Red Hat Summit 红帽全球峰会支持控制台(Console)开发人员开始试用联系人

第 5 章 使用 AMQ Streams Operator

使用 AMQ Streams 操作器来管理您的 Kafka 集群,以及 Kafka 主题和用户。

5.1. 使用 Cluster Operator
复制链接

Cluster Operator 用于部署 Kafka 集群和其他 Kafka 组件。

Cluster Operator 使用 YAML 安装文件进行部署。

如需有关部署 Cluster Operator 的信息,请参阅 OpenShift 指南中的 Deploying and upgrade AMQ Streams 中的 部署 Cluster Operator

有关 Kafka 可用部署选项的详情,请参考 Kafka 集群配置

注意

在 OpenShift 中,Kafka Connect 部署可以纳入 Source2Image 功能,以提供添加额外连接器的便捷方式。

5.1.1. Cluster Operator 配置
复制链接

Cluster Operator 可以通过以下支持的环境变量和日志记录配置进行配置。

STRIMZI_NAMESPACE

Operator 应操作的命名空间的逗号分隔列表。如果没有设置,设为空字符串,或设置为 *,Cluster Operator 将在所有命名空间中运行。Cluster Operator 部署可能会使用 OpenShift Downward API 自动将其设置为 Cluster Operator 部署到的命名空间。请参见以下示例: 

env:
  - name: STRIMZI_NAMESPACE
    valueFrom:
      fieldRef:
        fieldPath: metadata.namespace
Copy to Clipboard Toggle word wrap
STRIMZI_FULL_RECONCILIATION_INTERVAL_MS
可选,默认为 120000 ms。定期协调之间的间隔,以毫秒为单位。
STRIMZI_OPERATION_TIMEOUT_MS
可选,默认为 300000 ms。内部操作的超时,以毫秒为单位。当在常规 OpenShift 操作需要比平时更长的集群中使用 AMQ Streams 时,这个值应该会增加(例如,因为 Docker 镜像下载速度较慢)。
STRIMZI_KAFKA_IMAGES
必需。这提供了从 Kafka 版本到相应 Docker 镜像的映射,其中包含该版本的 Kafka 代理。所需语法为空格或用逗号分开的 <version>=<image> 对。例如 2.5.0=registry.redhat.io/amq7/amq-streams-kafka-25-rhel7:1.6.7, 2.6.0=registry.redhat.io/amq7/amq-streams-kafka-26-rhel7:1.6.7。这在指定了 Kafka.spec.kafka.version 属性而不是 Kafka.spec.kafka.image 时使用,如 第 2.1.18 节 “容器镜像” 所述。
STRIMZI_DEFAULT_KAFKA_INIT_IMAGE
可选,默认 registry.redhat.io/amq7/amq-streams-rhel7-operator:1.6.7。如果没有将镜像指定为 第 2.1.18 节 “容器镜像” 中的 kafka-init-image,则在代理之前启动的 init 容器的镜像名称(即机架支持)没有指定为 kafka-init-image
STRIMZI_KAFKA_CONNECT_IMAGES
必需。这提供了从 Kafka 版本到相应 Docker 镜像的映射,其中包含该版本的 Kafka 连接。所需语法为空格或用逗号分开的 <version>=<image> 对。例如 2.5.0=registry.redhat.io/amq7/amq-streams-kafka-25-rhel7:1.6.7, 2.6.0=registry.redhat.io/amq7/amq-streams-kafka-26-rhel7:1.6.7。这在指定了 KafkaConnect.spec.version 属性而不是 KafkaConnect.spec.image 时使用,如 第 B.1.6 节 “镜像 所述。
STRIMZI_KAFKA_CONNECT_S2I_IMAGES
必需。这提供了从 Kafka 版本到相应 Docker 镜像的映射,其中包含该版本的 Kafka 连接。所需语法为空格或用逗号分开的 <version>=<image> 对。例如 2.5.0=registry.redhat.io/amq7/amq-streams-kafka-25-rhel7:1.6.7, 2.6.0=registry.redhat.io/amq7/amq-streams-kafka-26-rhel7:1.6.7。这在指定 KafkaConnectS2I.spec.version 属性而不是 KafkaConnectS2I.spec.image 时使用,如 第 B.1.6 节 “镜像 所述。
STRIMZI_KAFKA_MIRROR_MAKER_IMAGES
必需。这提供了从 Kafka 版本到相应 Docker 镜像的映射,其中包含该版本的 Kafka 镜像制作器。所需语法为空格或用逗号分开的 <version>=<image> 对。例如 2.5.0=registry.redhat.io/amq7/amq-streams-kafka-25-rhel7:1.6.7, 2.6.0=registry.redhat.io/amq7/amq-streams-kafka-26-rhel7:1.6.7。这在指定了 KafkaMirrorMaker.spec.version 属性而不是 KafkaMirrorMaker.spec.image 时使用,如 第 B.1.6 节 “镜像 所述。
STRIMZI_DEFAULT_TOPIC_OPERATOR_IMAGE
可选,默认 registry.redhat.io/amq7/amq-streams-rhel7-operator:1.6.7。部署主题 Operator 时要使用的镜像名称,如果没有在 Kafka 资源 第 2.1.18 节 “容器镜像” 中指定为 Kafka.spec.entityOperator.topicOperator.image 镜像名称。
STRIMZI_DEFAULT_USER_OPERATOR_IMAGE
可选,默认 registry.redhat.io/amq7/amq-streams-rhel7-operator:1.6.7。部署用户 Operator 时要使用的镜像名称,如果没有在 Kafka 资源 第 2.1.18 节 “容器镜像” 中指定为 Kafka.spec.entityOperator.userOperator.image 镜像。
STRIMZI_DEFAULT_TLS_SIDECAR_ENTITY_OPERATOR_IMAGE
Optional, default registry.redhat.io/amq7/amq-streams-kafka-26-rhel7:1.6.7.部署 sidecar 容器时要使用的镜像名称,该容器为 Entity Operator 提供 TLS 支持,如果没有将镜像指定为 第 2.1.18 节 “容器镜像” 中的 Kafka.spec.entityOperator.tlsSidecar.image
STRIMZI_IMAGE_PULL_POLICY
可选。ImagePullPolicy,它将应用到由 AMQ Streams Cluster Operator 管理的所有 pod 中的容器。有效值有 AlwaysifNotPresentNever。如果未指定,则将使用 OpenShift 的默认值。更改策略会导致所有 Kafka、Kafka Connect 和 Kafka MirrorMaker 集群滚动更新。
STRIMZI_IMAGE_PULL_SECRETS
可选。以逗号分隔的 Secret 名称列表。此处引用的 secret 包含从中提取容器镜像的容器注册表的凭据。secret 在 imagePullSecrets 字段中用于 Cluster Operator 创建的所有 Pod。更改此列表会导致所有 Kafka、Kafka Connect 和 Kafka MirrorMaker 集群进行滚动更新。
STRIMZI_KUBERNETES_VERSION

