\u6211\u5728\u4e1a\u52a1\u4e2d\u4f7f\u7528Kyverno\uff0c\u4f46\u53ea\u4f7f\u7528\u4e86\u90e8\u5206\u529f\u80fd\uff0c\u5c1a\u672a\u5b8c\u5168\u638c\u63e1\u6240\u6709\u529f\u80fd\uff0c\u56e0\u6b64\u6211\u6b63\u5728\u64b0\u5199\u8fd9\u7bc7\u6587\u7ae0\u8fdb\u884c\u8c03\u67e5\u3002<\/p>\n
Kyverno\u662f\u4e13\u4e3aKubernetes\u8bbe\u8ba1\u7684\u7b56\u7565\u5f15\u64ce\u3002\u7b56\u7565\u6307\u7684\u662f\u5728\u521b\u5efak8s\u8d44\u6e90\u65f6\u7684\u89c4\u5219\u3002\u4f8b\u5982…<\/p>\n
<\/p>\n
<\/p>\n
\u6211\u8ba4\u4e3a\u4e0eOpenPolicyAgent\u76f8\u6bd4\u7684\u4e00\u4e2a\u91cd\u5927\u533a\u522b\u662f\u53ef\u4ee5\u4e0d\u4f7f\u7528\u50cfRego\u8fd9\u6837\u7684\u7279\u6b8a\u8bed\u8a00\u6765\u5b9a\u4e49\u7b56\u7565\u3002<\/p>\n
<\/p>\n
<\/p>\n
\u6211\u60f3\u8981\u5206\u522b\u4f53\u9a8c\u8fd9\u4e9b\u529f\u80fd\uff01<\/p>\n
\u7531\u65bcManifest\u5728GitHub\u4e0a\u5df2\u6e96\u5099\u597d\uff0c\u6211\u5011\u5c07\u4f7f\u7528\u5b83\u3002
\n\u9806\u4fbf\u4e00\u63d0\uff0c\u6211\u5011\u5c07\u4f7f\u7528Kyverno\u7684\u7248\u672c\u70bav1.4.1\u3002<\/p>\n
$ <\/span>kubectl apply -f<\/span> https:\/\/raw.githubusercontent.com\/kyverno\/kyverno\/v1.4.1\/definitions\/install.yaml\r\n<\/code><\/pre>\n\u78b0\u4e00\u4e0b\u8bd5\u8bd5<\/h1>\n\u4ea7\u751f\u8d44\u6e90<\/h2>\n
Generate Resources\u662f\u4e00\u4e2a\u529f\u80fd\uff0c\u7528\u4e8e\u5728\u521b\u5efa\u6216\u66f4\u65b0\u8d44\u6e90\u65f6\u89e6\u53d1\u521b\u5efa\u65b0\u8d44\u6e90\u3002\u60a8\u53ef\u4ee5\u5728\u6b64\u94fe\u63a5\u4e2d\u4e86\u89e3\u66f4\u591a\u4fe1\u606f\uff1ahttps:\/\/kyverno.io\/docs\/writing-policies\/generate\/<\/p>\n
\u5148\u8bd5\u8bd5\u770b\u5427\uff01<\/p>\n
\u6211\u8ba4\u4e3a\u5728\u4e0d\u540c\u7684\u547d\u540d\u7a7a\u95f4\u4e2d\u53ef\u80fd\u4f1a\u6709\u4f7f\u7528\u76f8\u540c\u7684\u673a\u5bc6\u4fe1\u606f\u7684\u60c5\u51b5\u3002
\n\u4e3a\u4e86\u5e94\u5bf9\u8fd9\u79cd\u60c5\u51b5\uff0c\u6211\u4f1a\u7f16\u5199\u4e00\u4e2a\u7b56\u7565\uff0c\u5f53\u547d\u540d\u7a7a\u95f4\u88ab\u521b\u5efa\u65f6\uff0c\u53ef\u4ee5\u62f7\u8d1d\u5df2\u5b58\u5728\u7684\u673a\u5bc6\u4fe1\u606f\u3002<\/p>\n
\u9996\u5148\uff0c\u5728\u9ed8\u8ba4\u547d\u540d\u7a7a\u95f4\u4e2d\u521b\u5efa\u4f5c\u4e3a\u6e90\u7684\u79d8\u5bc6\u3002<\/p>\n
apiVersion<\/span>:<\/span> v1<\/span>\r\nkind<\/span>:<\/span> Secret<\/span>\r\nmetadata<\/span>:<\/span>\r\n name<\/span>:<\/span> sample-secret<\/span>\r\n namespace<\/span>:<\/span> default<\/span>\r\ntype<\/span>:<\/span> Opaque<\/span>\r\ndata<\/span>:<\/span>\r\n password<\/span>:<\/span> aG9nZQo=<\/span> # hoge<\/span>\r\n<\/code><\/pre>\n\u63a5\u4e0b\u6765\uff0c\u6211\u4eec\u5c06\u5b9a\u4e49\u4e00\u4e2a\u590d\u5236\u6b64Secret\u7684\u7b56\u7565\u3002<\/p>\n
