CN114595035A - Method for realizing customized scheduling and deletion protection of container resources based on Webhook technology - Google Patents


Info

Publication number
CN114595035A
Authority
CN
China
Prior art keywords
webhook
resource
cluster
user
resources
Legal status
Pending
Application number
CN202210227297.XA
Other languages
Chinese (zh)
Inventor
王艳艳
蔡卫卫
高传集
王文岗
石光银
Current Assignee
Inspur Cloud Information Technology Co Ltd
Original Assignee
Inspur Cloud Information Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45562 Creating, deleting, cloning virtual machine instances
    • G06F2009/4557 Distribution of virtual machine instances; Migration and load balancing
    • G06F2009/45587 Isolation or security of virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention belongs to the technical field of cloud computing and provides a method for realizing customized scheduling and deletion protection of container resources based on webhook technology. It achieves the following: container resources are automatically scheduled to a designated node for creation, ensuring that tenant-side resources cannot occupy management-side resources at creation time; a protection annotation is added to a resource when the resource object is created; and when a key cluster resource is deleted, whether it may be deleted is decided according to whether the protection feature is enabled, which realizes resource deletion protection. The advantages are: customized scheduling of container resources is realized, and management-side resources are protected from being occupied by tenant-side resources without any manual change; key resources in the cluster are protected against deletion, preventing cluster unavailability caused by mistaken deletion of key cluster resources; and the tenant side is allowed to specify the nodes on which containers are installed, satisfying user-defined scheduling.

Description

Method for realizing customized scheduling and deletion protection of container resources based on Webhook technology
Technical Field
The patent relates to the technical field of cloud computing, in particular to a method for achieving customized scheduling and deletion protection of container resources based on a Webhook technology.
Background
Kubernetes provides custom resource types and custom controllers for extending its functionality, and it also provides dynamic admission control, that is, admission control implemented through webhooks. These come in two kinds: the validating admission webhook (ValidatingAdmissionWebhook) and the mutating admission webhook (MutatingAdmissionWebhook). The calling principle of a webhook in Kubernetes is as follows: an admission webhook (mutating or validating) is first registered in the Kubernetes cluster; after a user's request reaches the Kubernetes API server, the API server first calls the webhooks registered through MutatingWebhookConfiguration objects, which may modify the object in the request, and then calls the webhooks registered through ValidatingWebhookConfiguration objects, which verify whether the (already modified) object is legal. When a resource is created or deleted, the configured webhooks are thus called to modify or verify it, and only then is the object persisted into etcd. An admission webhook is an HTTP callback that receives an admission request and does some processing. A validating webhook may reject a request but may not modify the object obtained in the admission request; a mutating webhook may modify the object by returning a patch in its admission response. If a webhook rejects a request, an error is returned to the user.
With the wide adoption of custom resource types, the resource types in a cluster have become diverse, and an operator who is not familiar with the cluster's resources risks bringing the cluster down by deleting a key cluster resource by mistake, so a resource deletion protection mechanism is needed to ensure the security and stability of the cluster.
Disclosure of Invention
The invention aims to provide a method for realizing customized scheduling and deletion protection of container resources based on webhook technology, so as to solve the problems described in the background.
In order to achieve this purpose, the invention provides the following technical scheme:
a method for realizing customized scheduling and deletion protection of container resources based on webhook technology designs a protection mechanism for the deletion of custom cloud resources and, for containers under a tenant-side namespace, supports scheduling to a designated node at creation time;
parameters used by the webhook server are set through a parameter configurator;
when a protected resource is created in the cluster, a protection annotation is added automatically (mutate method): when the mutating controller receives a request to create such a resource, it adds the protection annotation to the resource to be created;
when a request to create a container under a tenant-side namespace is received, a node selector is added automatically so that the container resource is scheduled to the designated node for creation;
deletion of a protected resource is refused while the protection annotation exists (validate method): when the validating controller processes a request to delete a key cluster resource, it decides whether to refuse the deletion according to whether the protection feature is enabled and whether the protection annotation is present;
the method for customized scheduling and deletion protection of container resources comprises the following steps:
step one, configuring the Kubernetes cluster to support the admission webhook plug-in function;
step two, deploying the webhook server and enabling the webhook function;
and step three, using the webhook for deletion protection and customized scheduling.
