1.6. Generating a policy to install the GitOps Operator
A common use of Red Hat Advanced Cluster Management policies is to install an Operator on one or more managed Red Hat OpenShift Container Platform clusters. Continue reading to learn how to generate a policy with the Policy Generator and use the generated policy to install the OpenShift Container Platform GitOps Operator:
1.6.1. Generating a policy that installs OpenShift Container Platform GitOps
You can use the Policy Generator to generate a policy that installs OpenShift Container Platform GitOps. The OpenShift Container Platform GitOps Operator offers the all-namespaces installation mode, which is what the following example uses. Create a Subscription manifest file named openshift-gitops-subscription.yaml as in the following example:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: openshift-gitops-operator
  namespace: openshift-operators
spec:
  channel: stable
  name: openshift-gitops-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
To pin to a specific version of the Operator, you can add the following parameter and value: spec.startingCSV: openshift-gitops-operator.v<version>. Replace <version> with your preferred version. Note that startingCSV only selects the first version that is installed; with the default automatic approval of install plans, OLM still upgrades the Operator to newer versions that are published in the channel. To keep the version fixed, also set spec.installPlanApproval: Manual, and be aware that an install plan then has to be approved on the managed cluster before the Operator is installed.
A PolicyGenerator configuration file is required. Use a configuration file named policy-generator-config.yaml to generate a policy that installs OpenShift Container Platform GitOps on all OpenShift Container Platform managed clusters. See the following example:
apiVersion: policy.open-cluster-management.io/v1
kind: PolicyGenerator
metadata:
  name: install-openshift-gitops
policyDefaults:
  namespace: policies
  placement:
    clusterSelectors:
      vendor: "OpenShift"
  remediationAction: enforce
policies:
  - name: install-openshift-gitops
    manifests:
      - path: openshift-gitops-subscription.yaml
The last required file is kustomization.yaml, which needs the following configuration:
generators:
  - policy-generator-config.yaml
The generated policy might resemble the following file, which uses the deprecated PlacementRule:
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: placement-install-openshift-gitops
  namespace: policies
spec:
  clusterConditions:
    - status: "True"
      type: ManagedClusterConditionAvailable
  clusterSelector:
    matchExpressions:
      - key: vendor
        operator: In
        values:
          - OpenShift
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-install-openshift-gitops
  namespace: policies
placementRef:
  apiGroup: apps.open-cluster-management.io
  kind: PlacementRule
  name: placement-install-openshift-gitops
subjects:
  - apiGroup: policy.open-cluster-management.io
    kind: Policy
    name: install-openshift-gitops
---
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  annotations:
    policy.open-cluster-management.io/categories: CM Configuration Management
    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
    policy.open-cluster-management.io/standards: NIST SP 800-53
    policy.open-cluster-management.io/description:
  name: install-openshift-gitops
  namespace: policies
spec:
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: install-openshift-gitops
        spec:
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: operators.coreos.com/v1alpha1
                kind: Subscription
                metadata:
                  name: openshift-gitops-operator
                  namespace: openshift-operators
                spec:
                  channel: stable
                  name: openshift-gitops-operator
                  source: redhat-operators
                  sourceNamespace: openshift-marketplace
          remediationAction: enforce
          severity: low
Policies generated from the manifests in the OpenShift Container Platform documentation are supported. Any configuration guidance in the OpenShift Container Platform documentation can be applied by using the Policy Generator.
1.6.2. Using policy dependencies with OperatorGroup
When you install an Operator with an OperatorGroup manifest, the OperatorGroup must exist on the cluster before the Subscription is created. Use the policy dependencies feature together with the Policy Generator to ensure that the OperatorGroup policy is compliant before the Subscription policy is enforced.
Set the policy dependencies by listing the manifests in the order you want them applied. For example, you might want to create the namespace policy first, then the OperatorGroup, and finally the Subscription.
Enable the policyDefaults.orderManifests parameter and disable policyDefaults.consolidateManifests in the Policy Generator configuration manifest to automatically set the dependencies between the manifests, so that each manifest is enforced only after the previous one is compliant.