可选。覆盖从 API 服务器检测到的 OpenShift 版本信息。请参见以下示例: 

env:
  - name: STRIMZI_KUBERNETES_VERSION
    value: |
           major=1
           minor=16
           gitVersion=v1.16.2
           gitCommit=c97fe5036ef3df2967d086711e6c0c405941e14b
           gitTreeState=clean
           buildDate=2019-10-15T19:09:08Z
           goVersion=go1.12.10
           compiler=gc
           platform=linux/amd64
Copy to Clipboard Toggle word wrap
KUBERNETES_SERVICE_DNS_DOMAIN

可选。覆盖默认的 OpenShift DNS 域名后缀。

默认情况下,OpenShift 集群中分配的服务的 DNS 域名使用默认的后缀 cluster.local

例如,对于代理 kafka-0

<cluster-name>-kafka-0.<cluster-name>-kafka-brokers.<namespace>.svc.cluster.local
Copy to Clipboard Toggle word wrap

DNS 域名被添加到用于主机名验证的 Kafka 代理证书中。

如果您在集群中使用不同的 DNS 域名后缀,请将 KUBERNETES_SERVICE_DNS_DOMAIN 环境变量从默认值改为您用来与 Kafka 代理建立连接的变量。

通过 ConfigMap 配置

Cluster Operator 的日志记录由 strimzi-cluster-operator ConfigMap 配置。

安装 Cluster Operator 时会创建一个包含日志配置的 ConfigMap。此 ConfigMap 在文件 install/cluster-operator/050-ConfigMap-strimzi-cluster-operator.yaml 中描述。您可以通过更改此 ConfigMap 中的 data 字段 log4j2.properties 来配置 Cluster Operator 日志。

