Automatically create Kubernetes resources after namespace creation


Question

I have 2 teams:

  • devs: each time they deploy a branch/tag of their application, they create a new Kubernetes namespace
  • ops: they manage access control to the cluster using (cluster)roles and (cluster)rolebindings

The problem is that 'devs' cannot kubectl their namespaces until 'ops' have created RBAC resources. And 'devs' cannot create RBAC resources themselves as they don't have the list of subjects to put in the rolebinding resource (sharing the list is not an option).

I have read the official documentation about Admission webhooks but what I understood is that they only act on the resource that triggered the webhook.

Is there a native and/or simple way in Kubernetes to apply resources whenever a new namespace is created?

Answer

I've come up with a solution by writing a custom controller.

With the following custom resource deployed, the controller injects the role and rolebinding in namespaces matching dev-.* and fix-.*:

kind: NamespaceResourcesInjector
apiVersion: blakelead.com/v1alpha1
metadata:
  name: nri-test
spec:
  namespaces:
  - dev-.*
  - fix-.*
  resources:
  - |
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: dev-role
    rules:
      # core ("") API group resources
      - apiGroups: [""]
        resources: ["pods", "services"]
        verbs: ["list", "get"]
      # deployments live in the "apps" group and ingresses in "networking.k8s.io";
      # listing them under apiGroups: [""] grants nothing, so they get their own rules
      - apiGroups: ["apps"]
        resources: ["deployments"]
        verbs: ["list", "get"]
      - apiGroups: ["networking.k8s.io"]
        resources: ["ingresses"]
        verbs: ["list", "get"]
      - apiGroups: [""]
        resources: ["pods/portforward"]
        verbs: ["create"]
      - apiGroups: [""]
        resources: ["namespaces"]
        verbs: ["list", "get"]
  - |
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: dev-rolebinding
    subjects:
    - kind: User
      name: dev
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: Role
      name: dev-role
      apiGroup: rbac.authorization.k8s.io

The controller is still in early stages of development but I'm using it successfully in more and more clusters.

Here it is for those interested: https://github.com/blakelead/nsinjector
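To make the reconcile step of such a controller concrete, here is an added example in Python (not code from the nsinjector project or from the answer). It models one pass of a hypothetical injector: it takes the injector spec from the answer (the resource templates are given as Python dicts rather than the YAML strings the real custom resource carries, which a controller would parse with yaml.safe_load), the namespaces currently in the cluster, and the set of objects already present, and returns the objects that still need to be created. Two points a practitioner would want from such a controller are built in: namespace patterns are matched with re.fullmatch so that dev-.* cannot accidentally match a namespace such as prod-dev-secrets, and templates are validated before injection so that a controller running with elevated privileges refuses cluster-scoped kinds and privilege-escalating verbs. The validation policy, the label key nsinjector.example/managed and the namespace names are constructed for this example.

```python
import re
from copy import deepcopy

# Constructed injector spec, mirroring the NamespaceResourcesInjector
# custom resource in the answer. Resources are dicts here instead of YAML
# strings (a real controller would yaml.safe_load each template).
INJECTOR_SPEC = {
    "namespaces": ["dev-.*", "fix-.*"],
    "resources": [
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "Role",
            "metadata": {"name": "dev-role"},
            "rules": [
                {"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["list", "get"]},
                {"apiGroups": [""], "resources": ["pods/portforward"], "verbs": ["create"]},
            ],
        },
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "RoleBinding",
            "metadata": {"name": "dev-rolebinding"},
            "subjects": [{"kind": "User", "name": "dev", "apiGroup": "rbac.authorization.k8s.io"}],
            "roleRef": {"kind": "Role", "name": "dev-role", "apiGroup": "rbac.authorization.k8s.io"},
        },
    ],
}

# Hypothetical injection policy (not part of nsinjector): the controller runs
# with elevated privileges, so a template must not be able to smuggle
# cluster-scoped RBAC or escalating verbs through it.
CLUSTER_SCOPED_KINDS = {"ClusterRole", "ClusterRoleBinding"}
FORBIDDEN_VERBS = {"*", "escalate", "bind", "impersonate"}
MANAGED_LABEL = "nsinjector.example/managed"  # constructed label key


def namespace_matches(name, patterns):
    """True if the namespace name fully matches one of the patterns.

    re.fullmatch is deliberate: re.search would let 'dev-.*' match
    'prod-dev-secrets' and silently widen where the role is injected.
    """
    return any(re.fullmatch(p, name) for p in patterns)


def validate_template(resource):
    """Raise ValueError for templates that grant more than a namespaced role should."""
    kind = resource.get("kind")
    if kind in CLUSTER_SCOPED_KINDS:
        raise ValueError(f"refusing to inject cluster-scoped kind {kind}")
    if kind == "Role":
        for rule in resource.get("rules", []):
            bad = FORBIDDEN_VERBS.intersection(rule.get("verbs", []))
            if bad:
                raise ValueError(f"refusing verbs {sorted(bad)} in Role {resource['metadata']['name']}")
    return True


def render_for_namespace(resource, namespace):
    """Copy the template, pin it to the target namespace and label it as managed."""
    obj = deepcopy(resource)
    obj.setdefault("metadata", {})["namespace"] = namespace
    obj["metadata"].setdefault("labels", {})[MANAGED_LABEL] = "true"
    return obj


def keys_of(objects):
    """Identity of each object as (namespace, kind, name), the key the controller tracks."""
    return {(o["metadata"]["namespace"], o["kind"], o["metadata"]["name"]) for o in objects}


def reconcile(spec, namespaces, existing):
    """One reconcile pass: return the objects that still have to be created.

    spec       -- injector spec (namespace patterns + resource templates)
    namespaces -- names of the namespaces currently in the cluster
    existing   -- set of (namespace, kind, name) keys already present
    Objects already present are skipped, so repeated passes are idempotent.
    """
    for tmpl in spec["resources"]:
        validate_template(tmpl)
    to_create = []
    for ns in namespaces:
        if not namespace_matches(ns, spec["namespaces"]):
            continue
        for tmpl in spec["resources"]:
            if (ns, tmpl["kind"], tmpl["metadata"]["name"]) in existing:
                continue
            to_create.append(render_for_namespace(tmpl, ns))
    return to_create


if __name__ == "__main__":
    # Constructed cluster state: two matching namespaces, one near miss, one system namespace.
    cluster_namespaces = ["dev-feature-login", "fix-1234", "prod-dev-secrets", "kube-system"]
    first = reconcile(INJECTOR_SPEC, cluster_namespaces, existing=set())
    for o in first:
        print(f"create {o['kind']}/{o['metadata']['name']} in {o['metadata']['namespace']}")
    second = reconcile(INJECTOR_SPEC, cluster_namespaces, existing=keys_of(first))
    print(f"second pass creates {len(second)} objects")
```

In a real controller the namespace list would come from a Namespace informer and `existing` from listing objects carrying the managed label, but the decision logic (anchored matching, template validation, idempotent diff) is the part worth getting right before touching the API server.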