apiVersion<\/span>:<\/span> kyverno.io\/v1<\/span>\r\nkind<\/span>:<\/span> ClusterPolicy<\/span>\r\nmetadata<\/span>:<\/span>\r\n name<\/span>:<\/span> sync-secrets<\/span>\r\n annotations<\/span>:<\/span>\r\n policies.kyverno.io\/title<\/span>:<\/span> Sync Secrets<\/span>\r\n policies.kyverno.io\/category<\/span>:<\/span> Sample<\/span>\r\n policies.kyverno.io\/subject<\/span>:<\/span> Secret<\/span>\r\n policies.kyverno.io\/description<\/span>:<\/span> >-<\/span>\r\n copy sample secret from default namespace to requested namespace.<\/span>\r\nspec<\/span>:<\/span>\r\n background<\/span>:<\/span> false<\/span>\r\n rules<\/span>:<\/span>\r\n -<\/span> name<\/span>:<\/span> sync-sample-secret<\/span>\r\n match<\/span>:<\/span>\r\n resources<\/span>:<\/span>\r\n kinds<\/span>:<\/span>\r\n -<\/span> Namespace<\/span>\r\n generate<\/span>:<\/span>\r\n kind<\/span>:<\/span> Secret<\/span>\r\n name<\/span>:<\/span> sample-secret<\/span>\r\n namespace<\/span>:<\/span> \"<\/span>{{request.object.metadata.name}}\"<\/span>\r\n synchronize<\/span>:<\/span> true<\/span>\r\n clone<\/span>:<\/span>\r\n namespace<\/span>:<\/span> default<\/span>\r\n name<\/span>:<\/span> sample-secret<\/span>\r\n<\/code><\/pre>\n\u8ba9\u6211\u4eec\u521b\u5efa\u4e00\u4e2a\u547d\u540d\u7a7a\u95f4\u5e76\u8fdb\u884c\u64cd\u4f5c\u4ee5\u786e\u8ba4\u3002<\/p>\n
$ <\/span>kubectl create namespace test\r\n<\/span>namespace\/test created\r\n\r\n# \u95a2\u4fc2\u3042\u308b\u3068\u3053\u308d\u3060\u3051\u629c\u7c8b<\/span>\r\n$ <\/span>kubectl get secret sample-secret -o<\/span> yaml -n<\/span> test\r\n<\/span>apiVersion: v1\r\ndata:\r\n password: aG9nZQo<\/span>=<\/span>\r\nkind: Secret\r\nmetadata:\r\n name: sample-secret\r\n namespace: test\r\ntype<\/span>: Opaque\r\n<\/code><\/pre>\n\u6240\u4ee5\uff0c\u6211\u6210\u529f\u5730\u505a\u5230\u4e86\u6211\u60f3\u505a\u7684\u4e8b\u60c5\u3002<\/p>\n
\u6709\u7591\u554f<\/h3>\n
\u6211\u4f1a\u5199\u4e0b\u5c1d\u8bd5\u540e\u51fa\u73b0\u7684\u7591\u95ee\u548c\u5bf9\u5e94\u7684\u7b54\u6848\u3002<\/p>\n
spec.rules.generate.synchronize\u662f\u4ec0\u4e48\u610f\u601d\uff1f<\/h4>\n
\u5728\u8fd9\u4e2a\u793a\u4f8b\u4e2d\uff0c\u6211\u4eec\u8bbe\u7f6e\u4e86 synchronize: true\u3002\u8fd9\u5177\u4f53\u610f\u5473\u7740\u4ec0\u4e48\u5462\uff1f<\/p>\n
