12.7. 应用 EventPolicy

流程

1. 创建两个命名空间，在 namespace-1 中部署一个 Broker，并在每个命名空间中配置一个 PingSource，如下例所示：

   apiVersion: v1
   kind: Namespace
   metadata:
     name: namespace-1
   ---
   apiVersion: v1
   kind: Namespace
   metadata:
     name: namespace-2
   ---
   apiVersion: eventing.knative.dev/v1
   kind: Broker
   metadata:
     name: broker
     namespace: namespace-1
   ---
   # PingSource in namespace-1
   apiVersion: sources.knative.dev/v1
   kind: PingSource
   metadata:
     name: pingsource-1
     namespace: namespace-1
   spec:
     data: '{"message": "Hi from pingsource-1 from namespace-1"}'
     schedule: '*/1 * * * *'
     sink:
       ref:
         apiVersion: eventing.knative.dev/v1
         kind: Broker
         name: broker
         namespace: namespace-1
   ---
   # PingSource in namespace-2
   apiVersion: sources.knative.dev/v1
   kind: PingSource
   metadata:
     name: pingsource-2
     namespace: namespace-2
   spec:
     data: '{"message": "Hi from pingsource-2 from namespace-2"}'
     schedule: '*/1 * * * *'
     sink:
       ref:
         apiVersion: eventing.knative.dev/v1
         kind: Broker
         name: broker
         namespace: namespace-1

   Copy to Clipboard Toggle word wrap

2. 创建一个 event-display 服务来显示传入的事件，并添加 Trigger 将它连接到 Broker，如下例所示：

   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: event-display
     namespace: namespace-1
   spec:
     replicas: 1
     selector:
       matchLabels:
         app: event-display
     template:
       metadata:
         labels:
           app: event-display
       spec:
         containers:
           - name: event-display
             image: gcr.io/knative-releases/knative.dev/eventing/cmd/event_display
             ports:
             - containerPort: 8080
   ---
   apiVersion: v1
   kind: Service
   metadata:
     name: event-display
     namespace: namespace-1
   spec:
     selector:
       app: event-display
     ports:
       - name: http
         port: 80
         targetPort: 8080
   ---
   apiVersion: eventing.knative.dev/v1
   kind: Trigger
   metadata:
     name: trigger
     namespace: namespace-1
   spec:
     broker: broker
     subscriber:
       ref:
         apiVersion: v1
         kind: Service
         name: event-display

   Copy to Clipboard Toggle word wrap

   在这个阶段，因为 OIDC 被禁用且没有应用 EventPolicy，所以 event-display 服务会显示来自两个 PingSources 的事件。

3. 在 Knative Eventing 中启用 OIDC，并执行以下示例命令来创建 EventPolicy：

   $ oc -n knative-eventing patch KnativeEventing knative-eventing \
     --type merge \
     -p '{"spec":{"config":{"features":{"authentication-oidc":"enabled"}}}}'

   Copy to Clipboard Toggle word wrap

4. 启用 OIDC 后，创建一个 EventPolicy，它只授权 namespace-2 中的 PingSource，如下例所示：

   apiVersion: eventing.knative.dev/v1alpha1
   kind: EventPolicy
   metadata:
     name: event-policy
     namespace: namespace-1
   spec:
     to:
       - ref:
           apiVersion: eventing.knative.dev/v1
           kind: Broker
           name: broker
     from:
       - ref:
           apiVersion: sources.knative.dev/v1
           kind: PingSource
           name: pingsource-2
           namespace: namespace-2

   Copy to Clipboard Toggle word wrap

验证

1. 运行以下命令，验证 EventPolicy 以检查 Broker 状态：

   $ oc -n namespace-1 get broker broker -o yaml

   Copy to Clipboard Toggle word wrap

2. 运行以下命令，查看 event-display 服务的日志，以仅确认 pingsource-2 事件到达 pingsource-2 事件：

   $ oc -n namespace-1 logs -f -l app=event-display

   Copy to Clipboard Toggle word wrap

3. 运行以下命令来删除 EventPolicy：

   $ oc -n namespace-1 delete eventpolicy event-policy

   Copy to Clipboard Toggle word wrap

4. 运行以下命令，检查 Broker 状态以确认它已返回到默认的 allow-same-namespace 模式：

   $ oc -n namespace-1 get broker broker -o yaml

   Copy to Clipboard Toggle word wrap

5. 运行以下命令，查看 event-display 服务日志，以确认只有来自同一命名空间中的 pingsource-1 事件出现：

   $ oc -n namespace-1 logs -f -l app=event-display

   Copy to Clipboard Toggle word wrap