How to get the list of enabled admission controllers in Kubernetes



AFAIK, admission controllers are the last pass before a commit to the database.

However, I don't know which ones are enabled. Is there a way to tell which ones are in effect?

Thanks.

The kube-apiserver is running in your kube-apiserver-<example.com> container. That application currently has no GET method for the enabled admission plugins, but you can get the startup arguments from its command line.

kubectl -n kube-system describe po kube-apiserver-example.com

Another way is to look inside the container: unfortunately there is no "ps" command in the container, but you can get the initial process's command-line arguments from /proc, something like

kubectl -n kube-system exec kube-apiserver-example.com -- sed 's/--/\n/g' /proc/1/cmdline

It will likely look like:

enable-admission-plugins=NodeRestriction
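The /proc/1/cmdline approach above hands you the raw flags; the added example below (not part of the answer) turns that NUL-separated argv into a flag table and derives the admission plugin sets from --enable-admission-plugins and --disable-admission-plugins. The SAMPLE_CMDLINE bytes are constructed to mimic what `cat /proc/1/cmdline` returns, and the defaults list passed in at the bottom is a placeholder: the real default list is version-specific and comes from the kube-apiserver docs linked in the other answers.

```python
"""Parse a kube-apiserver command line as read from /proc/1/cmdline and work
out which admission plugins it explicitly turns on and off.
Added example; not code from the answer or from Kubernetes itself."""

# Constructed sample of what `cat /proc/1/cmdline` returns: arguments are
# separated by NUL bytes, not by spaces.
SAMPLE_CMDLINE = (
    b"kube-apiserver\0"
    b"--advertise-address=10.0.0.10\0"
    b"--enable-admission-plugins=NodeRestriction,PodSecurity\0"
    b"--disable-admission-plugins=DefaultStorageClass\0"
    b"--authorization-mode=Node,RBAC\0"
)


def parse_cmdline(raw: bytes) -> dict:
    """Turn NUL-separated argv into a dict of flag name -> value.

    Accepts both `--flag=value` and `--flag value`; a bare `--flag` is
    recorded as "true". A repeated flag has its values joined with commas,
    which matches pflag's StringSlice behaviour for the admission-plugin
    flags (assumption; scalar flags would behave differently, ignored here).
    """
    argv = [a.decode() for a in raw.split(b"\0") if a]
    flags = {}
    i = 1  # argv[0] is the binary name
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            if "=" in arg:
                key, value = arg[2:].split("=", 1)
            elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                key, value = arg[2:], argv[i + 1]
                i += 1
            else:
                key, value = arg[2:], "true"
            flags[key] = f"{flags[key]},{value}" if key in flags else value
        i += 1
    return flags


def admission_plugins(flags: dict, defaults=()) -> dict:
    """Combine the explicit enable/disable lists with the release's default
    plugin list. The caller supplies `defaults` from the docs; it is not
    hard-coded here because it changes between Kubernetes versions."""
    def split(s):
        return {p for p in s.split(",") if p}

    enabled = split(flags.get("enable-admission-plugins", ""))
    disabled = split(flags.get("disable-admission-plugins", ""))
    return {
        "enabled": sorted(enabled),
        "disabled": sorted(disabled),
        "effective": sorted((set(defaults) | enabled) - disabled),
    }


if __name__ == "__main__":
    flags = parse_cmdline(SAMPLE_CMDLINE)
    # Placeholder defaults for the demo; take the real list from the docs.
    report = admission_plugins(
        flags, defaults=["NamespaceLifecycle", "DefaultStorageClass"])
    for key, plugins in report.items():
        print(f"{key:>9}: {', '.join(plugins) or '-'}")
```

In a real audit, replace SAMPLE_CMDLINE with the bytes from `kubectl -n kube-system exec <apiserver-pod> -- cat /proc/1/cmdline`; the "effective" set is only as accurate as the defaults list you pass in for that cluster's version.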

There is no admissioncontroller k8s object directly exposed in kubectl.

To get the list of admission controllers you have to hit the k8s master API directly, with the correct version supported by your k8s installation:

kubectl get --raw /apis/admissionregistration.k8s.io/v1/validatingwebhookconfigurations | jq

For our environment we run Open Policy Agent as an admission controller, and we can see the webhook object here:

kubectl get --raw /apis/admissionregistration.k8s.io/v1/validatingwebhookconfigurations | jq '.items[] | select(.metadata.name=="open-policy-agent-latest-helm-opa")'

which outputs the JSON object:

{
  "metadata": {
    "name": "open-policy-agent-latest-helm-opa",
    "selfLink": "/apis/admissionregistration.k8s.io/v1/validatingwebhookconfigurations/open-policy-agent-latest-helm-opa",
    "uid": "02139b9e-b282-4ef9-8017-d698bb13882c",
    "resourceVersion": "150373119",
    "generation": 93,
    "creationTimestamp": "2021-03-18T06:22:54Z",
    "labels": {
      "app": "open-policy-agent-latest-helm-opa",
      "app.kubernetes.io/managed-by": "Helm",
      "chart": "opa-1.14.6",
      "heritage": "Helm",
      "release": "open-policy-agent-latest-helm-opa"
    },
    "annotations": {
      "meta.helm.sh/release-name": "open-policy-agent-latest-helm-opa",
      "meta.helm.sh/release-namespace": "open-policy-agent-latest"
    },
    "managedFields": [
      {
        "manager": "Go-http-client",
        "operation": "Update",
        "apiVersion": "admissionregistration.k8s.io/v1beta1",
        "time": "2021-03-18T06:22:54Z",
        "fieldsType": "FieldsV1",
        "fieldsV1": {
          "f:metadata": {
            "f:annotations": {
              ".": {},
              "f:meta.helm.sh/release-name": {},
              "f:meta.helm.sh/release-namespace": {}
            },
            "f:labels": {
              ".": {},
              "f:app": {},
              "f:app.kubernetes.io/managed-by": {},
              "f:chart": {},
              "f:heritage": {},
              "f:release": {}
            }
          },
          "f:webhooks": {
            ".": {},
            "k:{\"name\":\"webhook.openpolicyagent.org\"}": {
              ".": {},
              "f:admissionReviewVersions": {},
              "f:clientConfig": {
                ".": {},
                "f:caBundle": {},
                "f:service": {
                  ".": {},
                  "f:name": {},
                  "f:namespace": {},
                  "f:port": {}
                }
              },
              "f:failurePolicy": {},
              "f:matchPolicy": {},
              "f:name": {},
              "f:namespaceSelector": {
                ".": {},
                "f:matchExpressions": {}
              },
              "f:objectSelector": {},
              "f:rules": {},
              "f:sideEffects": {},
              "f:timeoutSeconds": {}
            }
          }
        }
      }
    ]
  },
  "webhooks": [
    {
      "name": "webhook.openpolicyagent.org",
      "clientConfig": {
        "service": {
          "namespace": "open-policy-agent-latest",
          "name": "open-policy-agent-latest-helm-opa",
          "port": 443
        },
        "caBundle": "LS0BLAH="
      },
      "rules": [
        {
          "operations": [
            "*"
          ],
          "apiGroups": [
            "*"
          ],
          "apiVersions": [
            "*"
          ],
          "resources": [
            "namespaces"
          ],
          "scope": "*"
        }
      ],
      "failurePolicy": "Ignore",
      "matchPolicy": "Exact",
      "namespaceSelector": {
        "matchExpressions": [
          {
            "key": "openpolicyagent.org/webhook",
            "operator": "NotIn",
            "values": [
              "ignore"
            ]
          }
        ]
      },
      "objectSelector": {},
      "sideEffects": "Unknown",
      "timeoutSeconds": 20,
      "admissionReviewVersions": [
        "v1beta1"
      ]
    }
  ]
}

You can see the clientConfig endpoint in k8s above; that is where the admission payload is sent. Tail the logs of the pod serving that endpoint and you will see your admission requests being processed.

To get the mutating webhooks, again hit the API version of interest:

# get v1 mutating webhook configurations
kubectl get --raw /apis/admissionregistration.k8s.io/v1/mutatingwebhookconfigurations | jq
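The raw list that the two `kubectl get --raw ... | jq` calls above return is long (the managedFields block alone is most of it), so as an added example that is not part of the answer, here is a small summary script that flattens every webhook in such a list into one row and flags the two things a reviewer checks first: a failurePolicy of Ignore (the API server admits the request when the webhook errors or times out, so the policy is fail-open) and a hook that does not accept AdmissionReview v1. The SAMPLE_LIST is constructed: its first entry mirrors the OPA webhook in the answer's output, reduced to the fields the summary reads, and its second entry is an invented fail-closed hook for contrast (the example.invalid host is a placeholder).

```python
"""Summarize ValidatingWebhookConfiguration / MutatingWebhookConfiguration
lists as returned by `kubectl get --raw /apis/admissionregistration.k8s.io/v1/...`.
Added example; not code from the answer or from Kubernetes itself."""
import json

# Constructed sample. Entry 1 mirrors the OPA webhook shown in the answer;
# entry 2 is made up (example.invalid is a reserved placeholder domain).
SAMPLE_LIST = json.dumps({
    "items": [
        {
            "metadata": {"name": "open-policy-agent-latest-helm-opa"},
            "webhooks": [{
                "name": "webhook.openpolicyagent.org",
                "clientConfig": {"service": {
                    "namespace": "open-policy-agent-latest",
                    "name": "open-policy-agent-latest-helm-opa",
                    "port": 443}},
                "rules": [{"operations": ["*"], "apiGroups": ["*"],
                           "apiVersions": ["*"], "resources": ["namespaces"],
                           "scope": "*"}],
                "failurePolicy": "Ignore",
                "timeoutSeconds": 20,
                "admissionReviewVersions": ["v1beta1"],
            }],
        },
        {
            "metadata": {"name": "example-image-check"},
            "webhooks": [{
                "name": "images.example.invalid",
                "clientConfig": {"url": "https://hook.example.invalid/validate"},
                "rules": [{"operations": ["CREATE", "UPDATE"], "apiGroups": [""],
                           "apiVersions": ["v1"], "resources": ["pods"]}],
                "failurePolicy": "Fail",
                "timeoutSeconds": 10,
                "admissionReviewVersions": ["v1", "v1beta1"],
            }],
        },
    ]
})


def summarize_webhooks(raw_json: str) -> list:
    """Flatten every webhook in the list into one row of review-relevant
    fields plus a list of findings (empty when nothing stands out)."""
    rows = []
    for item in json.loads(raw_json).get("items", []):
        for hook in item.get("webhooks", []):
            cc = hook.get("clientConfig", {})
            svc = cc.get("service")
            # A webhook is reached either through an in-cluster Service
            # (default port 443) or through an explicit URL.
            target = (f"{svc['namespace']}/{svc['name']}:{svc.get('port', 443)}"
                      if svc else cc.get("url", "<none>"))
            resources = sorted({r for rule in hook.get("rules", [])
                                for r in rule.get("resources", [])})
            # The v1 API defaults failurePolicy to Fail and timeoutSeconds to 10.
            failure_policy = hook.get("failurePolicy", "Fail")
            findings = []
            if failure_policy == "Ignore":
                findings.append("fail-open (failurePolicy=Ignore)")
            # AdmissionReview v1beta1 is deprecated; flag hooks that do not
            # also accept v1.
            if "v1" not in hook.get("admissionReviewVersions", []):
                findings.append("no AdmissionReview v1 support")
            rows.append({
                "configuration": item["metadata"]["name"],
                "webhook": hook["name"],
                "target": target,
                "resources": resources,
                "failurePolicy": failure_policy,
                "timeoutSeconds": hook.get("timeoutSeconds", 10),
                "findings": findings,
            })
    return rows


if __name__ == "__main__":
    for row in summarize_webhooks(SAMPLE_LIST):
        status = "; ".join(row["findings"]) or "ok"
        print(f"{row['configuration']}/{row['webhook']} -> {row['target']} "
              f"resources={','.join(row['resources'])} "
              f"failurePolicy={row['failurePolicy']} "
              f"timeout={row['timeoutSeconds']}s [{status}]")
```

Feed it the output of either `--raw` call (validating or mutating; both lists share the fields used here) to get one line per webhook instead of paging through jq output. Note that the OPA hook in the answer only matches the `namespaces` resource, so it would not be the reason a pod was rejected.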

Here is the official explanation: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#which-plugins-are-enabled-by-default

Note: you should get the stdout via exec in the container

kubectl exec -it kube-apiserver-<your-machine-name> -n kube-system -- kube-apiserver -h | grep enable-admission-plugins

You can find the list of admission controllers enabled by default in the docs: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/#options, search for "--enable-admission-plugins"; or equivalently in the code: https://github.com/kubernetes/kubernetes/blob/master/pkg/kubeapiserver/options/plugins.go#L131-L145

For the custom ones, you can run this cmd on any master node: cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep -E "(enable|disable)-admission-plugins"

ImagePolicyWebhook uses a configuration file to set options for the backend's behaviour

Create one of these pods by running kubectl create -f examples/<name>.yaml. In this case you can verify the user id the pod runs as by checking the logs, for example:

$ kubectl create -f examples/pod-with-defaults.yaml

$ kubectl logs pod-with-defaults

Not sure why it wasn't mentioned before, but it is even in the Kubernetes docs:

kubectl exec -it kube-apiserver-<your-machine-name> -n kube-system -- kube-apiserver -h | grep enable-admission-plugins

It does exactly what you want.
