Red Hat Summit 红帽全球峰会支持控制台(Console)开发人员开始试用联系人

第 11 章 在 PolicyGenerator 或 PolicyGenTemplate CR 中使用 hub 模板

Topology Aware Lifecycle Manager 支持在 GitOps Zero Touch Provisioning (ZTP) 的配置策略中支持 Red Hat Advanced Cluster Management (RHACM) hub 集群模板功能。

hub-side 集群模板允许您定义可动态自定义到目标集群的配置策略。这可减少为具有辅助配置但具有不同值的很多集群创建单独的策略的需求。

重要

策略模板仅限于与定义策略的命名空间相同的命名空间。这意味着,您必须在创建策略的同一命名空间中创建 hub 模板中引用的对象。

重要

使用 PolicyGenTemplate CR 管理和监控对受管集群的策略将在即将发布的 OpenShift Container Platform 发行版本中弃用。使用 Red Hat Advanced Cluster Management (RHACM) 和 PolicyGenerator CR 提供了等效的和改进的功能。

有关 PolicyGenerator 资源的更多信息,请参阅 RHACM 策略生成器 文档。

您可以使用 hub 模板填充应用到受管集群的生成的策略中的组和站点值来管理带有 ConfigMap CR 的集群配置。在站点 PolicyGeneratorPolicyGentemplate CR 中使用 hub 模板意味着您不需要为每个站点创建一个策略 CR。

您可以根据用例(如硬件类型或区域)将集群分组到不同的类别中。每个集群都应该有一个与集群所在的组或组对应的标签。如果您管理位于不同 ConfigMap CR 中的每个组的配置值,则只需要一个策略 CR 来使用 hub 模板将更改应用到组中的所有集群。

以下示例演示了如何使用三个 ConfigMap CR 和一个组 PolicyGenerator CR 将站点和组配置应用到按硬件类型和区域分组的集群。

注意

ConfigMap CR 有一个 1 MiB 大小限制 (Kubernetes 文档)。ConfigMap CR 的有效大小被 last-applied-configuration 注解进一步限制。要避免 last-applied-configuration 限制,请在模板 ConfigMap 中添加以下注解: 

argocd.argoproj.io/sync-options: Replace=true
Copy to Clipboard Toggle word wrap

先决条件

  • 已安装 OpenShift CLI(oc)。
  • 已以具有 cluster-admin 权限的用户身份登录到 hub 集群。
  • 您已创建了管理自定义站点配置数据的 Git 存储库。存储库必须可从 hub 集群访问,并定义为 GitOps ZTP ArgoCD 应用程序的源存储库。

流程

  1. 创建包含组和站点配置的三个 ConfigMap CR:

    1. 创建名为 group-hardware-types-configmapConfigMap CR,以存放特定于硬件的配置。例如: 

      apiVersion: v1
kind: ConfigMap
metadata:
  name: group-hardware-types-configmap
  namespace: ztp-group
  annotations:
    argocd.argoproj.io/sync-options: Replace=true
      1 
      
data:
  # SriovNetworkNodePolicy.yaml
  hardware-type-1-sriov-node-policy-pfNames-1: "[\"ens5f0\"]"
  hardware-type-1-sriov-node-policy-pfNames-2: "[\"ens7f0\"]"
  # PerformanceProfile.yaml
  hardware-type-1-cpu-isolated: "2-31,34-63"
  hardware-type-1-cpu-reserved: "0-1,32-33"
  hardware-type-1-hugepages-default: "1G"
  hardware-type-1-hugepages-size: "1G"
  hardware-type-1-hugepages-count: "32"
      Copy to Clipboard Toggle word wrap
      1
      只有在 ConfigMap 大于 1 MiB 时,才需要 argocd.argoproj.io/sync-options 注解。

    2. 创建名为 group-zones-configmapConfigMap CR,以存放区域配置。例如: 

      apiVersion: v1
kind: ConfigMap
metadata:
  name: group-zones-configmap
  namespace: ztp-group
data:
  # ClusterLogForwarder.yaml
  zone-1-cluster-log-fwd-outputs: "[{\"type\":\"kafka\", \"name\":\"kafka-open\", \"url\":\"tcp://10.46.55.190:9092/test\"}]"
  zone-1-cluster-log-fwd-pipelines: "[{\"inputRefs\":[\"audit\", \"infrastructure\"], \"labels\": {\"label1\": \"test1\", \"label2\": \"test2\", \"label3\": \"test3\", \"label4\": \"test4\"}, \"name\": \"all-to-default\", \"outputRefs\": [\"kafka-open\"]}]"
      Copy to Clipboard Toggle word wrap

    3. 创建名为 site-data-configmapConfigMap CR,以存放特定于站点的配置。例如: 

      apiVersion: v1
kind: ConfigMap
metadata:
  name: site-data-configmap
  namespace: ztp-group
data:
  # SriovNetwork.yaml
  du-sno-1-zone-1-sriov-network-vlan-1: "140"
  du-sno-1-zone-1-sriov-network-vlan-2: "150"
      Copy to Clipboard Toggle word wrap
    注意

