Scaling a Kubernetes Deployment via the API
I want to scale a deployment (up and down) from a pod. In other words, how can a pod in a namespace send a Kubernetes API call to scale a deployment? I created a role and assigned it to a service account with the following permissions in order to send the API call:
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2019-05-19T18:52:09Z"
  name: {name}-sa
  namespace: {name}
  resourceVersion: "11378025"
  selfLink: /api/v1/namespaces/{name}/serviceaccounts/{name}-sa
  uid: 34606554-7a67-11e9-8e78-c6f4a9a0006a
secrets:
- name: {name}-sa-token-mgk5z

apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    creationTimestamp: "2019-05-17T13:21:09Z"
    name: {name}-{name}-api-role
    namespace: {name}
    resourceVersion: "10985868"
    selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/{name}/roles/{name}-{name}-api-role
    uid: a298e71a-78a6-11e9-b54a-c6f4a9a00070
  rules:
  - apiGroups:
    - extensions
    - apps
    resources:
    - deployments
    verbs:
    - get
    - list
    - watch
    - create
    - update
    - patch
    - delete
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    creationTimestamp: "2019-05-17T13:45:46Z"
    name: {name}-{name}-api-rolebind
    namespace: {name}
    resourceVersion: "11378111"
    selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/{name}/rolebindings/{name}-{name}-api-rolebind
    uid: 12812ea7-78aa-11e9-89ae-c6f4a9a00064
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: {name}-{name}-api-role
  subjects:
  - kind: ServiceAccount
    name: {name}-sa
    namespace: {name}
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
I can retrieve the deployment with the following URL, but I can't figure out how to scale it:
https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/apis/apps/v1/namespaces/{name}/deployments/{name}
I tried to scale it with the following command, but it fails:
curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -X PUT -d '[{ \
    "op":"replace", \
    "path":"/spec/replicas", \
    "value": "2" \
}]' \
https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/apis/apps/v1/namespaces/{name}/deployments/{name}
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "deployments.apps \"{name}\" is forbidden: User \"system:serviceaccount:{name}:default\" cannot resource \"deployments\" in API group \"apps\" in the namespace \"{name}\"",
  "reason": "Forbidden",
  "details": {
    "name": "{name}",
    "group": "apps",
    "kind": "deployments"
  },
  "code": 403
}
Try this:
API_URL="http://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/apis/apps/v1/namespaces/{namespace}/deployments/{name}/scale"
PAYLOAD='[{"op":"replace","path":"/spec/replicas","value":"2"}]'
curl -X PATCH -d$PAYLOAD -H 'Content-Type: application/json-patch+json' $API_URL
I finally found a way to scale a deployment from a pod through a Kubernetes API call:
curl -X PATCH --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
  https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/apis/extensions/v1beta1/namespaces/{NAMESPACE}/deployments/{NAME} \
  -H 'Content-Type: application/strategic-merge-patch+json' \
  -d '{"spec":{"replicas":1}}'
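I had to create a new service account and assign the role to it, as mentioned at the beginning.
Thanks, everyone, for your support.

In Kubernetes 1.14, I had to do this: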
#!/bin/bash
set -e

NUMBER_OF_REPLICAS="$1"
CURRENT_NAMESPACE="$2"
DEPLOYMENT_NAME="$3"

# Credentials that Kubernetes mounts into every pod for its service account
KUBE_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
KUBE_CACRT_PATH="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"

PAYLOAD="{\"spec\":{\"replicas\":$NUMBER_OF_REPLICAS}}"

curl --cacert "$KUBE_CACRT_PATH" \
     -X PATCH \
     -H "Content-Type: application/strategic-merge-patch+json" \
     -H "Authorization: Bearer $KUBE_TOKEN" \
     --data "$PAYLOAD" \
     https://$KUBERNETES_SERVICE_HOST/apis/apps/v1/namespaces/$CURRENT_NAMESPACE/deployments/$DEPLOYMENT_NAME
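Note that $KUBERNETES_SERVICE_HOST is set automatically by Kubernetes inside pods.
Don't forget that you need to set up a ServiceAccount with permission to patch deployments in order to make the API call from inside the pod. For example: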
apiVersion: v1
kind: ServiceAccount
metadata:
  name: example
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["patch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example
subjects:
- kind: ServiceAccount
  name: example
roleRef:
  kind: Role
  name: example
  apiGroup: rbac.authorization.k8s.io
Using Kubernetes v1.16.13 on GKE, I found that if you grant the patch permission on the deployments/scale resource, you can PATCH /apis/apps/v1/namespaces/default/deployments/{name}/scale:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {name}
rules:
- apiGroups: ["apps"]
  resources: ["deployments/scale"]
  verbs: ["patch"]
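Comments:

I ran the command you suggested and got the following message, without any scaling: # curl -X PATCH -d$PAYLOAD -H 'Content-Type: application/json-patch+json' $API_URL Warning: Binary output can mess up your terminal. Use "--output -" to tell Warning: curl to output it to your terminal anyway, or consider "--output Warning: <FILE>" to save to a file.

Sorry, can you try HTTPS instead of HTTP?

I get a 403 (reason: Forbidden) error, which says that the default SA cannot patch resource "deployments/scale" in API group "apps". Do I have to create a new service account in the namespace?

Yes, the default service account cannot patch deployments. Actually, from the description, haven't you already created an SA?

No, I haven't created a new service account, but I have assigned the default account to the role I created. So, should I create a new SA and try that?

Underrated answer! I've been looking for this for a long time. When the Deployment resource moved from extensions/v1beta1 to apps/v1, the rule verbs needed to change from "update" to "patch". You get a point, since you're the first one to point this out to me. Where did you find documentation on this?

I can't quite remember, but it was guesswork from multiple sources, with no direct documentation.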
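
An added example, not code from the thread: the scale call from the answers above, sent to the /scale subresource so that the Role needs only patch on deployments/scale, with the replica count and object names validated before they are interpolated into the JSON body and the URL. The function names and the four-digit replica cap are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): least-privilege scaling from inside a pod.
export LC_ALL=C   # byte-wise character ranges in the patterns below
SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount

# Accept only a plain non-negative integer without leading zeros, so nothing
# else can be spliced into the JSON body (4-digit cap is this example's choice).
valid_replicas() {
  case "$1" in
    ''|*[!0-9]*|0?*) return 1 ;;
  esac
  [ "${#1}" -le 4 ]
}

# Restrict names to the characters of DNS-1123 names; this also rejects
# '/' and a leading '.', so a name cannot redirect the request path.
valid_name() {
  case "$1" in
    ''|*[!a-z0-9.-]*|-*|*-|.*|*.) return 1 ;;
  esac
  [ "${#1}" -le 253 ]
}

build_scale_payload() {  # args: replicas
  valid_replicas "$1" || return 1
  printf '{"spec":{"replicas":%s}}' "$1"
}

# Target the scale subresource rather than the whole Deployment object.
build_scale_url() {  # args: namespace, deployment
  valid_name "$1" && valid_name "$2" || return 1
  printf 'https://%s:%s/apis/apps/v1/namespaces/%s/deployments/%s/scale' \
    "$KUBERNETES_SERVICE_HOST" "${KUBERNETES_PORT_443_TCP_PORT:-443}" "$1" "$2"
}

scale_deployment() {  # args: namespace, deployment, replicas
  url=$(build_scale_url "$1" "$2") || { echo "invalid namespace or name" >&2; return 2; }
  body=$(build_scale_payload "$3") || { echo "invalid replica count" >&2; return 2; }
  curl --silent --show-error --fail \
    --cacert "$SA_DIR/ca.crt" \
    -X PATCH \
    -H "Authorization: Bearer $(cat "$SA_DIR/token")" \
    -H 'Content-Type: application/merge-patch+json' \
    --data "$body" "$url"
}

# Run only when called as: script <namespace> <deployment> <replicas>
if [ "$#" -eq 3 ]; then scale_deployment "$@"; fi
```

With a Role limited to patch on deployments/scale, a token taken from this pod can change replica counts in the namespace but cannot edit pod templates or delete deployments, which the Role in the question allows.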