我如何在Kubernetes中创建新的名称空间 [英] How I create new namespace in Kubernetes
问题描述
我在多租户节点应用程序中工作,我知道可以在Kubernetes中创建新的名称空间来运行kubectl命令,如下所示:
kubectl create namespace <namespace name>
I work in a multi-tenant node app, I know to create a new namespace in Kubernetes is possible to run a kubectl command as follow:
kubectl create namespace <namespace name>
当新客户注册新帐户时,如何从节点微服务创建新的命名空间?
How can I create a new namespace from node Microservices when a new customer make a sign up for a new account?
是否有一些kubectl API可以从外部应用程序发出请求?
Is there some kubectl API to make a request from an external app?
用户是否需要从应用程序注销,销毁在kubernetes中创建的Pod?
Is necessary for the user to log out from app, destroy the pods created in kubernetes?
推荐答案
就像从应用程序中的shell调用一样简单:
It could be as simple as calling from a shell in your app:
kubectl create namespace <your-namespace-name>
本质上,kubectl与kube-apiserver对话.
Essentially, kubectl talks to the kube-apiserver.
您也可以直接调用kube-apiserver.这是列出豆荚的示例:
You can also directly call the kube-apiserver. This is an example to list the pods:
$ curl -k -H 'Authorization: Bearer <token>' \
https://$KUBERNETES_SERVICE_HOST:6443/api/<api-version>/namespaces/default/pods
更具体地说,是创建名称空间:
More specifically to create a namespace:
$ curl -k -H -X POST -H 'Content-Type: application/json' \
-H 'Authorization: Bearer <token>' \
https://$KUBERNETES_SERVICE_HOST:6443/api/v1/namespaces/ -d '
{
"apiVersion": "v1",
"kind": "Namespace",
"metadata": {
"name": "mynewnamespace"
}
}'
如果您想知道<token>
,它是Kubernetes 秘密通常属于ServiceAccount,并绑定到 ClusterRole
允许您创建名称空间.
In case you are wondering about the <token>
, it's a Kubernetes Secret typically belonging to a ServiceAccount and bound to a ClusterRole
that allows you to create namespaces.
您可以这样创建一个服务帐户:
You can create a Service Account like this:
$ kubectl create serviceaccount namespace-creator
然后您将看到这样的令牌(令牌是自动生成的):
Then you'll see the token like this (a token is automatically generated):
$ kubectl describe sa namespace-creator
Name: namespace-creator
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: namespace-creator-token-xxxxx
Tokens: namespace-creator-token-xxxxx
Events: <none>
那么您将获得秘密:
$ kubectl describe secret namespace-creator-token-xxxxx
Name: namespace-creator-token-xxxx
Namespace: default
Labels: <none>
Annotations: kubernetes.io/service-account.name: namespace-creator
kubernetes.io/service-account.uid: <redacted>
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 7 bytes
token: <REDACTED> <== This is the token you need for Authorization: Bearer
您的ClusterRole
应该看起来像这样:
Your ClusterRole
should look something like this:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: namespace-creator
rules:
- apiGroups: ["*"]
resources: ["namespaces"]
verbs: ["create"]
然后您将像这样绑定它:
Then you would bind it like this:
$ kubectl create clusterrolebinding namespace-creator-binding --clusterrole=namespace-creator --serviceaccount=namespace-creator
在编写代码时,您可以使用任何语言的任何HTTP客户端库来调用相同的端点.
When it comes to writing code you can use any HTTP client library in any language to call the same endpoints.
还有诸如 client-go 库之类的库,用于处理连接问题到kube-apiserver.
There are also libraries like the client-go library that takes care of the plumbing of connecting to a kube-apiserver.
这篇关于我如何在Kubernetes中创建新的名称空间的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!