Moreki oa rona oa Consul o fetisetsa lets'oao ho kopo kapa ts'ebeletso e kopang.
Ts'ebeliso ea rona kapa ts'ebeletso ea rona joale e ka sebelisa lets'oao lena la Consul ho buisana le lintlha tsa rona tsa Consul, joalo ka ha ho laetsoe ke litokelo tsa tokeneng.
Boselamose bo senotswe!
Ho lona ba sa thabeleng mmutlanyana feela o tswileng katiba mme le batla ho tseba hore na o sebetsa jwang... e re ke le bontshe hore na ho tebile hakae. lesoba la mmutlanyana".
Joalokaha ho boletsoe pejana, mohato oa rona oa "boselamose" (Setšoantšo sa 2: Mohato oa 4) ke moo seva sa Consul se netefatsang kopo, se bokella tlhahisoleseding mabapi le kopo, 'me e se bapise le melao leha e le efe e amanang le eona. Mohato ona o lumellana le mehato ea 3, ea 4 le ea 5 ea setšoantšo sa kakaretso sa Consul (Sets'oants'o sa 1). Ka tlase ke setšoantšo (Sets'oants'o sa 3), seo sepheo sa sona e leng ho bontša ka ho hlaka se hlileng se etsahalang tlasa hood mokhoa o khethehileng oa tumello ea Kubernetes.
Setšoantšo sa 3: Boselamose bo senotsoe!
- E le qalo, moreki oa rona oa Consul o fetisetsa kopo ea ho kena ho seva sa rona sa Consul ka tokene ea ak'haonte ea Kubernetes le lebitso le ikhethileng la mokhoa oa tumello o entsoeng pejana. Mohato ona o lumellana le mohato oa 3 tlhalosong ea potoloho e fetileng.
- Hona joale seva sa Consul (kapa moetapele) se hloka ho netefatsa bonnete ba lets'oao le amohetseng. Ka hona, e tla buisana le sehlopha sa Kubernetes (ka moreki oa Consul) mme, ka tumello e nepahetseng, re tla fumana hore na lets'oao ke la 'nete le hore na ke la mang.
- Kopo e netefalitsoeng e khutlisetsoa ho moetapele oa Consul, mme seva sa Consul se sheba mohlala oa mokhoa oa tumello ka lebitso le boletsoeng ho tsoa kopo ea ho kena (le mofuta oa Kubernetes).
- Moetapele oa consul o khetholla mohlala oa mokhoa o boletsoeng (haeba o fumanoa) mme o bala melao e tlamang e khomaretsoeng ho eona. Joale e bala melao ena ebe e e bapisa le litšobotsi tse tiisitsoeng tsa boitsebiso.
- TA-dah! Ha re feteleng pele ho mohato oa 5 tlhalosong e fetileng ea potoloho.
Matha Consul-server ka mochine o tloaelehileng oa sebele
Ho tloha joale ho ea pele, hangata ke tla be ke fana ka litaelo tsa ho theha POC ena, hangata ka lintlha tsa bullet, ntle le litlhaloso tse felletseng tsa polelo. Hape, joalo ka ha ho boletsoe pejana, ke tla sebelisa GCP ho theha lits'ebetso tsohle, empa u ka etsa lisebelisoa tse tšoanang kae kapa kae.
- Qala mochine oa sebele (mohlala / seva).
- Theha molao bakeng sa firewall (sehlopha sa ts'ireletso ho AWS):
- Ke rata ho fana ka lebitso le tšoanang la mochine ho molao le tag ea marang-rang, tabeng ena "skywiz-consul-server-poc".
- Fumana aterese ea hau ea IP ea komporo ea hau 'me u e kenye lethathamong la liaterese tsa IP hore re tsebe ho fihlella sebopeho sa mosebelisi (UI).
- Bula port 8500 bakeng sa UI. Tobetsa Create. Re tla fetola firewall ena haufinyane [].
- Kenya molao oa firewall ho mohlala. Khutlela ho dashboard ea VM ho Consul Server 'me u kenye "skywiz-consul-server-poc" lebaleng la li-tag tsa marang-rang. Tobetsa Boloka.
- Kenya Consul mochining oa sebele, sheba mona. Hopola hore o hloka Consul version ≥ 1.5 [link]
- Ha re theheng node e le 'ngoe Consul - tlhophiso e tjena.
groupadd --system consul
useradd -s /sbin/nologin --system -g consul consul
mkdir -p /var/lib/consul
chown -R consul:consul /var/lib/consul
chmod -R 775 /var/lib/consul
mkdir /etc/consul.d
chown -R consul:consul /etc/consul.d- Bakeng sa tataiso e qaqileng haholoanyane ea ho kenya Consul le ho theha sehlopha sa li-node tse 3, bona .
