1.5. Managing policy definitions with OpenShift Container Platform GitOps (Argo CD)
Deprecated: PlacementRule
OpenShift Container Platform GitOps, which is based on Argo CD, can also be used to manage policy definitions. To allow this workflow, OpenShift Container Platform GitOps must be granted access to create policies on the Red Hat Advanced Cluster Management hub cluster. Create the following ClusterRole resource, named openshift-gitops-policy-admin, which has access to create, read, update, and delete policies and placements. Your ClusterRole might resemble the following example:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: openshift-gitops-policy-admin
rules:
  - verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
    apiGroups:
      - policy.open-cluster-management.io
    resources:
      - policies
      - policysets
      - placementbindings
  - verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
    apiGroups:
      - apps.open-cluster-management.io
    resources:
      - placementrules
  - verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
    apiGroups:
      - cluster.open-cluster-management.io
    resources:
      - placements
      - placements/status
      - placementdecisions
      - placementdecisions/status
Create a ClusterRoleBinding object to grant the OpenShift Container Platform GitOps service account access to the openshift-gitops-policy-admin ClusterRole. Your ClusterRoleBinding might resemble the following example:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: openshift-gitops-policy-admin
subjects:
  - kind: ServiceAccount
    name: openshift-gitops-argocd-application-controller
    namespace: openshift-gitops
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: openshift-gitops-policy-admin
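Because the ClusterRole above is bound cluster-wide to the Argo CD application controller, it is worth checking that the role grants exactly the documented scope and nothing more. The following Python script is an added example, not part of the Red Hat documentation: it audits the JSON that `oc get clusterrole openshift-gitops-policy-admin -o json` prints against the grants listed above, reporting any missing or extra (apiGroup, resource, verb) grants; the SAMPLE document is a constructed copy of the page's ClusterRole.

```python
import json
from itertools import product

# Grants the documented ClusterRole is expected to hold: (apiGroup, resource) -> verbs.
CRUD = frozenset({"get", "list", "watch", "create", "update", "patch", "delete"})
REQUIRED = {
    ("policy.open-cluster-management.io", "policies"): CRUD,
    ("policy.open-cluster-management.io", "policysets"): CRUD,
    ("policy.open-cluster-management.io", "placementbindings"): CRUD,
    ("apps.open-cluster-management.io", "placementrules"): CRUD,
    ("cluster.open-cluster-management.io", "placements"): CRUD,
    ("cluster.open-cluster-management.io", "placements/status"): CRUD,
    ("cluster.open-cluster-management.io", "placementdecisions"): CRUD,
    ("cluster.open-cluster-management.io", "placementdecisions/status"): CRUD,
}

def expand_rules(clusterrole):
    """Flatten a ClusterRole's rules into a set of (apiGroup, resource, verb) triples."""
    grants = set()
    for rule in clusterrole.get("rules", []):
        grants.update(product(rule.get("apiGroups", []), rule.get("resources", []), rule.get("verbs", [])))
    return grants

def audit(clusterrole):
    """Return (missing, extra). A '*' in any position never matches a required triple, so a
    wildcard rule is reported under `extra`, which forces the role to spell out its grants."""
    granted = expand_rules(clusterrole)
    required = {(g, r, v) for (g, r), verbs in REQUIRED.items() for v in verbs}
    return sorted(required - granted), sorted(granted - required)

def audit_json(text):
    """Audit the JSON that `oc get clusterrole <name> -o json` prints."""
    return audit(json.loads(text))

# Constructed sample mirroring the documented ClusterRole, in the shape `oc get -o json` returns.
SAMPLE = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "openshift-gitops-policy-admin"},
    "rules": [
        {"apiGroups": ["policy.open-cluster-management.io"], "verbs": sorted(CRUD),
         "resources": ["policies", "policysets", "placementbindings"]},
        {"apiGroups": ["apps.open-cluster-management.io"], "verbs": sorted(CRUD),
         "resources": ["placementrules"]},
        {"apiGroups": ["cluster.open-cluster-management.io"], "verbs": sorted(CRUD),
         "resources": ["placements", "placements/status", "placementdecisions", "placementdecisions/status"]},
    ],
})

if __name__ == "__main__":
    missing, extra = audit_json(SAMPLE)
    print("missing:", missing or "none")
    print("extra:", extra or "none")
```

Pipe the live object into the script (`oc get clusterrole openshift-gitops-policy-admin -o json | python3 audit.py`, reading stdin into audit_json) to re-check the role after every drift or upgrade.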
When Red Hat Advanced Cluster Management policy definitions are deployed with OpenShift Container Platform GitOps, a copy of each policy is created in every managed cluster namespace. These copies are called replicated policies. To prevent OpenShift Container Platform GitOps from repeatedly deleting these replicated policies, or from showing the Argo CD Application as out of sync, the Red Hat Advanced Cluster Management policy framework automatically sets the argocd.argoproj.io/compare-options: IgnoreExtraneous annotation on them.
Argo CD uses labels and annotations to track objects. To keep replicated policies from showing in Argo CD at all, set spec.copyPolicyMetadata to false in the Red Hat Advanced Cluster Management policy definition, which prevents the Argo CD tracking labels and annotations from being copied to the replicated policies.
1.5.1. Integrating the Policy Generator with OpenShift Container Platform GitOps (Argo CD)
OpenShift Container Platform GitOps, which is based on Argo CD, can also be used to generate policies with the Policy Generator through GitOps. Because the Policy Generator is not preinstalled in the OpenShift Container Platform GitOps container image, some customization is required. To proceed, the OpenShift Container Platform GitOps Operator must be installed on the Red Hat Advanced Cluster Management hub cluster, and you must be logged in to the hub cluster.
To give OpenShift Container Platform GitOps access to the Policy Generator when it runs Kustomize, an init container copies the Policy Generator from the Red Hat Advanced Cluster Management Application Subscription container image into the OpenShift Container Platform GitOps container. Additionally, OpenShift Container Platform GitOps must be configured to pass the --enable-alpha-plugins flag when running Kustomize. Start editing the OpenShift Container Platform GitOps argocd object with the following command:
oc -n openshift-gitops edit argocd openshift-gitops
Then modify the OpenShift Container Platform GitOps argocd object to include the following additional YAML content. When a new Red Hat Advanced Cluster Management major version is released and you want to update the Policy Generator to a newer version, update the registry.redhat.io/rhacm2/multicluster-operators-subscription-rhel8 image used by the init container to the newer tag. In the following example, replace <version> with 2.9 or the Red Hat Advanced Cluster Management version you want:
apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  name: openshift-gitops
  namespace: openshift-gitops
spec:
  kustomizeBuildOptions: --enable-alpha-plugins
  repo:
    env:
      - name: KUSTOMIZE_PLUGIN_HOME
        value: /etc/kustomize/plugin
    initContainers:
      - args:
          - -c
          - cp /etc/kustomize/plugin/policy.open-cluster-management.io/v1/policygenerator/PolicyGenerator /policy-generator/PolicyGenerator
        command:
          - /bin/bash
        image: registry.redhat.io/rhacm2/multicluster-operators-subscription-rhel8:v<version>
        name: policy-generator-install
        volumeMounts:
          - mountPath: /policy-generator
            name: policy-generator
    volumeMounts:
      - mountPath: /etc/kustomize/plugin/policy.open-cluster-management.io/v1/policygenerator
        name: policy-generator
    volumes:
      - emptyDir: {}
        name: policy-generator
Now that OpenShift Container Platform GitOps can use the Policy Generator, it must also be granted access to create policies on the Red Hat Advanced Cluster Management hub cluster. Create a ClusterRole resource named openshift-gitops-policy-admin with access to create, read, update, and delete policies and placements. See the earlier ClusterRole example.
Additionally, create a ClusterRoleBinding object to grant the OpenShift Container Platform GitOps service account access to the openshift-gitops-policy-admin ClusterRole. Your ClusterRoleBinding might resemble the following resource:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: openshift-gitops-policy-admin
subjects:
  - kind: ServiceAccount
    name: openshift-gitops-argocd-application-controller
    namespace: openshift-gitops
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: openshift-gitops-policy-admin
1.5.2. Additional resources
- See the Argo CD documentation.