要更新日志记录配置,您可以编辑 050-ConfigMap-strimzi-cluster-operator.yaml 文件,然后运行以下命令: 

oc apply -f install/cluster-operator/050-ConfigMap-strimzi-cluster-operator.yaml
Copy to Clipboard Toggle word wrap

或者,直接编辑 ConfigMap: 

oc edit cm strimzi-cluster-operator
Copy to Clipboard Toggle word wrap

要更改重新加载间隔的频率,请在创建的 ConfigMap 中的 monitorInterval 选项中设置一个时间(以秒为单位)。

如果在部署 Cluster Operator 时缺少 ConfigMap,则会使用默认的日志记录值。

如果在部署 Cluster Operator 后意外删除 ConfigMap,则会使用最新载入的日志配置。创建新 ConfigMap 以 加载新的日志配置。

注意

不要从 ConfigMap 中删除 monitorInterval 选项。

5.1.1.1. 定期协调
复制链接

虽然 Cluster Operator 会响应从 OpenShift 集群收到所需集群资源的所有通知,但如果操作器没有运行,或者因任何原因未收到通知,则所需的资源将与正在运行的 OpenShift 集群的状态保持同步。

为了正确处理故障切换,由 Cluster Operator 执行定期协调过程,以便它可以将所需资源的状态与当前集群部署进行比较,以便在所有这些部署中保持一致状态。您可以使用 [STRIMZI_FULL_RECONCILIATION_INTERVAL_MS] 变量为定期协调设置时间间隔。

5.1.2. 调配基于角色的访问控制(RBAC)
复制链接

要使 Cluster Operator 正常工作,需要在 OpenShift 集群中与资源(如 Kafka、Kafka Connect 等)以及受管资源(如 ConfigMap、Pod、Deployment StatefulSet 和 Services )交互。这种权限在 OpenShift 基于角色的访问控制(RBAC)资源中描述:

  • ServiceAccount
  • 角色ClusterRole
  • role binding 和 ClusterRoleBinding

除了使用 ClusterRoleBinding 在其自身 ServiceAccount 中运行外,Cluster Operator 还为需要访问 OpenShift 资源的组件管理一些 RBAC 资源。

OpenShift 还包含特权升级保护,可防止在一个 ServiceAccount 下操作的组件授予授予授权 ServiceAccount 没有的其他 ServiceAccount s 特权。因为 Cluster Operator 必须能够创建 ClusterRoleBindings,以及它管理的资源所需的 RoleBindings,所以 Cluster Operator 还必须具有相同的权限。

5.1.2.1. 委派的权限
复制链接

当 Cluster Operator 为所需的 Kafka 资源部署资源时,它还会创建 ServiceAccount、 RoleBindingsClusterRoleBindings,如下所示:

  • Kafka 代理 pod 使用一个名为 cluster-name-kafkaServiceAccount

    • 使用机架功能时,strimzi-cluster-name-kafka-init ClusterRoleBinding 用来通过 ClusterRole (名为 strimzi-kafka-broker)对集群中的节点授予这个 ServiceAccount 访问权限
    • 当不使用机架功能时,不会创建绑定
  • ZooKeeper pod 使用名为 cluster-name-zookeeperServiceAccount

  • Entity Operator pod 使用名为 cluster-name-entity-operatorServiceAccount

    • Topic Operator 生成带有状态信息的 OpenShift 事件,因此 ServiceAccount 绑定到名为 strimzi-entity-operatorClusterRole,它通过 strimzi-entity-operator RoleBinding授予此访问权限
  • KafkaConnect 和 KafkaConnect S2I 资源的 pod 使用名为 cluster-name-cluster-connectServiceAccount
  • KafkaMirrorMaker 的 pod 使用名为 cluster-name-mirror-makerServiceAccount
  • KafkaMirrorMaker2 的 pod 使用名为 cluster-name-mirrormaker2ServiceAccount
  • KafkaBridge 的 pod 使用名为 cluster-name-bridgeServiceAccount

5.1.2.2. ServiceAccount
复制链接

Cluster Operator 最好使用 ServiceAccount 运行:

Cluster Operator 的 ServiceAccount 示例

apiVersion: v1
kind: ServiceAccount
metadata:
  name: strimzi-cluster-operator
  labels:
    app: strimzi
Copy to Clipboard Toggle word wrap

