How do I create a new namespace in Kubernetes

Problem description

I work on a multi-tenant Node app. I know that to create a new namespace in Kubernetes it is possible to run a kubectl command as follows: kubectl create namespace <namespace name>

How can I create a new namespace from Node microservices when a new customer signs up for a new account?

Is there some kubectl API to make a request from an external app?

Is it necessary for the user to log out from the app, destroy the pods created in Kubernetes?

Recommended answer

It could be as simple as calling from a shell in your app:

kubectl create namespace <your-namespace-name>

Essentially, kubectl talks to the kube-apiserver.

You can also directly call the kube-apiserver. This is an example to list the pods:

$ curl -k -H 'Authorization: Bearer <token>' \
              https://$KUBERNETES_SERVICE_HOST:6443/api/<api-version>/namespaces/default/pods

More specifically to create a namespace:

$ curl -k -X POST -H 'Content-Type: application/json' \
                     -H 'Authorization: Bearer <token>' \
                     https://$KUBERNETES_SERVICE_HOST:6443/api/v1/namespaces/ -d '
{
    "apiVersion": "v1",
    "kind": "Namespace",
    "metadata": {
        "name": "mynewnamespace"
    }
}'

In case you are wondering about the <token>, it's a Kubernetes Secret typically belonging to a ServiceAccount and bound to a ClusterRole that allows you to create namespaces.

You can create a Service Account like this:

$ kubectl create serviceaccount namespace-creator

Then you'll see the token like this (a token is automatically generated):

$ kubectl describe sa namespace-creator
Name:                namespace-creator
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   namespace-creator-token-xxxxx
Tokens:              namespace-creator-token-xxxxx
Events:              <none>

Then you'll get the secret:

$ kubectl describe secret namespace-creator-token-xxxxx
Name:         namespace-creator-token-xxxxx
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: namespace-creator
              kubernetes.io/service-account.uid: <redacted>

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      <REDACTED> <== This is the token you need for Authorization: Bearer

Your ClusterRole should look something like this:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: namespace-creator
rules:
- apiGroups: ["*"]
  resources: ["namespaces"]
  verbs: ["create"]

Then you would bind it like this:

$ kubectl create clusterrolebinding namespace-creator-binding --clusterrole=namespace-creator --serviceaccount=default:namespace-creator

When it comes to writing code you can use any HTTP client library in any language to call the same endpoints.

There are also libraries like the client-go library that takes care of the plumbing of connecting to a kube-apiserver.
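
The same namespace-creation request issued from a Node service, as an added example that is not part of the original answer. It assumes the service runs in a pod with the namespace-creator ServiceAccount mounted; `tenantNamespace`, `buildCreateRequest` and `createNamespace` are hypothetical names. The customer-derived name is validated as an RFC 1123 label before it is sent, and the mounted `ca.crt` is used to verify the API server rather than skipping verification as `curl -k` does.

```javascript
// Added example, not from the original answer. Assumes the service runs in a pod
// whose ServiceAccount is bound to a role that allows creating namespaces.
const fs = require('fs');
const https = require('https');

const SA_DIR = '/var/run/secrets/kubernetes.io/serviceaccount'; // in-cluster mount
const DNS_LABEL = /^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$/; // RFC 1123 label, <= 63 chars

// Hypothetical helper: derive the namespace from a customer id. Invalid input is
// rejected, not "cleaned"; the fixed prefix keeps tenants out of kube-system etc.
function tenantNamespace(customerId) {
  const name = `tenant-${String(customerId).toLowerCase()}`;
  if (!DNS_LABEL.test(name)) throw new Error(`invalid namespace name: ${JSON.stringify(name)}`);
  return name;
}

// Same request as the curl call above, as options for https.request().
function buildCreateRequest(name, { host, port, token, ca }) {
  const body = JSON.stringify({ apiVersion: 'v1', kind: 'Namespace', metadata: { name } });
  const headers = {
    Authorization: `Bearer ${token}`,
    'Content-Type': 'application/json',
    'Content-Length': Buffer.byteLength(body),
  };
  return { body, options: { host, port, ca, method: 'POST', path: '/api/v1/namespaces', headers } };
}

// Resolves with the namespace name on 201 Created; rejects otherwise (409 = already exists).
function createNamespace(customerId) {
  const name = tenantNamespace(customerId);
  const { body, options } = buildCreateRequest(name, {
    host: process.env.KUBERNETES_SERVICE_HOST,
    port: process.env.KUBERNETES_SERVICE_PORT,
    token: fs.readFileSync(`${SA_DIR}/token`, 'utf8').trim(), // re-read: tokens can rotate
    ca: fs.readFileSync(`${SA_DIR}/ca.crt`), // verify the API server instead of curl -k
  });
  return new Promise((resolve, reject) => {
    const req = https.request(options, (res) => {
      let data = '';
      res.on('data', (chunk) => { data += chunk; });
      res.on('end', () => (res.statusCode === 201
        ? resolve(name)
        : reject(new Error(`kube-apiserver returned ${res.statusCode}: ${data}`))));
    });
    req.on('error', reject);
    req.end(body);
  });
}
```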
