So, after the release
In this tutorial we will build, step by step,
Overview
If we go to
Diagram 1: The official overview of the Consul authorization method
Let's look inside
Sure, there is useful information there, but no guide on how to use it all together. So, like any sensible person, you search the Internet for a guide. And then... you come up empty. It happens. Let's fix that.
Before we move on to building our POC, let's return to the general overview of Consul authorization methods (Diagram 1) and refine it in the context of Kubernetes.
Architecture
In this tutorial we will run a Consul server on a separate machine that communicates with a Kubernetes cluster on which the Consul client is installed. We will then create a dummy application in a pod and use the authorization method we configure to read from our Consul key/value store.
The diagram below describes the architecture we are building in this tutorial, as well as the logic behind the authorization method, which is explained later.
Diagram 2: Kubernetes Authorization Method Overview
Quick note: the Consul server does not have to live outside the Kubernetes cluster for this to work. It can be done either way.
So, taking the Consul overview diagram (Diagram 1) and applying Kubernetes to it, we get the diagram above (Diagram 2), and the logic is as follows:
- Each pod has a service account attached to it, with a JWT generated by and known to Kubernetes. By default this token is also mounted into the pod.
- Our application or service inside the pod issues a login request to our Consul client. The login request carries our token and the name of a specially created authorization method (of the Kubernetes type). This step (#2) corresponds to step 1 of the Consul diagram (Diagram 1).
- Our Consul client forwards this request to our Consul server.
- MAGIC! This is where the Consul server verifies the authenticity of the request, gathers information about the identity behind the request and compares it against any predefined binding rules. There is another diagram below to illustrate this. This step corresponds to steps 3, 4 and 5 of the Consul overview diagram (Diagram 1).
- Our Consul server generates a Consul token whose privileges follow the binding rules of the authorization method we defined, based on the requester's identity. It then sends that token back. This corresponds to step 6 of the Consul diagram (Diagram 1).
- Our Consul client forwards the token to the requesting application or service.
Our application or service can now use this Consul token to talk to our Consul data, as far as the token's privileges allow.
The magic revealed!
For those who are not satisfied with just a rabbit out of a hat and want to know how it works... let me show you how deep the rabbit hole goes.
As mentioned earlier, our "magic" step (Diagram 2: step 4) is where the Consul server authenticates the request, gathers information about it, and compares it against any predefined binding rules. This step corresponds to steps 3, 4 and 5 of the Consul overview diagram (Diagram 1). Below is a diagram (Diagram 3) whose purpose is to show clearly what really happens under the hood of a Kubernetes-type authorization method.
Diagram 3: The magic revealed!
- To begin with, our Consul client forwards the login request to our Consul server together with the Kubernetes service account token and the name of the authorization method instance created earlier. This step corresponds to step 3 in the previous diagram description.
- Now the Consul server (or rather the leader) has to verify the authenticity of the received token. To do so it calls the Kubernetes TokenReview API, authenticating with the Consul client's service account token that we configure on the auth method, and, given the appropriate RBAC permissions, learns whether the token is genuine and which service account it belongs to.
- The verified identity is returned to the Consul leader, and the Consul server looks up the authorization method named in the login request (of the Kubernetes type).
- The Consul leader locates the named authorization method instance (if it exists) and reads the set of binding rules attached to it. It then evaluates these rules against the verified identity attributes.
- TA-dah! Let's move on to step 5 in the previous diagram description.
Running the Consul server on a plain virtual machine
From here on I will give the instructions for building this POC mostly as bullet points, without full-sentence explanations. Also, as noted earlier, I use GCP to build all of the infrastructure, but you can build the same setup anywhere else.
- Start a virtual machine (instance/server).
- Create a firewall rule (a security group in AWS):
- I like to give the rule and the network tag the same name as the machine, in this example "skywiz-consul-server-poc".
- Find your own computer's IP address and add it to the list of source IP addresses so that we can reach the user interface (UI).
- Open port 8500 for the UI. Click Create. We will change this firewall rule again soon [link].
- Attach the firewall rule to the instance. Go back to the VM dashboard for the Consul server and add "skywiz-consul-server-poc" to the network tags field. Click Save.
- Install Consul on the virtual machine, see here. Remember that you need Consul version ≥ 1.5 [link], since auth methods were introduced in that release.
- Let's set up a single-node Consul; the configuration is as follows.
groupadd --system consul
useradd -s /sbin/nologin --system -g consul consul
mkdir -p /var/lib/consul
chown -R consul:consul /var/lib/consul
chmod -R 775 /var/lib/consul
mkdir /etc/consul.d
chown -R consul:consul /etc/consul.d
- For a more detailed guide on installing Consul and setting up a 3-node cluster, see here.
- Create the file /etc/consul.d/agent.json as follows [link]:
### /etc/consul.d/agent.json
{
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "enable_token_persistence": true
  }
}
- Start our Consul server (note that -client 0.0.0.0 binds the HTTP API and UI on every interface, so the firewall rule above is the only thing limiting who can reach them):
consul agent \
-server \
-ui \
-client 0.0.0.0 \
-data-dir=/var/lib/consul \
-bootstrap-expect=1 \
-config-dir=/etc/consul.d
- You should see a bunch of output ending with "... update blocked by ACLs".
- Get the external IP address of the Consul server and open a browser at that address on port 8500. Check that the UI opens.
- Try to add a key/value pair. You will most likely get an error. This is because we started the Consul server with ACLs enabled and default_policy set to deny, so every request without a token is refused.
- Go back to your shell on the Consul server, put the agent process in the background or otherwise keep it running, and enter the following:
consul acl bootstrap
- Take the "SecretID" value and go back to the UI. In the ACL tab, enter the SecretID of the token you just copied. Save the SecretID somewhere, we will need it later. This is the initial management token with unrestricted privileges, so treat it like a root password.
- Now add a key/value pair. For this POC, add the following: key: "custom-ns/test_key", value: "I'm in the custom-ns folder!"
Setting up the Kubernetes cluster for our application and the Consul client as a DaemonSet
- Create a K8s (Kubernetes) cluster. We will create it in the same zone as the server for fast access, so that we can use the same subnet and connect easily over internal IP addresses. We will call it "skywiz-app-with-consul-client-poc".
- As a side note, here is a good tutorial I found while setting up a POC Consul cluster with Consul Connect.
- We will use the Hashicorp helm chart with an extended values file.
- Install and configure Helm. Configuration steps (these are Helm 2 steps, which rely on Tiller; giving Tiller cluster-admin is a POC shortcut, and Helm 3 has no Tiller and needs none of these service account steps):
kubectl create serviceaccount tiller --namespace kube-system
kubectl create clusterrolebinding tiller-admin-binding \
--clusterrole=cluster-admin --serviceaccount=kube-system:tiller
./helm init --service-account=tiller
./helm repo update
- Consul helm chart: https://www.consul.io/docs/platform/k8s/helm.html
- Use the following values file (note that I disabled a lot):
### poc-helm-consul-values.yaml
global:
  enabled: false
  # "latest" is acceptable for a POC; pin an explicit version (>= 1.5 for auth methods) for anything else
  image: "consul:latest"
# Expose the Consul UI through this LoadBalancer
ui:
  enabled: false
# Allow Consul to inject the Connect proxy into Kubernetes containers
connectInject:
  enabled: false
# Configure a Consul client on Kubernetes nodes. GRPC listener is required for Connect.
client:
  enabled: true
  join: ["<PRIVATE_IP_CONSUL_SERVER>"]
  extraConfig: |
    {
      "acl": {
        "enabled": true,
        "default_policy": "deny",
        "enable_token_persistence": true
      }
    }
# Minimal Consul configuration. Not suitable for production.
server:
  enabled: false
# Sync Kubernetes and Consul services
syncCatalog:
  enabled: false
- Install the helm chart:
./helm install -f poc-helm-consul-values.yaml ./consul-helm --name skywiz-app-with-consul-client-poc
- When the client starts it needs to reach the Consul server, so let's allow that.
- Note the "Pod address range" shown on the cluster dashboard and go back to our "skywiz-consul-server-poc" firewall rule.
- Add the pod address range to the list of source IP addresses and open ports 8301 and 8300 (8300 is the server RPC port, 8301 the Serf LAN gossip port).
- Go to the Consul UI and after a few minutes you will see our cluster's nodes appear in the Nodes tab.
Configuring the authorization method by integrating Consul and Kubernetes
- Go back to the Consul server shell and export the token you saved earlier:
export CONSUL_HTTP_TOKEN=<SecretID>
- We need some information from our Kubernetes cluster to create an instance of the auth method:
- kubernetes-host
kubectl get endpoints | grep kubernetes
- kubernetes-service-account-jwt
kubectl get sa <helm_deployment_name>-consul-client -o yaml | grep "- name:"
kubectl get secret <secret_name_from_prev_command> -o yaml | grep token:
- The token is base64 encoded, so decode it using your favourite tool [link]. Note that on Kubernetes 1.24 and later a token Secret is no longer created automatically for a service account, so there you would have to create one explicitly before this step.
- kubernetes-ca-cert
kubectl get secret <secret_name_from_prev_command> -o yaml | grep ca.crt:
- Take the "ca.crt" certificate (after base64 decoding) and write it to a file named "ca.crt".
- Now create the auth method, replacing the placeholders with the values you just retrieved. Note that the JWT passed here is the Consul client's own service account token: the Consul server presents it to the Kubernetes TokenReview API when validating login requests, which is why that service account is granted RBAC permissions later in this tutorial.
consul acl auth-method create \
-type "kubernetes" \
-name "auth-method-skywiz-consul-poc" \
-description "This is an auth method using kubernetes for the cluster skywiz-app-with-consul-client-poc" \
-kubernetes-host "<k8s_endpoint_retrieved earlier>" \
-kubernetes-ca-cert=@ca.crt \
-kubernetes-service-account-jwt="<decoded_token_retrieved_earlier>"
- Next we need to create a policy and attach it to a new role. For this part you could use the Consul UI, but we will use the command line.
- Write the policy (write implies read; use policy = "read" if the pod only ever needs to read)
### kv-custom-ns-policy.hcl
key_prefix "custom-ns/" {
  policy = "write"
}
- Apply the policy
consul acl policy create \
-name kv-custom-ns-policy \
-description "This is an example policy for kv at custom-ns/" \
-rules @kv-custom-ns-policy.hcl
- Get the ID of the policy you just created from the output.
- Create a role with the new policy.
consul acl role create \
-name "custom-ns-role" \
-description "This is an example role for custom-ns namespace" \
-policy-id <policy_id>
- Now we bind our new role to the auth method instance. Note that the "selector" flag decides whether a login request receives this role. See here for the other selector options:
https://www.consul.io/docs/acl/auth-methods/kubernetes.html#trusted-identity-attributes
consul acl binding-rule create \
-method=auth-method-skywiz-consul-poc \
-bind-type=role \
-bind-name='custom-ns-role' \
-selector='serviceaccount.namespace=="custom-ns"'
Final configuration
Access rights
- Create the access rights. We need to give Consul permission to verify and identify the K8s service account token: system:auth-delegator lets the Consul client's service account create TokenReviews, and the service-account-getter role lets it look up the service account object.
- Write the following to a file [link]:
###skywiz-poc-consul-server_rbac.yaml
---
# ClusterRole and ClusterRoleBinding are cluster-scoped, so they carry no metadata.namespace
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: review-tokens
subjects:
- kind: ServiceAccount
  name: skywiz-app-with-consul-client-poc-consul-client
  namespace: default
roleRef:
  kind: ClusterRole
  name: system:auth-delegator
  apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: service-account-getter
rules:
- apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: get-service-accounts
subjects:
- kind: ServiceAccount
  name: skywiz-app-with-consul-client-poc-consul-client
  namespace: default
roleRef:
  kind: ClusterRole
  name: service-account-getter
  apiGroup: rbac.authorization.k8s.io
- Let's create the access rights
kubectl create -f skywiz-poc-consul-server_rbac.yaml
Connecting to the client DaemonSet
- As noted here, there are several options to choose from for connecting to the DaemonSet, but we will go with the following simple solution:
- Apply the following file [link].
### poc-consul-client-ds-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: consul-ds-client
spec:
  selector:
    app: consul
    chart: consul-helm
    component: client
    hasDNS: "true"
    release: skywiz-app-with-consul-client-poc
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8500
- Then use the following command to create the config map [link]. Please note that we refer to the name of our Service; change it if necessary. Also note that the Service above only exposes the HTTP API (port 80 to 8500), while a kube-dns stub domain forwards DNS queries to port 53; for ".consul" names to actually resolve, the Service would also need a port mapped to Consul's DNS port 8600. The tests below only use the HTTP API through the Service name, so they work without it.
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
  name: kube-dns
  namespace: kube-system
data:
  stubDomains: |
    {"consul": ["$(kubectl get svc consul-ds-client -o jsonpath='{.spec.clusterIP}')"]}
EOF
Testing the auth method
Now let's see the magic at work!
- Create several key folders with the same top-level key (i.e. /sample_key) and a value of your choice. Create the appropriate policies and roles for the new key paths. We will create the bindings later.
Custom namespace test:
- Let's create our own namespace:
kubectl create namespace custom-ns
- Let's create a pod in our new namespace. Write the pod configuration.
###poc-ubuntu-custom-ns.yaml
apiVersion: v1
kind: Pod
metadata:
  name: poc-ubuntu-custom-ns
  namespace: custom-ns
spec:
  containers:
  - name: poc-ubuntu-custom-ns
    image: ubuntu
    command: ["/bin/bash", "-ec", "sleep infinity"]
  restartPolicy: Never
- Create the pod:
kubectl create -f poc-ubuntu-custom-ns.yaml
- Once the container is running, go into it and install curl.
kubectl exec -n custom-ns -it poc-ubuntu-custom-ns -- /bin/bash
apt-get update && apt-get install curl -y
- Now we will send a login request to Consul using the authorization method we created earlier [link].
- To view the token mounted for your service account:
cat /run/secrets/kubernetes.io/serviceaccount/token
- Write the following to a file inside the container (AuthMethod must be the name we gave the auth method when we created it):
### payload.json
{
  "AuthMethod": "auth-method-skywiz-consul-poc",
  "BearerToken": "<jwt_token>"
}
- Let's go!
curl \
--request POST \
--data @payload.json \
consul-ds-client.default.svc.cluster.local/v1/acl/login
- To do the steps above in one line (since we will be running several tests), you can do the following; the inner quotes have to be escaped so that the shell does not cut the JSON apart:
echo "{
  \"AuthMethod\": \"auth-method-skywiz-consul-poc\",
  \"BearerToken\": \"$(cat /run/secrets/kubernetes.io/serviceaccount/token)\"
}" \
| curl \
--request POST \
--data @- \
consul-ds-client.default.svc.cluster.local/v1/acl/login
- It works! At least it should. Now take the SecretID and try to access the key/value we should have access to. Note that the service account JWT and the returned SecretID travel over plain HTTP inside the cluster here; for anything beyond a POC, enable TLS on the Consul HTTP API.
curl \
consul-ds-client.default.svc.cluster.local/v1/kv/custom-ns/test_key --header "X-Consul-Token: <SecretID_from_prev_response>"
- You can base64 decode the "Value" and check that it matches the value at custom-ns/test_key in the UI. If you used the same value as above in this tutorial, your encoded value will be IkknbSBpbiB0aGUgY3VzdG9tLW5zIGZvbGRlciEi (which decodes to the string including its surrounding double quotes, so the value must have been entered with the quotes).
Custom service account test:
- Create a custom ServiceAccount with the following command [link].
kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: custom-sa
EOF
- Create a new pod configuration file. Note that I included the curl installation to save some work :)
###poc-ubuntu-custom-sa.yaml
apiVersion: v1
kind: Pod
metadata:
  name: poc-ubuntu-custom-sa
  namespace: default
spec:
  serviceAccountName: custom-sa
  containers:
  - name: poc-ubuntu-custom-sa
    image: ubuntu
    command: ["/bin/bash", "-ec"]
    args: ["apt-get update && apt-get install curl -y; sleep infinity"]
  restartPolicy: Never
- Then open a shell inside the container.
kubectl exec -it poc-ubuntu-custom-sa -- /bin/bash
- Let's go!
echo "{
  \"AuthMethod\": \"auth-method-skywiz-consul-poc\",
  \"BearerToken\": \"$(cat /run/secrets/kubernetes.io/serviceaccount/token)\"
}" \
| curl \
--request POST \
--data @- \
consul-ds-client.default.svc.cluster.local/v1/acl/login
- Permission denied. Oh, we forgot to add a new binding rule with the appropriate permissions, let's do that now.
Repeat the earlier steps:
a) Create the same policy for the "custom-sa/" key prefix.
b) Create a role, name it "custom-sa-role"
c) Attach the policy to the role.
- Create the binding rule (only possible via the CLI/API). Note the different meaning of the selector flag: it now matches on the service account name rather than the namespace, so a service account called "custom-sa" in any namespace would match; combine it with a serviceaccount.namespace condition if that is not what you want.
consul acl binding-rule create \
-method=auth-method-skywiz-consul-poc \
-bind-type=role \
-bind-name='custom-sa-role' \
-selector='serviceaccount.name=="custom-sa"'
- Log in again from the "poc-ubuntu-custom-sa" container. Success!
- Check our access to the "custom-sa/" key path.
curl \
consul-ds-client.default.svc.cluster.local/v1/kv/custom-sa/test_key --header "X-Consul-Token: <SecretID>"
- You can also verify that this token does not give access to the kv under "custom-ns/". Just repeat the command above after replacing the "custom-sa" prefix with "custom-ns".
Permission denied.
Overlapping example:
- Note that every matching binding rule is added to the token, together with its privileges.
- Our "poc-ubuntu-custom-sa" container is in the default namespace, so let's use that for a different binding rule.
- Repeat the earlier steps:
a) Create the same policy for the "default/" key prefix.
b) Create a role, name it "default-ns-role"
c) Attach the policy to the role.
- Create the binding rule (only possible via the CLI/API)
consul acl binding-rule create \
-method=auth-method-skywiz-consul-poc \
-bind-type=role \
-bind-name='default-ns-role' \
-selector='serviceaccount.namespace=="default"'
- Go back to our "poc-ubuntu-custom-sa" container and try to access the "default/" kv path.
- Permission denied.
You can view the roles attached to each token in the UI under ACL > Tokens. As you can see, our current token only has "custom-sa-role" attached. The token we are using now was generated when we logged in, and only one binding rule matched at that time; binding rules are evaluated at login, so changing them does not affect tokens that already exist. We need to log in again and use the new token.
- Verify that you can read from both the "custom-sa/" and "default/" kv paths.
Success!
This is because our "poc-ubuntu-custom-sa" matches both the "custom-sa" and "default-ns" binding rules.
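The binding-rule matching that this section and the overlap example rely on can be made concrete with a small evaluator. The following Python is an added example written for this page, not Consul's own code: it pulls the trusted identity attributes (serviceaccount.namespace, serviceaccount.name, serviceaccount.uid) out of the claims of a service account JWT, evaluates the tutorial's three selectors against them, and returns the union of the matched roles, which is exactly why the second login from "poc-ubuntu-custom-sa" ends up with both "custom-sa-role" and "default-ns-role". The selector mini-language here supports only ==, != and terms joined with "and" (Consul's real selector language is richer), the JWT is constructed and unsigned, and signature verification is deliberately out of scope because Consul establishes the token's validity through the TokenReview API rather than by inspecting the token itself.

```python
import base64
import json
import re

# Trusted identity attributes the Kubernetes auth method exposes to binding-rule
# selectors, and the service account JWT claim each one is taken from.
CLAIM_MAP = {
    "serviceaccount.namespace": "kubernetes.io/serviceaccount/namespace",
    "serviceaccount.name": "kubernetes.io/serviceaccount/service-account.name",
    "serviceaccount.uid": "kubernetes.io/serviceaccount/service-account.uid",
}

def _b64url_decode(segment):
    # JWT segments are base64url without padding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def identity_attributes(jwt):
    """Map the JWT claims onto the selector attributes.

    The signature is NOT checked here: Consul establishes the token's validity
    through the Kubernetes TokenReview API, and only then looks at these claims.
    """
    _header, payload, _signature = jwt.split(".")
    claims = json.loads(_b64url_decode(payload))
    return {attr: claims.get(claim) for attr, claim in CLAIM_MAP.items()}

_TERM = re.compile(r'^\s*(serviceaccount\.\w+)\s*(==|!=)\s*"([^"]*)"\s*$')

def selector_matches(selector, attrs):
    """Evaluate a selector such as serviceaccount.namespace=="custom-ns".

    Supports ==, != and terms joined by ' and ' (a subset of Consul's selector
    language); an empty selector matches every login, as it does in Consul.
    """
    if not selector:
        return True
    for term in selector.split(" and "):
        match = _TERM.match(term)
        if not match:
            raise ValueError(f"unsupported selector term: {term!r}")
        attr, op, wanted = match.groups()
        if (op == "==") != (attrs.get(attr) == wanted):
            return False
    return True

def bound_roles(jwt, binding_rules):
    """Union of the roles from every binding rule whose selector matches the identity."""
    attrs = identity_attributes(jwt)
    return {rule["bind_name"] for rule in binding_rules
            if rule["bind_type"] == "role" and selector_matches(rule["selector"], attrs)}

def make_unsigned_sa_jwt(namespace, name):
    """Constructed test token carrying the claims of a legacy service account token.

    The signature segment is a placeholder, which is fine here because nothing
    in this example trusts it.
    """
    encode = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {
        "iss": "kubernetes/serviceaccount",
        "sub": f"system:serviceaccount:{namespace}:{name}",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": name,
        "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-0000-0000-000000000000",
    }
    return f"{encode({'alg': 'RS256', 'typ': 'JWT'})}.{encode(claims)}.placeholder-signature"

# The three binding rules created in this tutorial, in the order they were added.
TUTORIAL_RULES = [
    {"bind_type": "role", "bind_name": "custom-ns-role", "selector": 'serviceaccount.namespace=="custom-ns"'},
    {"bind_type": "role", "bind_name": "custom-sa-role", "selector": 'serviceaccount.name=="custom-sa"'},
    {"bind_type": "role", "bind_name": "default-ns-role", "selector": 'serviceaccount.namespace=="default"'},
]

if __name__ == "__main__":
    for ns, sa in [("custom-ns", "default"), ("default", "custom-sa"), ("kube-system", "default")]:
        roles = bound_roles(make_unsigned_sa_jwt(ns, sa), TUTORIAL_RULES)
        print(f"{ns}/{sa}: {sorted(roles) or 'no rule matched -> login denied'}")
```

An empty result from bound_roles is the situation behind the first "Permission denied" from the custom-sa pod: when no binding rule matches, Consul rejects the login outright instead of issuing a token with no privileges. Running the same identity against TUTORIAL_RULES[:2] (the rules as they stood before the default-ns rule existed) gives only "custom-sa-role", which is the token the pod kept using until it logged in again.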
Conclusion
Token TTL management?
At the time of writing there was no integrated way to set a TTL on tokens generated by this auth method. That would be a great opportunity to provide safe automation of Consul authorization. (Later Consul releases added a MaxTokenTTL setting on auth methods; check the auth-method documentation for the version you run.)
There is an option to create a token manually with a TTL:
https://www.consul.io/docs/acl/acl-system.html#acl-tokens
Expiration time - the time at which this token will be revoked. (Optional; added in Consul 1.5.0) - Only available for manual creation/update
https://www.consul.io/api/acl/tokens.html#expirationtime
Hopefully in the future we will be able to control how tokens are created (per rule or per auth method) and add a TTL.
Until then, it is recommended to use the logout endpoint in your logic, so that a token obtained at login is revoked as soon as the workload is done with it.
https://www.consul.io/api/acl/acl.html#logout-from-auth-method https://www.consul.io/docs/acl/acl-auth-methods.html#overall-login-process
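As an added example for the curl tests above and for the logout recommendation here (illustration code written for this page, not from the original article or from HashiCorp), the following Python runs the whole exchange in one process: a minimal stand-in for the three Consul endpoints this tutorial uses (/v1/acl/login, /v1/kv/<key>, /v1/acl/logout) with default-deny semantics, and a client that logs in with a bearer token, reads a key with the returned SecretID in the X-Consul-Token header, logs out, and then confirms that the SecretID is dead. The bearer tokens, the grants table and the KV contents are constructed stand-ins; against a real cluster the client side is the same, with the consul-ds-client Service address in place of the local fake.

```python
import base64
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

AUTH_METHOD = "auth-method-skywiz-consul-poc"
# Constructed stand-ins for real service account JWTs: the key prefixes each one
# ends up with after Consul resolves binding rules -> roles -> policies.
BEARER_GRANTS = {
    "jwt-for-custom-ns-pod": {"custom-ns/"},
    "jwt-for-custom-sa-pod": {"custom-sa/", "default/"},
}
# Constructed KV contents (the tutorial's value, surrounding quotes included)
KV = {"custom-ns/test_key": '"I\'m in the custom-ns folder!"', "custom-sa/test_key": "sa-value"}

class FakeConsul(BaseHTTPRequestHandler):
    """Just enough of Consul's HTTP API for the exchange: login, kv read, logout."""
    tokens = {}  # SecretID -> key prefixes the token may read

    def _reply(self, status, body=None):
        self.send_response(status)
        self.end_headers()
        if body is not None:
            self.wfile.write(json.dumps(body).encode())

    def do_POST(self):
        body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        if self.path == "/v1/acl/login":
            grants = BEARER_GRANTS.get(body.get("BearerToken"))
            if body.get("AuthMethod") != AUTH_METHOD or not grants:
                return self._reply(403)  # unknown method, or no binding rule matched
            secret = secrets.token_hex(16)
            FakeConsul.tokens[secret] = grants
            return self._reply(200, {"SecretID": secret, "AuthMethod": AUTH_METHOD})
        if self.path == "/v1/acl/logout":
            if FakeConsul.tokens.pop(self.headers.get("X-Consul-Token"), None) is None:
                return self._reply(403)
            return self._reply(200, True)  # token revoked; Consul answers `true`
        self._reply(404)

    def do_GET(self):
        key = self.path[len("/v1/kv/"):]
        grants = FakeConsul.tokens.get(self.headers.get("X-Consul-Token"), set())
        if not any(key.startswith(p) for p in grants):
            return self._reply(403)  # default_policy = deny
        if key not in KV:
            return self._reply(404)
        self._reply(200, [{"Key": key, "Value": base64.b64encode(KV[key].encode()).decode()}])

class ConsulSession:
    """Log in with a service account JWT, use the SecretID, then log out."""
    def __init__(self, base_url):
        self.base_url = base_url.rstrip("/")
        self.secret_id = None

    def _call(self, method, path, body=None):
        req = request.Request(self.base_url + path, method=method,
                              data=None if body is None else json.dumps(body).encode())
        if self.secret_id:
            req.add_header("X-Consul-Token", self.secret_id)
        try:
            with request.urlopen(req, timeout=5) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else None)
        except error.HTTPError as e:
            return e.code, None

    def login(self, auth_method, bearer_token):
        status, body = self._call("POST", "/v1/acl/login",
                                  {"AuthMethod": auth_method, "BearerToken": bearer_token})
        if status != 200:
            raise PermissionError(f"login rejected (HTTP {status})")
        self.secret_id = body["SecretID"]

    def kv_get(self, key):
        status, body = self._call("GET", "/v1/kv/" + key)
        if status == 403:
            raise PermissionError(f"token may not read {key}")
        return None if status == 404 else base64.b64decode(body[0]["Value"]).decode()

    def logout(self):
        status, _ = self._call("POST", "/v1/acl/logout")
        self.secret_id = None
        return status == 200

def start_fake_consul():
    server = HTTPServer(("127.0.0.1", 0), FakeConsul)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"

def run_exchange(base_url, bearer_token, key):
    """login -> read key -> logout; returns (value, logged_out, old_secret_revoked)."""
    session = ConsulSession(base_url)
    session.login(AUTH_METHOD, bearer_token)
    value = session.kv_get(key)
    stale = ConsulSession(base_url)
    stale.secret_id = session.secret_id  # keep a copy of the SecretID past logout
    logged_out = session.logout()
    try:
        stale.kv_get(key)
        return value, logged_out, False
    except PermissionError:
        return value, logged_out, True
```

The last element returned by run_exchange is the point of the logout advice: once /v1/acl/logout has been called, the SecretID minted at login is gone server-side and any further use of it is refused, which is the closest thing to a TTL this flow offers.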
Source: www.habr.com