Preferably, the custom cloud resources include: a custom virtual machine resource, a custom cluster resource, a custom node resource, a custom component upgrade resource, a custom component group and a custom component upgrade group.
Preferably, the management-side namespaces include the namespaces of the important clusters that the platform needs in order to be set up, such as the k8s cluster, the network cluster, the storage cluster, the monitoring cluster and the openstack cluster; every namespace that is not on the management side is a tenant-side namespace, and the management-side namespaces can be configured in the ManagedNamespace parameter.
Preferably, when DaemonSet, Deployment, ReplicaSet, Pod, StatefulSet, Job and CronJob resources are created in a tenant-side namespace, the configured value of TenantNodeSelectors is assigned to the nodeSelector field of the corresponding resource.
Preferably, step one, configuring the Kubernetes cluster to support the admission webhook plug-in function, includes:
s1: ensuring that the Kubernetes API server enables the MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission plug-ins; the API server start-up parameters should contain the following configuration:
--enable-admission-plugins=MutatingAdmissionWebhook,ValidatingAdmissionWebhook;
s2: checking that the admission registration API is enabled in the cluster:
$ kubectl api-versions | grep admission
admissionregistration.k8s.io/${version};
s3: creating RBAC: because the webhook modifies resources, a dedicated ServiceAccount needs to be created, which can be done directly in the Kubernetes cluster;
s4: certificate authentication: a Kubernetes cluster uses HTTPS by default and the API server's calls to the webhook are also made over HTTPS, so the webhook needs a certificate, which in effect authenticates the Service's domain name. The Service's domain name is put into a certificate signing request file server.csr, a Kubernetes CertificateSigningRequest resource is then created, the API server signs the certificate and server-cert.pem is generated, and the originally created private key server-key.pem and the signed certificate server-cert.pem are put into a Secret for the Deployment to use (the CA that signed server-cert.pem must also be placed in the caBundle of the webhook configurations, otherwise the API server will not trust the webhook);
s5: creating a Service, to whose domain name the certificate is issued;
s6: creating the admission Deployment after the ServiceAccount and Secret of the steps above: the certificate stored in the Secret is mounted, and the image is the admission image produced by compiling the webhook server.
Preferably, the process of deploying the webhook server and enabling the webhook function in step two includes:
d1: ensuring that the webhook service is running and able to receive requests from the API server;
d2: deploying the validating webhook: a YAML file for the ValidatingWebhookConfiguration is written, taking care that the path in clientConfig is /validate; RBAC rules are configured as needed and the ValidatingWebhookConfiguration object is created in the cluster, which dynamically adds the webhook to the webhook chain; from then on, whenever a resource is deleted, the request is intercepted and the webhook service is called;
d3: deploying the mutating webhook: a YAML file for the MutatingWebhookConfiguration is written, taking care that the path in clientConfig is /mutate; RBAC rules are configured as needed and the MutatingWebhookConfiguration object is created in the cluster, which dynamically adds the webhook to the webhook chain; from then on, whenever a resource is created, the request is intercepted and the webhook service is called.
Preferably, the process of using the webhook for deletion protection and customized scheduling in step three includes:
n1: using the deletion protection function;
a protectable custom virtual machine resource is deployed in the cluster; after creation succeeds, the manifest can be checked to confirm that the protection annotation is present; because the resource type is listed in the admission server's EnabledValidator parameter, a subsequent attempt to delete the custom virtual machine resource is rejected;
n2: using the customized scheduling function for container resources;
the admission server's MutateNodeSelectorGate is set to true, the management-side namespaces are configured in ManagedNamespace, and the label of the node to which resources should be scheduled is stored in TenantNodeSelectors; a Pod is then created in the cluster in a namespace that does not belong to the management side, and it is automatically scheduled to the node carrying the specified label.
Preferably, the webhook server is an HTTP service with TLS authentication, deployed in the cluster as a Deployment;
it performs validating and mutating admission by listening on two different HTTP paths (/validate and /mutate): after receiving an HTTP request it deserializes an AdmissionReview object from the request body, performs some basic content checks, calls the corresponding mutate or validate method according to the URL path, and serializes the resulting AdmissionReview object into the response.
