AFAIK, admission controllers are the last pass before a request reaches the database, but I don't know which ones are enabled. Is there a way to find out which ones are actually in effect?
Thanks
Answer 0 (score: 1)
kube-apiserver runs in your kube-apiserver- pod; describe it:
kubectl -n kube-system describe po kube-apiserver-example.com
Another way to look at what is inside the container: unfortunately there is no `ps` command in the container, but you can get the init process's command-line arguments from /proc, like this:
kubectl -n kube-system exec kube-apiserver-example.com -- sed 's/--/\n/g' /proc/1/cmdline
which may look something like:
enable-admission-plugins=NodeRestriction
Answer 1 (score: 1)
There is no admissioncontroller k8s object exposed directly in kubectl.
To get the list of admission controllers, you have to hit the k8s master API directly, with the right version supported by your k8s install:
kubectl get --raw /apis/admissionregistration.k8s.io/v1/validatingwebhookconfigurations | jq
For our environment, we run Open Policy Agent as an admission controller, and we can see the webhook object here:
kubectl get --raw /apis/admissionregistration.k8s.io/v1/validatingwebhookconfigurations | jq '.items[] | select(.metadata.name=="open-policy-agent-latest-helm-opa")'
The output JSON object:
{
  "metadata": {
    "name": "open-policy-agent-latest-helm-opa",
    "selfLink": "/apis/admissionregistration.k8s.io/v1/validatingwebhookconfigurations/open-policy-agent-latest-helm-opa",
    "uid": "02139b9e-b282-4ef9-8017-d698bb13882c",
    "resourceVersion": "150373119",
    "generation": 93,
    "creationTimestamp": "2021-03-18T06:22:54Z",
    "labels": {
      "app": "open-policy-agent-latest-helm-opa",
      "app.kubernetes.io/managed-by": "Helm",
      "chart": "opa-1.14.6",
      "heritage": "Helm",
      "release": "open-policy-agent-latest-helm-opa"
    },
    "annotations": {
      "meta.helm.sh/release-name": "open-policy-agent-latest-helm-opa",
      "meta.helm.sh/release-namespace": "open-policy-agent-latest"
    },
    "managedFields": [
      {
        "manager": "Go-http-client",
        "operation": "Update",
        "apiVersion": "admissionregistration.k8s.io/v1beta1",
        "time": "2021-03-18T06:22:54Z",
        "fieldsType": "FieldsV1",
        "fieldsV1": {
          "f:metadata": {
            "f:annotations": {
              ".": {},
              "f:meta.helm.sh/release-name": {},
              "f:meta.helm.sh/release-namespace": {}
            },
            "f:labels": {
              ".": {},
              "f:app": {},
              "f:app.kubernetes.io/managed-by": {},
              "f:chart": {},
              "f:heritage": {},
              "f:release": {}
            }
          },
          "f:webhooks": {
            ".": {},
            "k:{\"name\":\"webhook.openpolicyagent.org\"}": {
              ".": {},
              "f:admissionReviewVersions": {},
              "f:clientConfig": {
                ".": {},
                "f:caBundle": {},
                "f:service": {
                  ".": {},
                  "f:name": {},
                  "f:namespace": {},
                  "f:port": {}
                }
              },
              "f:failurePolicy": {},
              "f:matchPolicy": {},
              "f:name": {},
              "f:namespaceSelector": {
                ".": {},
                "f:matchExpressions": {}
              },
              "f:objectSelector": {},
              "f:rules": {},
              "f:sideEffects": {},
              "f:timeoutSeconds": {}
            }
          }
        }
      }
    ]
  },
  "webhooks": [
    {
      "name": "webhook.openpolicyagent.org",
      "clientConfig": {
        "service": {
          "namespace": "open-policy-agent-latest",
          "name": "open-policy-agent-latest-helm-opa",
          "port": 443
        },
        "caBundle": "LS0BLAH="
      },
      "rules": [
        {
          "operations": [
            "*"
          ],
          "apiGroups": [
            "*"
          ],
          "apiVersions": [
            "*"
          ],
          "resources": [
            "namespaces"
          ],
          "scope": "*"
        }
      ],
      "failurePolicy": "Ignore",
      "matchPolicy": "Exact",
      "namespaceSelector": {
        "matchExpressions": [
          {
            "key": "openpolicyagent.org/webhook",
            "operator": "NotIn",
            "values": [
              "ignore"
            ]
          }
        ]
      },
      "objectSelector": {},
      "sideEffects": "Unknown",
      "timeoutSeconds": 20,
      "admissionReviewVersions": [
        "v1beta1"
      ]
    }
  ]
}
You can see the endpoint the admission payload is sent to from the clientConfig above. Tail the logs of the pod serving that endpoint and you will see your admission requests being processed.
To get the mutating webhooks, hit the API version of interest again:
# get v1 mutating webhook configurations
kubectl get --raw /apis/admissionregistration.k8s.io/v1/mutatingwebhookconfigurations | jq
Answer 2 (score: 0)
You can find the list of admission controllers enabled by default in the docs: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/#options (search for "--enable-admission-plugins"), or in the equivalent code: https://github.com/kubernetes/kubernetes/blob/master/pkg/kubeapiserver/options/plugins.go#L131-L145
For customized ones, you can run this command on any master node:
cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep -E "(enable|disable)-admission-plugins"
Answer 3 (score: 0)
ImagePolicyWebhook
uses a configuration file to set the options for the backend behavior.
Create one of the Pods by running kubectl create -f examples/<name>.yaml. In this case you can verify the user ID the Pod runs as by checking the logs, for example:
$ kubectl create -f examples/pod-with-defaults.yaml
$ kubectl logs pod-with-defaults