课程内容:各种k8s部署方式。包括minikube部署,kubeadm部署,kubeasz部署,rancher部署,k3s部署。包括开发测试环境部署k8s,和生产环境部署k8s。
介绍主要的k8s资源的使用配置和命令。包括configmap,pod,service,replicaset,namespace,deployment,daemonset,ingress,pv,pvc,sc,role,rolebinding,clusterrole,clusterrolebinding,secret,serviceaccount,statefulset,job,cronjob,podDisruptionbudget,podSecurityPolicy,networkPolicy,resourceQuota,limitrange,endpoint,event,conponentstatus,node,apiservice,controllerRevision等。
本课程将详细介绍k8s所有命令,以及命令的go源码分析,学习知其然,知其所以然
————————————————--------------------------------------------------------------
type CreateClusterRoleOptions struct {//clusterrole结构体 *CreateRoleOptions//继承role结构体 NonResourceURLs []string//非资源url AggregationRule map[string]string//组合角色规则 }
//创建create clusterrole命令 func NewCmdCreateClusterRole(f cmdutil.Factory, ioStreams genericclioptions.IOStreams) *cobra.Command { c := &CreateClusterRoleOptions{//初始化clusterrole结构体 CreateRoleOptions: NewCreateRoleOptions(ioStreams), AggregationRule: map[string]string{}, } cmd := &cobra.Command{//创建cobra命令 Use: "clusterrole NAME --verb=verb --resource=resource.group [--resource-name=resourcename] [--dry-run]", DisableFlagsInUseLine: true, Short: clusterRoleLong, Long: clusterRoleLong, Example: clusterRoleExample, Run: func(cmd *cobra.Command, args []string) { cmdutil.CheckErr(c.Complete(f, cmd, args))//准备运行 cmdutil.CheckErr(c.Validate())//校验参数 cmdutil.CheckErr(c.RunCreateRole())//运行逻辑 }, } c.PrintFlags.AddFlags(cmd)//设置print选项 cmdutil.AddApplyAnnotationFlags(cmd)//设置save-config选项 cmdutil.AddValidateFlags(cmd)//设置validate选项 cmdutil.AddDryRunFlag(cmd)//设置dry-run选项 cmd.Flags().StringSliceVar(&c.Verbs, "verb", c.Verbs, "Verb that applies to the resources contained in the rule")//设置verb选项 cmd.Flags().StringSliceVar(&c.NonResourceURLs, "non-resource-url", c.NonResourceURLs, "A partial url that user should have access to.")//设置non-resource-url选项 cmd.Flags().StringSlice("resource", []string{}, "Resource that the rule applies to")//设置resource选项 cmd.Flags().StringArrayVar(&c.ResourceNames, "resource-name", c.ResourceNames, "Resource in the white list that the rule applies to, repeat this flag for multiple items")//设置resource-name选项 cmd.Flags().Var(cliflag.NewMapStringString(&c.AggregationRule), "aggregation-rule", "An aggregation label selector for combining ClusterRoles.")//设置aggregation-rule选项 return cmd }
//运行准备函数 func (c *CreateClusterRoleOptions) Complete(f cmdutil.Factory, cmd *cobra.Command, args []string) error { // Remove duplicate nonResourceURLs nonResourceURLs := []string{} for _, n := range c.NonResourceURLs {//non-resource-url去重 if !arrayContains(nonResourceURLs, n) { nonResourceURLs = append(nonResourceURLs, n) } } c.NonResourceURLs = nonResourceURLs return c.CreateRoleOptions.Complete(f, cmd, args)//运行role的complete方法 }
//运行role的complete方法 func (o *CreateRoleOptions) Complete(f cmdutil.Factory, cmd *cobra.Command, args []string) error { name, err := NameFromCommandArgs(cmd, args)//获取资源名称 if err != nil { return err } o.Name = name//设置资源名称 // Remove duplicate verbs. verbs := []string{} for _, v := range o.Verbs { // VerbAll respresents all kinds of verbs. if v == "*" {//如果是*,则verbs是*,并break verbs = []string{"*"} break } if !arrayContains(verbs, v) {//去重 verbs = append(verbs, v) } } o.Verbs = verbs//设置verbs // Support resource.group pattern. If no API Group specified, use "" as core API Group. // e.g. --resource=pods,deployments.extensions resources := cmdutil.GetFlagStringSlice(cmd, "resource")//获取resource选项 for _, r := range resources { sections := strings.SplitN(r, "/", 2)//用/分割字符 resource := &ResourceOptions{} if len(sections) == 2 { resource.SubResource = sections[1]//设置子资源 } parts := strings.SplitN(sections[0], ".", 2)//用.