A brief introduction to kube-apiserver admission policies

Background

Early on, kube-apiserver admission policy could only be implemented through webhooks.
ValidatingAdmissionPolicy (stable in 1.30) is used for validating admission.
MutatingAdmissionPolicy (introduced in 1.32, stable in 1.36) is used for mutating admission.

To use MutatingAdmissionPolicy, the following flags need to be added to the kube-apiserver startup parameters:

    - --feature-gates=MutatingAdmissionPolicy=true
    - --runtime-config=admissionregistration.k8s.io/v1beta1=true

Introduction

ValidatingAdmissionPolicy

Prepare the policy

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: demo
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups:   ["apps"]
      apiVersions: ["v1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["deployments"]
  validations:
    - expression: "object.spec.replicas > 1"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: demo
spec:
  policyName: demo
  validationActions: [Deny]

Prepare the Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      containers:
      - name: app
        image: nginx

Verify (k is used here as an alias for kubectl)

k apply -f policy.yaml
k apply -f deployment.yaml

The result is:

The deployments "demo" is invalid: : ValidatingAdmissionPolicy 'demo' with binding 'demo' denied request: failed expression: object.spec.replicas > 1

MutatingAdmissionPolicy

Prepare the policy

apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingAdmissionPolicy
metadata:
  name: demo
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups:   [""]
      apiVersions: ["v1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["pods"]
  matchConditions:
    - name: appName
      expression: "!object.metadata.labels.exists(label, label == \"appName\")"
  reinvocationPolicy: IfNeeded
  mutations:
    - patchType: "ApplyConfiguration"
      applyConfiguration:
        expression: >
          Object{
            metadata: Object.metadata{
              labels: Object.metadata.labels{
                  appName: "demo",
                }
            }
          }
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingAdmissionPolicyBinding
metadata:
  name: demo
spec:
  policyName: demo

Prepare the Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      containers:
      - name: app
        image: nginx

Verify

k apply -f policy.yaml
k apply -f deployment.yaml
k get pod -n demo -l appName=demo

The result is:

NAME                   READY   STATUS    RESTARTS   AGE
demo-98dd56467-brx4j   1/1     Running   0          54s
demo-98dd56467-rl7bb   1/1     Running   0          54s
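To make the evaluation order of the two policies above concrete, here is an added Python model of how the apiserver applies them: matchConstraints first, then matchConditions, then validations (for the ValidatingAdmissionPolicy) or the ApplyConfiguration mutation (for the MutatingAdmissionPolicy). This is illustration code, not Kubernetes code: the CEL expressions from the page are re-expressed as Python functions, the request objects are constructed inline, and the Request/Policy classes and the admit function are assumptions of this model. It also covers one case the page's manifests do not: the matchConditions expression reads object.metadata.labels directly, so a Pod without any labels makes the expression error, and with failurePolicy: Fail that error denies the request; guarding with has(object.metadata.labels) in the policy avoids it.

```python
import copy
from dataclasses import dataclass, field


@dataclass
class Request:
    """An admission request as the policy sees it (constructed, not a real AdmissionReview)."""
    group: str
    version: str
    resource: str
    operation: str
    obj: dict


@dataclass
class Policy:
    """Subset of the ValidatingAdmissionPolicy / MutatingAdmissionPolicy spec modelled here."""
    name: str
    resource_rules: list                                  # (apiGroups, apiVersions, resources, operations)
    failure_policy: str = "Fail"                          # Fail: an evaluation error denies the request
    match_conditions: list = field(default_factory=list)  # callables object -> bool
    validations: list = field(default_factory=list)       # (callable object -> bool, expression text)
    mutations: list = field(default_factory=list)         # callables object -> new object


def matches_constraints(policy, req):
    """matchConstraints.resourceRules: any rule matching group/version/resource/operation."""
    return any(
        req.group in groups and req.version in versions
        and req.resource in resources and req.operation in ops
        for groups, versions, resources, ops in policy.resource_rules
    )


def admit(policy, req):
    """Evaluate one policy against one request; returns (allowed, object, reason)."""
    if not matches_constraints(policy, req):
        return True, req.obj, "not matched by matchConstraints"
    try:
        if not all(cond(req.obj) for cond in policy.match_conditions):
            return True, req.obj, "matchConditions evaluated to false"
        for check, text in policy.validations:
            if not check(req.obj):
                return False, req.obj, (f"ValidatingAdmissionPolicy '{policy.name}' "
                                        f"denied request: failed expression: {text}")
        obj = req.obj
        for mutate in policy.mutations:
            obj = mutate(obj)
        return True, obj, "admitted"
    except (KeyError, TypeError) as err:
        # CEL errors on access to an unset field; failurePolicy decides the outcome.
        if policy.failure_policy == "Fail":
            return False, req.obj, f"evaluation error: {err!r}"
        return True, req.obj, f"evaluation error ignored: {err!r}"


# ValidatingAdmissionPolicy 'demo' from the page: object.spec.replicas > 1
validating_demo = Policy(
    name="demo",
    resource_rules=[(["apps"], ["v1"], ["deployments"], ["CREATE", "UPDATE"])],
    validations=[(lambda o: o["spec"]["replicas"] > 1, "object.spec.replicas > 1")],
)


def lacks_app_name(o):
    # Mirrors !object.metadata.labels.exists(label, label == "appName").
    # Like the CEL original, this raises when metadata.labels is unset.
    return "appName" not in o["metadata"]["labels"]


def apply_app_name(o):
    # Mirrors the ApplyConfiguration patch: merge labels.appName = "demo".
    # Idempotent, so reinvocationPolicy: IfNeeded cannot loop on it.
    new = copy.deepcopy(o)
    new["metadata"].setdefault("labels", {})["appName"] = "demo"
    return new


# MutatingAdmissionPolicy 'demo' from the page, in the same model.
mutating_demo = Policy(
    name="demo",
    resource_rules=[([""], ["v1"], ["pods"], ["CREATE", "UPDATE"])],
    match_conditions=[lacks_app_name],
    mutations=[apply_app_name],
)


def deployment(replicas):
    """Constructed Deployment with only the fields the validation reads."""
    return {"metadata": {"name": "demo"}, "spec": {"replicas": replicas}}


def pod(labels):
    """Constructed Pod; labels=None models a Pod with metadata.labels unset."""
    meta = {"name": "demo-pod"}
    if labels is not None:
        meta["labels"] = labels
    return {"metadata": meta, "spec": {}}


if __name__ == "__main__":
    print(admit(validating_demo, Request("apps", "v1", "deployments", "CREATE", deployment(1))))
    print(admit(mutating_demo, Request("", "v1", "pods", "CREATE", pod({"app": "demo"}))))
    print(admit(mutating_demo, Request("", "v1", "pods", "CREATE", pod(None))))
```

Running the module prints the denial for the replicas: 1 Deployment, the mutated Pod carrying appName: demo, and the denial of the label-less Pod caused by the unguarded labels access under failurePolicy: Fail.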