\u5982\u679c\u8d44\u6e90\u662f\u901a\u8fc7\u590d\u5236\u521b\u5efa\u7684\uff0c\u90a3\u4e48\u65e0\u6cd5\u8fdb\u884c\u6e90\u4ee3\u7801\u7ba1\u7406\u3002\u5982\u679c\u4f7f\u7528Yaml\u5b9a\u4e49\u6e05\u5355\u5e76\u5728Git\u4e2d\u8fdb\u884c\u7ba1\u7406\uff0c\u5e76\u4f7f\u7528GitOps\uff0c\u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\uff0c\u53ef\u4ee5\u76f4\u63a5\u7f16\u8f91\u8fd9\u4e9b\u8d44\u6e90\u3002\u4e3a\u4e86\u9632\u6b62\u8fd9\u79cd\u60c5\u51b5\uff0c\u5c06synchronize\u8bbe\u7f6e\u4e3atrue\uff0c\u4ee5\u4fbf\u4e0e\u590d\u5236\u7684\u8d44\u6e90\u8fdb\u884c\u540c\u6b65\u3002<\/p>\n
# \u30b3\u30d4\u30fc\u3057\u305fSecret\u30ea\u30bd\u30fc\u30b9\u306e\u30d1\u30b9\u30ef\u30fc\u30c9\u90e8\u5206\u5909\u66f4<\/span>\r\n$ <\/span>k edit secret sample-secret -n<\/span> test\r\n<\/span>secret\/sample-secret edited\r\n\r\n# \u30b3\u30d4\u30fc\u5143<\/span>\r\n$ <\/span>k get secret sample-secret -o<\/span> yaml -n<\/span> default | grep <\/span>password | head<\/span> -1<\/span>\r\n password: aG9nZQo<\/span>=<\/span>\r\n\r\n# \u30b3\u30d4\u30fc\u5148\u3002edit\u3067\u66f4\u65b0\u3057\u305f\u306e\u306b\u5143\u306b\u623b\u3063\u3066\u308b<\/span>\r\n$ <\/span>k get secret sample-secret -o<\/span> yaml -n<\/span> test<\/span> | grep <\/span>password | head<\/span> -1<\/span>\r\n password: aG9nZQo<\/span>=<\/span>\r\n<\/code><\/pre>\n\u73b0\u5728\uff0c\u521a\u624d\u6211\u4eec\u5c1d\u8bd5\u7f16\u8f91\u4e86\u590d\u5236\u7684\u5185\u5bb9\uff0c\u90a3\u4e48\u5982\u679c\u6211\u4eec\u7f16\u8f91\u539f\u59cb\u5185\u5bb9\u4f1a\u53d1\u751f\u4ec0\u4e48\u5462\uff1f<\/p>\n
# \u30b3\u30d4\u30fc\u5143\u306eSecret\u30ea\u30bd\u30fc\u30b9\u306e\u30d1\u30b9\u30ef\u30fc\u30c9\u90e8\u5206\u5909\u66f4<\/span>\r\n$ <\/span>k edit secret sample-secret -n<\/span> default\r\nsecret\/sample-secret edited\r\n\r\n# \u30b3\u30d4\u30fc\u5143<\/span>\r\n$ <\/span>k get secret sample-secret -o<\/span> yaml -n<\/span> default | grep <\/span>password | head<\/span> -1<\/span>\r\n password: YWFhCg<\/span>==<\/span>\r\n\r\n# \u30b3\u30d4\u30fc\u5148<\/span>\r\n$ <\/span>k get secret sample-secret -o<\/span> yaml -n<\/span> test<\/span> | grep <\/span>password | head<\/span> -1<\/span>\r\n password: YWFhCg<\/span>==<\/span>\r\n<\/code><\/pre>\n\u8fd9\u4e2a\u4e5f\u4f1a\u4e0e\u4e4b\u540c\u6b65\u3002\u5f88\u65b9\u4fbf\uff01<\/p>\n
\u9664\u4e86\u514b\u9686\uff08Clone\uff09\u4e4b\u5916\uff0c\u8fd8\u6709\u54ea\u4e9b\u9009\u9879\u53ef\u4f9b\u9009\u62e9\uff1f<\/h4>\n
