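Scaling a Kubernetes deployment via the API

Time: 2019-05-19 06:25:54

Tags: kubernetes

I want to scale a deployment (up and down) from a pod. In other words, how can a pod in a namespace send a Kubernetes API call to scale a deployment?

I have created a role and assigned it to a service account with the following privileges so that it can send API calls: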

apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2019-05-19T18:52:09Z"
  name: {name}-sa
  namespace: {name}
  resourceVersion: "11378025"
  selfLink: /api/v1/namespaces/{name}/serviceaccounts/{name}-sa
  uid: 34606554-7a67-11e9-8e78-c6f4a9a0006a
secrets:
- name: {name}-sa-token-mgk5z



apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    creationTimestamp: "2019-05-17T13:21:09Z"
    name: {name}-{name}-api-role
    namespace: {name}
    resourceVersion: "10985868"
    selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/{name}/roles/{name}-{name}-api-role
    uid: a298e71a-78a6-11e9-b54a-c6f4a9a00070
  rules:
  - apiGroups:
    - extensions
    - apps
    resources:
    - deployments
    verbs:
    - get
    - list
    - watch
    - create
    - update
    - patch
    - delete
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    creationTimestamp: "2019-05-17T13:45:46Z"
    name: {name}-{name}-api-rolebind
    namespace: {name}
    resourceVersion: "11378111"
    selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/{name}/rolebindings/{name}-{name}-api-rolebind
    uid: 12812ea7-78aa-11e9-89ae-c6f4a9a00064
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: {name}-{name}-api-role
  subjects:
  - kind: ServiceAccount
    name: {name}-sa
    namespace: {name}
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

I can retrieve the deployment with the following request, but I cannot find a way to scale it.

https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/apis/apps/v1/namespaces/{name}/deployments/{name}

I tried the following command to scale it, but it failed:

curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"  -X PUT  -d '[{ \
    "op":"replace", \
    "path":"/spec/replicas", \
    "value": "2" \
  }]'
 https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/apis/apps/v1/namespaces/{name}/deployments/{name}

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "deployments.apps \"{name}\" is forbidden: User \"system:serviceaccount:{name}:default\" cannot  resource \"deployments\" in API group \"apps\" in the namespace \"{name}\"",
  "reason": "Forbidden",
  "details": {
    "name": "{name}",
    "group": "apps",
    "kind": "deployments"
  },
  "code": 403

4 answers:

Answer 0 (score: 2)

Using Kubernetes v1.16.13 on GKE.

I found that if you grant the patch permission on the deployments/scale resource, you can PATCH /apis/apps/v1/namespaces/default/deployments/{name}/scale

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {name}
rules:
- apiGroups: ["apps"]
  resources: ["deployments/scale"]
  verbs: ["patch"]

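Answer 1 (score: 0)

Try this:

# The API server port is TLS-only, so use https and authenticate with the pod's service account token
API_URL="https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/apis/apps/v1/namespaces/{namespace}/deployments/{name}/scale"
PAYLOAD='[{"op":"replace","path":"/spec/replicas","value":2}]'
curl -X PATCH --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
  -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
  -H 'Content-Type: application/json-patch+json' -d "$PAYLOAD" "$API_URL"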

Answer 2 (score: 0)

I finally managed to find a way to scale a deployment from a pod via a Kubernetes API call:

curl -X PATCH --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
  https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/apis/extensions/v1beta1/namespaces/{NAMESPACE}/deployments/{NAME} \
  -H 'Content-Type: application/strategic-merge-patch+json' \
  -d '{"spec":{"replicas":1}}'

I had to create a new service account and assign the role as described at the beginning.

Thanks, everyone, for the support.

Answer 3 (score: 0)

In Kubernetes 1.14, I had to do it this way:

#!/bin/sh

set -e

NUMBER_OF_REPLICAS="$1"
CURRENT_NAMESPACE="$2"
DEPLOYMENT_NAME="$3"

KUBE_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
KUBE_CACRT_PATH="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"

PAYLOAD="{\"spec\":{\"replicas\":$NUMBER_OF_REPLICAS}}"

curl --cacert "$KUBE_CACRT_PATH" \
     -X PATCH \
     -H "Content-Type: application/strategic-merge-patch+json" \
     -H "Authorization: Bearer $KUBE_TOKEN" \
     --data "$PAYLOAD" \
     "https://$KUBERNETES_SERVICE_HOST/apis/apps/v1/namespaces/$CURRENT_NAMESPACE/deployments/$DEPLOYMENT_NAME"

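Note that $KUBERNETES_SERVICE_HOST is set automatically by Kubernetes inside the pod.

And don't forget that you need to set up a ServiceAccount with permission to patch deployments in order to make the API call from inside the pod. Example: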

apiVersion: v1
kind: ServiceAccount
metadata:
  name: example
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["patch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example
subjects:
  - kind: ServiceAccount
    name: example
roleRef:
  kind: Role
  name: example
  apiGroup: rbac.authorization.k8s.io
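
Added example (not from any of the answers above): answer 0's deployments/scale endpoint combined with answer 3's script, with the replica count and the names validated before they reach the JSON body and the URL path, so the service account needs only patch on deployments/scale. The function names, the 4-digit replica cap, the DNS-label name rule (stricter than Kubernetes itself) and the merge-patch content type are choices made for this example.

```shell
#!/bin/sh
# Added example: scale through the deployments/scale subresource with validated input.
LC_ALL=C; export LC_ALL      # make the [a-z] ranges below byte-exact
SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount   # token and CA path used on this page

# Plain non-negative integer, no leading zeros, at most 4 digits (cap is an assumption).
valid_replicas() {
  case "$1" in
    ''|*[!0-9]*|0?*) return 1 ;;
  esac
  [ "${#1}" -le 4 ]
}

# DNS label only (assumption: stricter than Kubernetes, which also allows dots in
# deployment names), so the value cannot change the URL path.
valid_name() {
  case "$1" in
    ''|-*|*-|*[!a-z0-9-]*) return 1 ;;
  esac
  [ "${#1}" -le 63 ]
}

scale_payload() {            # REPLICAS -> merge-patch body
  valid_replicas "$1" || return 1
  printf '{"spec":{"replicas":%s}}' "$1"
}

scale_url() {                # NAMESPACE DEPLOYMENT -> URL of the scale subresource
  valid_name "$1" && valid_name "$2" || return 1
  printf 'https://%s:%s/apis/apps/v1/namespaces/%s/deployments/%s/scale' \
    "$KUBERNETES_SERVICE_HOST" "$KUBERNETES_PORT_443_TCP_PORT" "$1" "$2"
}

scale_deployment() {         # NAMESPACE DEPLOYMENT REPLICAS
  url=$(scale_url "$1" "$2") || { echo "invalid namespace or name" >&2; return 2; }
  body=$(scale_payload "$3") || { echo "invalid replica count" >&2; return 2; }
  curl --fail --silent --show-error --cacert "$SA_DIR/ca.crt" -X PATCH \
    -H "Content-Type: application/merge-patch+json" \
    -H "Authorization: Bearer $(cat "$SA_DIR/token")" \
    --data "$body" "$url"
}

if [ "$#" -eq 3 ]; then scale_deployment "$@"; fi
```

Run inside the pod as `sh scale.sh NAMESPACE DEPLOYMENT REPLICAS` (the file name is arbitrary); a 403 response means the pod is not running under the service account the Role is bound to.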