Introducing shell-operator: creating operators for Kubernetes just got easier

Our blog already has articles about the capabilities of operators in Kubernetes and about how to write a simple operator yourself. This time we would like to present our Open Source solution, which takes the creation of operators to a very simple level: meet shell-operator!

Why?

The idea of shell-operator is quite simple: subscribe to events from Kubernetes objects, and when these events are received, launch an external program, passing it information about the event.

The need for it arose when, while operating clusters, small tasks began to appear that we really wanted to automate properly. All of these small tasks were solved with simple bash scripts, although, as you know, it is better to write operators in Golang. Obviously, investing in the full-scale development of an operator for each such small task would be ineffective.

An operator in 15 minutes

Let's look at an example of what can be automated in a Kubernetes cluster and how shell-operator can help. The example is the following: replicating a secret for access to a docker registry.

Pods that use images from a private registry must contain in their manifest a reference to a secret with the data for accessing the registry. This secret must be created in each namespace before the pods are created. This can be done by hand, but if we set up dynamic environments, a single application will have many namespaces. And if there are not 2-3 applications ... the number of secrets becomes very large. One more thing about secrets: I would like to change the key for accessing the registry from time to time. In the end, manual operations as a solution are completely ineffective: we need to automate the creation and updating of secrets.

Simple automation

Let's write a shell script that runs once every N seconds and checks the namespaces for the presence of the secret, and if there is no secret, it is created. The advantage of this solution is that it looks like a shell script in cron: a classic approach that everyone understands. The downside is that in the interval between its launches a new namespace can be created, and for some time it will remain without the secret, which will lead to errors when starting pods.

Automation with shell-operator

For our script to work correctly, the classic cron launch has to be replaced with a launch when a namespace is added: in that case the secret can be created before it is used. Let's see how to implement this with shell-operator.

First, let's look at the script. In shell-operator terms, scripts are called hooks. Every hook, when run with the --config flag, informs shell-operator about its bindings, i.e. about the events on which it should be launched. In our case we will use onKubernetesEvent:

#!/bin/bash
if [[ $1 == "--config" ]] ; then
cat <<EOF
{
"onKubernetesEvent": [
  { "kind": "namespace",
    "event":["add"]
  }
]}
EOF
fi

This states that we are interested in add events (add) for objects of type namespace.

Now you need to add the code that will be executed when the event occurs:

#!/bin/bash
if [[ $1 == "--config" ]] ; then
  # configuration
cat <<EOF
{
"onKubernetesEvent": [
{ "kind": "namespace",
  "event":["add"]
}
]}
EOF
else
  # reaction:
  # find out which namespace was created
  createdNamespace=$(jq -r '.[0].resourceName' "$BINDING_CONTEXT_PATH")
  # create the required secret in it
  kubectl create -n "${createdNamespace}" -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  ...
data:
  ...
EOF
fi

Great! The result is a small, neat script. To bring it to life, two steps remain: prepare an image and launch it in the cluster.

Preparing an image with the hook

If you look at the script, you can see that it uses the commands kubectl and jq. This means that the image must contain the following: our hook, shell-operator, which will watch for events and run the hook, and the commands used by the hook (kubectl and jq). hub.docker.com already has a ready-made image in which shell-operator, kubectl and jq are packaged. All that remains is to add the hook with a simple Dockerfile:

$ cat Dockerfile
FROM flant/shell-operator:v1.0.0-beta.1-alpine3.9
ADD namespace-hook.sh /hooks

$ docker build -t registry.example.com/my-operator:v1 . 
$ docker push registry.example.com/my-operator:v1

Running in the cluster

Let's look at the hook again and this time write down which actions it performs and on which objects in the cluster:

  1. it subscribes to namespace creation events;
  2. it creates a secret in namespaces other than the one where it is launched.

It turns out that the pod in which our image runs must have permissions to perform these actions. This can be done by creating a dedicated ServiceAccount. The permissions must be granted in the form of a ClusterRole and a ClusterRoleBinding, because we are interested in objects from the entire cluster.

The final description in YAML will look like this:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: monitor-namespaces-acc

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitor-namespaces
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "create", "patch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: monitor-namespaces
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: monitor-namespaces
subjects:
  - kind: ServiceAccount
    name: monitor-namespaces-acc
    namespace: example-monitor-namespaces

You can launch the built image as a simple Deployment:

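apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-operator
spec:
  # apps/v1 requires a selector that matches the pod template labels
  selector:
    matchLabels:
      app: my-operator
  template:
    metadata:
      labels:
        app: my-operator
    spec:
      containers:
      - name: my-operator
        image: registry.example.com/my-operator:v1
      serviceAccountName: monitor-namespaces-acc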

For convenience, a separate namespace is created in which shell-operator will be launched and to which the manifests above will be applied:

$ kubectl create ns example-monitor-namespaces
$ kubectl -n example-monitor-namespaces apply -f rbac.yaml
$ kubectl -n example-monitor-namespaces apply -f deployment.yaml

That's all: shell-operator will start, subscribe to namespace creation events and run the hook when needed.

Thus, a simple shell script has turned into a real operator for Kubernetes and works as part of the cluster. And all this without the complex process of developing operators in Golang.

There is another illustration on this subject...

We will reveal its meaning in more detail in one of the following publications.

Filtering

Tracking objects is good, but there is often a need to react to changes in particular properties of an object, for example a change in the number of replicas in a Deployment or a change in the labels of an object.

When an event arrives, shell-operator receives the JSON manifest of the object. We can select the properties that interest us in this JSON and run the hook only when they change. There is a jqFilter field for this, in which you specify the jq expression that will be applied to the JSON manifest.

For example, to react to changes in the labels of Deployment objects, you need to filter the labels field out of the metadata field. The configuration will look like this:

cat <<EOF
{
"onKubernetesEvent": [
{ "kind": "deployment",
  "event":["update"],
  "jqFilter": ".metadata.labels"
}
]}
EOF

This jqFilter expression turns the long JSON manifest of the Deployment into a short JSON with the labels.

shell-operator will run the hook only when this short JSON changes, and changes to other properties will be ignored.
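The comparison described above can be modelled in a few lines of shell. This is an added example, not shell-operator's own code; the filter is the one from the configuration above and the stream of manifests is constructed. The first manifest is taken as the baseline, and each later update prints run or skip.

```shell
#!/bin/sh
# Added example: a model of the jqFilter comparison, not shell-operator code.
# The event stream in sample_events is constructed sample data.
FILTER='.metadata.labels'

# Successive manifests of one Deployment: baseline, then three updates.
sample_events() {
  cat <<'EOF'
{"metadata":{"name":"web","labels":{"app":"web"}},"spec":{"replicas":2}}
{"metadata":{"name":"web","labels":{"app":"web"}},"spec":{"replicas":5}}
{"metadata":{"name":"web","labels":{"app":"web","tier":"front"}},"spec":{"replicas":5}}
{"metadata":{"labels":{"tier":"front","app":"web"},"name":"web"},"spec":{"replicas":5}}
EOF
}

# Read one manifest per line. For every update after the baseline print
# "run" if the filtered JSON differs from the previous one, else "skip".
decide() {
  prev=""
  first=1
  while IFS= read -r manifest; do
    # -c gives compact output, -S sorts keys: in this model a mere
    # reordering of the labels yields the same checksum.
    sum=$(printf '%s' "$manifest" | jq -cS "$FILTER" | cksum)
    if [ "$first" = 1 ]; then
      first=0
    elif [ "$sum" = "$prev" ]; then
      echo skip
    else
      echo run
    fi
    prev=$sum
  done
}

sample_events | decide
```

Only the third manifest, where a label is added, leads to a run; the replicas change and the reordered keys are skipped.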

Hook launch context

The hook configuration lets you specify several event options, for example 2 options for events from Kubernetes and 2 schedules:

{"onKubernetesEvent":[
  {"name":"OnCreatePod",
  "kind": "pod",
  "event":["add"]
  },
  {"name":"OnModifiedNamespace",
  "kind": "namespace",
  "event":["update"],
  "jqFilter": ".metadata.labels"
  }
],
"schedule": [
  {"name":"every 10 min",
  "crontab":"0 */10 * * * *"
  },
  {"name":"on Mondays at 12:10",
  "crontab": "0 10 12 * * 1"
  }
]}

A small digression: yes, shell-operator supports running scripts in the crontab style. More details can be found in the documentation.

To distinguish why the hook was launched, shell-operator creates a temporary file and passes the path to it to the hook in the variable BINDING_CONTEXT_PATH. The file contains a JSON description of the reason for running the hook. For example, every 10 minutes the hook will run with the following content:

[{ "binding": "every 10 min"}]

... and on Monday it will be launched with this:

[{ "binding": "every 10 min"}, { "binding": "on Mondays at 12:10"}]

For onKubernetesEvent triggers the JSON will be larger, because it contains a description of the object:

[
 {
 "binding": "onCreatePod",
 "resourceEvent": "add",
 "resourceKind": "pod",
 "resourceName": "foo",
 "resourceNamespace": "bar"
 }
]

The contents of the fields can be understood from their names, and more details can be read in the documentation. An example of getting the resource name from the resourceName field using jq has already been shown in the hook that replicates secrets:

jq -r '.[0].resourceName' "$BINDING_CONTEXT_PATH"

You can get the other fields in the same way.
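As an added example (not code from the original article or from the shell-operator project), here is one way to write the secret-replicating hook so that it walks every entry of the binding context instead of only .[0], checks resourceName before it reaches kubectl, and re-applies the secret on a schedule so that a rotated key propagates. SOURCE_NS, SECRET_NAME and the binding names OnCreateNamespace and resync are assumptions.

```shell
#!/bin/sh
# Added example, not project code. SOURCE_NS, SECRET_NAME and the binding
# names OnCreateNamespace / resync are assumed for illustration.
export LC_ALL=C
SOURCE_NS="${SOURCE_NS:-example-monitor-namespaces}"
SECRET_NAME="${SECRET_NAME:-registry-credentials}"

hook_config() {
  cat <<EOF
{"onKubernetesEvent": [{"name": "OnCreateNamespace", "kind": "namespace", "event": ["add"]}],
 "schedule": [{"name": "resync", "crontab": "0 */10 * * * *"}]}
EOF
}

# Accept only DNS-label names, so a value read from the context file can
# never reach kubectl as an option, a path or shell syntax.
valid_namespace() {
  case "$1" in
    ''|-*|*-|*[!a-z0-9-]*) return 1 ;;
  esac
  [ "${#1}" -le 63 ]
}

# Copy the source secret into namespace $1, keeping only portable fields.
replicate_secret() {
  valid_namespace "$1" || { echo "skipping invalid name: $1" >&2; return 0; }
  [ "$1" != "$SOURCE_NS" ] || return 0
  kubectl -n "$SOURCE_NS" get secret "$SECRET_NAME" -o json |
    jq '{apiVersion, kind, type, data, metadata: {name: .metadata.name}}' |
    kubectl -n "$1" apply -f -
}

# $1 = binding name, $2 = resourceName (empty for schedule bindings)
handle_entry() {
  case "$1" in
    OnCreateNamespace) replicate_secret "$2" ;;
    resync) for ns in $(kubectl get namespaces -o name); do
              replicate_secret "${ns#namespace/}"; done ;;
  esac
}

main() {
  if [ "${1:-}" = "--config" ]; then hook_config; return 0; fi
  [ -r "${BINDING_CONTEXT_PATH:-}" ] || return 0   # not started by shell-operator
  # One context file can carry several entries: handle each, not just .[0].
  jq -r '.[] | [.binding, .resourceName // ""] | @tsv' "$BINDING_CONTEXT_PATH" |
    while IFS="$(printf '\t')" read -r binding name; do
      handle_entry "$binding" "$name" </dev/null
    done
}
main "$@"
```

The verbs this hook needs (get, create and patch on secrets; list on namespaces) are the ones granted by the ClusterRole shown earlier.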

What's next?

In the project repository, in the /examples directory, there are examples of hooks that are ready to run in a cluster. When writing your own hooks, you can use them as a basis.

There is support for collecting metrics with Prometheus: the available metrics are described in the METRICS section.

As you might guess, shell-operator is written in Go and distributed under an Open Source license (Apache 2.0). We will be grateful for any help in developing the project on GitHub: stars, issues and pull requests.

Lifting the veil of secrecy, we will also tell you that shell-operator is a small part of our system that can keep the add-ons installed in a Kubernetes cluster up to date and perform various automatic actions. This system was described in more detail literally on Monday at HighLoad++ 2019 in St. Petersburg; we will soon publish the video and the transcript of that talk.

We plan to open up the rest of this system: addon-operator and our collection of hooks and modules. By the way, addon-operator is already available on GitHub, but its documentation is still on the way. The release of the collection of modules is planned for the summer.

Stay tuned!

Source: www.habr.com