Qaphela. transl.: Ama-Opharetha ayi-software eyisiza ye-Kubernetes, edizayinelwe ukwenza ngokuzenzakalelayo ukuqaliswa kwezenzo ezijwayelekile ezintweni zeqoqo lapho izehlakalo ezithile zenzeka. Sesike sabhala mayelana nama-opharetha ku , lapho babekhuluma khona ngemibono nezimiso eziyisisekelo zomsebenzi wabo. Kodwa uma lokho kwaziswa bekukumbono ovela ohlangothini lokusebenzisa izingxenye esezilungile ze-Kubernetes, khona-ke ukuhunyushwa kwesihloko esisha esihlongozwayo manje sekuwumbono wonjiniyela/unjiniyela we-DevOps odidwe ukuqaliswa komsebenzi omusha.
Nginqume ukubhala lokhu okuthunyelwe ngesibonelo sempilo yangempela ngemva kwemizamo yami yokuthola imibhalo ekudaleni u-opharetha we-Kubernetes, odlule ekufundeni ikhodi.
Isibonelo esizochazwa yilesi: kuqoqo lethu le-Kubernetes, ngalinye Namespace imele indawo yebhokisi lesihlabathi leqembu, futhi besifuna ukukhawulela ukufinyelela kuzo ukuze amaqembu akwazi ukudlala kumabhokisi awo esanti kuphela.
Ungakwazi ukufeza okufunayo ngokunikeza umsebenzisi iqembu elinalo RoleBinding ukuze ucacise Namespace ΠΈ ClusterRole ngamalungelo okuhlela. Ukumelwa kwe-YAML kuzobukeka kanje:
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: kubernetes-team-1
namespace: team-1
subjects:
- kind: Group
name: kubernetes-team-1
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: edit
apiGroup: rbac.authorization.k8s.io(, ku )
Dala eyodwa RoleBinding Ungakwenza mathupha, kodwa ngemva kokuwela uphawu lwezikhala zamagama eziyikhulu, kuba umsebenzi oyisicefe. Kulapho o-opharetha be-Kubernetes besiza khonaβbakuvumela ukuthi wenze ngokuzenzakalelayo ukudalwa kwezinsiza ze-Kubernetes ngokusekelwe ezinguqukweni zezinsiza. Esimeni sethu sifuna ukudala RoleBinding ngenkathi udala Namespace.
Okokuqala, ake sichaze umsebenzi mainokwenza isethaphu edingekayo ukuze iqalise isitatimende bese ibiza isenzo sesitatimende:
(Qaphela. transl.: lapha nangezansi amazwana kukhodi ahunyushwa ngesiRashiya. Ngaphezu kwalokho, ukuhlehlisa kulungiselwe ezikhaleni esikhundleni samathebhu [okunconywe kokuthi Go] ngenjongo yokufunda kangcono ngaphakathi kwesakhiwo se-Habr. Ngemva kokufakwa kuhlu ngakunye kukhona izixhumanisi kokwangempela ku-GitHub, lapho kugcinwa khona amazwana namathebhu olimi lwesiNgisi.)
func main() {
// Π£ΡΡΠ°Π½Π°Π²Π»ΠΈΠ²Π°Π΅ΠΌ Π²ΡΠ²ΠΎΠ΄ Π»ΠΎΠ³ΠΎΠ² Π² ΠΊΠΎΠ½ΡΠΎΠ»ΡΠ½ΡΠΉ STDOUT
log.SetOutput(os.Stdout)
sigs := make(chan os.Signal, 1) // Π‘ΠΎΠ·Π΄Π°Π΅ΠΌ ΠΊΠ°Π½Π°Π» Π΄Π»Ρ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΡ ΡΠΈΠ³Π½Π°Π»ΠΎΠ² ΠΠ‘
stop := make(chan struct{}) // Π‘ΠΎΠ·Π΄Π°Π΅ΠΌ ΠΊΠ°Π½Π°Π» Π΄Π»Ρ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΡ ΡΡΠΎΠΏ-ΡΠΈΠ³Π½Π°Π»Π°
// Π Π΅Π³ΠΈΡΡΡΠΈΡΡΠ΅ΠΌ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΠ΅ SIGTERM Π² ΠΊΠ°Π½Π°Π»Π΅ sigs
signal.Notify(sigs, os.Interrupt, syscall.SIGTERM, syscall.SIGINT)
// Goroutines ΠΌΠΎΠ³ΡΡ ΡΠ°ΠΌΠΈ Π΄ΠΎΠ±Π°Π²Π»ΡΡΡ ΡΠ΅Π±Ρ Π² WaitGroup,
// ΡΡΠΎΠ±Ρ Π·Π°Π²Π΅ΡΡΠ΅Π½ΠΈΡ ΠΈΡ
Π²ΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΡ Π΄ΠΎΠΆΠΈΠ΄Π°Π»ΠΈΡΡ
wg := &sync.WaitGroup{}
runOutsideCluster := flag.Bool("run-outside-cluster", false, "Set this flag when running outside of the cluster.")