Preferably, the validating controller checks whether the resource object requires deletion protection;
the resource types for which the deletion protection feature is enabled are set through the EnabledValidator parameter; when the resource type being deleted is a key resource in the cluster, such as a custom virtual machine resource, a custom cluster resource, a custom node resource, a custom component upgrade resource, a custom component group or a custom component upgrade group, and the object carries the protection annotation, the deletion is refused, the failure reason is written into the response, and the user receives the deletion failure message.
Preferably, when the mutating controller processes a request to create a resource:
if MutateNodeSelectorGate is set to true, the customized scheduling feature for container resources is enabled; if the resource type is one of Pod, DaemonSet, Deployment, ReplicaSet, StatefulSet, Job and CronJob, the controller checks whether the namespace of the resource belongs to the management-side namespaces stored in ManagedNamespace; if it is a management-side namespace, no control is applied; if it is a tenant-side namespace, a node selector is set automatically so that the container is scheduled to the designated node; and if the resource type is a custom virtual machine resource, a custom cluster resource, a custom node resource, a custom component upgrade resource, a custom component group, a custom component upgrade group or the like, the protection annotation is added to the custom resource.
Compared with the prior art, the invention has the following beneficial effects:
by combining customized scheduling and deletion protection of container resources, the method automatically schedules tenant-side containers to the designated node and protects management-side resources from being occupied; it applies deletion protection to resource types such as the custom virtual machine resource, custom cluster resource, custom node resource, custom component upgrade resource, custom component group and custom component upgrade group, preventing cluster unavailability caused by mistaken deletion of key cluster resources; and it supports letting the tenant side specify the nodes on which containers are installed, satisfying user-defined scheduling.
Drawings
FIG. 1 is a system flow diagram of the present invention;
FIG. 2 is a diagram of a parameter configurator according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1 to 2, the present invention provides a technical solution:
the invention designs a method for realizing customized scheduling and deletion protection of container resources based on a Webhook technology, which is used for writing codes in the Validating to set a verification rule and checking whether a request is legal by automatically adding some special configurations without the help of a user by using a reporting mechanism of an Admission Webhook, and aims to realize the creation of container resources to a specified node and the deletion protection of cluster key resources by automatically scheduling the container resources at a tenant side.
The overall design scheme is as follows:
parameters used by the webhook server are set through a parameter configurator;
when a protected resource is created in the cluster, a protection annotation is added automatically (mutate method): when the mutating controller receives a request to create such a resource, it adds the protection annotation to the resource to be created;
when a request to create a container under a tenant-side namespace is received, a node selector is added automatically so that the container resource is scheduled to the designated node for creation;
while the protection annotation exists, deletion of the protected resource is refused (validate method): when a request to delete a key cluster resource is processed, the validating controller decides whether to refuse it according to whether the protection feature is enabled and whether the protection annotation is present.
The main parameters have the following meanings:
EnabledValidator: sets the key cluster resources that need deletion protection, such as the custom virtual machine resource and the custom cluster resource;
MutateNodeSelectorGate: sets whether the customized scheduling function for container resources is enabled;
ManagedNamespace: meaningful only when MutateNodeSelectorGate is enabled; stores the management-side namespaces of the cluster;
TenantNodeSelectors: meaningful only when MutateNodeSelectorGate is enabled; the label of the node to which the tenant side of the cluster wants its resources scheduled.
The webhook server design scheme is as follows:
the webhook server is an HTTP service with TLS authentication, deployed in the cluster as a Deployment; it performs validating and mutating admission by listening on two different HTTP paths (/validate and /mutate): after receiving an HTTP request it deserializes an AdmissionReview object from the request body, performs some basic content checks, calls the corresponding mutate or validate method according to the URL path, and serializes the resulting AdmissionReview object into the response.
The design scheme of the validating controller is as follows:
the validating controller checks whether the resource object requires deletion protection;
the resource types for which the deletion protection feature is enabled are set through the EnabledValidator parameter; when the resource type being deleted is a key resource in the cluster, such as a custom virtual machine resource, a custom cluster resource, a custom node resource, a custom component upgrade resource, a custom component group or a custom component upgrade group, and the object carries the protection annotation, the deletion is refused, the failure reason is written into the response, and the end user receives the deletion failure message.