分割字符 if len(parts) == 2 { resource.Group = parts[1]//设置group } resource.Resource = parts[0]//设置资源 if resource.Resource == "*" && len(parts) == 1 && len(sections) == 1 { o.Resources = []ResourceOptions{*resource}//如果资源是*,则设置资源为*,并break break } o.Resources = append(o.Resources, *resource)//添加资源 } // Remove duplicate resource names. resourceNames := []string{} for _, n := range o.ResourceNames {//resource-name去重 if !arrayContains(resourceNames, n) { resourceNames = append(resourceNames, n) } } o.ResourceNames = resourceNames//设置resource-name // Complete other options for Run. o.Mapper, err = f.ToRESTMapper()//设置mapper if err != nil { return err } o.DryRun = cmdutil.GetDryRunFlag(cmd)//设置干跑 o.OutputFormat = cmdutil.GetFlagString(cmd, "output")//设置output if o.DryRun { o.PrintFlags.Complete("%s (dry run)") } printer, err := o.PrintFlags.ToPrinter()//把print flag转化为printer if err != nil { return err } o.PrintObj = func(obj runtime.Object) error {//设置printObj函数 return printer.PrintObj(obj, o.Out) } o.Namespace, _, err = f.ToRawKubeConfigLoader().Namespace()//获取namespace if err != nil { return err } clientset, err := f.KubernetesClientSet()//获取clientset if err != nil { return err } o.Client = clientset.RbacV1()//设置client return nil }
//运行校验函数 func (c *CreateClusterRoleOptions) Validate() error { if c.Name == "" {//name为空报错 return fmt.Errorf("name must be specified") } if len(c.AggregationRule) > 0 {//AggregationRule不能和下面选项共存 if len(c.NonResourceURLs) > 0 || len(c.Verbs) > 0 || len(c.Resources) > 0 || len(c.ResourceNames) > 0 { return fmt.Errorf("aggregation rule must be specified without nonResourceURLs, verbs, resources or resourceNames") } return nil } // validate verbs. if len(c.Verbs) == 0 {//verb不能为空 return fmt.Errorf("at least one verb must be specified") } if len(c.Resources) == 0 && len(c.NonResourceURLs) == 0 {//resource和non-resource-url不能都未空 return fmt.Errorf("one of resource or nonResourceURL must be specified") } // validate resources if len(c.Resources) > 0 { for _, v := range c.Verbs { if !arrayContains(validResourceVerbs, v) {//判断verb是否有效 return fmt.Errorf("invalid verb: '%s'", v) } } if err := c.validateResource(); err != nil {//校验资源 return err } } //validate non-resource-url if len(c.NonResourceURLs) > 0 {//如果non-rsource-url不为空 for _, v := range c.Verbs { if !arrayContains(validNonResourceVerbs, v) {//校验verb是否有效 return fmt.Errorf("invalid verb: '%s' for nonResourceURL", v) } } for _, nonResourceURL := range c.NonResourceURLs { if nonResourceURL == "*" { continue } if nonResourceURL == "" || !strings.HasPrefix(nonResourceURL, "/") { return fmt.Errorf("nonResourceURL should start with /")//non-resource-url必须/开头 } if strings.ContainsRune(nonResourceURL[:len(nonResourceURL)-1], '*') {//*只能出现在末尾 return fmt.Errorf("nonResourceURL only supports wildcard matches when '*' is at the end") } } } return nil }