flag.Parse()
// Π‘ΠΎΠ·Π΄Π°Π΅ΠΌ clientset Π΄Π»Ρ Π²Π·Π°ΠΈΠΌΠΎΠ΄Π΅ΠΉΡΡΠ²ΠΈΡ Ρ ΠΊΠ»Π°ΡΡΠ΅ΡΠΎΠΌ Kubernetes
clientset, err := newClientSet(*runOutsideCluster)
if err != nil {
panic(err.Error())
}
controller.NewNamespaceController(clientset).Run(stop, wg)
<-sigs // ΠΠ΄Π΅ΠΌ ΡΠΈΠ³Π½Π°Π»ΠΎΠ² (Π΄ΠΎ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΡ ΡΠΈΠ³Π½Π°Π»Π° Π±ΠΎΠ»Π΅Π΅ Π½ΠΈΡΠ΅Π³ΠΎ Π½Π΅ ΠΏΡΠΎΠΈΡΡ
ΠΎΠ΄ΠΈΡ)
log.Printf("Shutting down...")
close(stop) // ΠΠΎΠ²ΠΎΡΠΈΠΌ goroutines ΠΎΡΡΠ°Π½ΠΎΠ²ΠΈΡΡΡΡ
wg.Wait() // ΠΠΆΠΈΠ΄Π°Π΅ΠΌ, ΡΡΠΎ Π²ΡΠ΅ ΠΎΡΡΠ°Π½ΠΎΠ²Π»Π΅Π½ΠΎ
}(, ku )
Senza lokhu okulandelayo:
- Silungiselela isibambi samasiginali athile wesistimu yokusebenza ukuze sibangele ukunqanyulwa okuhle kwesisebenzisi.
- Sisebenzisa
WaitGroupukumisa kahle zonke izindlela ngaphambi kokunqamula uhlelo. - Sinikeza ukufinyelela kuqoqo ngokudala
clientset. - Yethula
NamespaceController, lapho yonke i-logic yethu izotholakala khona.
Manje sidinga isisekelo se-logic, futhi esimweni sethu lesi yisona esishiwo NamespaceController:
// NamespaceController ΡΠ»Π΅Π΄ΠΈΡ ΡΠ΅ΡΠ΅Π· Kubernetes API Π·Π° ΠΈΠ·ΠΌΠ΅Π½Π΅Π½ΠΈΡΠΌΠΈ
// Π² ΠΏΡΠΎΡΡΡΠ°Π½ΡΡΠ²Π°Ρ
ΠΈΠΌΠ΅Π½ ΠΈ ΡΠΎΠ·Π΄Π°Π΅Ρ RoleBinding Π΄Π»Ρ ΠΊΠΎΠ½ΠΊΡΠ΅ΡΠ½ΠΎΠ³ΠΎ namespace.
type NamespaceController struct {
namespaceInformer cache.SharedIndexInformer
kclient *kubernetes.Clientset
}
// NewNamespaceController ΡΠΎΠ·Π΄Π°Π΅Ρ Π½ΠΎΠ²ΡΠΉ NewNamespaceController
func NewNamespaceController(kclient *kubernetes.Clientset) *NamespaceController {
namespaceWatcher := &NamespaceController{}
// Π‘ΠΎΠ·Π΄Π°Π΅ΠΌ ΠΈΠ½ΡΠΎΡΠΌΠ΅Ρ Π΄Π»Ρ ΡΠ»Π΅ΠΆΠ΅Π½ΠΈΡ Π·Π° Namespaces
namespaceInformer := cache.NewSharedIndexInformer(
&cache.ListWatch{
ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
return kclient.Core().Namespaces().List(options)
},
WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
return kclient.Core().Namespaces().Watch(options)
},
},
&v1.Namespace{},
3*time.Minute,
cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc},
)
namespaceInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
AddFunc: namespaceWatcher.createRoleBinding,
})
namespaceWatcher.kclient = kclient
namespaceWatcher.namespaceInformer = namespaceInformer
return namespaceWatcher
}(, ku )
Lapha silungisa SharedIndexInformer, okuzokwenza ngempumelelo (usebenzisa inqolobane) ilinde izinguquko ezikhaleni zamagama (funda kabanzi mayelana nezimpimpi esihlokweni esithi ""- cishe. ukuhumusha). Ngemva kwalokhu sixhuma EventHandler kumpimpi, ukuze kuthi lapho wengeza indawo yegama (Namespace) umsebenzi ubizwa createRoleBinding.
