The ABC of Security in Kubernetes: Authentication, Authorization, Auditing

Sooner or later, in the operation of any system, the question of security comes up: providing authentication, separating privileges, auditing, and other tasks. Many solutions have already been built for Kubernetes that let you meet compliance standards even in very demanding environments... This material, by contrast, is devoted to the basic security aspects implemented in the built-in mechanisms of K8s. First of all, it will be useful to those who are just getting acquainted with Kubernetes, as a starting point for studying security-related questions.

Authentication

There are two types of users in Kubernetes:

  • Service Accounts - accounts managed by the Kubernetes API;
  • Users - "normal" users managed by external, independent services.

The main difference between these types is that Service Accounts have dedicated objects in the Kubernetes API (they are called just that, ServiceAccounts), which are bound to a namespace and to a set of authorization data stored in the cluster in objects of type Secret. Such users (Service Accounts) are intended mainly for managing the access rights to the Kubernetes API of processes running inside the Kubernetes cluster.

Normal users have no objects in the Kubernetes API: they must be managed by external mechanisms. They are intended for people or processes living outside the cluster.

Every API request is associated either with a Service Account, or with a User, or is treated as anonymous.

The authentication data of a user includes:

  • username - the user name (case-sensitive!);
  • UID - a machine-readable user identifier string that is "more consistent and unique than the username";
  • groups - the list of groups the user belongs to;
  • extra - additional fields that can be used by the authorization mechanism.

Kubernetes can use a large number of authentication mechanisms: X509 certificates, Bearer tokens, an authenticating proxy, HTTP Basic Auth. Using these mechanisms, you can implement a large number of schemes: from a static file with passwords to OpenID OAuth2.

Moreover, several authentication schemes can be used simultaneously. By default, a cluster uses:

  • service account tokens - for Service Accounts;
  • X509 - for Users.

Managing ServiceAccounts is beyond the scope of this article, but for those who want to get acquainted with the topic in more detail, I recommend starting with the official documentation pages. We will take a closer look at how X509 certificates work.

User certificates (X.509)

The classic way of working with certificates involves:

  • generating a key:
    mkdir -p ~/.certs/
    openssl genrsa -out ~/.certs/mynewuser.key 2048
  • creating a certificate signing request:
    openssl req -new -key ~/.certs/mynewuser.key -out ~/.certs/mynewuser.csr -subj "/CN=mynewuser/O=company"
  • signing the request with the Kubernetes cluster CA key, which produces the user certificate (to do this you need an account with access to the cluster's CA key, which by default is located at /etc/kubernetes/pki/ca.key):
    openssl x509 -req -in ~/.certs/mynewuser.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out ~/.certs/mynewuser.crt -days 500
  • creating the configuration file:
    • the cluster description (specify the address and the location of the CA certificate file of the particular cluster installation):
      kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --server=https://192.168.100.200:6443
    • or the not recommended option: do not specify the root certificate at all (kubectl will then not verify that it is talking to the cluster's real api-server):
      kubectl config set-cluster kubernetes --insecure-skip-tls-verify=true --server=https://192.168.100.200:6443
    • adding the user to the configuration file:
      kubectl config set-credentials mynewuser --client-certificate=$HOME/.certs/mynewuser.crt --client-key=$HOME/.certs/mynewuser.key
    • adding a context:
      kubectl config set-context mynewuser-context --cluster=kubernetes --namespace=target-namespace --user=mynewuser
    • selecting the default context:
      kubectl config use-context mynewuser-context

After applying the above, a configuration like the following will be created in the .kube/config file:

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/pki/ca.crt
    server: https://192.168.100.200:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: target-namespace
    user: mynewuser
  name: mynewuser-context
current-context: mynewuser-context
kind: Config
preferences: {}
users:
- name: mynewuser
  user:
    client-certificate: /home/mynewuser/.certs/mynewuser.crt
    client-key: /home/mynewuser/.certs/mynewuser.key

To make it easier to move the configuration between accounts and servers, it is useful to edit the values of the following keys:

  • certificate-authority
  • client-certificate
  • client-key

To do this, you can base64-encode the files they point to and put the result into the configuration, adding the suffix -data to the key names, i.e. obtaining certificate-authority-data and so on.
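
The following is an added example, not code from the original article: it renders the same kubeconfig as above with the certificate material embedded as base64 "*-data" keys, and it checks a kubeconfig for the not recommended insecure-skip-tls-verify setting. The user name, namespace, server address and file names are the ones from the walkthrough; the PEM contents are constructed placeholders.

```python
import base64
import re

# Added example, not code from the original article: render a portable kubeconfig with
# the certificate material embedded as base64 "*-data" keys, and check a kubeconfig for
# the "not recommended" insecure-skip-tls-verify setting from the walkthrough above.
# The user, namespace, server address and file names are the ones used in the article;
# the PEM contents in __main__ are constructed placeholders.


def to_data_field(pem: bytes) -> str:
    """Encode file contents the way kubectl stores them in *-data keys: single-line base64."""
    return base64.b64encode(pem).decode("ascii")


def build_embedded_kubeconfig(ca_pem: bytes, client_crt: bytes, client_key: bytes,
                              server: str, user: str, namespace: str,
                              cluster: str = "kubernetes") -> str:
    """Equivalent of the article's kubeconfig, but with certificate-authority-data,
    client-certificate-data and client-key-data instead of paths, so the single file
    can be copied to another account or host without the .certs directory."""
    context = f"{user}-context"
    return (
        "apiVersion: v1\n"
        "kind: Config\n"
        "preferences: {}\n"
        "clusters:\n"
        f"- name: {cluster}\n"
        "  cluster:\n"
        f"    certificate-authority-data: {to_data_field(ca_pem)}\n"
        f"    server: {server}\n"
        "contexts:\n"
        f"- name: {context}\n"
        "  context:\n"
        f"    cluster: {cluster}\n"
        f"    namespace: {namespace}\n"
        f"    user: {user}\n"
        f"current-context: {context}\n"
        "users:\n"
        f"- name: {user}\n"
        "  user:\n"
        f"    client-certificate-data: {to_data_field(client_crt)}\n"
        f"    client-key-data: {to_data_field(client_key)}\n"
    )


INSECURE_FLAG = re.compile(r"^\s*insecure-skip-tls-verify:\s*true\s*$", re.MULTILINE)
CA_KEY = re.compile(r"^\s*certificate-authority(-data)?:\s*\S", re.MULTILINE)


def kubeconfig_findings(kubeconfig_text: str) -> list:
    """Problems a reviewer would flag: TLS verification disabled (the api-server's
    identity is never checked, so the client certificate and key are presented to
    whoever answers at that address), or no CA configured for the cluster at all.
    Returns an empty list for a clean file."""
    findings = []
    if INSECURE_FLAG.search(kubeconfig_text):
        findings.append("insecure-skip-tls-verify is true: the api-server identity is not verified")
    if not CA_KEY.search(kubeconfig_text):
        findings.append("no certificate-authority / certificate-authority-data for the cluster")
    return findings


if __name__ == "__main__":
    # Constructed placeholder PEM material; real files come from the openssl steps above.
    cfg = build_embedded_kubeconfig(b"-----BEGIN CERTIFICATE-----\nCA\n-----END CERTIFICATE-----\n",
                                    b"-----BEGIN CERTIFICATE-----\nUSER\n-----END CERTIFICATE-----\n",
                                    b"-----BEGIN RSA PRIVATE KEY-----\nKEY\n-----END RSA PRIVATE KEY-----\n",
                                    "https://192.168.100.200:6443", "mynewuser", "target-namespace")
    print(cfg)
    print("findings:", kubeconfig_findings(cfg))
```

kubectl can produce the same embedded form itself when the `--embed-certs=true` flag is passed to `kubectl config set-cluster` and `kubectl config set-credentials`; the script above is useful when the kubeconfig is assembled on a host where kubectl is not installed, and the findings check is the kind of lint worth running over every kubeconfig that is handed out.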

Certificates with kubeadm

Since the release of Kubernetes 1.15, working with certificates has become much simpler thanks to the alpha version of its support in the kubeadm utility. For example, here is what generating a configuration file with a user's keys looks like now:

kubeadm alpha kubeconfig user --client-name=mynewuser --apiserver-advertise-address 192.168.100.200

NB: The required advertise address can be found in the api-server configuration, which by default is located at /etc/kubernetes/manifests/kube-apiserver.yaml.

The resulting configuration is printed to stdout. It should be saved to ~/.kube/config of the user account or to the file specified in the KUBECONFIG environment variable.

Digging deeper

For those who want to understand the questions described here in more detail:

Authorization

By default, an authenticated account has no rights to operate in the cluster. To grant permissions, Kubernetes uses an authorization mechanism.

Before version 1.6, Kubernetes used an authorization type called ABAC (Attribute-based access control). Details about it can be found in the official documentation. This approach is now considered legacy, but you can still use it alongside other authorization types.

The current (and more flexible) way of separating access rights to the cluster is called RBAC (Role-based access control). It has been declared stable since Kubernetes version 1.8. RBAC uses a permission model in which everything that is not explicitly allowed is denied.

For RBAC to work, the Kubernetes api-server must be started with the parameter --authorization-mode=RBAC. The parameters are set in the manifest with the api-server configuration, which by default is located at /etc/kubernetes/manifests/kube-apiserver.yaml, in the command section. However, RBAC is already enabled by default, so you most likely do not need to worry about it: you can verify this by the value of authorization-mode (in the already mentioned kube-apiserver.yaml). By the way, its value may also list other authorization types (node, webhook, always allow), but we will leave their consideration outside the scope of this material.

By the way, we have already published an article with a detailed description of the principles and specifics of working with RBAC, so here I will limit myself to a short list of the basics and examples.

The following API entities are used to control access to Kubernetes via RBAC:

  • Role and ClusterRole - roles that describe access rights:
    • Role allows you to describe rights within a namespace;
    • ClusterRole - within the whole cluster, including cluster-wide objects such as nodes and non-resource URLs (i.e. ones not tied to Kubernetes resources, for example /version, /logs, /api*);
  • RoleBinding and ClusterRoleBinding - used to bind a Role or ClusterRole to a user, a group of users or a ServiceAccount.

Role and RoleBinding entities are limited to a namespace, i.e. they must be in the same namespace. However, a RoleBinding may refer to a ClusterRole, which allows you to create a set of generic permissions and control access by reusing them.

Roles describe rights using sets of rules that contain:

  • API groups - see the official documentation on apiGroups and the output of kubectl api-resources;
  • resources (resources: pod, namespace, deployment, and so on);
  • verbs (verbs: set, update, and so on);
  • resource names (resourceNames) - for the case when access needs to be granted to a specific resource and not to all resources of that type.

A more detailed analysis of authorization in Kubernetes can be found on the official documentation page. Instead (or rather, in addition), I will give examples illustrating how it works.

Examples of RBAC entities

A simple Role that allows you to get the list and status of pods and watch them in the target-namespace namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: target-namespace
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

Example: a ClusterRole that allows you to get, list and watch secrets across the whole cluster:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # there is no "namespace" section, since a ClusterRole applies to the whole cluster
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

Example: a RoleBinding that allows the user mynewuser to "read" pods in the target-namespace namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: target-namespace
subjects:
- kind: User
  name: mynewuser # the user name is case-sensitive!
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role # must be "Role" or "ClusterRole"
  name: pod-reader # the name of the Role located in the same namespace,
                   # or the name of the ClusterRole whose use
                   # we want to allow for the user
  apiGroup: rbac.authorization.k8s.io
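
To make the deny-by-default model and the namespace scoping of bindings concrete, here is an added example that is not the article's code and not the api-server's authorizer: a small offline evaluator that decides requests against the pod-reader Role, the secret-reader ClusterRole and the read-pods RoleBinding from the manifests above, plus one constructed RoleBinding (read-secrets-here) that reuses the ClusterRole inside target-namespace. The user name, namespace and group values are assumptions taken from the article.

```python
# Added example (not the article's own code and not kube-apiserver's authorizer): an
# offline model of how Kubernetes RBAC decides a request, using the Role, ClusterRole
# and RoleBinding from the article plus one constructed RoleBinding that references the
# ClusterRole. It reproduces the deny-by-default model: a request is allowed only if some
# binding for the subject refers to a role with a rule that matches it.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)


@dataclass
class Role:
    name: str
    rules: List[Rule]
    namespace: Optional[str] = None   # None means ClusterRole


@dataclass
class Binding:
    role: Role
    users: List[str] = field(default_factory=list)
    groups: List[str] = field(default_factory=list)
    namespace: Optional[str] = None   # None means ClusterRoleBinding


@dataclass
class Request:
    user: str
    groups: List[str]
    verb: str
    resource: str
    namespace: Optional[str] = None   # None for cluster-scoped resources
    api_group: str = ""               # "" is the core group
    name: Optional[str] = None


def _rule_matches(rule: Rule, req: Request) -> bool:
    def ok(allowed, value):
        return "*" in allowed or value in allowed
    if not (ok(rule.api_groups, req.api_group) and ok(rule.resources, req.resource)
            and ok(rule.verbs, req.verb)):
        return False
    # resourceNames narrows the rule to specific objects; an empty list means all of them
    return not rule.resource_names or req.name in rule.resource_names


def _binding_applies(b: Binding, req: Request) -> bool:
    if req.user not in b.users and not set(req.groups) & set(b.groups):
        return False
    if b.namespace is None:
        return True          # ClusterRoleBinding: every namespace and cluster scope
    # RoleBinding: only requests inside its own namespace, even when it names a ClusterRole
    return req.namespace == b.namespace


def is_allowed(bindings: List[Binding], req: Request) -> bool:
    """Deny by default: True only when a matching binding's role has a matching rule."""
    return any(_binding_applies(b, req) and any(_rule_matches(r, req) for r in b.role.rules)
               for b in bindings)


# Entities from the article
pod_reader = Role("pod-reader", [Rule([""], ["pods"], ["get", "watch", "list"])],
                  namespace="target-namespace")
secret_reader = Role("secret-reader", [Rule([""], ["secrets"], ["get", "watch", "list"])])
read_pods = Binding(pod_reader, users=["mynewuser"], namespace="target-namespace")
# Constructed for this example: a RoleBinding that reuses the ClusterRole in one namespace only
read_secrets_here = Binding(secret_reader, users=["mynewuser"], namespace="target-namespace")
BINDINGS = [read_pods, read_secrets_here]


def check(verb: str, resource: str, namespace: str, user: str = "mynewuser") -> bool:
    return is_allowed(BINDINGS, Request(user, ["system:authenticated"], verb, resource, namespace))


if __name__ == "__main__":
    for verb, res, ns in [("list", "pods", "target-namespace"), ("delete", "pods", "target-namespace"),
                          ("list", "pods", "kube-system"), ("get", "secrets", "target-namespace"),
                          ("get", "secrets", "kube-system")]:
        print(f"{verb:6} {res:8} in {ns:17}: {'allowed' if check(verb, res, ns) else 'denied'}")
```

Against a live cluster the same questions are answered by `kubectl auth can-i`, which asks the api-server's real authorizer; the model above is only for reasoning about manifests before they are applied.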

Event auditing

Schematically, the Kubernetes architecture can be represented as follows:

[architecture diagram]

The key Kubernetes component responsible for processing requests is the api-server. All operations in the cluster pass through it. You can read more about these internal mechanisms in the article "What happens in Kubernetes when you run kubectl run?".

Auditing is an interesting feature of Kubernetes that is disabled by default. It lets you log all calls to the Kubernetes API. As you might guess, all actions related to monitoring and changing the state of the cluster are performed through this API. A good description of its capabilities can (as usual) be found in the official K8s documentation. Below, I will try to present the topic in simpler language.

So, to enable auditing, we need to pass three required parameters to the api-server container, described in more detail below:

  • --audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml
  • --audit-log-path=/var/log/kube-audit/audit.log
  • --audit-log-format=json

In addition to these three required parameters, there are many additional settings related to auditing: from log rotation to webhook descriptions. An example of log rotation parameters:

  • --audit-log-maxbackup=10
  • --audit-log-maxsize=100
  • --audit-log-maxage=7

But we will not dwell on them in more detail: all the details can be found in the kube-apiserver documentation.

As already mentioned, all parameters are set in the manifest with the api-server configuration (by default /etc/kubernetes/manifests/kube-apiserver.yaml), in the command section. Let's return to the 3 required parameters and analyze them:

  1. audit-policy-file - the path to the YAML file describing the audit policy. We will return to its contents later; for now I will note that the file must be readable by the api-server process. Therefore it has to be mounted into the container, for which you can add the following to the corresponding sections of the configuration:
      volumeMounts:
        - mountPath: /etc/kubernetes/policies
          name: policies
          readOnly: true
      volumes:
      - hostPath:
          path: /etc/kubernetes/policies
          type: DirectoryOrCreate
        name: policies
  2. audit-log-path - the path to the log file. The path must be accessible to the api-server process, so we describe its mount in the same way:
      volumeMounts:
        - mountPath: /var/log/kube-audit
          name: logs
          readOnly: false
      volumes:
      - hostPath:
          path: /var/log/kube-audit
          type: DirectoryOrCreate
        name: logs
  3. audit-log-format - the format of the audit log. The default is json, but the legacy text format (legacy) is also available.
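
With the three parameters above in place, the api-server writes one audit.k8s.io Event as a JSON object per line to the log file. The following is an added example, not from the article: a small consumer for that log that skips duplicate stages and flags two constructed conditions (successful Secret reads by a non-system user, and successful resource requests made anonymously). The log lines are constructed for the example; the field names are those of the audit Event format, and the detection rules are illustrative choices rather than a standard.

```python
import json

# Added example, not from the article: a minimal consumer for the JSON audit log that
# --audit-log-path / --audit-log-format=json produce (one audit.k8s.io Event per line).
# The log lines below are constructed for this example; the two detection rules are
# illustrative choices: successful Secret reads by a user outside system:*, and
# successful resource requests made by system:anonymous.

SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "auditID": "a1",
     "stage": "ResponseComplete", "requestURI": "/api/v1/namespaces/target-namespace/pods",
     "verb": "list", "user": {"username": "mynewuser", "groups": ["system:authenticated"]},
     "objectRef": {"resource": "pods", "namespace": "target-namespace"},
     "responseStatus": {"code": 200}},
    # the same request appears once per stage; only ResponseComplete carries the status
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "auditID": "a2",
     "stage": "RequestReceived", "requestURI": "/api/v1/namespaces/target-namespace/secrets/db-password",
     "verb": "get", "user": {"username": "mynewuser", "groups": ["system:authenticated"]},
     "objectRef": {"resource": "secrets", "namespace": "target-namespace", "name": "db-password"}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "auditID": "a2",
     "stage": "ResponseComplete", "requestURI": "/api/v1/namespaces/target-namespace/secrets/db-password",
     "verb": "get", "user": {"username": "mynewuser", "groups": ["system:authenticated"]},
     "objectRef": {"resource": "secrets", "namespace": "target-namespace", "name": "db-password"},
     "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "auditID": "a3",
     "stage": "ResponseComplete", "requestURI": "/api/v1/namespaces/kube-system/secrets/token",
     "verb": "get", "user": {"username": "system:kube-controller-manager", "groups": []},
     "objectRef": {"resource": "secrets", "namespace": "kube-system", "name": "token"},
     "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "auditID": "a4",
     "stage": "ResponseComplete", "requestURI": "/api/v1/namespaces/default/pods",
     "verb": "list", "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "objectRef": {"resource": "pods", "namespace": "default"},
     "responseStatus": {"code": 403}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "auditID": "a5",
     "stage": "ResponseComplete", "requestURI": "/healthz", "verb": "get",
     "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "auditID": "a6",
     "stage": "ResponseComplete", "requestURI": "/api/v1/namespaces/default/pods",
     "verb": "list", "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "objectRef": {"resource": "pods", "namespace": "default"},
     "responseStatus": {"code": 200}},
])


def parse_audit_log(text: str) -> list:
    """One JSON object per line; a truncated line (e.g. the last one during rotation) is skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_suspicious(events: list) -> list:
    """Return (auditID, rule, username, detail) tuples for events matching the two rules."""
    findings = []
    for e in events:
        if e.get("stage") != "ResponseComplete":
            continue   # count each request once, at the stage that carries the response status
        user = e.get("user", {}).get("username", "")
        ref = e.get("objectRef") or {}   # absent for non-resource URLs such as /healthz
        code = e.get("responseStatus", {}).get("code", 0)
        if ref.get("resource") == "secrets" and not user.startswith("system:") and code < 400:
            findings.append((e["auditID"], "secret-read", user,
                             f"{ref.get('namespace')}/{ref.get('name')}"))
        if user == "system:anonymous" and ref and code < 400:
            findings.append((e["auditID"], "anonymous-resource-access", user, e.get("requestURI")))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_audit_log(SAMPLE_LOG)):
        print(finding)
```

The a4 event (anonymous request answered with 403) is what a correctly configured RBAC setup produces and is not flagged; a6 is the same request answered with 200 and is the case worth alerting on, since it means an anonymous subject has been bound to a role.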

Audit policy

Now about the file describing the logging policy that was mentioned above. The first concept of the audit policy is level, the logging level. The levels are as follows:

  • None - do not log;
  • Metadata - log the request metadata: user, request time, target resource (pod, namespace, etc.), type of action (verb), etc.;
  • Request - log the metadata and the request body;
  • RequestResponse - log the metadata, the request body and the response body.

The last two levels (Request and RequestResponse) do not log requests that did not access resources (access to so-called non-resource URLs).

Also, every request passes through several stages:

  • RequestReceived - the stage when the request has been received by the handler but has not yet been passed further along the chain of handlers;
  • ResponseStarted - the response headers have been sent, but the response body has not been sent yet. Generated for long-running requests (for example, watch);
  • ResponseComplete - the response body has been sent, no more information will be sent;
  • Panic - events generated when an abnormal situation is detected.

You can skip any of the stages using omitStages.

In the policy file we can describe several sections with different logging levels. The first matching rule found in the policy description is the one applied.

The kubelet daemon monitors changes to the manifest with the api-server configuration and, if any are detected, restarts the api-server container. But there is an important nuance: changes to the policy file are ignored by it. After changing the policy file, you will need to restart the api-server manually. Since the api-server runs as a static pod, the kubectl delete command will not cause it to restart. You will have to manually run docker stop on the kube-masters where the audit policy has been changed:

docker stop $(docker ps | grep k8s_kube-apiserver | awk '{print $1}')

When enabling auditing, it is important to remember that the load on kube-apiserver increases. In particular, memory consumption for storing the request context increases. Logging begins only after the response header has been sent. The load also depends on the audit policy configuration.

Policy examples

Let's look at the structure of policy files using examples.

Here is a simple policy file that logs everything at the Metadata level:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata

In the policy you can specify a list of users (Users and ServiceAccounts) and user groups. For example, this is how we ignore system users but log everything else at the Request level:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: None
    userGroups:
      - "system:serviceaccounts"
      - "system:nodes"
    users:
      - "system:anonymous"
      - "system:apiserver"
      - "system:kube-controller-manager"
      - "system:kube-scheduler"
  - level: Request

It is also possible to specify targets:

  • namespaces (namespaces);
  • verbs (verbs: get, update, delete and others);
  • resources (resources, i.e. pod, configmaps, etc.) and resource groups (apiGroups).

Note! Resources and resource groups (API groups, i.e. apiGroups), as well as their versions installed in the cluster, can be found using the commands:

kubectl api-resources
kubectl api-versions

The following audit policy is given as an illustration of best practices in the Alibaba Cloud documentation:

apiVersion: audit.k8s.io/v1beta1
kind: Policy
# Do not log the RequestReceived stage
omitStages:
  - "RequestReceived"
rules:
  # Do not log events considered insignificant and not dangerous:
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: "" # this is the API group with the empty name, to which the
                  # basic Kubernetes resources belong (called "core")
        resources: ["endpoints", "services"]
  - level: None
    users: ["system:unsecured"]
    namespaces: ["kube-system"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["configmaps"]
  - level: None
    users: ["kubelet"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    users:
      - system:kube-controller-manager
      - system:kube-scheduler
      - system:serviceaccount:kube-system:endpoint-controller
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: "" # core
        resources: ["endpoints"]
  - level: None
    users: ["system:apiserver"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["namespaces"]
  # Do not log requests to read-only URLs:
  - level: None
    nonResourceURLs:
      - /healthz*
      - /version
      - /swagger*
  # Do not log messages related to the "events" resource type:
  - level: None
    resources:
      - group: "" # core
        resources: ["events"]
  # Resources of type Secret, ConfigMap and TokenReview may contain secret data,
  # so we log only the metadata of the requests related to them
  - level: Metadata
    resources:
      - group: "" # core
        resources: ["secrets", "configmaps"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
  # Responses to get, list and watch can be large; log the request but not the response body
  - level: Request
    verbs: ["get", "list", "watch"]
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default logging level for the standard API resources
  - level: RequestResponse
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default logging level for all other requests
  - level: Metadata
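
Because the first matching rule wins, the order of rules in a policy like the one above decides what ends up in the log; the Secret rule must sit before the broad "log reads at Request" rule or Secret bodies are written to disk. The following is an added example, not the article's code and not kube-apiserver's implementation: an offline model of the matching rules (first match, omitStages, user and group filters, resource versus non-resource rules) applied to a constructed subset of the policies shown in this section. The policy dictionary and the request values are assumptions built for the example.

```python
from fnmatch import fnmatchcase

# Added example (not the article's code and not kube-apiserver's implementation): an offline
# model of how the api-server picks the audit level for a request from a Policy. Rules are
# tried in order and the first match wins; a stage listed in omitStages is not logged at all;
# no matching rule means the request is not logged. The policy below is a constructed subset
# of the examples in this section and is not a recommendation by itself.

POLICY = {
    "omitStages": ["RequestReceived"],
    "rules": [
        {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
         "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
        {"level": "None", "nonResourceURLs": ["/healthz*", "/version"]},
        {"level": "None", "userGroups": ["system:nodes"]},
        # Secret-bearing resources: metadata only, and this rule must precede the read rule
        {"level": "Metadata",
         "resources": [{"group": "", "resources": ["secrets", "configmaps"]},
                       {"group": "authentication.k8s.io", "resources": ["tokenreviews"]}]},
        {"level": "Request", "verbs": ["get", "list", "watch"],
         "resources": [{"group": ""}, {"group": "apps"}]},
        {"level": "RequestResponse", "resources": [{"group": ""}, {"group": "apps"}]},
        {"level": "Metadata"},   # catch-all for everything else
    ],
}


def _resource_matches(rule: dict, req: dict) -> bool:
    """A rule with 'resources' matches only resource requests whose group (and, if listed,
    resource) appear in it; a rule with 'nonResourceURLs' matches only non-resource requests
    (a trailing '*' is a prefix match); a rule with neither matches both kinds."""
    if "resources" in rule:
        if "resource" not in req:
            return False
        for entry in rule["resources"]:
            if entry.get("group", "") == req.get("group", "") and \
               ("resources" not in entry or req["resource"] in entry["resources"]):
                return True
        return False
    if "nonResourceURLs" in rule:
        return "resource" not in req and \
            any(fnmatchcase(req.get("url", ""), pattern) for pattern in rule["nonResourceURLs"])
    return True


def _rule_matches(rule: dict, req: dict) -> bool:
    if "users" in rule and req["user"] not in rule["users"]:
        return False
    if "userGroups" in rule and not set(req.get("groups", [])) & set(rule["userGroups"]):
        return False
    if "verbs" in rule and req["verb"] not in rule["verbs"]:
        return False
    if "namespaces" in rule and req.get("namespace") not in rule["namespaces"]:
        return False
    return _resource_matches(rule, req)


def audit_level(policy: dict, req: dict, stage: str = "ResponseComplete") -> str:
    """Level at which this request/stage is logged; 'None' when it is not logged."""
    if stage in policy.get("omitStages", []):
        return "None"
    for rule in policy["rules"]:
        if _rule_matches(rule, req):
            return rule["level"]
    return "None"


if __name__ == "__main__":
    me = {"user": "mynewuser", "groups": ["system:authenticated"]}
    for req in [{**me, "verb": "get", "resource": "secrets", "group": "", "namespace": "target-namespace"},
                {**me, "verb": "get", "resource": "pods", "group": ""},
                {**me, "verb": "create", "resource": "deployments", "group": "apps"},
                {"user": "system:anonymous", "verb": "get", "url": "/healthz"}]:
        print(req.get("resource") or req.get("url"), "->", audit_level(POLICY, req))
```

A useful way to use such a model is to run it over the requests you most care about (Secret reads, RBAC changes, exec into pods) before deploying a policy and confirm each lands at the level you expect; a rule placed too late in the file is silent, not an error.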

Another good example of an audit policy is the profile used in GCE.

To respond quickly to audit events, a webhook can be described. This topic is covered in the official documentation; I will leave it outside the scope of this article.

Summary

This article gives an overview of the basic security mechanisms in Kubernetes clusters that allow you to create personalized user accounts, separate their rights and record their actions. I hope it will be useful to those who face such questions in theory or in practice. I also recommend reading the list of other materials on the topic of Kubernetes security given in the "PS": perhaps among them you will find the details you need on the problems relevant to you.

PS

Read also on our blog:

source: www.habr.com