- Etsa faele /etc/consul.d/agent.json ka tsela e latelang []:
### /etc/consul.d/agent.json
{
"acl" : {
"enabled": true,
"default_policy": "deny",
"enable_token_persistence": true
}
}- Qala seva sa rona sa Consul:
consul agent
-server
-ui
-client 0.0.0.0
-data-dir=/var/lib/consul
-bootstrap-expect=1
-config-dir=/etc/consul.d- U lokela ho bona sehlopha sa lihlahisoa 'me u qetelle u e-na le "... ntjhafatso e thibetsoe ke ACLs."
- Fumana aterese ea kantle ea IP ea seva sa Consul 'me u bule sebatli se nang le aterese ena ea IP ho port 8500. Etsa bonnete ba hore UI ea bula.
- Leka ho kenya linotlolo/boleng para. Ho tlameha ho na le phoso. Sena ke hobane re laetse seva sa Consul ka ACL mme ra holofatsa melao eohle.
- Khutlela ho khetla ea hau ho seva sa Consul 'me u qale ts'ebetso ka morao kapa ka tsela e' ngoe ea ho e etsa hore e sebetse ebe u kenya tse latelang:
consul acl bootstrap- Fumana boleng ba "SecretID" 'me u khutlele ho UI. Ka ACL tab ya, kenya lekunutu ID ya tokeneng u sa tsoa qopitsa. Kopitsa SecretID sebakeng se seng, re tla e hloka hamorao.
- Joale eketsa konopo / boleng para. Bakeng sa POC ena, eketsa tse latelang: senotlolo: “custom-ns/test_key”, boleng: “Ke ka har’a foldara ea custom-ns!”
Ho hlahisa sehlopha sa Kubernetes bakeng sa ts'ebeliso ea rona le moreki oa Consul joalo ka Daemoset
- Theha sehlopha sa K8s (Kubernetes). Re tla e etsa sebakeng se ts'oanang le sebatli hore se fihlelle kapele, ka hona re ka sebelisa subnet e tšoanang ho hokela habonolo le liaterese tsa IP tsa kahare. Re tla e bitsa "skywiz-app-with-consul-client-poc".
- Joalo ka lehlakoreng le leng, mona ke thuto e ntle eo ke e fumaneng ha ke ntse ke theha sehlopha sa POC Consul le Consul Connect.
- Re tla be re sebelisa chate ea helm ea Hashicorp e nang le faele ea boleng bo atolositsoeng.
- Kenya le ho lokisa Helm. Mehato ea tlhophiso:
kubectl create serviceaccount tiller --namespace kube-system
kubectl create clusterrolebinding tiller-admin-binding
--clusterrole=cluster-admin --serviceaccount=kube-system:tiller
./helm init --service-account=tiller
./helm update- chate ea helm:
- Sebelisa faele ea boleng e latelang (hlokomela hore ke holofalitse haholo):
### poc-helm-consul-values.yaml
global:
enabled: false
image: "consul:latest"
# Expose the Consul UI through this LoadBalancer
ui:
enabled: false
# Allow Consul to inject the Connect proxy into Kubernetes containers
connectInject:
enabled: false
# Configure a Consul client on Kubernetes nodes. GRPC listener is required for Connect.
client:
enabled: true
join: ["<PRIVATE_IP_CONSUL_SERVER>"]
extraConfig: |
{
"acl" : {
"enabled": true,
"default_policy": "deny",
"enable_token_persistence": true
}
}
# Minimal Consul configuration. Not suitable for production.
server:
enabled: false
# Sync Kubernetes and Consul services
syncCatalog:
enabled: false- Sebelisa chate ea helmete:
./helm install -f poc-helm-consul-values.yaml ./consul-helm - name skywiz-app-with-consul-client-poc- Ha e leka ho sebetsa, e tla hloka litumello bakeng sa seva sa Consul, kahoo a re li kenye.
- Ela hloko "Pod Address Range" e fumanehang ho dashboard ea lihlopha 'me u khutlele ho "skywiz-consul-server-poc" molao oa firewall.
- Kenya lethathamo la liaterese bakeng sa pod lethathamong la liaterese tsa IP le likou tse bulehileng 8301 le 8300.
- E-ea ho Consul UI 'me ka mor'a metsotso e seng mekae u tla bona sehlopha sa rona se hlaha tabeng ea li-node.