The design scheme of the mutating controller is as follows:
when the mutating controller processes a request to create a resource:
if MutateNodeSelectorGate is set to true, the customized scheduling feature for container resources is enabled;
if the resource type is one of Pod, DaemonSet, Deployment, ReplicaSet, StatefulSet, Job and CronJob, the controller checks whether the namespace of the resource belongs to the management-side namespaces stored in ManagedNamespace; if it is a management-side namespace, no control is applied; if it is a tenant-side namespace, a node selector is set automatically so that the container is scheduled to the specified node; and if the resource type is a custom virtual machine resource, a custom cluster resource, a custom node resource, a custom component upgrade resource, a custom component group, a custom component upgrade group or the like, the protection annotation is added to the custom resource.
The method for customized scheduling and deletion protection of container resources designs a protection mechanism for the deletion of custom cloud resources and, for containers under a tenant-side namespace, supports scheduling to a designated node at creation time; it automatically schedules tenant-side containers to the designated node and protects management-side resources from being occupied; it applies deletion protection to resource types such as the custom virtual machine resource, custom cluster resource, custom node resource, custom component upgrade resource, custom component group and custom component upgrade group, preventing cluster unavailability caused by mistaken deletion of key cluster resources; and it supports letting the tenant side specify the nodes on which containers are installed, satisfying user-defined scheduling.
The method for customized scheduling and deletion protection of container resources comprises the following steps:
Step one, configuring the Kubernetes cluster to support the admission webhook plug-in function:
s1: ensuring that the Kubernetes API server enables the MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission plug-ins; the API server start-up parameters should contain the following configuration:
--enable-admission-plugins=MutatingAdmissionWebhook,ValidatingAdmissionWebhook;
s2: checking that the admission registration API is enabled in the cluster:
$ kubectl api-versions | grep admission
admissionregistration.k8s.io/${version};
s3: creating RBAC: because the webhook modifies resources, a dedicated ServiceAccount needs to be created, which can be done directly in the Kubernetes cluster;
s4: certificate authentication: a Kubernetes cluster uses HTTPS by default and the API server's calls to the webhook are also made over HTTPS, so the webhook needs a certificate, which in effect authenticates the Service's domain name. The Service's domain name is put into a certificate signing request file server.csr, a Kubernetes CertificateSigningRequest resource is then created, the API server signs the certificate and server-cert.pem is generated, and the originally created private key server-key.pem and the signed certificate server-cert.pem are put into a Secret for the Deployment to use (the CA that signed server-cert.pem must also be placed in the caBundle of the webhook configurations, otherwise the API server will not trust the webhook);
s5: creating a Service, to whose domain name the certificate is issued;
s6: creating the admission Deployment after the ServiceAccount and Secret of the steps above: the certificate stored in the Secret is mounted, and the image is the admission image produced by compiling the webhook server.
Step two, deploying the webhook server and enabling the webhook function:
d1: ensuring that the webhook service is running and able to receive requests from the API server;
d2: deploying the validating webhook: a YAML file for the ValidatingWebhookConfiguration is written, taking care that the path in clientConfig is /validate; RBAC rules are configured as needed and the ValidatingWebhookConfiguration object is created in the cluster, which dynamically adds the webhook to the webhook chain; from then on, whenever a resource is deleted, the request is intercepted and the webhook service is called;
d3: deploying the mutating webhook: a YAML file for the MutatingWebhookConfiguration is written, taking care that the path in clientConfig is /mutate; RBAC rules are configured as needed and the MutatingWebhookConfiguration object is created in the cluster, which dynamically adds the webhook to the webhook chain; from then on, whenever a resource is created, the request is intercepted and the webhook service is called.
Step three, using the webhook for deletion protection and customized scheduling:
n1: using the deletion protection function;
a protectable custom virtual machine resource is deployed in the cluster; after creation succeeds, the manifest can be checked to confirm that the protection annotation is present; because the resource type is listed in the admission server's EnabledValidator parameter, a subsequent attempt to delete the custom virtual machine resource is rejected;
n2: using the customized scheduling function for container resources;
the admission server's MutateNodeSelectorGate is set to true, the management-side namespaces are configured in ManagedNamespace, and the label of the node to which resources should be scheduled is stored in TenantNodeSelectors; a Pod is then created in the cluster in a namespace that does not belong to the management side, and it is automatically scheduled to the node carrying the specified label.