//调用role的validate方法 func (o *CreateRoleOptions) validateResource() error { for _, r := range o.Resources { if len(r.Resource) == 0 {//资源不能为空 return fmt.Errorf("resource must be specified if apiGroup/subresource specified") } if r.Resource == "*" { return nil } resource := schema.GroupVersionResource{Resource: r.Resource, Group: r.Group} groupVersionResource, err := o.Mapper.ResourceFor(schema.GroupVersionResource{Resource: r.Resource, Group: r.Group}) if err == nil { resource = groupVersionResource } for _, v := range o.Verbs { if groupResources, ok := specialVerbs[v]; ok {//如果是特殊动作 match := false for _, extra := range groupResources {//如果特殊动作的资源包含现在的资源 if resource.Resource == extra.Resource && resource.Group == extra.Group { match = true err = nil break } } if !match { return fmt.Errorf("can not perform '%s' on '%s' in group '%s'", v, resource.Resource, resource.Group) } } } if err != nil { return err } } return nil }
//执行逻辑 func (c *CreateClusterRoleOptions) RunCreateRole() error { clusterRole := &rbacv1.ClusterRole{//创建一个clusterrole对象 // this is ok because we know exactly how we want to be serialized TypeMeta: metav1.TypeMeta{APIVersion: rbacv1.SchemeGroupVersion.String(), Kind: "ClusterRole"}, } clusterRole.Name = c.Name//设置clusterrole名称 var err error if len(c.AggregationRule) == 0 {//如果aggregation-rule没值 rules, err := generateResourcePolicyRules(c.Mapper, c.Verbs, c.Resources, c.ResourceNames, c.NonResourceURLs)//构造policy if err != nil { return err } clusterRole.Rules = rules//设置policy } else { clusterRole.AggregationRule = &rbacv1.AggregationRule{//构造aggregationRule ClusterRoleSelectors: []metav1.LabelSelector{ { MatchLabels: c.AggregationRule, }, }, } } // Create ClusterRole. if !c.DryRun {//非干跑 clusterRole, err = c.Client.ClusterRoles().Create(clusterRole)//创建clusterrole if err != nil { return err } } return c.PrintObj(clusterRole)//打印结果 }
//构造policy func generateResourcePolicyRules(mapper meta.RESTMapper, verbs []string, resources []ResourceOptions, resourceNames []string, nonResourceURLs []string) ([]rbacv1.PolicyRule, error) { // groupResourceMapping is a apigroup-resource map. The key of this map is api group, while the value // is a string array of resources under this api group. // E.g. groupResourceMapping = {"extensions": ["replicasets", "deployments"], "batch":["jobs"]} groupResourceMapping := map[string][]string{} // This loop does the following work: // 1. Constructs groupResourceMapping based on input resources. // 2. Prevents pointing to non-existent resources. // 3. Transfers resource short name to long name. E.g. rs.extensions is transferred to replicasets.extensions for _, r := range resources {//遍历资源 resource := schema.GroupVersionResource{Resource: r.Resource, Group: r.Group} groupVersionResource, err := mapper.ResourceFor(schema.GroupVersionResource{Resource: r.Resource, Group: r.Group}) if err == nil { resource = groupVersionResource }设置资源 if len(r.SubResource) > 0 {//如果有子资源则加上子资源 resource.Resource = resource.Resource + "/" + r.SubResource } if !arrayContains(groupResourceMapping[resource.Group], resource.Resource) {//如果资源不再map里则放入 groupResourceMapping[resource.Group] = append(groupResourceMapping[resource.Group], resource.Resource) } } // Create separate rule for each of the api group. rules := []rbacv1.PolicyRule{}//构造policyRule slice for _, g := range sets.StringKeySet(groupResourceMapping).List() {//遍历map rule := rbacv1.PolicyRule{}//构造policyrule对象 rule.Verbs = verbs//设置verbs rule.Resources = groupResourceMapping[g]//设置资源 rule.APIGroups = []string{g}//设置apiGroup rule.ResourceNames = resourceNames//设置资源名称 rules = append(rules, rule)//把rule加到slice中 } if len(nonResourceURLs) > 0 {//如果non-resource-url有值 rule := rbacv1.PolicyRule{}构造policyrule对象 rule.Verbs = verbs//设置verb rule.NonResourceURLs = nonResourceURLs//设置non-resource-url rules = append(rules, rule)//添加rule到slice } return rules, nil }