ClusterRole aggregation and how cluster upgrades change the user-facing roles


Aggregated ClusterRoles


Since Kubernetes v1.9, a ClusterRole can use the aggregation feature (aggregationRule).
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: monitoring
    aggregationRule:
      clusterRoleSelectors:
      - matchLabels:
          rbac.example.com/aggregate-to-monitoring: "true"
    rules: [] # the rules of every ClusterRole carrying the matching label are added here automatically

In this way, .aggregationRule.clusterRoleSelectors.matchLabels pulls in the contents of every ClusterRole that carries the matching label.
Once the manifest above is applied, the rules of those ClusterRoles are added to .rules automatically; rules: [] is only a placeholder that the aggregation controller fills in.

User-facing roles


In Kubernetes v1.9 the user-facing ClusterRoles admin, edit and view were also changed to use aggregated ClusterRoles (cluster-admin is not aggregated). Each of them selects the ClusterRoles carrying one of these labels:
  • rbac.authorization.k8s.io/aggregate-to-admin: "true"
  • rbac.authorization.k8s.io/aggregate-to-edit: "true"
  • rbac.authorization.k8s.io/aggregate-to-view: "true"

Concretely, admin looks like this:
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      annotations:
        rbac.authorization.kubernetes.io/autoupdate: "true"
      labels:
        kubernetes.io/bootstrapping: rbac-defaults
      name: admin
    aggregationRule:
      clusterRoleSelectors:
      - matchLabels:
          rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rules: [] # filled in with the rules of the aggregated ClusterRoles
    
The actual rules come from the following ClusterRole, which carries the rbac.authorization.k8s.io/aggregate-to-admin: "true" label:
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      annotations:
        rbac.authorization.kubernetes.io/autoupdate: "true"
      labels:
        kubernetes.io/bootstrapping: rbac-defaults
        rbac.authorization.k8s.io/aggregate-to-admin: "true"
      name: system:aggregate-to-admin
    rules:
      ... (omitted; the rules that admin should have follow here)
    
With this mechanism, permissions for newly created resources such as CRDs can be folded into the user-facing roles simply by labelling a ClusterRole; the built-in roles themselves never need to be edited.
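As an added example (not code from the original post or from Kubernetes), the following Python models what the aggregation controller does with the labels described above: it selects the ClusterRoles whose labels match a clusterRoleSelectors entry, skips the aggregating role itself, and adds each contributed rule once. The cluster state is constructed inline; the widgets-admin and widgets-view roles and the example.com/widgets CRD are hypothetical, and the built-in rules are abbreviated. It goes one step beyond the text by checking the resulting rules with a plain RBAC match, so you can see that a labelled CRD role really does land in admin while a role carrying only the aggregate-to-view label does not.

```python
"""Model of ClusterRole aggregation (added example, not Kubernetes source)."""
from copy import deepcopy

# Constructed sample cluster state: the aggregating role, the built-in
# aggregate-to-admin role (rules abbreviated), a hypothetical CRD role that
# opts in via the label, and a role with a different label that must be ignored.
CLUSTER_ROLES = [
    {
        "metadata": {"name": "admin",
                     "labels": {"kubernetes.io/bootstrapping": "rbac-defaults"}},
        "aggregationRule": {"clusterRoleSelectors": [
            {"matchLabels": {"rbac.authorization.k8s.io/aggregate-to-admin": "true"}},
        ]},
        "rules": [],  # placeholder; the controller overwrites it
    },
    {
        "metadata": {"name": "system:aggregate-to-admin",
                     "labels": {"rbac.authorization.k8s.io/aggregate-to-admin": "true"}},
        "rules": [
            {"apiGroups": [""], "resources": ["pods", "pods/exec"],
             "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
            {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["roles", "rolebindings"],
             "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
        ],
    },
    {   # hypothetical CRD role shipped alongside a CRD
        "metadata": {"name": "widgets-admin",
                     "labels": {"rbac.authorization.k8s.io/aggregate-to-admin": "true"}},
        "rules": [
            {"apiGroups": ["example.com"], "resources": ["widgets"],
             "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
            # identical to a rule already contributed above: must be added only once
            {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["roles", "rolebindings"],
             "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
        ],
    },
    {   # hypothetical read-only CRD role; carries a label admin does not select
        "metadata": {"name": "widgets-view",
                     "labels": {"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
        "rules": [{"apiGroups": ["example.com"], "resources": ["widgets"],
                   "verbs": ["get", "list", "watch"]}],
    },
]


def selector_matches(selector, labels):
    """matchLabels semantics: every key/value pair must be present on the role."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def aggregate(role, cluster_roles):
    """Return the rules the aggregation controller would write into `role`.

    Selectors are ORed; the role itself is skipped so it cannot feed itself;
    a rule identical to one already collected is not added a second time.
    A role without an aggregationRule keeps its own rules.
    """
    if not role.get("aggregationRule"):
        return deepcopy(role.get("rules", []))
    collected = []
    for selector in role["aggregationRule"]["clusterRoleSelectors"]:
        for cr in cluster_roles:
            if cr["metadata"]["name"] == role["metadata"]["name"]:
                continue
            if not selector_matches(selector, cr["metadata"].get("labels", {})):
                continue
            for rule in cr.get("rules", []):
                if rule not in collected:
                    collected.append(deepcopy(rule))
    return collected


def allows(rules, api_group, resource, verb):
    """Plain RBAC match: some rule names the group, resource and verb ('*' wildcards)."""
    return any(
        (api_group in r.get("apiGroups", []) or "*" in r.get("apiGroups", []))
        and (resource in r.get("resources", []) or "*" in r.get("resources", []))
        and (verb in r.get("verbs", []) or "*" in r.get("verbs", []))
        for r in rules
    )


def aggregated_admin():
    """Rules that `admin` ends up with for the constructed cluster state."""
    admin = next(r for r in CLUSTER_ROLES if r["metadata"]["name"] == "admin")
    return aggregate(admin, CLUSTER_ROLES)


if __name__ == "__main__":
    rules = aggregated_admin()
    print(len(rules), "rules aggregated into admin")
    print("admin can create widgets.example.com:", allows(rules, "example.com", "widgets", "create"))
    print("admin can get secrets (not contributed here):", allows(rules, "", "secrets", "get"))
```

To compare against a real cluster, `kubectl get clusterrole admin -o yaml` shows the rules the controller actually wrote, and `kubectl get clusterrole -l rbac.authorization.k8s.io/aggregate-to-admin=true` lists every role that feeds it; any third-party role carrying that label silently widens admin, so that label is worth auditing on manifests you install.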

Kubernetes upgrades and the user-facing roles


When I upgraded a Kubernetes cluster, the user-facing roles changed in a puzzling way because of the role migration Kubernetes performs.
It causes no actual problem, but it surprised me when I first saw it, so I am sharing what happens.
When the cluster is upgraded, Kubernetes builds the new rules by merging the rules that existed in the old role with the rules of the new release
(for v1.8 -> v1.9: old admin rules + new rules, where the new rules are those of system:aggregate-to-admin and are passed on to the aggregating role; see https://github.com/kubernetes/kubernetes/blob/317853c90c674920bfbbdac54fe66092ddc9f15f/pkg/registry/rbac/rest/storage_rbac.go#L309).
The resulting role looks like this:
    aggregationRule:
      clusterRoleSelectors:
      - matchLabels:
          rbac.authorization.k8s.io/aggregate-to-admin: "true"
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      annotations:
        rbac.authorization.kubernetes.io/autoupdate: "true"
      labels:
        kubernetes.io/bootstrapping: rbac-defaults
      name: admin
    rules:
    - apiGroups:
      - ""
      resources:
      - pods
      - pods/attach
      - pods/exec
      - pods/portforward
      - pods/proxy
      verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    - apiGroups:
      - ""
      resources:
      - configmaps
      - endpoints
      - persistentvolumeclaims
      - replicationcontrollers
      - replicationcontrollers/scale
      - secrets
      - serviceaccounts
      - services
      - services/proxy
      verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    - apiGroups:
      - ""
      resources:
      - bindings
      - events
      - limitranges
      - namespaces/status
      - pods/log
      - pods/status
      - replicationcontrollers/status
      - resourcequotas
      - resourcequotas/status
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - ""
      resources:
      - namespaces
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - ""
      resources:
      - serviceaccounts
      verbs:
      - impersonate
    - apiGroups:
      - apps
      resources:
      - deployments
      - deployments/rollback
      - deployments/scale
      - statefulsets
      verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    - apiGroups:
      - autoscaling
      resources:
      - horizontalpodautoscalers
      verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    - apiGroups:
      - batch
      resources:
      - cronjobs
      - jobs
      - scheduledjobs # the rule for scheduledjobs, no longer supported in 1.9, is still present
      verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    - apiGroups:
      - extensions
      resources:
      - daemonsets
      - deployments
      - deployments/rollback
      - deployments/scale
      - ingresses
      - replicasets
      - replicasets/scale
      - replicationcontrollers/scale
      verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    - apiGroups:
      - authorization.k8s.io
      resources:
      - localsubjectaccessreviews
      verbs:
      - create
    - apiGroups:
      - rbac.authorization.k8s.io
      resources:
      - rolebindings
      - roles
      verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    - apiGroups: # from here on, a run of redundant one-verb daemonsets rules
      - apps
      resources:
      - daemonsets
      verbs:
      - create
    - apiGroups:
      - apps
      resources:
      - daemonsets
      verbs:
      - delete
    - apiGroups:
      - apps
      resources:
      - daemonsets
      verbs:
      - deletecollection
    - apiGroups:
      - apps
      resources:
      - daemonsets
      verbs:
      - get
    - apiGroups:
      - apps
      resources:
      - daemonsets
      verbs:
      - list
    - apiGroups:
      - apps
      resources:
      - daemonsets
      verbs:
      - patch
    - apiGroups:
      - apps
      resources:
      - daemonsets
      verbs:
      - update
    - apiGroups:
      - apps
      resources:
      - daemonsets
      verbs:
      - watch
    - apiGroups: # from here on, a run of redundant one-verb replicasets rules
      - apps
      resources:
      - replicasets
      verbs:
      - create
    - apiGroups:
      - apps
      resources:
      - replicasets
      verbs:
      - delete
    - apiGroups:
      - apps
      resources:
      - replicasets
      verbs:
      - deletecollection
    - apiGroups:
      - apps
      resources:
      - replicasets
      verbs:
      - get
    - apiGroups:
      - apps
      resources:
      - replicasets
      verbs:
      - list
    - apiGroups:
      - apps
      resources:
      - replicasets
      verbs:
      - patch
    - apiGroups:
      - apps
      resources:
      - replicasets
      verbs:
      - update
    - apiGroups:
      - apps
      resources:
      - replicasets
      verbs:
      - watch
    - apiGroups:
      - apps
      resources:
      - replicasets/scale
      verbs:
      - create
    - apiGroups:
      - apps
      resources:
      - replicasets/scale
      verbs:
      - delete
    - apiGroups:
      - apps
      resources:
      - replicasets/scale
      verbs:
      - deletecollection
    - apiGroups:
      - apps
      resources:
      - replicasets/scale
      verbs:
      - get
    - apiGroups:
      - apps
      resources:
      - replicasets/scale
      verbs:
      - list
    - apiGroups:
      - apps
      resources:
      - replicasets/scale
      verbs:
      - patch
    - apiGroups:
      - apps
      resources:
      - replicasets/scale
      verbs:
      - update
    - apiGroups:
      - apps
      resources:
      - replicasets/scale
      verbs:
      - watch
    - apiGroups:
      - policy
      resources:
      - poddisruptionbudgets
      verbs:
      - create
    - apiGroups:
      - policy
      resources:
      - poddisruptionbudgets
      verbs:
      - delete
    - apiGroups:
      - policy
      resources:
      - poddisruptionbudgets
      verbs:
      - deletecollection
    - apiGroups:
      - policy
      resources:
      - poddisruptionbudgets
      verbs:
      - get
    - apiGroups:
      - policy
      resources:
      - poddisruptionbudgets
      verbs:
      - list
    - apiGroups:
      - policy
      resources:
      - poddisruptionbudgets
      verbs:
      - patch
    - apiGroups:
      - policy
      resources:
      - poddisruptionbudgets
      verbs:
      - update
    - apiGroups:
      - policy
      resources:
      - poddisruptionbudgets
      verbs:
      - watch
    
  • Rules for resources that are no longer supported remain (scheduledjobs).
  • Rules carried over from the old role at upgrade are not merged by verb; they are expanded into one rule per verb.
  • Apart from looking ugly there is no real practical harm, but it surprised me the first time I saw it.
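The one-verb daemonsets and replicasets rules above have exactly the shape produced when an existing rule is broken down into single (apiGroup, resource, verb) rules and only the pieces not covered by the new rules are appended after them. The following Python is an added example, not Kubernetes code: a simplified model of that Covers/BreakdownRule comparison used by the RBAC reconciler (pkg/apis/rbac/validation), run on a constructed pair of rules standing in for the old and new admin rules for the apps group; resourceNames and nonResourceURLs are ignored. compact() is my addition and shows the equivalent merged form, useful when diffing a role before and after an upgrade.

```python
"""Why an upgraded user-facing role contains one-verb rules (added example)."""
from itertools import product

READ_WRITE = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]

# Constructed input: the apps-group rule of the pre-upgrade admin role and the
# apps-group rule shipped by the new release (modelled on the output above).
OLD_RULES = [
    {"apiGroups": ["apps"],
     "resources": ["daemonsets", "deployments", "replicasets", "statefulsets"],
     "verbs": READ_WRITE},
]
NEW_RULES = [
    {"apiGroups": ["apps"],
     "resources": ["deployments", "deployments/rollback", "deployments/scale", "statefulsets"],
     "verbs": READ_WRITE},
]


def breakdown(rule):
    """Split a rule into single (apiGroup, resource, verb) rules."""
    return [{"apiGroups": [g], "resources": [r], "verbs": [v]}
            for g, r, v in product(rule["apiGroups"], rule["resources"], rule["verbs"])]


def _has(allowed, wanted):
    return "*" in allowed or wanted in allowed


def rule_covers(owner, sub):
    """Does `owner` grant everything the single-item rule `sub` grants?"""
    return (_has(owner["apiGroups"], sub["apiGroups"][0])
            and _has(owner["resources"], sub["resources"][0])
            and _has(owner["verbs"], sub["verbs"][0]))


def covers(owner_rules, rules):
    """Return (fully_covered, uncovered_single_rules), like validation.Covers."""
    uncovered = [sub for rule in rules for sub in breakdown(rule)
                 if not any(rule_covers(o, sub) for o in owner_rules)]
    return not uncovered, uncovered


def reconcile(expected, existing, remove_extra_permissions=False):
    """Rules the reconciler writes: the expected rules, plus (unless extra
    permissions are removed) whatever the existing role granted beyond them,
    appended in broken-down one-verb form. That appendix is the redundancy."""
    if remove_extra_permissions:
        return list(expected)
    _, extra = covers(expected, existing)
    return list(expected) + extra


def compact(rules):
    """Merge rules that differ only in verbs, for reading or diffing a role."""
    merged = {}
    for r in rules:
        key = (tuple(r["apiGroups"]), tuple(r["resources"]))
        verbs = merged.setdefault(key, [])
        for v in r["verbs"]:
            if v not in verbs:
                verbs.append(v)
    return [{"apiGroups": list(g), "resources": list(res), "verbs": verbs}
            for (g, res), verbs in merged.items()]


def upgraded_admin_rules():
    """What the constructed admin role looks like after the upgrade."""
    return reconcile(NEW_RULES, OLD_RULES)


if __name__ == "__main__":
    rules = upgraded_admin_rules()
    print(f"{len(rules)} rules after upgrade, {len(compact(rules))} after compaction")
    for r in rules[1:3]:
        print(r)
    print("old grants still covered:", covers(rules, OLD_RULES)[0])
```

The result is 17 rules: the new apps rule followed by eight daemonsets and eight replicasets one-verb rules, which compact() folds back to three, and covers(upgraded, OLD_RULES) confirms that nothing the old role granted was lost. Treat the compacted form as a reading aid only: the admin object carries rbac.authorization.kubernetes.io/autoupdate: "true", so its rules are owned by the reconciler and, once aggregated, by the aggregation controller.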

Summary


Since Kubernetes 1.9 the user-facing roles have been aggregated ClusterRoles.
The user-facing roles are also merged sensibly at version upgrades, but because the result is surprising at first sight I wrote up what happens.