    每个 ConfigMap CR 必须与从组 PolicyGenerator CR 生成的策略位于同一个命名空间中。

  2. 提交 Git 中的 ConfigMap CR,然后推送到由 Argo CD 应用程序监控的 Git 存储库。

  3. 将硬件类型和区域标签应用到集群。以下命令适用于名为 du-sno-1-zone-1 的单个集群,选择的标签为 "hardware-type": "hardware-type-1""group-du-sno-zone": "zone-1": 

    $ oc patch managedclusters.cluster.open-cluster-management.io/du-sno-1-zone-1 --type merge -p '{"metadata":{"labels":{"hardware-type": "hardware-type-1", "group-du-sno-zone": "zone-1"}}}'
    Copy to Clipboard Toggle word wrap

  4. 根据您的要求,创建一个组 PolicyGeneratorPolicyGentemplate CR,它使用 hub 模板从 ConfigMap 对象获取所需的数据:

    1. 创建组 PolicyGenerator CR。这个示例 PolicyGenerator CR 为与 policyDefaults.placement 字段中列出的标签匹配的集群配置日志、VLAN ID、NIC 和 Performance Profile: 

      ---
apiVersion: policy.open-cluster-management.io/v1
kind: PolicyGenerator
metadata:
    name: group-du-sno-pgt
placementBindingDefaults:
    name: group-du-sno-pgt-placement-binding
policyDefaults:
    placement:
        labelSelector:
            matchExpressions:
                - key: group-du-sno-zone
                  operator: In
                  values:
                    - zone-1
                - key: hardware-type
                  operator: In
                  values:
                    - hardware-type-1
    remediationAction: inform
    severity: low
    namespaceSelector:
        exclude:
            - kube-*
        include:
            - '*'
    evaluationInterval:
        compliant: 10m
        noncompliant: 10s
policies:
    - name: group-du-sno-pgt-group-du-sno-cfg-policy
      policyAnnotations:
        ran.openshift.io/ztp-deploy-wave: "10"
      manifests:
        - path: source-crs/ClusterLogForwarder.yaml
          patches:
            - spec:
                outputs: '{{hub fromConfigMap "" "group-zones-configmap" (printf "%s-cluster-log-fwd-outputs" (index .ManagedClusterLabels "group-du-sno-zone")) | toLiteral hub}}'
                pipelines: '{{hub fromConfigMap "" "group-zones-configmap" (printf "%s-cluster-log-fwd-pipelines" (index .ManagedClusterLabels "group-du-sno-zone")) | toLiteral hub}}'
        - path: source-crs/PerformanceProfile-MCP-master.yaml
          patches:
            - metadata:
                name: openshift-node-performance-profile
              spec:
                additionalKernelArgs:
                    - rcupdate.rcu_normal_after_boot=0
                    - vfio_pci.enable_sriov=1
                    - vfio_pci.disable_idle_d3=1
                    - efi=runtime
                cpu:
                    isolated: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-cpu-isolated" (index .ManagedClusterLabels "hardware-type")) hub}}'
                    reserved: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-cpu-reserved" (index .ManagedClusterLabels "hardware-type")) hub}}'
                hugepages:
                    defaultHugepagesSize: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-default" (index .ManagedClusterLabels "hardware-type")) hub}}'
                    pages:
                        - count: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-count" (index .ManagedClusterLabels "hardware-type")) | toInt hub}}'
                          size: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-size" (index .ManagedClusterLabels "hardware-type")) hub}}'
                realTimeKernel:
                    enabled: true
    - name: group-du-sno-pgt-group-du-sno-sriov-policy
      policyAnnotations:
        ran.openshift.io/ztp-deploy-wave: "100"
      manifests:
        - path: source-crs/SriovNetwork.yaml
          patches:
            - metadata:
                name: sriov-nw-du-fh
              spec:
                resourceName: du_fh
                vlan: '{{hub fromConfigMap "" "site-data-configmap" (printf "%s-sriov-network-vlan-1" .ManagedClusterName) | toInt hub}}'
        - path: source-crs/SriovNetworkNodePolicy-MCP-master.yaml
          patches:
            - metadata:
                name: sriov-nnp-du-fh
              spec:
                deviceType: netdevice
                isRdma: false
                nicSelector:
                    pfNames: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-sriov-node-policy-pfNames-1" (index .ManagedClusterLabels "hardware-type")) | toLiteral hub}}'
                numVfs: 8
                priority: 10
                resourceName: du_fh
        - path: source-crs/SriovNetwork.yaml
          patches:
            - metadata:
                name: sriov-nw-du-mh
              spec:
                resourceName: du_mh
                vlan: '{{hub fromConfigMap "" "site-data-configmap" (printf "%s-sriov-network-vlan-2" .ManagedClusterName) | toInt hub}}'
        - path: source-crs/SriovNetworkNodePolicy-MCP-master.yaml
          patches:
            - metadata:
                name: sriov-nw-du-fh
              spec:
                deviceType: netdevice
                isRdma: false
                nicSelector:
                    pfNames: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-sriov-node-policy-pfNames-2" (index .ManagedClusterLabels "hardware-type")) | toLiteral hub}}'
                numVfs: 8
                priority: 10
                resourceName: du_fh
      Copy to Clipboard Toggle word wrap