Ho lokisa mokhoa oa tumello ka ho kopanya Consul le Kubernetes
- Khutlela ho khetla ea seva sa Consul 'me u romelle tokene eo u e bolokileng pejana:
export CONSUL_HTTP_TOKEN=<SecretID>- Re tla hloka tlhahisoleseling ho tsoa sehlopheng sa rona sa Kubernetes ho theha mohlala oa mokhoa oa auth:
- kubernetes-moamoheli
kubectl get endpoints | grep kubernetes- kubernetes-service-account-jwt
kubectl get sa <helm_deployment_name>-consul-client -o yaml | grep "- name:"
kubectl get secret <secret_name_from_prev_command> -o yaml | grep token:- Letšoao le kenyelelitsoe ke base64, kahoo u le hlakole u sebelisa sesebelisoa seo u se ratang []
- hobernetes-ca-cert
kubectl get secret <secret_name_from_prev_command> -o yaml | grep ca.crt:- Nka setifikeiti sa "ca.crt" (kamora base64 decoding) 'me u se ngole faeleng ea "ca.crt".
- Joale tiisa mokhoa oa auth, o nkela li-place le litekanyetso tseo u sa tsoa li fumana.
consul acl auth-method create
-type "kubernetes"
-name "auth-method-skywiz-consul-poc"
-description "This is an auth method using kubernetes for the cluster skywiz-app-with-consul-client-poc"
-kubernetes-host "<k8s_endpoint_retrieved earlier>"
[email protected]
-kubernetes-service-account-
jwt="<decoded_token_retrieved_earlier>"- Ka mor'a moo re hloka ho theha molao le ho o hokahanya le karolo e ncha. Bakeng sa karolo ena o ka sebelisa Consul UI, empa re tla sebelisa mola oa taelo.
- Ngola molao
### kv-custom-ns-policy.hcl
key_prefix "custom-ns/" {
policy = "write"
}- Sebelisa molao
consul acl policy create
-name kv-custom-ns-policy
-description "This is an example policy for kv at custom-ns/"
-rules @kv-custom-ns-policy.hcl- Fumana ID ea molao oo u sa tsoa o etsa ho tsoa tlhahiso.
- Etsa karolo ka molao o mocha.
consul acl role create
-name "custom-ns-role"
-description "This is an example role for custom-ns namespace"
-policy-id <policy_id>- Joale re tla amahanya karolo ea rona e ncha le mohlala oa mokhoa oa auth. Hlokomela hore "sekhetho" se bontša hore na kopo ea rona ea ho kena e tla fumana karolo ena. Sheba mona bakeng sa likhetho tse ling tsa likhetho:
consul acl binding-rule create
-method=auth-method-skywiz-consul-poc
-bind-type=role
-bind-name='custom-ns-role'
-selector='serviceaccount.namespace=="custom-ns"'Qetellong, litlhophiso
Litokelo tsa ho fihlella
- Etsa litokelo tsa ho fihlella. Re hloka ho fa Consul tumello ea ho netefatsa le ho tseba hore na tokene ea akhaonto ea tšebeletso ea K8s ke mang.
- Ngola tse latelang faeleng :
###skywiz-poc-consul-server_rbac.yaml
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: review-tokens
namespace: default
subjects:
- kind: ServiceAccount
name: skywiz-app-with-consul-client-poc-consul-client
namespace: default
roleRef:
kind: ClusterRole
name: system:auth-delegator
apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: service-account-getter
namespace: default
rules:
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: get-service-accounts
namespace: default
subjects:
- kind: ServiceAccount
name: skywiz-app-with-consul-client-poc-consul-client
namespace: default
roleRef:
kind: ClusterRole
name: service-account-getter
apiGroup: rbac.authorization.k8s.io- Ha re theheng litokelo tsa phihlello
kubectl create -f skywiz-poc-consul-server_rbac.yamlHo hokela ho Consul Client
- Joalokaha ho boletsoe Ho na le likhetho tse 'maloa tsa ho hokela daemoset, empa re tla fetela ho tharollo e bonolo e latelang:
- Kenya faele e latelang [].
### poc-consul-client-ds-svc.yaml
apiVersion: v1
kind: Service
metadata:
name: consul-ds-client
spec:
selector:
app: consul
chart: consul-helm
component: client
hasDNS: "true"
release: skywiz-app-with-consul-client-poc
ports:
- protocol: TCP
port: 80
targetPort: 8500- Ebe u sebelisa taelo e latelang ea buildin ho theha configmap []. Ka kopo hlokomela hore re bua ka lebitso la ts'ebeletso ea rona, le nkele sebaka ha ho hlokahala.
