2.3.4. Creating a custom policy controller
Learn how to write, apply, view, and update your custom policy controllers. You can create a YAML file for your policy controller to deploy onto your cluster. See the following sections to create a policy controller:
2.3.4.1. Writing a policy controller
Use the policy controller framework that is in the governance-policy-framework repository. Complete the following steps to create a policy controller:

1. Clone the governance-policy-framework repository by running the following command:

    git clone git@github.com:stolostron/governance-policy-framework.git

2. Define your custom controller policy by updating the policy schema. Your policy might resemble the following content. Note that the API server requires the CRD name to be the plural resource name followed by the group, so the name is samplepolicies.policy.open-cluster-management.io, matching the group on the line below it:

    metadata:
      name: samplepolicies.policy.open-cluster-management.io
    spec:
      group: policy.open-cluster-management.io
      names:
        kind: SamplePolicy
        listKind: SamplePolicyList
        plural: samplepolicies
        singular: samplepolicy

3. Update the policy controller to watch your policy kind. Run the following commands, replacing the <YourPolicyKind> and <yourpolicy> placeholders with the kind and resource names from your schema. If you keep the SamplePolicy names from the example, the substitutions change nothing and the rest of this procedure applies as written. The -i "" form is the BSD sed syntax used on macOS; GNU sed takes -i alone:

    for file in $(find . -name "*.go" -type f); do sed -i "" "s/SamplePolicy/<YourPolicyKind>/g" "$file"; done
    for file in $(find . -name "*.go" -type f); do sed -i "" "s/samplepolicy-controller/<yourpolicy>-controller/g" "$file"; done
4. Recompile and run the policy controller by completing the following steps:
   - Log in to your cluster.
   - Select the user icon, and then click Configure client.
   - Copy and paste the configuration information into your command line, and press Enter.

   Run the following commands to apply your policy CRD and start the controller:

    export GO111MODULE=on
    kubectl apply -f deploy/crds/policy.open-cluster-management.io_samplepolicies_crd.yaml
    export WATCH_NAMESPACE=<cluster_namespace_on_hub>
    go run cmd/manager/main.go

   You might receive the following output, which indicates that the controller is running:

    {"level":"info","ts":1578503280.511274,"logger":"controller-runtime.manager","msg":"starting metrics server","path":"/metrics"}
    {"level":"info","ts":1578503281.215883,"logger":"controller-runtime.controller","msg":"Starting Controller","controller":"samplepolicy-controller"}
    {"level":"info","ts":1578503281.3203468,"logger":"controller-runtime.controller","msg":"Starting workers","controller":"samplepolicy-controller","worker count":1}
    Waiting for policies to be available for processing…
5. Create a policy and verify that the controller retrieves it and applies it on your cluster. Run the following command:

    kubectl apply -f deploy/crds/policy.open-cluster-management.io_samplepolicies_crd.yaml

   When the policy is applied, a message appears to indicate that your custom controller watched for and detected the policy. The message might resemble the following content:

    {"level":"info","ts":1578503685.643426,"logger":"controller_samplepolicy","msg":"Reconciling SamplePolicy","Request.Namespace":"default","Request.Name":"example-samplepolicy"}
    {"level":"info","ts":1578503685.855259,"logger":"controller_samplepolicy","msg":"Reconciling SamplePolicy","Request.Namespace":"default","Request.Name":"example-samplepolicy"}
    Available policies in namespaces:
    namespace = kube-public; policy = example-samplepolicy
    namespace = default; policy = example-samplepolicy
    namespace = kube-node-lease; policy = example-samplepolicy

6. Check the compliance details in the status field by running the following command:

    kubectl describe SamplePolicy example-samplepolicy -n default

   Your output might resemble the following content:

    status:
      compliancyDetails:
        example-samplepolicy:
          cluster-wide:
          - 5 violations detected in namespace `cluster-wide`, there are 0 users violations and 5 groups violations
          default:
          - 0 violations detected in namespace `default`, there are 0 users violations and 0 groups violations
          kube-node-lease:
          - 0 violations detected in namespace `kube-node-lease`, there are 0 users violations and 0 groups violations
          kube-public:
          - 1 violations detected in namespace `kube-public`, there are 0 users violations and 1 groups violations
      compliant: NonCompliant
7. Change the policy rules and policy logic to introduce new rules for your policy controller. Complete the following steps:
   - Add new fields to SamplePolicySpec by updating it in the YAML file. Your spec might resemble the following content:

    spec:
      description: SamplePolicySpec defines the desired state of SamplePolicy
      properties:
        labelSelector:
          additionalProperties:
            type: string
          type: object
        maxClusterRoleBindingGroups:
          type: integer
        maxClusterRoleBindingUsers:
          type: integer
        maxRoleBindingGroupsPerNamespace:
          type: integer
        maxRoleBindingUsersPerNamespace:
          type: integer

   - Update the SamplePolicySpec struct in samplepolicy_controller.go with the new fields.
   - Update the PeriodicallyExecSamplePolicies function in the samplepolicy_controller.go file with the new logic to run the policy controller. For an example of PeriodicallyExecSamplePolicies, see stolostron/multicloud-operators-policy-controller.
   - Recompile and run the policy controller. See Writing a policy controller.

Your policy controller is now functional.
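The per-namespace limit fields in the spec above are what the periodic check compares against the RoleBinding subjects it finds in each namespace, producing the status lines shown in step 6. The following Go code is an added example, not code from the governance-policy-framework or multicloud-operators-policy-controller repositories: it assumes plain stand-in types for the spec and for rbacv1.Subject, treats an unset (zero) limit as not enforced, and counts each distinct subject above a limit as one violation.

```go
package main

import "fmt"

// Plain structs constructed for this example; the real controller uses the CRD Go types.
type SamplePolicySpec struct{ MaxRoleBindingUsersPerNamespace, MaxRoleBindingGroupsPerNamespace int }
type Subject struct{ Kind, Name string }            // stand-in for rbacv1.Subject; Kind is "User" or "Group"
type NamespaceViolation struct{ Users, Groups int } // one status.compliancyDetails.<policy>.<namespace> entry

// Message renders the line shown under status.compliancyDetails on this page.
func (v NamespaceViolation) Message(ns string) string {
	return fmt.Sprintf("%d violations detected in namespace `%s`, there are %d users violations and %d groups violations",
		v.Users+v.Groups, ns, v.Users, v.Groups)
}

// excess reports how many subjects exceed limit; limit 0 means the spec field is unset and is not enforced (assumption).
func excess(count, limit int) int {
	if limit > 0 && count > limit {
		return count - limit
	}
	return 0
}

// CheckRoleBindings counts distinct User and Group subjects bound in a namespace; each subject above a limit is one violation.
func CheckRoleBindings(spec SamplePolicySpec, subjects []Subject) NamespaceViolation {
	seen := map[Subject]bool{}
	counts := map[string]int{}
	for _, s := range subjects {
		if !seen[s] { // a subject bound by several RoleBindings counts once
			seen[s] = true
			counts[s.Kind]++
		}
	}
	return NamespaceViolation{
		Users:  excess(counts["User"], spec.MaxRoleBindingUsersPerNamespace),
		Groups: excess(counts["Group"], spec.MaxRoleBindingGroupsPerNamespace),
	}
}

// Compliance derives the top-level status.compliant value from all namespace results.
func Compliance(details map[string]NamespaceViolation) string {
	for _, v := range details {
		if v.Users+v.Groups > 0 {
			return "NonCompliant"
		}
	}
	return "Compliant"
}
```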