The custom cloud resources comprise: a custom virtual machine resource, a custom cluster resource, a custom node resource, a custom component upgrade resource, a custom component group and a custom component upgrade group.
The management-side namespaces include the namespaces of the important clusters that the platform needs in order to be set up, such as the k8s cluster, the network cluster, the storage cluster, the monitoring cluster and the openstack cluster; every namespace that is not on the management side is a tenant-side namespace, and the management-side namespaces can be configured in the ManagedNamespace parameter.
When DaemonSet, Deployment, ReplicaSet, Pod, StatefulSet, Job and CronJob resources are created under a tenant-side namespace, the configured value of TenantNodeSelectors is assigned to the nodeSelector field of the corresponding resource.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (10)

1. A method for realizing customized scheduling and deletion protection of container resources based on a webhook technology, characterized in that: the method for customized scheduling and deletion protection of container resources designs a protection mechanism for the deletion of custom cloud resources and, for containers under a tenant-side namespace, supports scheduling to a designated node at creation time;
parameters used by the webhook server are set through a parameter configurator;
when a protected resource is created in the cluster, a protection annotation is added automatically (mutate method): when the mutating controller receives a request to create such a resource, it adds the protection annotation to the resource to be created;
when a request to create a container under a tenant-side namespace is received, a node selector is added automatically so that the container resource is scheduled to the designated node for creation;
deletion of a protected resource is refused while the protection annotation exists (validate method): when the validating controller processes a request to delete a key cluster resource, it decides whether to refuse the deletion according to whether the protection feature is enabled and whether the protection annotation is present;
the method for customized scheduling and deletion protection of container resources comprises the following steps:
step one, configuring the Kubernetes cluster to support the admission webhook plug-in function;
step two, deploying the webhook server and enabling the webhook function;
and step three, using the webhook for deletion protection and customized scheduling.
2. The method for implementing customized scheduling and deletion protection of container resources based on webhook technology as claimed in claim 1, characterized in that: the custom cloud resources comprise: a custom virtual machine resource, a custom cluster resource, a custom node resource, a custom component upgrade resource, a custom component group and a custom component upgrade group.
3. The method for implementing customized scheduling and deletion protection of container resources based on webhook technology as claimed in claim 1, characterized in that: the management-side namespaces include the namespaces of the important clusters that the platform needs in order to be set up, such as the k8s cluster, the network cluster, the storage cluster, the monitoring cluster and the openstack cluster; a non-management-side namespace is a tenant-side namespace, and the management-side namespaces can be configured in the ManagedNamespace parameter.
4. The method for implementing customized scheduling and deletion protection of container resources based on Webhook technology as claimed in claim 1, wherein: and when creating resources aiming at DaemonSet, Deploymet, ReplicaSet, Pod, Stateful Set, Job and CronJob under the tenant side name space, assigning the configured value of the TenantNodeSelectors to the nodesector field of the corresponding resource.
5. The method for implementing customized scheduling and deletion protection of container resources based on Webhook technology as claimed in claim 1, wherein in step one, the process of configuring the Kubernetes cluster to support the Admission Webhook plug-in function comprises:
s1: ensuring that the Kubernetes APIServer has enabled MutatingAdmissionWebhook and ValidatingAdmissionWebhook; checking the start-up parameters of the APIServer, which should contain the following configuration:
--enable-admission-plugins=MutatingAdmissionWebhook,ValidatingAdmissionWebhook;
s2: checking that the admission registration API is enabled in the cluster:
$kubectl api-versions|grep admission
admissionregistration.k8s.io/${version};
s3: creating RBAC; since the Webhook can modify resources, a separate serviceAccount needs to be created, which can be created directly in the Kubernetes cluster;
s4: certificate authentication; the Kubernetes cluster uses HTTPS communication by default, and the APIServer's calls to the Webhook also go over HTTPS, so certificate authentication is needed: the certificate is issued for the domain name of the Service, so the Service domain name is placed in the certificate signing request file server.csr, then a K8S CertificateSigningRequest resource is created, the APIServer signs the certificate and generates server-cert.pem, and finally the initially created private key server-key.pem and the signed certificate server-cert.pem are placed in a Secret for the Deployment to use;
s5: creating the Service, to whose domain name the certificate is issued;
s6: creating the Admission Deployment; the serviceAccount and Secret were created in the two steps above, the certificate stored in the Secret is mounted, and the image is the Admission image produced by compilation.