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
labels:
addonmanager.kubernetes.io/mode: EnsureExists
name: kube-dns
namespace: kube-system
data:
stubDomains: |
{"consul": ["$(kubectl get svc consul-ds-client -o jsonpath='{.spec.clusterIP}')"]}
EOFHo lekola mokhoa oa auth
Joale a re boneng boselamose bo sebetsa!
- Theha lifoldara tse ling tse 'maloa ka konopo e tšoanang ea boemo bo holimo (ke hore. /sample_key) le boleng ba khetho ea hau. Theha maano le likarolo tse nepahetseng bakeng sa litsela tse ncha tsa bohlokoa. Re tla etsa litlamo hamorao.
Teko ea sebaka sa mabitso:
- Ha re iketsetse sebaka sa rona sa mabitso:
kubectl create namespace custom-ns- Ha re theheng pod sebakeng sa rona se secha sa mabitso. Ngola tlhophiso bakeng sa pod.
###poc-ubuntu-custom-ns.yaml
apiVersion: v1
kind: Pod
metadata:
name: poc-ubuntu-custom-ns
namespace: custom-ns
spec:
containers:
- name: poc-ubuntu-custom-ns
image: ubuntu
command: ["/bin/bash", "-ec", "sleep infinity"]
restartPolicy: Never- Etsa tlasa:
kubectl create -f poc-ubuntu-custom-ns.yaml- Hang ha setshelo se sebetsa, e-ea moo 'me u kenye curl.
kubectl exec poc-ubuntu-custom-ns -n custom-ns -it /bin/bash
apt-get update && apt-get install curl -y- Joale re tla romella kopo ea ho kena ho Consul re sebelisa mokhoa oa tumello oo re o entseng pejana [].
- Ho sheba token e kentsoeng ho tsoa akhaonteng ea hau ea litšebeletso:
cat /run/secrets/kubernetes.io/serviceaccount/token- Ngola tse latelang faeleng e ka har'a sets'oants'o:
### payload.json
{
"AuthMethod": "auth-method-test",
"BearerToken": "<jwt_token>"
}- Kena!
curl
--request POST
--data @payload.json
consul-ds-client.default.svc.cluster.local/v1/acl/login- Ho phethela mehato e kaholimo moleng o le mong (kaha re tla be re etsa liteko tse ngata), o ka etsa tse latelang:
echo "{
"AuthMethod": "auth-method-skywiz-consul-poc",
"BearerToken": "$(cat /run/secrets/kubernetes.io/serviceaccount/token)"
}"
| curl
--request POST
--data @-
consul-ds-client.default.svc.cluster.local/v1/acl/login- E sebetsa! Bonyane e lokela. Joale nka SecretID 'me u leke ho fumana senotlolo / boleng boo re lokelang ho ba le bona.
curl
consul-ds-client.default.svc.cluster.local/v1/kv/custom-ns/test_key --header “X-Consul-Token: <SecretID_from_prev_response>”- O ka khetha "Value" ea base64 'me oa bona hore e lumellana le boleng ba custom-ns/test_key ho UI. Haeba u sebelisitse boleng bo tšoanang ka holimo thutong ena, boleng ba hau bo kentsoeng e tla ba IkknbSBpbiB0aGUgY3VzdG9tLW5zIGZvbGRlciEi.
Teko ea ak'haonte ea litšebeletso tsa mosebelisi:
- Theha ServiceAccount ea tloaelo u sebelisa taelo e latelang [].
kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
name: custom-sa
EOF- Theha faele e ncha ea tlhophiso bakeng sa pod. Ka kopo hlokomela hore ke kenyelelitse ho kenya li-curl ho boloka mosebetsi :)
###poc-ubuntu-custom-sa.yaml
apiVersion: v1
kind: Pod
metadata:
name: poc-ubuntu-custom-sa
namespace: default
spec:
serviceAccountName: custom-sa
containers:
- name: poc-ubuntu-custom-sa
image: ubuntu
command: ["/bin/bash","-ec"]
args: ["apt-get update && apt-get install curl -y; sleep infinity"]
restartPolicy: Never- Ka mor'a moo, tsamaisa khetla ka har'a setshelo.
kubectl exec -it poc-ubuntu-custom-sa /bin/bash- Kena!
echo "{
"AuthMethod": "auth-method-skywiz-consul-poc",
"BearerToken": "$(cat /run/secrets/kubernetes.io/serviceaccount/token)"
}"
| curl
--request POST
--data @-
consul-ds-client.default.svc.cluster.local/v1/acl/login- Ha hoa fanoa ka tumello. Oh, re lebetse ho kenya melao e ncha e tlamang ka litumello tse nepahetseng, ha re etseng hona joale.
