6.2. Using the Cluster Operator


The Cluster Operator is used to deploy Kafka clusters and other Kafka components.

For information on deploying the Cluster Operator, see Deploying the Cluster Operator.

6.2.1. Cluster Operator configuration

You can configure the Cluster Operator using supported environment variables and through its logging configuration.

The environment variables relate to the container configuration for the deployment of the Cluster Operator image. For more information on image configuration, see Section 12.1.6, “image”.

STRIMZI_NAMESPACE

A comma-separated list of namespaces that the operator should operate in. When not set, set to an empty string, or set to *, the Cluster Operator operates in all namespaces. The Cluster Operator deployment might use the OpenShift Downward API to set this automatically to the namespace the Cluster Operator is deployed in.

Example configuration for Cluster Operator namespaces

env:
  - name: STRIMZI_NAMESPACE
    valueFrom:
      fieldRef:
        fieldPath: metadata.namespace

STRIMZI_FULL_RECONCILIATION_INTERVAL_MS
Optional, default 120000 ms. The interval between periodic reconciliations, in milliseconds.
STRIMZI_OPERATION_TIMEOUT_MS
Optional, default 300000 ms. The timeout for internal operations, in milliseconds. Increase this value when using AMQ Streams on clusters where regular OpenShift operations take longer than usual (because of slow downloading of Docker images, for example).
STRIMZI_ZOOKEEPER_ADMIN_SESSION_TIMEOUT_MS
Optional, default 10000 ms.

The session timeout for the Cluster Operator's ZooKeeper admin client, in milliseconds. Increase the value if ZooKeeper requests from the Cluster Operator regularly fail because of timeout issues. The ZooKeeper server side sets a maximum allowed session time through its maxSessionTimeout configuration. By default, this maximum is 20 times the default tickTime (2000), so 40000 ms. If you require a higher timeout, you must change the maxSessionTimeout ZooKeeper server configuration value.

STRIMZI_OPERATIONS_THREAD_POOL_SIZE
Optional, default 10. The worker thread pool size, which is used for the various asynchronous and blocking operations run by the Cluster Operator.
STRIMZI_OPERATOR_NAMESPACE

The name of the namespace where the AMQ Streams Cluster Operator is running. Do not configure this variable manually. Use the OpenShift Downward API.

env:
  - name: STRIMZI_OPERATOR_NAMESPACE
    valueFrom:
      fieldRef:
        fieldPath: metadata.namespace
STRIMZI_OPERATOR_NAMESPACE_LABELS

Optional. The labels of the namespace where the AMQ Streams Cluster Operator is running. Namespace labels are used to configure the namespace selector in network policies so that the AMQ Streams Cluster Operator is allowed to access operands only from namespaces that carry these labels. When not set, the namespace selector in the network policies is configured to allow access to the AMQ Streams Cluster Operator from any namespace in the OpenShift cluster.

env:
  - name: STRIMZI_OPERATOR_NAMESPACE_LABELS
    value: label1=value1,label2=value2
STRIMZI_LABELS_EXCLUSION_PATTERN

Optional, default regex pattern is ^app.kubernetes.io/(?!part-of).*. The regex exclusion pattern used to filter which labels are propagated from the main custom resource to its subresources. The labels exclusion filter is not applied to labels in template sections such as spec.kafka.template.pod.metadata.labels.

env:
  - name: STRIMZI_LABELS_EXCLUSION_PATTERN
    value: "^key1.*"
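As an added illustration (not code from AMQ Streams or Strimzi), the following Python models how the exclusion pattern decides which labels of a main custom resource propagate to its child resources, and why template labels bypass the filter. The label sets are constructed samples; the default pattern is the Strimzi default given above.

```python
import re

# Strimzi default for STRIMZI_LABELS_EXCLUSION_PATTERN: drop every
# app.kubernetes.io/* label except app.kubernetes.io/part-of.
DEFAULT_EXCLUSION_PATTERN = r"^app.kubernetes.io/(?!part-of).*"

# Constructed sample: labels on a Kafka custom resource and on its
# spec.kafka.template.pod.metadata.labels section.
SAMPLE_CR_LABELS = {
    "app.kubernetes.io/managed-by": "argocd",
    "app.kubernetes.io/instance": "payments-kafka",
    "app.kubernetes.io/part-of": "payments",
    "team": "data-platform",
    "key1-owner": "alice",
}
SAMPLE_TEMPLATE_LABELS = {"app.kubernetes.io/component": "broker"}


def compile_exclusion(pattern):
    """Compile the operator's exclusion regex, failing early on a bad value
    (an invalid pattern in the env var would break label propagation)."""
    try:
        return re.compile(pattern)
    except re.error as exc:
        raise ValueError(
            f"invalid STRIMZI_LABELS_EXCLUSION_PATTERN {pattern!r}: {exc}")


def propagated_labels(cr_labels, pattern=DEFAULT_EXCLUSION_PATTERN):
    """Labels copied from the main custom resource to its child resources:
    a label is dropped when its key matches the exclusion pattern."""
    exclude = compile_exclusion(pattern)
    return {k: v for k, v in cr_labels.items() if not exclude.match(k)}


def child_pod_labels(cr_labels, template_labels,
                     pattern=DEFAULT_EXCLUSION_PATTERN):
    """Labels that end up on a pod: filtered CR labels plus the template
    labels, which the exclusion filter never touches."""
    labels = propagated_labels(cr_labels, pattern)
    labels.update(template_labels)
    return labels


if __name__ == "__main__":
    # Default pattern keeps part-of, team and key1-owner; "^key1.*" instead
    # keeps all app.kubernetes.io/* labels and drops key1-owner.
    print(propagated_labels(SAMPLE_CR_LABELS))
    print(propagated_labels(SAMPLE_CR_LABELS, r"^key1.*"))
    print(child_pod_labels(SAMPLE_CR_LABELS, SAMPLE_TEMPLATE_LABELS))
```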
STRIMZI_CUSTOM_{COMPONENT_NAME}_LABELS

Optional. One or more custom labels to apply to all the pods created by the {COMPONENT_NAME} custom resource. The Cluster Operator labels the pods when the custom resource is created or at the next reconciliation.

Environment variables exist for the following components:

  • KAFKA
  • KAFKA_CONNECT
  • KAFKA_CONNECT_BUILD
  • ZOOKEEPER
  • ENTITY_OPERATOR
  • KAFKA_MIRROR_MAKER2
  • KAFKA_MIRROR_MAKER
  • CRUISE_CONTROL
  • KAFKA_BRIDGE
  • KAFKA_EXPORTER
STRIMZI_CUSTOM_RESOURCE_SELECTOR

Optional. The label selector used to filter the custom resources handled by the Cluster Operator. The operator acts only on custom resources that have the specified labels set; resources without these labels are not seen by the operator. The label selector applies to Kafka, KafkaConnect, KafkaBridge, KafkaMirrorMaker, and KafkaMirrorMaker2 resources. KafkaRebalance and KafkaConnector resources are operated on only when their corresponding Kafka and Kafka Connect clusters have the matching labels.

env:
  - name: STRIMZI_CUSTOM_RESOURCE_SELECTOR
    value: label1=value1,label2=value2
STRIMZI_KAFKA_IMAGES
Required. This provides a mapping from the Kafka version to the corresponding Docker image containing a Kafka broker of that version. The required syntax is whitespace or comma separated <version>=<image> pairs. For example 3.1.0=registry.redhat.io/amq7/amq-streams-kafka-31-rhel8:2.2.2, 3.2.3=registry.redhat.io/amq7/amq-streams-kafka-32-rhel8:2.2.2. This is used when a Kafka.spec.kafka.version property is specified but not the Kafka.spec.kafka.image in the Kafka resource.
STRIMZI_DEFAULT_KAFKA_INIT_IMAGE
Optional, default registry.redhat.io/amq7/amq-streams-rhel8-operator:2.2.2. The image name to use as the default for the init container started before the broker for initial configuration work (that is, rack support), if no image is specified as the kafka-init-image in the Kafka resource.
STRIMZI_KAFKA_CONNECT_IMAGES
Required. This provides a mapping from the Kafka version to the corresponding Docker image of Kafka Connect for that version. The required syntax is whitespace or comma separated <version>=<image> pairs. For example 3.1.0=registry.redhat.io/amq7/amq-streams-kafka-31-rhel8:2.2.2, 3.2.3=registry.redhat.io/amq7/amq-streams-kafka-32-rhel8:2.2.2. This is used when a KafkaConnect.spec.version property is specified but not the KafkaConnect.spec.image.
STRIMZI_KAFKA_MIRROR_MAKER_IMAGES
Required. This provides a mapping from the Kafka version to the corresponding Docker image of Kafka MirrorMaker for that version. The required syntax is whitespace or comma separated <version>=<image> pairs. For example 3.1.0=registry.redhat.io/amq7/amq-streams-kafka-31-rhel8:2.2.2, 3.2.3=registry.redhat.io/amq7/amq-streams-kafka-32-rhel8:2.2.2. This is used when a KafkaMirrorMaker.spec.version property is specified but not the KafkaMirrorMaker.spec.image.
STRIMZI_DEFAULT_TOPIC_OPERATOR_IMAGE
Optional, default registry.redhat.io/amq7/amq-streams-rhel8-operator:2.2.2. The image name to use as the default when deploying the Topic Operator, if no image is specified as the Kafka.spec.entityOperator.topicOperator.image in the Kafka resource.
STRIMZI_DEFAULT_USER_OPERATOR_IMAGE
Optional, default registry.redhat.io/amq7/amq-streams-rhel8-operator:2.2.2. The image name to use as the default when deploying the User Operator, if no image is specified as the Kafka.spec.entityOperator.userOperator.image.
STRIMZI_DEFAULT_TLS_SIDECAR_ENTITY_OPERATOR_IMAGE
Optional, default registry.redhat.io/amq7/amq-streams-kafka-32-rhel8:2.2.2. The image name to use as the default when deploying the sidecar container that provides TLS support for the Entity Operator, if no image is specified as the Kafka.spec.entityOperator.tlsSidecar.image in the Kafka resource.
STRIMZI_IMAGE_PULL_POLICY
Optional. The ImagePullPolicy applied to containers in all pods managed by the AMQ Streams Cluster Operator. The valid values are Always, IfNotPresent, and Never. If not specified, the OpenShift defaults are used. Changing the policy causes a rolling update of all your Kafka, Kafka Connect, and Kafka MirrorMaker clusters.
STRIMZI_IMAGE_PULL_SECRETS
Optional. A comma-separated list of Secret names. The secrets referenced here contain the credentials for the container registries from which the container images are pulled. The secrets are used in the imagePullSecrets field of all pods created by the Cluster Operator. Changing this list causes a rolling update of all your Kafka, Kafka Connect, and Kafka MirrorMaker clusters.
STRIMZI_KUBERNETES_VERSION

Optional. Overrides the OpenShift version information detected from the API server.

Example configuration for OpenShift version override

env:
  - name: STRIMZI_KUBERNETES_VERSION
    value: |
           major=1
           minor=16
           gitVersion=v1.16.2
           gitCommit=c97fe5036ef3df2967d086711e6c0c405941e14b
           gitTreeState=clean
           buildDate=2019-10-15T19:09:08Z
           goVersion=go1.12.10
           compiler=gc
           platform=linux/amd64

KUBERNETES_SERVICE_DNS_DOMAIN

Optional. Overrides the default OpenShift DNS domain name suffix.

By default, services assigned in the OpenShift cluster have a DNS domain name that uses the default suffix cluster.local.

For example, for broker kafka-0:

<cluster-name>-kafka-0.<cluster-name>-kafka-brokers.<namespace>.svc.cluster.local

The DNS domain name is added to the Kafka broker certificates used for hostname verification.

If you are using a different DNS domain name suffix in your cluster, change the KUBERNETES_SERVICE_DNS_DOMAIN environment variable from the default to the suffix you use, so that connections to the Kafka brokers can be established.

STRIMZI_CONNECT_BUILD_TIMEOUT_MS
Optional, default 300000 ms. The timeout for building new Kafka Connect images, in milliseconds. Increase this value when using AMQ Streams to build container images containing many connectors, or when using a slow container registry.
STRIMZI_NETWORK_POLICY_GENERATION
Optional, default true. Controls whether AMQ Streams generates network policy resources. Network policies allow connections between Kafka components.

Set this environment variable to false to disable network policy generation. You might do this, for example, if you want to use custom network policies. Custom network policies allow more control over the connections between components.

STRIMZI_DNS_CACHE_TTL
Optional, default 30. The number of seconds to cache successful name lookups in the local DNS resolver. Any negative value means cache forever. Zero means do not cache, which can be useful for avoiding connection errors caused by long caching policies being applied.
STRIMZI_POD_SET_RECONCILIATION_ONLY
Optional, default false. When set to true, the Cluster Operator reconciles only the StrimziPodSet resources, and any changes to the other custom resources (Kafka, KafkaConnect, and so on) are ignored. This mode is useful for ensuring that your pods are recreated if needed, while no other changes are made to the clusters.
STRIMZI_FEATURE_GATES
Optional. Enables or disables the features and functionality controlled by feature gates.

6.2.1.1. Logging configuration by ConfigMap

Cluster Operator logging is configured through the strimzi-cluster-operator ConfigMap.

A ConfigMap containing the logging configuration is created when the Cluster Operator is installed. This ConfigMap is described in the file install/cluster-operator/050-ConfigMap-strimzi-cluster-operator.yaml. You configure Cluster Operator logging by changing the data field log4j2.properties in this ConfigMap.

To update the logging configuration, you can edit the 050-ConfigMap-strimzi-cluster-operator.yaml file and then run the following command:

oc create -f install/cluster-operator/050-ConfigMap-strimzi-cluster-operator.yaml

Alternatively, edit the ConfigMap directly:

oc edit configmap strimzi-cluster-operator

To change the frequency of the reload interval, set a time in seconds in the monitorInterval option in the created ConfigMap.

If the ConfigMap is missing when the Cluster Operator is deployed, the default logging values are used.

If the ConfigMap is accidentally deleted after the Cluster Operator is deployed, the most recently loaded logging configuration is used. Create a new ConfigMap to load a new logging configuration.

Note

Do not remove the monitorInterval option from the ConfigMap.

6.2.1.2. Restricting Cluster Operator access with network policy

The Cluster Operator can run in the same namespace as the resources it manages, or in a separate namespace. By default, the STRIMZI_OPERATOR_NAMESPACE environment variable is configured to use the OpenShift Downward API to find which namespace the Cluster Operator is running in. If the Cluster Operator is running in the same namespace as the resources, only local access is required, and it is allowed by AMQ Streams.

If the Cluster Operator is running in a separate namespace from the resources it manages, any namespace in the OpenShift cluster is allowed to access the Cluster Operator unless a network policy is configured. Use the optional STRIMZI_OPERATOR_NAMESPACE_LABELS environment variable to establish a network policy for the Cluster Operator using namespace labels. By adding namespace labels, access to the Cluster Operator is restricted to the namespaces specified.

Network policy configured for the Cluster Operator deployment

#...
env:
  # ...
  - name: STRIMZI_OPERATOR_NAMESPACE_LABELS
    value: label1=value1,label2=value2
  #...

6.2.1.3. Periodic reconciliation

Although the Cluster Operator reacts to all notifications about the desired cluster resources received from the OpenShift cluster, if the operator is not running, or if a notification is not received for any reason, the desired resources get out of sync with the state of the running OpenShift cluster.

In order to handle failovers properly, the Cluster Operator executes a periodic reconciliation process so that it can compare the state of the desired resources with the current cluster deployments in order to have a consistent state across all of them. You can set the time interval for the periodic reconciliations using the STRIMZI_FULL_RECONCILIATION_INTERVAL_MS variable.

6.2.1.4. Role-based access control (RBAC)

For the Cluster Operator to function, it needs permission within the OpenShift cluster to interact with resources such as Kafka, KafkaConnect, and so on, as well as with the managed resources, such as ConfigMaps, Pods, Deployments, StatefulSets and Services. Such permission is described in terms of OpenShift role-based access control (RBAC) resources:

  • ServiceAccount
  • Role and ClusterRole
  • RoleBinding and ClusterRoleBinding

In addition to running under its own ServiceAccount with a ClusterRoleBinding, the Cluster Operator manages some RBAC resources for the components that need access to OpenShift resources.

OpenShift also includes privilege escalation protections that prevent components operating under one ServiceAccount from granting other ServiceAccounts privileges that the granting ServiceAccount does not have. Because the Cluster Operator must be able to create the ClusterRoleBindings and RoleBindings needed by the resources it manages, the Cluster Operator must also have those same privileges.

6.2.1.5. Delegated privileges

When the Cluster Operator deploys resources for a desired Kafka resource, it also creates ServiceAccounts, RoleBindings, and ClusterRoleBindings, as follows:

  • The Kafka broker pods use a ServiceAccount called cluster-name-kafka

    • When the rack feature is used, the strimzi-cluster-name-kafka-init ClusterRoleBinding is used to grant this ServiceAccount access to the cluster nodes via a ClusterRole called strimzi-kafka-broker
    • When the rack feature is not used and the cluster is not exposed via nodeport, no binding is created
  • The ZooKeeper pods use a ServiceAccount called cluster-name-zookeeper
  • The Entity Operator pod uses a ServiceAccount called cluster-name-entity-operator

    • The Topic Operator produces OpenShift events with status information, so the ServiceAccount is bound to a ClusterRole called strimzi-entity-operator, which grants this access via the strimzi-entity-operator RoleBinding
  • The pods for KafkaConnect resources use a ServiceAccount called cluster-name-cluster-connect
  • The pods for KafkaMirrorMaker use a ServiceAccount called cluster-name-mirror-maker
  • The pods for KafkaMirrorMaker2 use a ServiceAccount called cluster-name-mirrormaker2
  • The pods for KafkaBridge use a ServiceAccount called cluster-name-bridge

6.2.1.6. ServiceAccount

The Cluster Operator is best run using a ServiceAccount:

Example ServiceAccount for the Cluster Operator

apiVersion: v1
kind: ServiceAccount
metadata:
  name: strimzi-cluster-operator
  labels:
    app: strimzi

The Deployment of the operator then needs to specify this in its spec.template.spec.serviceAccountName:

Partial example of a Deployment for the Cluster Operator

apiVersion: apps/v1
kind: Deployment
metadata:
  name: strimzi-cluster-operator
  labels:
    app: strimzi
spec:
  replicas: 1
  selector:
    matchLabels:
      name: strimzi-cluster-operator
      strimzi.io/kind: cluster-operator
  template:
      # ...

Note line 12 of the full Deployment (elided above with # ...), where the strimzi-cluster-operator ServiceAccount is specified as the serviceAccountName.

6.2.1.7. ClusterRoles

The Cluster Operator needs to operate using ClusterRoles that give access to the necessary resources. Depending on the OpenShift cluster setup, a cluster administrator might be needed to create the ClusterRoles.

Note

Cluster administrator rights are needed only for the creation of the ClusterRoles. The Cluster Operator does not run under the cluster admin account.

The ClusterRoles follow the principle of least privilege and contain only those privileges needed by the Cluster Operator to operate Kafka, Kafka Connect, and ZooKeeper clusters. The first set of assigned privileges allows the Cluster Operator to manage OpenShift resources such as StatefulSets, Deployments, Pods, and ConfigMaps.

The Cluster Operator uses ClusterRoles to grant permission at the namespace-scoped resource level and at the cluster-scoped resource level:

ClusterRole with namespaced resources for the Cluster Operator

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: strimzi-cluster-operator-namespaced
  labels:
    app: strimzi
rules:
  - apiGroups:
      - "rbac.authorization.k8s.io"
    resources:
      # The cluster operator needs to access and manage rolebindings to grant Strimzi components cluster permissions
      - rolebindings
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - "rbac.authorization.k8s.io"
    resources:
      # The cluster operator needs to access and manage roles to grant the entity operator permissions
      - roles
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      # The cluster operator needs to access and delete pods, this is to allow it to monitor pod health and coordinate rolling updates
      - pods
      # The cluster operator needs to access and manage service accounts to grant Strimzi components cluster permissions
      - serviceaccounts
      # The cluster operator needs to access and manage config maps for Strimzi components configuration
      - configmaps
      # The cluster operator needs to access and manage services and endpoints to expose Strimzi components to network traffic
      - services
      - endpoints
      # The cluster operator needs to access and manage secrets to handle credentials
      - secrets
      # The cluster operator needs to access and manage persistent volume claims to bind them to Strimzi components for persistent data
      - persistentvolumeclaims
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - "kafka.strimzi.io"
    resources:
      # The cluster operator runs the KafkaAssemblyOperator, which needs to access and manage Kafka resources
      - kafkas
      - kafkas/status
      # The cluster operator runs the KafkaConnectAssemblyOperator, which needs to access and manage KafkaConnect resources
      - kafkaconnects
      - kafkaconnects/status
      # The cluster operator runs the KafkaConnectorAssemblyOperator, which needs to access and manage KafkaConnector resources
      - kafkaconnectors
      - kafkaconnectors/status
      # The cluster operator runs the KafkaMirrorMakerAssemblyOperator, which needs to access and manage KafkaMirrorMaker resources
      - kafkamirrormakers
      - kafkamirrormakers/status
      # The cluster operator runs the KafkaBridgeAssemblyOperator, which needs to access and manage BridgeMaker resources
      - kafkabridges
      - kafkabridges/status
      # The cluster operator runs the KafkaMirrorMaker2AssemblyOperator, which needs to access and manage KafkaMirrorMaker2 resources
      - kafkamirrormaker2s
      - kafkamirrormaker2s/status
      # The cluster operator runs the KafkaRebalanceAssemblyOperator, which needs to access and manage KafkaRebalance resources
      - kafkarebalances
      - kafkarebalances/status
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - "core.strimzi.io"
    resources:
      # The cluster operator uses StrimziPodSets to manage the Kafka and ZooKeeper pods
      - strimzipodsets
      - strimzipodsets/status
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      # The cluster operator needs the extensions api as the operator supports Kubernetes version 1.11+
      # apps/v1 was introduced in Kubernetes 1.14
      - "extensions"
    resources:
      # The cluster operator needs to access and manage deployments to run deployment based Strimzi components
      - deployments
      - deployments/scale
      # The cluster operator needs to access replica sets to manage Strimzi components and to determine error states
      - replicasets
      # The cluster operator needs to access and manage replication controllers to manage replicasets
      - replicationcontrollers
      # The cluster operator needs to access and manage network policies to lock down communication between Strimzi components
      - networkpolicies
      # The cluster operator needs to access and manage ingresses which allow external access to the services in a cluster
      - ingresses
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - "apps"
    resources:
      # The cluster operator needs to access and manage deployments to run deployment based Strimzi components
      - deployments
      - deployments/scale
      - deployments/status
      # The cluster operator needs to access and manage stateful sets to run stateful sets based Strimzi components
      - statefulsets
      # The cluster operator needs to access replica-sets to manage Strimzi components and to determine error states
      - replicasets
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      # The cluster operator needs to be able to create events and delegate permissions to do so
      - events
    verbs:
      - create
  - apiGroups:
      # Kafka Connect Build on OpenShift requirement
      - build.openshift.io
    resources:
      - buildconfigs
      - buildconfigs/instantiate
      - builds
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      # The cluster operator needs to access and manage network policies to lock down communication between Strimzi components
      - networkpolicies
      # The cluster operator needs to access and manage ingresses which allow external access to the services in a cluster
      - ingresses
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - route.openshift.io
    resources:
      # The cluster operator needs to access and manage routes to expose Strimzi components for external access
      - routes
      - routes/custom-host
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - policy
    resources:
      # The cluster operator needs to access and manage pod disruption budgets this limits the number of concurrent disruptions
      # that a Strimzi component experiences, allowing for higher availability
      - poddisruptionbudgets
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update

The second ClusterRole includes the permissions needed for cluster-scoped resources.

ClusterRole with cluster-scoped resources for the Cluster Operator

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: strimzi-cluster-operator-global
  labels:
    app: strimzi
rules:
  - apiGroups:
      - "rbac.authorization.k8s.io"
    resources:
      # The cluster operator needs to create and manage cluster role bindings in the case of an install where a user
      # has specified they want their cluster role bindings generated
      - clusterrolebindings
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - storage.k8s.io
    resources:
      # The cluster operator requires "get" permissions to view storage class details
      # This is because only a persistent volume of a supported storage class type can be resized
      - storageclasses
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      # The cluster operator requires "list" permissions to view all nodes in a cluster
      # The listing is used to determine the node addresses when NodePort access is configured
      # These addresses are then exposed in the custom resource states
      - nodes
    verbs:
      - list

The strimzi-kafka-broker ClusterRole represents the access needed by the init container in Kafka pods that is used for the rack feature. As described in the Delegated privileges section, this role is also required by the Cluster Operator in order to be able to delegate this access.

ClusterRole for the Cluster Operator allowing it to delegate node access to the Kafka broker pods

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: strimzi-kafka-broker
  labels:
    app: strimzi
rules:
  - apiGroups:
      - ""
    resources:
      # The Kafka Brokers require "get" permissions to view the node they are on
      # This information is used to generate a Rack ID that is used for High Availability configurations
      - nodes
    verbs:
      - get

The strimzi-topic-operator ClusterRole represents the access needed by the Topic Operator. As described in the Delegated privileges section, this role is also required by the Cluster Operator in order to be able to delegate this access.

ClusterRole for the Cluster Operator allowing it to delegate access to the Topic Operator

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: strimzi-entity-operator
  labels:
    app: strimzi
rules:
  - apiGroups:
      - "kafka.strimzi.io"
    resources:
      # The entity operator runs the KafkaTopic assembly operator, which needs to access and manage KafkaTopic resources
      - kafkatopics
      - kafkatopics/status
      # The entity operator runs the KafkaUser assembly operator, which needs to access and manage KafkaUser resources
      - kafkausers
      - kafkausers/status
    verbs:
      - get
      - list
      - watch
      - create
      - patch
      - update
      - delete
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      # The entity operator needs to be able to create events
      - create
  - apiGroups:
      - ""
    resources:
      # The entity operator user-operator needs to access and manage secrets to store generated credentials
      - secrets
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update

The strimzi-kafka-client ClusterRole represents the access needed by components that are based on Kafka clients and use client rack-awareness. As described in the Delegated privileges section, this role is also required by the Cluster Operator in order to be able to delegate this access.

ClusterRole for the Cluster Operator allowing it to delegate node access to the Kafka client based pods

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: strimzi-kafka-client
  labels:
    app: strimzi
rules:
  - apiGroups:
      - ""
    resources:
      # The Kafka clients (Connect, Mirror Maker, etc.) require "get" permissions to view the node they are on
      # This information is used to generate a Rack ID (client.rack option) that is used for consuming from the closest
      # replicas when enabled
      - nodes
    verbs:
      - get

6.2.1.8. ClusterRoleBindings

The Operator needs ClusterRoleBindings and RoleBindings that associate its ClusterRoles with its ServiceAccount: ClusterRoleBindings are needed for the ClusterRoles containing cluster-scoped resources.

Example ClusterRoleBinding for the Cluster Operator

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: strimzi-cluster-operator
  labels:
    app: strimzi
subjects:
  - kind: ServiceAccount
    name: strimzi-cluster-operator
    namespace: myproject
roleRef:
  kind: ClusterRole
  name: strimzi-cluster-operator-global
  apiGroup: rbac.authorization.k8s.io

ClusterRoleBindings are also needed for the ClusterRoles used for delegation:

Example ClusterRoleBinding for the Cluster Operator for Kafka broker rack-awareness

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: strimzi-cluster-operator-kafka-broker-delegation
  labels:
    app: strimzi
# The Kafka broker cluster role must be bound to the cluster operator service account so that it can delegate the cluster role to the Kafka brokers.
# This must be done to avoid escalating privileges which would be blocked by Kubernetes.
subjects:
  - kind: ServiceAccount
    name: strimzi-cluster-operator
    namespace: myproject
roleRef:
  kind: ClusterRole
  name: strimzi-kafka-broker
  apiGroup: rbac.authorization.k8s.io

Example ClusterRoleBinding for the Cluster Operator for Kafka clients

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: strimzi-cluster-operator-kafka-client-delegation
  labels:
    app: strimzi
# The Kafka clients cluster role must be bound to the cluster operator service account so that it can delegate the
# cluster role to the Kafka clients using it for consuming from closest replica.
# This must be done to avoid escalating privileges which would be blocked by Kubernetes.
subjects:
  - kind: ServiceAccount
    name: strimzi-cluster-operator
    namespace: myproject
roleRef:
  kind: ClusterRole
  name: strimzi-kafka-client
  apiGroup: rbac.authorization.k8s.io

ClusterRoles containing only namespaced resources are bound using RoleBindings only.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: strimzi-cluster-operator
  labels:
    app: strimzi
subjects:
  - kind: ServiceAccount
    name: strimzi-cluster-operator
    namespace: myproject
roleRef:
  kind: ClusterRole
  name: strimzi-cluster-operator-namespaced
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: strimzi-cluster-operator-entity-operator-delegation
  labels:
    app: strimzi
# The Entity Operator cluster role must be bound to the cluster operator service account so that it can delegate the cluster role to the Entity Operator.
# This must be done to avoid escalating privileges which would be blocked by Kubernetes.
subjects:
  - kind: ServiceAccount
    name: strimzi-cluster-operator
    namespace: myproject
roleRef:
  kind: ClusterRole
  name: strimzi-entity-operator
  apiGroup: rbac.authorization.k8s.io
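The privilege escalation protection described in the RBAC section, and the reason the delegation bindings above bind strimzi-kafka-broker and strimzi-kafka-client to the operator's own ServiceAccount, can be replayed with this added Python model (not AMQ Streams or OpenShift code): it applies a simplified form of the API server's rule coverage check to rules copied from the strimzi-cluster-operator-global and strimzi-kafka-broker ClusterRoles shown on this page. It omits the bind verb shortcut that the real check also accepts.

```python
"""Simplified model of the Kubernetes RBAC escalation check: a subject may
create a binding to a role only if it already holds every permission in that
role. The rules below are copied from the ClusterRoles shown on this page;
the check itself is an added illustration, not Strimzi or OpenShift code,
and it omits the `bind` verb shortcut the real API server also accepts."""

CRUD = ["get", "list", "watch", "create", "delete", "patch", "update"]

# strimzi-cluster-operator-global (cluster-scoped resources)
CLUSTER_OPERATOR_GLOBAL = [
    {"apiGroups": ["rbac.authorization.k8s.io"],
     "resources": ["clusterrolebindings"], "verbs": CRUD},
    {"apiGroups": ["storage.k8s.io"],
     "resources": ["storageclasses"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["list"]},
]

# strimzi-kafka-broker: what the rack-aware init container needs
KAFKA_BROKER = [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get"]}]


def expand(rules):
    """Flatten RBAC rules into a set of (apiGroup, resource, verb) triples."""
    return {(g, r, v) for rule in rules
            for g in rule["apiGroups"]
            for r in rule["resources"]
            for v in rule["verbs"]}


def is_covered(held, need):
    """True if one held triple grants `need`, honouring '*' wildcards."""
    g, r, v = need
    return any(hg in ("*", g) and hr in ("*", r) and hv in ("*", v)
               for hg, hr, hv in held)


def missing_permissions(holder_rules, target_rules):
    """Permissions in target_rules that the holder lacks. An empty list means
    the holder may bind target_rules to another ServiceAccount without the
    API server rejecting the binding as privilege escalation."""
    held = expand(holder_rules)
    return sorted(need for need in expand(target_rules)
                  if not is_covered(held, need))


def can_delegate(holder_rules, target_rules):
    return not missing_permissions(holder_rules, target_rules)


if __name__ == "__main__":
    # With only its global ClusterRole the operator holds "list" on nodes,
    # not "get", so it could not hand strimzi-kafka-broker to broker pods.
    print(missing_permissions(CLUSTER_OPERATOR_GLOBAL, KAFKA_BROKER))
    # The strimzi-cluster-operator-kafka-broker-delegation ClusterRoleBinding
    # adds that role to the operator's ServiceAccount; delegation now passes.
    print(can_delegate(CLUSTER_OPERATOR_GLOBAL + KAFKA_BROKER, KAFKA_BROKER))
```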

6.2.2. Configuring the Cluster Operator with default proxy settings

If you are running a Kafka cluster behind an HTTP proxy, you can still pass data in and out of the cluster. For example, you can run Kafka Connect with connectors that push and pull data from outside the proxy. Or you can use a proxy to connect with an authorization server.

Configure the Cluster Operator deployment to specify the proxy environment variables. The Cluster Operator accepts standard proxy configuration (HTTP_PROXY, HTTPS_PROXY and NO_PROXY) as environment variables. The proxy settings are applied to all AMQ Streams containers.

The format for a proxy address is: http://IP-ADDRESS:PORT-NUMBER. To set up a proxy with a name and password, the format is: http://USERNAME:PASSWORD@IP-ADDRESS:PORT-NUMBER

Prerequisites

This procedure requires use of an OpenShift user account which is able to create CustomResourceDefinitions, ClusterRoles and ClusterRoleBindings. Use of Role Based Access Control (RBAC) in the OpenShift cluster usually means that permission to create, edit, and delete these resources is limited to OpenShift cluster administrators, such as system:admin.

Procedure

  1. To add proxy environment variables to the Cluster Operator, update its Deployment configuration (install/cluster-operator/060-Deployment-strimzi-cluster-operator.yaml).

    Example proxy configuration for the Cluster Operator

    apiVersion: apps/v1
    kind: Deployment
    spec:
      # ...
      template:
        spec:
          serviceAccountName: strimzi-cluster-operator
          containers:
            # ...
            env:
            # ...
            - name: "HTTP_PROXY"
              value: "http://proxy.com" # 1
            - name: "HTTPS_PROXY"
              value: "https://proxy.com" # 2
            - name: "NO_PROXY"
              value: "internal.com, other.domain.com" # 3
      # ...

    1. The address of the proxy server.
    2. The secure address of the proxy server.
    3. Addresses of servers that are accessed as exceptions to the proxy server. The URLs are comma-separated.

    Alternatively, edit the Deployment directly:

    oc edit deployment strimzi-cluster-operator
  2. If you updated the YAML file instead of editing the Deployment directly, apply the changes:

    oc create -f install/cluster-operator/060-Deployment-strimzi-cluster-operator.yaml

6.2.3. Configuring FIPS mode in the Cluster Operator

The Federal Information Processing Standards (FIPS) are standards for computer security and interoperability. When running AMQ Streams on a FIPS-enabled OpenShift cluster, the OpenJDK used in the AMQ Streams container images automatically switches to FIPS mode. This prevents AMQ Streams from running on the cluster. When you deploy AMQ Streams to the cluster, you will see errors similar to the following:

Exception in thread "main" io.fabric8.kubernetes.client.KubernetesClientException: An error has occurred.
	...
Caused by: java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY
	...
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY
	...

If you want to run AMQ Streams on a FIPS-enabled cluster, you can disable the OpenJDK FIPS mode by setting the FIPS_MODE environment variable to disabled in the deployment configuration of the Cluster Operator. The AMQ Streams deployment is then not FIPS compliant, but the AMQ Streams operators and all of their operands are able to run on the FIPS-enabled OpenShift cluster.

Procedure

  1. To disable FIPS mode in the Cluster Operator, update its Deployment configuration (install/cluster-operator/060-Deployment-strimzi-cluster-operator.yaml) and add the FIPS_MODE environment variable.

    Example FIPS configuration for the Cluster Operator

    apiVersion: apps/v1
    kind: Deployment
    spec:
      # ...
      template:
        spec:
          serviceAccountName: strimzi-cluster-operator
          containers:
            # ...
            env:
            # ...
            - name: "FIPS_MODE"
              value: "disabled" # 1
      # ...

    1. Disables FIPS mode.

    Alternatively, edit the Deployment directly:

    oc edit deployment strimzi-cluster-operator
  2. If you updated the YAML file instead of editing the Deployment directly, apply the changes:

    oc apply -f install/cluster-operator/060-Deployment-strimzi-cluster-operator.yaml