然后,Operator 的 Deployment 需要在其 spec.template.spec.serviceAccountName 中指定

Cluster Operator 部署 的部分示例

apiVersion: apps/v1
kind: Deployment
metadata:
  name: strimzi-cluster-operator
  labels:
    app: strimzi
spec:
  replicas: 1
  selector:
    matchLabels:
      name: strimzi-cluster-operator
      strimzi.io/kind: cluster-operator
  template:
      # ...
Copy to Clipboard Toggle word wrap

注意 12 行,其中 strimzi-cluster-operator ServiceAccount 指定为 serviceAccountName

5.1.2.3. ClusterRoles
复制链接

Cluster Operator 需要使用 提供所需资源访问的 ClusterRole 运行。根据 OpenShift 集群设置,可能需要集群管理员来创建 ClusterRole。

注意

集群管理员权限只在创建 ClusterRole 时需要。Cluster Operator 不会在集群管理员帐户下运行。

ClusterRole 遵循最小 权限, 仅包含 Cluster Operator 运行 Kafka、Kafka Connect 和 ZooKeeper 集群所需的权限。第一组分配的权限允许 Cluster Operator 管理 OpenShift 资源,如 StatefulSetsDeploymentPodConfigMap。

Cluster Operator 使用 ClusterRole 在命名空间范围的资源级别和集群范围的资源级别授予权限:

具有 Cluster Operator 资源命名空间资源的 ClusterRole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: strimzi-cluster-operator-namespaced
  labels:
    app: strimzi
rules:
  - apiGroups:
      - ""
    resources:
      # The cluster operator needs to access and manage service accounts to grant Strimzi components cluster permissions
      - serviceaccounts
    verbs:
      - get
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - "rbac.authorization.k8s.io"
    resources:
      # The cluster operator needs to access and manage rolebindings to grant Strimzi components cluster permissions
      - rolebindings
    verbs:
      - get
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      # The cluster operator needs to access and manage config maps for Strimzi components configuration
      - configmaps
      # The cluster operator needs to access and manage services to expose Strimzi components to network traffic
      - services
      # The cluster operator needs to access and manage secrets to handle credentials
      - secrets
      # The cluster operator needs to access and manage persistent volume claims to bind them to Strimzi components for persistent data
      - persistentvolumeclaims
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - "kafka.strimzi.io"
    resources:
      # The cluster operator runs the KafkaAssemblyOperator, which needs to access and manage Kafka resources
      - kafkas
      - kafkas/status
      # The cluster operator runs the KafkaConnectAssemblyOperator, which needs to access and manage KafkaConnect resources
      - kafkaconnects
      - kafkaconnects/status
      # The cluster operator runs the KafkaConnectS2IAssemblyOperator, which needs to access and manage KafkaConnectS2I resources
      - kafkaconnects2is
      - kafkaconnects2is/status
      # The cluster operator runs the KafkaConnectorAssemblyOperator, which needs to access and manage KafkaConnector resources
      - kafkaconnectors
      - kafkaconnectors/status
      # The cluster operator runs the KafkaMirrorMakerAssemblyOperator, which needs to access and manage KafkaMirrorMaker resources
      - kafkamirrormakers
      - kafkamirrormakers/status
      # The cluster operator runs the KafkaBridgeAssemblyOperator, which needs to access and manage BridgeMaker resources
      - kafkabridges
      - kafkabridges/status
      # The cluster operator runs the KafkaMirrorMaker2AssemblyOperator, which needs to access and manage KafkaMirrorMaker2 resources
      - kafkamirrormaker2s
      - kafkamirrormaker2s/status
      # The cluster operator runs the KafkaRebalanceAssemblyOperator, which needs to access and manage KafkaRebalance resources
      - kafkarebalances
      - kafkarebalances/status
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      # The cluster operator needs to access and delete pods, this is to allow it to monitor pod health and coordinate rolling updates
      - pods
    verbs:
      - get
      - list
      - watch
      - delete
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      # The cluster operator needs the extensions api as the operator supports Kubernetes version 1.11+
      # apps/v1 was introduced in Kubernetes 1.14
      - "extensions"
    resources:
      # The cluster operator needs to access and manage deployments to run deployment based Strimzi components
      - deployments
      - deployments/scale
      # The cluster operator needs to access replica sets to manage Strimzi components and to determine error states
      - replicasets
      # The cluster operator needs to access and manage replication controllers to manage replicasets
      - replicationcontrollers
      # The cluster operator needs to access and manage network policies to lock down communication between Strimzi components
      - networkpolicies
      # The cluster operator needs to access and manage ingresses which allow external access to the services in a cluster
      - ingresses
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - "apps"
    resources:
      # The cluster operator needs to access and manage deployments to run deployment based Strimzi components
      - deployments
      - deployments/scale
      - deployments/status
      # The cluster operator needs to access and manage stateful sets to run stateful sets based Strimzi components
      - statefulsets
      # The cluster operator needs to access replica-sets to manage Strimzi components and to determine error states
      - replicasets
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      # The cluster operator needs to be able to create events and delegate permissions to do so
      - events
    verbs:
      - create
  - apiGroups:
      # OpenShift S2I requirements
      - apps.openshift.io
    resources:
      - deploymentconfigs
      - deploymentconfigs/scale
      - deploymentconfigs/status
      - deploymentconfigs/finalizers
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      # OpenShift S2I requirements
      - build.openshift.io
    resources:
      - buildconfigs
      - builds
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - watch
      - update
  - apiGroups:
      # OpenShift S2I requirements
      - image.openshift.io
    resources:
      - imagestreams
      - imagestreams/status
    verbs:
      - create
      - delete
      - get
      - list
      - watch
      - patch
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      # The cluster operator needs to access and manage network policies to lock down communication between Strimzi components
      - networkpolicies
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - route.openshift.io
    resources:
      # The cluster operator needs to access and manage routes to expose Strimzi components for external access
      - routes
      - routes/custom-host
    verbs:
      - get
      - list
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - policy
    resources:
      # The cluster operator needs to access and manage pod disruption budgets this limits the number of concurrent disruptions
      # that a Strimzi component experiences, allowing for higher availability
      - poddisruptionbudgets
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
Copy to Clipboard Toggle word wrap