\u8fd9\u6b21\u6211\u4eec\u4f7f\u7528\u4e86\u514b\u9686\u529f\u80fd\u3002<\/p>\n
clone<\/span>:<\/span>\r\n namespace<\/span>:<\/span> default<\/span>\r\n name<\/span>:<\/span> sample-secret<\/span>\r\n<\/code><\/pre>\n\u8fd8\u53ef\u4ee5\u76f4\u63a5\u6309\u7167\u58f0\u660e\u7684\u5b9a\u4e49\u8fdb\u884c\u4e66\u5199\u3002<\/p>\n
generate<\/span>:<\/span>\r\n synchronize<\/span>:<\/span> true<\/span>\r\n kind<\/span>:<\/span> ConfigMap<\/span>\r\n name<\/span>:<\/span> zk-kafka-address<\/span>\r\n # generate the resource in the new namespace<\/span>\r\n namespace<\/span>:<\/span> \"<\/span>{{request.object.metadata.name}}\"<\/span>\r\n data<\/span>:<\/span>\r\n kind<\/span>:<\/span> ConfigMap<\/span>\r\n metadata<\/span>:<\/span>\r\n labels<\/span>:<\/span>\r\n somekey<\/span>:<\/span> somevalue<\/span>\r\n data<\/span>:<\/span>\r\n ZK_ADDRESS<\/span>:<\/span> \"<\/span>192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181\"<\/span>\r\n KAFKA_ADDRESS<\/span>:<\/span> \"<\/span>192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092\"<\/span>\r\n<\/code><\/pre>\n\u8d44\u6e90\u53d8\u5f02<\/h2>\n
Mutate Resources\u662f\u4e00\u79cd\u9488\u5bf9\u5339\u914d\u8d44\u6e90\u5e94\u7528\u4fee\u8865\u7a0b\u5e8f\u7684\u529f\u80fd\u3002<\/p>\n
\u6211\u60f3\u5217\u4e3e\u4e00\u4e9b\u9009\u9879\uff1a
\n1. \u6211\u6253\u7b97\u7ee7\u7eed\u63a2\u8ba8\u4e0b\u53bb\u3002
\n2. \u8fd9\u6b21\u6211\u4eec\u5047\u8bbe\u7684\u573a\u666f\u662f\u5e0c\u671b\u5728\u4e00\u4e2a\u547d\u540d\u7a7a\u95f4\u7684Pod\u4e0b\u5fc5\u987b\u52a0\u8f7d\u4e00\u4e2a\u516c\u5171\u7684ConfigMap\u3002<\/p>\n
\u9996\u5148\uff0c\u6211\u4eec\u521b\u5efa\u4e00\u4e2a\u547d\u540d\u7a7a\u95f4\u3002<\/p>\n
$ <\/span>kubectl create namespace test2\r\nnamespace\/test2 created\r\n<\/code><\/pre>\n\u63a5\u4e0b\u6765\uff0c\u6211\u4eec\u5c06\u521b\u5efa\u4e00\u4e2a\u8981\u52a0\u8f7d\u7684ConfigMap\u3002<\/p>\n
apiVersion<\/span>:<\/span> v1<\/span>\r\nkind<\/span>:<\/span> ConfigMap<\/span>\r\nmetadata<\/span>:<\/span>\r\n name<\/span>:<\/span> sample-configmap<\/span>\r\n namespace<\/span>:<\/span> test2<\/span>\r\ndata<\/span>:<\/span>\r\n environment_name<\/span>:<\/span> staging<\/span>\r\n<\/code><\/pre>\n\u6211\u4eec\u9700\u8981\u5199\u4e00\u4e2a\u7b56\u7565\uff0c\u8ba9test2\u4e2d\u7684Pod\u80fd\u591f\u52a0\u8f7d\u4e0a\u8ff0\u7684ConfigMap\u3002\u4f7f\u5f97ConfigMap\u4e2d\u7684\u503c\u53ef\u4ee5\u53d8\u4e3a\u73af\u5883\u53d8\u91cf\u3002<\/p>\n
apiVersion<\/span>:<\/span> kyverno.io\/v1<\/span>\r\nkind<\/span>:<\/span>