Cleanest way to patch a multi-document YAML file in Ansible



Consider the following multi-document YAML file used to create Kubernetes resources. The file is generated by a third-party vendor's API:

# VENDOR_GENERATED_YAML.yml
---
---
---
apiVersion: v1
kind: Secret
metadata:
  name: twistlock-secrets
  namespace: twistlock
type: Opaque
data:
  foo: bar
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: twistlock-service
  namespace: twistlock
secrets:
  - name: twistlock-secrets
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: twistlock-defender-ds
  namespace: twistlock
spec:
  selector:
    matchLabels:
      app: twistlock-defender
  template:
    metadata:
      annotations:
        container.apparmor.security.beta.kubernetes.io/twistlock-defender: unconfined
      labels:
        app: twistlock-defender
    spec:
      serviceAccountName: twistlock-service
      restartPolicy: Always
      containers:
        - name: twistlock-defender
          image: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: defender
  namespace: twistlock
  labels:
    app: twistlock-defender
spec:
  ports:
    - port: 443
      targetPort: 9998
  selector:
    app: twistlock-defender

Note: the empty documents are part of the YAML generated by the vendor's API. Now consider a patch that only needs to be applied to the DaemonSet resource:

# our patch
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: twistlock-defender-ds
spec:
  template:
    spec:
      tolerations:
        - operator: Exists

What is the cleanest way to merge these items into a single YAML document in Ansible?

I was able to get two variables, one containing all the resources except the DaemonSet and the other containing the "patched" DaemonSet resource.

- name: Load defender YAML into list of dicts
  debug:
    # from_yaml_all turns each empty "---" document into null; drop those entries
    msg: "{{ lookup('file', 'VENDOR_GENERATED_YAML.yml') | from_yaml_all | list | difference([None]) }}"
  register: defender_yaml

- name: Register Defender YAML with the exception of the DaemonSet
  debug:
    msg: "{{ item }}"
  loop: "{{ defender_yaml.msg }}"
  when: "'twistlock-defender-ds' not in item.metadata.name"
  register: defender_yaml_nods

- name: Merge and register Defender DaemonSet YAML with our patch
  debug:
    msg: "{{ lookup('template', 'defender_yaml_patch.yml') | from_yaml | combine(item, recursive=True) }}"
  loop: "{{ defender_yaml.msg }}"
  when: "'twistlock-defender-ds' in item.metadata.name"
  register: defender_yaml_ds

However, I now still have a list of dicts in one resource and another list of dicts in the second. The problem is that the k8s module in Ansible only accepts a single, contiguous resource definition.

It seems to me there should be an "easy" way of doing this in Ansible and I may be missing something here. Otherwise I will simply use kubectl and apply a custom file containing both YAMLs with it.
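One way to keep the whole merge inside Ansible, as an added example that is not part of the question's own tasks: load the vendor file, drop the empty documents (which from_yaml_all returns as null), apply the patch only to the document whose kind and metadata.name match, and hand the resulting list to kubernetes.core.k8s, whose definition parameter accepts a list of resources. It assumes the patch shown above is saved as defender_yaml_patch.yml next to the playbook.

```yaml
- name: Load the vendor manifest (minus empty documents) and the patch
  set_fact:
    # Each empty "---" document loads as null; select() keeps only truthy items
    vendor_docs: "{{ lookup('file', 'VENDOR_GENERATED_YAML.yml') | from_yaml_all | select() | list }}"
    patch: "{{ lookup('file', 'defender_yaml_patch.yml') | from_yaml }}"

- name: Refuse to continue if the patch target is missing from the vendor manifest
  assert:
    that:
      - vendor_docs | selectattr('kind', 'equalto', patch.kind) | selectattr('metadata.name', 'equalto', patch.metadata.name) | list | length == 1
    fail_msg: "Expected exactly one {{ patch.kind }}/{{ patch.metadata.name }} in VENDOR_GENERATED_YAML.yml"

- name: Deep-merge the patch into the matching DaemonSet, keep every other resource untouched
  set_fact:
    # recursive=True merges nested maps, so containers/selector from the vendor are preserved
    patched_docs: >-
      {{ patched_docs | default([]) +
         [ (item | combine(patch, recursive=True))
           if (item.kind == patch.kind and item.metadata.name == patch.metadata.name)
           else item ] }}
  loop: "{{ vendor_docs }}"
  loop_control:
    label: "{{ item.kind }}/{{ item.metadata.name }}"

- name: Create or update all resources in one task
  kubernetes.core.k8s:
    state: present
    definition: "{{ patched_docs }}"
```

Because the match is on kind and metadata.name rather than a substring, a renamed vendor resource fails the assert instead of silently shipping an unpatched DaemonSet.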

Not really the answer you're looking for, but the best way to solve your particular problem is to use the Prisma Cloud Compute Operator.

You would go through the following steps:

  1. Create the twistlock namespace
  2. Create the secret as follows:

apiVersion: v1
kind: Secret
metadata:
  name: pcc-credentials
  namespace: twistlock
data:
  accessToken: <base64 encoded access token>
  license: <base64 encoded license key>
  password: <base64 encoded password>
  username: <base64 encoded username>

  3. Clone the operator and apply its resources to your cluster:

git clone https://github.com/PaloAltoNetworks/prisma-cloud-compute-operator.git
kubectl apply -k prisma-cloud-compute-operator/config/deploy

  4. Deploy the Console and Defenders from this definition:

---
apiVersion: pcc.paloaltonetworks.com/v1alpha1
kind: ConsoleDefender
metadata:
  name: pcc-consoledefender
  namespace: twistlock
spec:
  namespace: twistlock
  orchestrator: kubernetes
  version: '21_08_520'
  consoleConfig:
    serviceType: ClusterIP
  defenderConfig:
    docker: false