Pheta mehato e fetileng ka holimo:
a) Etsa Leano le ts'oanang la sehlongwapele "custom-sa/".
b) Theha Karolo, e bitse "custom-sa-role"
c) Hokela Leano Karolong eo.
- Theha Melao e Tlamang (ho khoneha feela ho tloha ho cli/api). Ela hloko moelelo o fapaneng oa folakha ea mokhethoa.
consul acl binding-rule create
-method=auth-method-skywiz-consul-poc
-bind-type=role
-bind-name='custom-sa-role'
-selector='serviceaccount.name=="custom-sa"'- Kena hape ho tsoa "poc-ubuntu-custom-sa" setshelo. Katleho!
- Sheba mokhoa oa rona oa ho fumana mokhoa oa custom-sa/ key.
curl
consul-ds-client.default.svc.cluster.local/v1/kv/custom-sa/test_key --header “X-Consul-Token: <SecretID>”- U ka boela ua etsa bonnete ba hore letšoao lena ha le fane ka monyetla oa ho fumana kv ka "custom-ns/". Pheta feela taelo e ka holimo ka mor'a hore u nkele "custom-sa" sebaka ka "custom-ns".
Ha hoa fanoa ka tumello.
Mohlala oa holimo:
- Ke habohlokoa ho hlokomela hore limmapa tsohle tse tlamang melao li tla eketsoa ho tokeneng ka litokelo tsena.
- Setshelo sa rona "poc-ubuntu-custom-sa" se sebakeng sa mabitso - kahoo ha re se sebeliseng ho tlama melao e fapaneng.
- Pheta mehato e fetileng:
a) Etsa Leano le ts'oanang la "default/" prefix ea bohlokoa.
b) Theha Karolo, e rehe "default-ns-role"
c) Hokela Leano Karolong eo. - Theha Melao e Tlamang (e khoneha feela ho tsoa ho cli/api)
consul acl binding-rule create
-method=auth-method-skywiz-consul-poc
-bind-type=role
-bind-name='default-ns-role'
-selector='serviceaccount.namespace=="default"'- Khutlela ho "poc-ubuntu-custom-sa" ea rona 'me u leke ho fumana tsela ea "default/" kv.
- Ha hoa fanoa ka tumello.
U ka sheba lintlha tse boletsoeng bakeng sa tokeneng ka 'ngoe ho UI tlas'a ACL > Tokens. Joalokaha u ka bona, letšoao la rona la hona joale le na le "custom-sa-role" e le 'ngoe feela e amanang le eona. Letšoao leo re le sebelisang hona joale le ile la hlahisoa ha re kena 'me ho ne ho e-na le molao o le mong feela o tlamang o neng o tšoana ka nako eo. Re hloka ho kena hape 'me re sebelise token e ncha. - Etsa bonnete ba hore u ka bala ho tsoa litseleng tsa "custom-sa/" le "default/" kv ka bobeli.
Katleho!
Sena ke hobane "poc-ubuntu-custom-sa" ea rona e lumellana le litlamo tsa "custom-sa" le "default-ns".
fihlela qeto e
TTL token mgmt?
Nakong ea ha ho ngoloa sena, ha ho na mokhoa o kopanetsoeng oa ho khetholla TTL bakeng sa li-tokens tse hlahisoang ke mokhoa ona oa tumello. E ka ba monyetla o motle oa ho fana ka boiketsetso bo sireletsehileng ba tumello ea Consul.
Ho na le khetho ea ho iketsetsa lets'oao le TTL:
Nako ea ho Felloa ke Nako - Nako eo letšoao lena le tla hlakoloa. (Ka boikhethelo; e kentsoe ho Consul 1.5.0)- E fumaneha feela bakeng sa ho iketsetsa / ntlafatso
Re tšepa hore haufinyane re tla khona ho laola hore na li-tokens li hlahisoa joang (ka molao kapa mokhoa oa tumello) le ho eketsa TTL.
Ho fihlela ka nako eo, ho khothaletsoa hore u sebelise ntlha ea ho tsoa ho logic ea hau.
Hape bala lingoliloeng tse ling ho blog ea rona:
Source: www.habr.com