How to enable DefaultStorageClass admission controllers on a GKE cluster?

There are some great admission controllers such as DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize that enforce some k8s best practices to your cluster.

In order to enable an admission controller you must have admin access to the k8s api-server, but on GKE you don't have that.

So how can we enable these admission controllers in GKE?

Note: I saw few related questions raised in the past but with no answers like question3 and question4.

It's not possible to modify enabled admission controllers, as that would require modifying the --enable-admission-plugins API server configuration option, and that is not possible on GKE, nor are there any alternative ways to set this option at the moment.

Now, looking at each of the individual controllers mentioned:

  • DefaultStorageClass - this admission controller is enabled in GKE. You can check that the standard pre-created storage class has the storageclass.kubernetes.io/is-default-class: "true" annotation. In order to use a different SC as default, remove this annotation from the standard storage class, and add it to the SC of your choice.

  • StorageObjectInUseProtection - this admission controller is enabled in GKE; you can observe that the kubernetes.io/pv-protection and kubernetes.io/pvc-protection finalizers are added to PVs, resp. PVCs, in use, preventing their deletion.

  • PersistentVolumeClaimResize - this admission controller is also enabled in GKE. You can verify this by creating a storage class with allowVolumeExpansion: false annotation 1 (note the standard SC does allow expansion), create a PVC and try to increase its size. You'll receive an error such as:

     error: persistentvolumeclaims "my-pvc" could not be patched: persistentvolumeclaims "my-pvc" is forbidden: only dynamically provisioned pvc can be resized and the storageclass that provisions the pvc must support resize

At last, if you would want to enable a controller that is actually not enabled on GKE, you would need to reimplement and deploy this as a standalone service into your cluster and use K8s' ValidatingWebhookConfiguration or MutatingWebhookConfiguration to connect the K8s API to your service via webhook 2. Apart from implementing this from scratch, there are many projects that can help, OPA Gatekeeper 3 and Metacontroller 4 to list some examples.
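As an added example (not code from the question, the answer, GKE or Kubernetes), here is a minimal mutating admission webhook in Python that reproduces the DefaultStorageClass behaviour described above: when a PersistentVolumeClaim is created without a storageClassName, the webhook patches in the StorageClass carrying the storageclass.kubernetes.io/is-default-class annotation. It assumes the StorageClass list is handed to the handler by the caller (a real deployment would fetch it from the API server with a client; here it is constructed inline so the logic runs offline) and it rejects a PVC when more than one class is marked default, a design choice of this example to surface the ambiguity rather than guess.

```python
"""Minimal mutating admission webhook reproducing DefaultStorageClass semantics.

Example code added next to the answer above; not part of GKE or Kubernetes.
The StorageClass list is passed in (constructed below) so it runs offline.
"""
import base64
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

DEFAULT_ANNOTATION = "storageclass.kubernetes.io/is-default-class"


def default_storage_classes(storage_classes):
    """Return the names of StorageClasses carrying the default-class annotation."""
    return [
        sc["metadata"]["name"]
        for sc in storage_classes
        if (sc.get("metadata", {}).get("annotations") or {}).get(DEFAULT_ANNOTATION) == "true"
    ]


def wrap(resp):
    """Wrap a response object in the AdmissionReview envelope the API server expects."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}


def admit_pvc(review, storage_classes):
    """Build the AdmissionReview response for a PersistentVolumeClaim CREATE.

    - storageClassName absent            -> JSON-patch in the single default class
    - storageClassName present (even "") -> leave the object untouched
    - no default class                   -> allow unchanged
    - more than one default class        -> deny as ambiguous (choice of this example)
    """
    req = review["request"]
    pvc = req["object"]
    resp = {"uid": req["uid"], "allowed": True}
    is_pvc_create = (
        req.get("kind", {}).get("kind") == "PersistentVolumeClaim"
        and req.get("operation") == "CREATE"
    )
    if not is_pvc_create or "storageClassName" in pvc.get("spec", {}):
        return wrap(resp)
    defaults = default_storage_classes(storage_classes)
    if not defaults:
        return wrap(resp)
    if len(defaults) > 1:
        resp["allowed"] = False
        resp["status"] = {"code": 400,
                          "message": f"ambiguous default StorageClasses: {sorted(defaults)}"}
        return wrap(resp)
    patch = [{"op": "add", "path": "/spec/storageClassName", "value": defaults[0]}]
    resp["patchType"] = "JSONPatch"
    resp["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return wrap(resp)


def decode_patch(response):
    """Decode the base64 JSON patch from a response, or None if there is no patch."""
    patch = response["response"].get("patch")
    return json.loads(base64.b64decode(patch)) if patch else None


class Handler(BaseHTTPRequestHandler):
    """HTTP endpoint the MutatingWebhookConfiguration would point at."""
    storage_classes = []  # populated at startup in a real deployment

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        review = json.loads(self.rfile.read(length))
        body = json.dumps(admit_pvc(review, self.storage_classes)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# Constructed sample data: one default class ("standard", as on GKE) and one without the annotation.
SAMPLE_STORAGE_CLASSES = [
    {"metadata": {"name": "standard", "annotations": {DEFAULT_ANNOTATION: "true"}}},
    {"metadata": {"name": "fast-ssd"}},
]


def sample_review(spec):
    """Construct an AdmissionReview request for creating a PVC with the given spec."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": "uid-1", "operation": "CREATE",
                        "kind": {"group": "", "version": "v1", "kind": "PersistentVolumeClaim"},
                        "object": {"metadata": {"name": "my-pvc"}, "spec": spec}}}


if __name__ == "__main__":
    review = sample_review({"accessModes": ["ReadWriteOnce"]})
    print(json.dumps(admit_pvc(review, SAMPLE_STORAGE_CLASSES), indent=2))
    # A real deployment serves this over TLS behind a MutatingWebhookConfiguration
    # whose rules match CREATE on persistentvolumeclaims; local plain-HTTP listener:
    # Handler.storage_classes = SAMPLE_STORAGE_CLASSES
    # HTTPServer(("127.0.0.1", 8443), Handler).serve_forever()
```

The same split between a pure admit function and a thin HTTP handler is what makes it easy to test the policy offline; the TLS termination, the CA bundle in the MutatingWebhookConfiguration and the StorageClass lookup are the deployment-specific parts left out here.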