    2. 创建组 PolicyGenTemplate CR。此 PolicyGenTemplate CR 示例为与 spec.bindingRules 下列出的标签匹配的集群配置日志、VLAN ID、NIC 和 Performance Profile: 

      apiVersion: ran.openshift.io/v1
kind: PolicyGenTemplate
metadata:
  name: group-du-sno-pgt
  namespace: ztp-group
spec:
  bindingRules:
    # These policies will correspond to all clusters with these labels
    group-du-sno-zone: "zone-1"
    hardware-type: "hardware-type-1"
  mcp: "master"
  sourceFiles:
    - fileName: ClusterLogForwarder.yaml # wave 10
      policyName: "group-du-sno-cfg-policy"
      spec:
        outputs: '{{hub fromConfigMap "" "group-zones-configmap" (printf "%s-cluster-log-fwd-outputs" (index .ManagedClusterLabels "group-du-sno-zone")) | toLiteral hub}}'
        pipelines: '{{hub fromConfigMap "" "group-zones-configmap" (printf "%s-cluster-log-fwd-pipelines" (index .ManagedClusterLabels "group-du-sno-zone")) | toLiteral hub}}'

    - fileName: PerformanceProfile.yaml # wave 10
      policyName: "group-du-sno-cfg-policy"
      metadata:
        name: openshift-node-performance-profile
      spec:
        additionalKernelArgs:
        - rcupdate.rcu_normal_after_boot=0
        - vfio_pci.enable_sriov=1
        - vfio_pci.disable_idle_d3=1
        - efi=runtime
        cpu:
          isolated: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-cpu-isolated" (index .ManagedClusterLabels "hardware-type")) hub}}'
          reserved: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-cpu-reserved" (index .ManagedClusterLabels "hardware-type")) hub}}'
        hugepages:
          defaultHugepagesSize: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-default" (index .ManagedClusterLabels "hardware-type")) hub}}'
          pages:
            - size: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-size" (index .ManagedClusterLabels "hardware-type")) hub}}'
              count: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-count" (index .ManagedClusterLabels "hardware-type")) | toInt hub}}'
        realTimeKernel:
          enabled: true

    - fileName: SriovNetwork.yaml # wave 100
      policyName: "group-du-sno-sriov-policy"
      metadata:
        name: sriov-nw-du-fh
      spec:
        resourceName: du_fh
        vlan: '{{hub fromConfigMap "" "site-data-configmap" (printf "%s-sriov-network-vlan-1" .ManagedClusterName) | toInt hub}}'

    - fileName: SriovNetworkNodePolicy.yaml # wave 100
      policyName: "group-du-sno-sriov-policy"
      metadata:
        name: sriov-nnp-du-fh
      spec:
        deviceType: netdevice
        isRdma: false
        nicSelector:
          pfNames: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-sriov-node-policy-pfNames-1" (index .ManagedClusterLabels "hardware-type")) | toLiteral hub}}'
        numVfs: 8
        priority: 10
        resourceName: du_fh

    - fileName: SriovNetwork.yaml # wave 100
      policyName: "group-du-sno-sriov-policy"
      metadata:
        name: sriov-nw-du-mh
      spec:
        resourceName: du_mh
        vlan: '{{hub fromConfigMap "" "site-data-configmap" (printf "%s-sriov-network-vlan-2" .ManagedClusterName) | toInt hub}}'

    - fileName: SriovNetworkNodePolicy.yaml # wave 100
      policyName: "group-du-sno-sriov-policy"
      metadata:
        name: sriov-nw-du-fh
      spec:
        deviceType: netdevice
        isRdma: false
        nicSelector:
          pfNames: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-sriov-node-policy-pfNames-2" (index .ManagedClusterLabels "hardware-type")) | toLiteral hub}}'
        numVfs: 8
        priority: 10
        resourceName: du_fh
      Copy to Clipboard Toggle word wrap
    注意

    要检索特定于站点的配置值,请使用 .ManagedClusterName 字段。这是一个模板上下文值设置为目标受管集群的名称。

    要检索特定于组的配置,请使用 .ManagedClusterLabels 字段。这是一个模板上下文值设置为受管集群标签的值。

  5. 提交 Git 中的站点 PolicyGeneratorPolicyGentemplate CR,并推送到由 ArgoCD 应用程序监控的 Git 存储库。

    注意

    对引用的 ConfigMap CR 的后续更改不会自动同步到应用的策略。您需要手动同步新的 ConfigMap 更改来更新现有的 PolicyGenerator CR。请参阅 "Syncing new ConfigMap changes to existing PolicyGenerator 或 PolicyGenTemplate CR"。

    您可以将相同的 PolicyGeneratorPolicyGentemplate CR 用于多个集群。如果有配置更改,则唯一需要进行修改的 ConfigMap 对象是保存每个集群配置和受管集群标签的 ConfigMap 对象。

返回顶部
Red Hat logoGithubredditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。 了解我们当前的更新.

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

Theme

© 2025 Red Hat