Isinyathelo esilandelayo ukuchaza lo msebenzi createRoleBinding:
func (c *NamespaceController) createRoleBinding(obj interface{}) {
namespaceObj := obj.(*v1.Namespace)
namespaceName := namespaceObj.Name
roleBinding := &v1beta1.RoleBinding{
TypeMeta: metav1.TypeMeta{
Kind: "RoleBinding",
APIVersion: "rbac.authorization.k8s.io/v1beta1",
},
ObjectMeta: metav1.ObjectMeta{
Name: fmt.Sprintf("ad-kubernetes-%s", namespaceName),
Namespace: namespaceName,
},
Subjects: []v1beta1.Subject{
v1beta1.Subject{
Kind: "Group",
Name: fmt.Sprintf("ad-kubernetes-%s", namespaceName),
},
},
RoleRef: v1beta1.RoleRef{
APIGroup: "rbac.authorization.k8s.io",
Kind: "ClusterRole",
Name: "edit",
},
}
_, err := c.kclient.Rbac().RoleBindings(namespaceName).Create(roleBinding)
if err != nil {
log.Println(fmt.Sprintf("Failed to create Role Binding: %s", err.Error()))
} else {
log.Println(fmt.Sprintf("Created AD RoleBinding for Namespace: %s", roleBinding.Name))
}
}(, ku )
Sithola indawo yegama njenge obj bese uyiguqulela entweni Namespace. Bese sichaza RoleBinding, ngokusekelwe kufayela le-YAML okukhulunywe ngalo ekuqaleni, kusetshenziswa into enikeziwe Namespace kanye nokudala RoleBinding. Ekugcineni, sibhala ukuthi ngabe ukudalwa kuphumelele yini.
Umsebenzi wokugcina ozochazwa ngu Run:
// Run Π·Π°ΠΏΡΡΠΊΠ°Π΅Ρ ΠΏΡΠΎΡΠ΅ΡΡ ΠΎΠΆΠΈΠ΄Π°Π½ΠΈΡ ΠΈΠ·ΠΌΠ΅Π½Π΅Π½ΠΈΠΉ Π² ΠΏΡΠΎΡΡΡΠ°Π½ΡΡΠ²Π°Ρ
ΠΈΠΌΡΠ½
// ΠΈ Π΄Π΅ΠΉΡΡΠ²ΠΈΡ Π² ΡΠΎΠΎΡΠ²Π΅ΡΡΡΠ²ΠΈΠΈ Ρ ΡΡΠΈΠΌΠΈ ΠΈΠ·ΠΌΠ΅Π½Π΅Π½ΠΈΡΠΌΠΈ.
func (c *NamespaceController) Run(stopCh <-chan struct{}, wg *sync.WaitGroup) {
// ΠΠΎΠ³Π΄Π° ΡΡΠ° ΡΡΠ½ΠΊΡΠΈΡ Π·Π°Π²Π΅ΡΡΠ΅Π½Π°, ΠΏΠΎΠΌΠ΅ΡΠΈΠΌ ΠΊΠ°ΠΊ Π²ΡΠΏΠΎΠ»Π½Π΅Π½Π½ΡΡ
defer wg.Done()
// ΠΠ½ΠΊΡΠ΅ΠΌΠ΅Π½ΡΠΈΡΡΠ΅ΠΌ wait group, Ρ.ΠΊ. ΡΠΎΠ±ΠΈΡΠ°Π΅ΠΌΡΡ Π²ΡΠ·Π²Π°ΡΡ goroutine
wg.Add(1)
// ΠΡΠ·ΡΠ²Π°Π΅ΠΌ goroutine
go c.namespaceInformer.Run(stopCh)
// ΠΠΆΠΈΠ΄Π°Π΅ΠΌ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΡ ΡΡΠΎΠΏ-ΡΠΈΠ³Π½Π°Π»Π°
<-stopCh
}(, ku )
Lapha siyakhuluma WaitGroupukuthi sethula i-goroutine bese siyafona namespaceInformer, okuye kwachazwa ngaphambilini. Lapho isignali yokumisa ifika, izoqeda umsebenzi, yazisa WaitGroup, engasasetshenziswa, futhi lo msebenzi uzophuma.
Ulwazi mayelana nokwakha nokusebenzisa lesi sitatimende kuqoqo le-Kubernetes lungatholakala ku .
Lokho kungenxa yomsebenzisi odalayo RoleBinding nini Namespace ku-cluster ye-Kubernetes, ilungile.
Source: www.habr.com