
What's the difference between a Kubernetes Admission Controller (Plugin) and an Admission Webhook?

Admission Controllers (Plugins) and Admission Webhooks look very similar on the surface. What is the actual, functional difference?

Admission Controllers are conflated to mean both Admission Plugins and Admission Webhooks by experts and even the official documentation. I will call them Admission Plugins and Admission Webhooks to prevent confusion.

Admission Plugins are not an API resource. They can't be created by cluster administrators. They are hardcoded into the Kubernetes source code.

Specifically, Admission Plugins are a tool with limitless power. Since they are baked into kube-apiserver, they have the ability to simply request resources without authentication. They use this power to implement the DefaultStorageClass Admission Plugin, which checks all of the StorageClasses to find one with a default annotation applied to it.

Admission Webhooks, on the other hand, are actually an implementation of an Admission Plugin, with the extra power removed. Note how a Webhook.Validator does not have the ability to access any resources besides the exact object being validated at the time. Admission Webhooks are API resources, and are usually the first thing recommended when implementing a validator for a Kubernetes Operator, or a CRD in general. Despite this, signed certificates are required, which can make you abandon the whole idea.

What does this mean for the average developer?

To write a validator that relies on checking existing objects in the cluster, you need to go through extra steps by using the Kubernetes Golang Client API, which relies on having a service account token with the correct RBAC applied.

You can also update your object with a Status instead, explaining the reason validation failed. If you are writing a Kubernetes Operator, that can be written in the reconciliation loop.

If you have written a fancy UI for your custom resource, you should be able to read these statuses and expose them to the user in a nicer way. Unfortunately, OpenShift 4.X users are not able to add fancy UIs to the OpenShift Web Console, and will have to settle for exposing Routes.
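To make the answer's point concrete, here is an added example (not code from the question, the answer, or the Kubernetes project) of a minimal validating admission webhook in Go. It uses only the standard library: the `AdmissionReview` structs are a hand-written mirror of the admission.k8s.io/v1 wire format (an assumption; a real webhook would import `k8s.io/api/admission/v1`), the policy requiring an `owner` label is made up for illustration, and `tls.crt`/`tls.key` are placeholders for the signed certificate the API server insists on. The `Validate` function receives nothing but the raw object under review, which is exactly the limitation the answer describes: any check against other cluster objects would need a separate authenticated client with its own RBAC.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
)

// Local mirror of the admission.k8s.io/v1 AdmissionReview wire format.
// Assumption made so the example builds with the standard library only;
// production code would use the types from k8s.io/api/admission/v1.
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}

type AdmissionRequest struct {
	UID       string          `json:"uid"`
	Operation string          `json:"operation"`
	Object    json.RawMessage `json:"object"` // the only object the webhook is handed
}

type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Result  *Status `json:"status,omitempty"`
}

type Status struct {
	Code    int    `json:"code,omitempty"`
	Message string `json:"message,omitempty"`
}

// objectMeta is the slice of any Kubernetes object that the policy needs.
type objectMeta struct {
	Metadata struct {
		Name   string            `json:"name"`
		Labels map[string]string `json:"labels"`
	} `json:"metadata"`
}

// Validate applies a made-up policy: every object must carry an "owner"
// label. It can only inspect raw, the object under review; checking other
// cluster objects would require a client-go client and matching RBAC.
func Validate(raw json.RawMessage) (bool, string) {
	var obj objectMeta
	if err := json.Unmarshal(raw, &obj); err != nil {
		return false, "object is not valid JSON: " + err.Error()
	}
	if obj.Metadata.Labels["owner"] == "" {
		return false, fmt.Sprintf("object %q is missing the required label \"owner\"", obj.Metadata.Name)
	}
	return true, ""
}

// Review decodes an AdmissionReview request and builds the response,
// echoing the request UID as the API server requires.
func Review(body []byte) (*AdmissionReview, error) {
	var in AdmissionReview
	if err := json.Unmarshal(body, &in); err != nil {
		return nil, err
	}
	if in.Request == nil {
		return nil, fmt.Errorf("AdmissionReview has no request")
	}
	allowed, msg := Validate(in.Request.Object)
	out := &AdmissionReview{
		APIVersion: in.APIVersion,
		Kind:       in.Kind,
		Response:   &AdmissionResponse{UID: in.Request.UID, Allowed: allowed},
	}
	if !allowed {
		out.Response.Result = &Status{Code: http.StatusForbidden, Message: msg}
	}
	return out, nil
}

// Handler is the HTTPS endpoint the API server posts AdmissionReviews to.
func Handler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	out, err := Review(body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(out)
}

func main() {
	http.HandleFunc("/validate", Handler)
	// The API server only calls webhooks over TLS; tls.crt and tls.key are
	// placeholders for a certificate the cluster's CA bundle trusts.
	log.Fatal(http.ListenAndServeTLS(":8443", "tls.crt", "tls.key", nil))
}
```

A denied request comes back with `allowed: false` and a 403 status message that kubectl shows to the user, which is the webhook equivalent of the Status-field approach the answer mentions for operators: the difference is that the webhook rejects the write up front, while a reconciliation loop records the failure after the object already exists.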