第二个包括集群范围资源所需的权限。

为 Cluster Operator 带有集群范围资源的 ClusterRole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: strimzi-cluster-operator-global
  labels:
    app: strimzi
rules:
  - apiGroups:
      - "rbac.authorization.k8s.io"
    resources:
      # The cluster operator needs to create and manage cluster role bindings in the case of an install where a user
      # has specified they want their cluster role bindings generated
      - clusterrolebindings
    verbs:
      - get
      - create
      - delete
      - patch
      - update
      - watch
  - apiGroups:
      - storage.k8s.io
    resources:
      # The cluster operator requires "get" permissions to view storage class details
      # This is because only a persistent volume of a supported storage class type can be resized
      - storageclasses
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      # The cluster operator requires "list" permissions to view all nodes in a cluster
      # The listing is used to determine the node addresses when NodePort access is configured
      # These addresses are then exposed in the custom resource states
      - nodes
    verbs:
      - list
Copy to Clipboard Toggle word wrap

The strimzi-kafka-broker ClusterRole 代表 Kafka pod 中 init 容器所需的访问权限,用于机架功能。如 委派的特权 部分所述,Cluster Operator 还需要此角色才能委派此访问权限。

Cluster Operator 的 ClusterRole,允许它将 OpenShift 节点的访问权限委派给 Kafka 代理 pod

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: strimzi-kafka-broker
  labels:
    app: strimzi
rules:
  - apiGroups:
      - ""
    resources:
      # The Kafka Brokers require "get" permissions to view the node they are on
      # This information is used to generate a Rack ID that is used for High Availability configurations
      - nodes
    verbs:
      - get
Copy to Clipboard Toggle word wrap

The strimzi-topic-operator ClusterRole 代表 Topic Operator 所需的访问权限。如 委派的特权 部分所述,Cluster Operator 还需要此角色才能委派此访问权限。

Cluster Operator 的 ClusterRole,允许它将对事件的访问委托给主题 Operator

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: strimzi-entity-operator
  labels:
    app: strimzi
rules:
  - apiGroups:
      - "kafka.strimzi.io"
    resources:
      # The entity operator runs the KafkaTopic assembly operator, which needs to access and manage KafkaTopic resources
      - kafkatopics
      - kafkatopics/status
      # The entity operator runs the KafkaUser assembly operator, which needs to access and manage KafkaUser resources
      - kafkausers
      - kafkausers/status
    verbs:
      - get
      - list
      - watch
      - create
      - patch
      - update
      - delete
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      # The entity operator needs to be able to create events
      - create
  - apiGroups:
      - ""
    resources:
      # The entity operator user-operator needs to access and manage secrets to store generated credentials
      - secrets
    verbs:
      - get
      - list
      - create
      - patch
      - update
      - delete
Copy to Clipboard Toggle word wrap