6. The method for implementing customized scheduling and deletion protection of container resources based on Webhook technology as claimed in claim 1, wherein in step two, the process of deploying the Webhook server and enabling the Webhook function comprises:
d1: ensuring that the Webhook service is running and can receive requests from the APIServer;
d2: deploying the Validating Webhook: configuring the yaml file of the ValidatingWebhookConfiguration, noting that the path in clientConfig is /validate, configuring RBAC rules as needed, and creating the ValidatingWebhookConfiguration object in the cluster, which dynamically adds the Webhook to the Webhook chain so that as soon as a resource is deleted the request is intercepted and the Webhook service is called;
d3: deploying the Mutating Webhook: configuring the yaml file of the MutatingWebhookConfiguration, noting that the path in clientConfig is /mutate, configuring RBAC rules as needed, and creating the MutatingWebhookConfiguration object in the cluster, which dynamically adds the Webhook to the Webhook chain so that as soon as a resource is created the request is intercepted and the Webhook service is called.
7. The method for implementing customized scheduling and deletion protection of container resources based on Webhook technology as claimed in claim 1, wherein in step three, the process of using the Webhook for deletion protection and the customized scheduling function comprises:
n1: using the deletion protection function;
a custom virtual machine resource that can be protected is deployed in the cluster; after it is created successfully, its manifest is checked and the protection annotation is present; since this resource type is listed in the enabledValidator parameter of the Admission, a subsequent attempt to delete the custom virtual machine resource is rejected;
n2: using the customized scheduling function for container resources;
the MutateNodeSelectorGate of the Admission is set to true, the management-side namespaces are configured with ManagedNameSpace, and the labels of the nodes on which resources must be scheduled are stored in TenantNodeSelectors; when a pod whose namespace is not a management-side namespace is created in the cluster, it is automatically scheduled to the node carrying the specified label.
8. The method for implementing customized scheduling and deletion protection of container resources based on Webhook technology as claimed in claim 1, wherein the Webhook server is an HTTP service with TLS authentication, deployed in the cluster as a Deployment;
it serves the Validating Webhook and the Mutating Webhook on two different HTTP paths (/validate and /mutate); on receiving an HTTP request it deserializes the AdmissionReview object from the request, performs some basic content checks, calls the corresponding Validating or Mutating method according to the URL path, and serializes the AdmissionReview object into the response.
9. The method for implementing customized scheduling and deletion protection of container resources based on Webhook technology as claimed in claim 1, wherein the Validating controller checks whether the resource object requires deletion protection;
the resource types for which the deletion protection feature is enabled are set through the EnabledValidator parameter; when the resource type to be deleted is a key resource of the cluster, such as a custom virtual machine resource, a custom cluster resource, a custom node resource, a custom component upgrade resource, a custom component group or a custom component upgrade group, and the resource carries the protection annotation, the deletion is refused, the failure reason is written into the response, and the user receives the deletion-failure information.
10. The method for implementing customized scheduling and deletion protection of container resources based on Webhook technology as claimed in claim 1, wherein when the Mutating controller processes a request to create a resource:
when MutateNodeSelectorGate is set to true, the customized scheduling feature for container resources is enabled; if the resource type is one of Pod, DaemonSet, Deployment, ReplicaSet, StatefulSet, Job and CronJob, it is checked whether the namespace of the resource belongs to the management-side namespaces stored in ManagedNameSpace; if it is a management-side namespace, no control is applied; if it is a tenant-side namespace, a node selector is set automatically to schedule the container to the designated node; and if the resource type is a custom virtual machine resource, a custom cluster resource, a custom node resource, a custom component upgrade resource, a custom component group, a custom component upgrade group or the like, the protection annotation is added to the custom resource.
CN202210227297.XA 2022-03-08 2022-03-08 Method for realizing customized scheduling and deletion protection of container resources based on Webhook technology Pending CN114595035A (en)


Publications (1)

Publication Number Publication Date
CN114595035A true CN114595035A (en) 2022-06-07

Family

ID=81808917



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination