A brief introduction to kube-apiserver admission policies

Background

Originally the only way to extend kube-apiserver admission control was an admission webhook (ValidatingWebhookConfiguration / MutatingWebhookConfiguration), which means running, securing and keeping available an extra webhook server. Kubernetes can now evaluate CEL expressions inside the API server itself, with no external component in the request path:
ValidatingAdmissionPolicy (stable since 1.30) validates requests and can deny them.
MutatingAdmissionPolicy (introduced in 1.32, stable in 1.36) modifies the request object; mutation runs before validation, so a validating policy sees the mutated object.

On a cluster where MutatingAdmissionPolicy is still beta (the v1beta1 API used below), the kube-apiserver needs these additional command-line arguments (on kubeadm clusters they go into the static pod manifest /etc/kubernetes/manifests/kube-apiserver.yaml):

    - --feature-gates=MutatingAdmissionPolicy=true
    - --runtime-config=admissionregistration.k8s.io/v1beta1=true

Walkthrough

ValidatingAdmissionPolicy

Prepare the policy (policy.yaml). It rejects CREATE and UPDATE of any apps/v1 Deployment whose spec.replicas is not greater than 1. Two things to notice: the binding has no matchResources, so it applies in every namespace, kube-system included; and failurePolicy: Fail means that a request is rejected if the expression cannot be evaluated at all, not only when it evaluates to false.

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: demo
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups:   ["apps"]
      apiVersions: ["v1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["deployments"]
  validations:
    - expression: "object.spec.replicas > 1"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: demo
spec:
  policyName: demo
  validationActions: [Deny]

Prepare a Deployment (deployment.yaml) with replicas: 1, which the policy should reject:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      containers:
      - name: app
        image: nginx

Verify (k is an alias for kubectl):

k apply -f policy.yaml
k apply -f deployment.yaml

The policy applies cleanly; the Deployment is rejected with:

The deployments "demo" is invalid: : ValidatingAdmissionPolicy 'demo' with binding 'demo' denied request: failed expression: object.spec.replicas > 1

MutatingAdmissionPolicy

Prepare the policy (policy.yaml). It adds the label appName=demo to every Pod that does not already carry an appName label. The matchCondition keeps the mutation from running on Pods that already have the label, and reinvocationPolicy: IfNeeded lets the policy run again if another mutating admission plugin changes the object afterward. The condition must be null-safe: a Pod with no labels at all has no metadata.labels field, an expression that dereferences it errors, and with failurePolicy: Fail an erroring match condition rejects the request.

apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingAdmissionPolicy
metadata:
  name: demo
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups:   [""]
      apiVersions: ["v1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["pods"]
  matchConditions:
    - name: appName
      expression: '!has(object.metadata.labels) || !("appName" in object.metadata.labels)'
  reinvocationPolicy: IfNeeded
  mutations:
    - patchType: "ApplyConfiguration"
      applyConfiguration:
        expression: >
          Object{
            metadata: Object.metadata{
              labels: Object.metadata.labels{
                  appName: "demo",
                }
            }
          }
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingAdmissionPolicyBinding
metadata:
  name: demo
spec:
  policyName: demo

Prepare a Deployment (deployment.yaml) in the demo namespace, which must already exist. replicas is 2 so that the ValidatingAdmissionPolicy from the previous section, if it is still installed, does not reject it:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
  namespace: demo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      containers:
      - name: app
        image: nginx

Verify:

k apply -f policy.yaml
k apply -f deployment.yaml
k get pod -n demo -l appName=demo

Both Pods carry appName=demo even though the pod template only sets app: demo, which shows the label was added by the policy at admission time:

NAME                   READY   STATUS    RESTARTS   AGE
demo-98dd56467-brx4j   1/1     Running   0          54s
demo-98dd56467-rl7bb   1/1     Running   0          54s
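Adding a label shows the mechanism; in practice mutating policies are mostly used to inject secure defaults. As an added example (not from the original post), here is a MutatingAdmissionPolicy that uses the same ApplyConfiguration patch type to set allowPrivilegeEscalation: false on every container of a newly created Pod. The policy name and the namespace exclusion are assumptions for this example; the Object.spec.containers.securityContext type names follow the ApplyConfiguration naming convention, in which the type of a field is named by its path in the object.

```yaml
# Added example, not from the original post: default every container to
# allowPrivilegeEscalation=false. Policy name and excluded namespace are assumptions.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingAdmissionPolicy
metadata:
  name: no-privilege-escalation
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups:   [""]
      apiVersions: ["v1"]
      # CREATE only: container securityContext is immutable on a running Pod, so
      # mutating it on UPDATE would turn a valid update into an invalid one.
      operations:  ["CREATE"]
      resources:   ["pods"]
  matchConditions:
  # Run only when at least one container lacks the setting or has it enabled.
  # has() keeps the expression from erroring (and, with failurePolicy: Fail,
  # rejecting the Pod) when securityContext is absent.
  - name: needs-patch
    expression: >-
      object.spec.containers.exists(c,
        !has(c.securityContext) ||
        !has(c.securityContext.allowPrivilegeEscalation) ||
        c.securityContext.allowPrivilegeEscalation)
  reinvocationPolicy: IfNeeded
  mutations:
  - patchType: ApplyConfiguration
    applyConfiguration:
      # Apply configurations merge lists by their merge key (the container name),
      # so only the securityContext of each existing container is changed; image,
      # args and everything else are left as submitted.
      expression: >-
        Object{
          spec: Object.spec{
            containers: object.spec.containers.map(c, Object.spec.containers{
              name: c.name,
              securityContext: Object.spec.containers.securityContext{
                allowPrivilegeEscalation: false
              }
            })
          }
        }
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingAdmissionPolicyBinding
metadata:
  name: no-privilege-escalation
spec:
  policyName: no-privilege-escalation
  matchResources:
    namespaceSelector:
      matchExpressions:
      # Assumed exclusion: system components may need the setting left alone.
      - key: kubernetes.io/metadata.name
        operator: NotIn
        values: ["kube-system"]
```

Because mutating admission runs before validating admission, a mutation like this pairs naturally with a ValidatingAdmissionPolicy that checks object.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.allowPrivilegeEscalation) && !c.securityContext.allowPrivilegeEscalation): the mutation supplies the default, and the validation still denies the Pod if the mutating policy is ever disabled, unbound or skipped for a namespace. Check the result of the mutation the same way as above, with kubectl get pod -o yaml after a dry-run or a real create.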