The strimzi-kafka-client ClusterRole 代表组件所需的访问,这些客户端使用客户端机架感知能力。如 委派的特权 部分所述,Cluster Operator 还需要此角色才能委派此访问权限。

Cluster Operator 的 ClusterRole,允许它将对 OpenShift 节点的访问委托给基于 Kafka 客户端的 pod

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: strimzi-kafka-client
  labels:
    app: strimzi
rules:
  - apiGroups:
      - ""
    resources:
      # The Kafka clients (Connect, Mirror Maker, etc.) require "get" permissions to view the node they are on
      # This information is used to generate a Rack ID (client.rack option) that is used for consuming from the closest
      # replicas when enabled
      - nodes
    verbs:
      - get
Copy to Clipboard Toggle word wrap

5.1.2.4. ClusterRoleBindings
复制链接

Operator 需要 ClusterRoleBindingsRoleBindings,它们将其 ClusterRole 与其 ServiceAccount 相关联:包含集群范围资源的 ClusterRole 需要 ClusterRoleBinding

Cluster Operator 的 ClusterRoleBinding 示例

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: strimzi-cluster-operator
  labels:
    app: strimzi
subjects:
  - kind: ServiceAccount
    name: strimzi-cluster-operator
    namespace: myproject
roleRef:
  kind: ClusterRole
  name: strimzi-cluster-operator-global
  apiGroup: rbac.authorization.k8s.io
Copy to Clipboard Toggle word wrap

委派 所需的 ClusterRole 还需要 ClusterRoleBinding

Kafka 代理 rack-awarness 的 Cluster Operator 的 Cluster RoleBinding 示例

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: strimzi-cluster-operator-kafka-broker-delegation
  labels:
    app: strimzi
# The Kafka broker cluster role must be bound to the cluster operator service account so that it can delegate the cluster role to the Kafka brokers.
# This must be done to avoid escalating privileges which would be blocked by Kubernetes.
subjects:
  - kind: ServiceAccount
    name: strimzi-cluster-operator
    namespace: myproject
roleRef:
  kind: ClusterRole
  name: strimzi-kafka-broker
  apiGroup: rbac.authorization.k8s.io
Copy to Clipboard Toggle word wrap

Kafka 客户端 rack-awarness 的 Cluster Operator 的 Cluster RoleBinding 示例

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: strimzi-cluster-operator-kafka-client-delegation
  labels:
    app: strimzi
# The Kafka clients cluster role must be bound to the cluster operator service account so that it can delegate the
# cluster role to the Kafka clients using it for consuming from closest replica.
# This must be done to avoid escalating privileges which would be blocked by Kubernetes.
subjects:
  - kind: ServiceAccount
    name: strimzi-cluster-operator
    namespace: myproject
roleRef:
  kind: ClusterRole
  name: strimzi-kafka-client
  apiGroup: rbac.authorization.k8s.io
Copy to Clipboard Toggle word wrap

包含有命名空间资源的 ClusterRole 只会使用 RoleBindings 绑定。 

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: strimzi-cluster-operator
  labels:
    app: strimzi
subjects:
  - kind: ServiceAccount
    name: strimzi-cluster-operator
    namespace: myproject
roleRef:
  kind: ClusterRole
  name: strimzi-cluster-operator-namespaced
  apiGroup: rbac.authorization.k8s.io
Copy to Clipboard Toggle word wrap 
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: strimzi-cluster-operator-entity-operator-delegation
  labels:
    app: strimzi
# The Entity Operator cluster role must be bound to the cluster operator service account so that it can delegate the cluster role to the Entity Operator.
# This must be done to avoid escalating privileges which would be blocked by Kubernetes.
subjects:
  - kind: ServiceAccount
    name: strimzi-cluster-operator
    namespace: myproject
roleRef:
  kind: ClusterRole
  name: strimzi-entity-operator
  apiGroup: rbac.authorization.k8s.io
Copy to Clipboard Toggle word wrap
返回顶部
Red Hat logoGithubredditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。 了解我们当前的更新.

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

Theme

© 2025 Red Hat