Scale Kubernetes deployments via API
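I want to scale (up and down) a deployment from a POD. In other words, how would a POD in a namespace send a Kubernetes API call to scale a deployment?
I created a role and assigned it to a service account with the following permissions in order to send the API call: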
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2019-05-19T18:52:09Z"
  name: {name}-sa
  namespace: {name}
  resourceVersion: "11378025"
  selfLink: /api/v1/namespaces/{name}/serviceaccounts/{name}-sa
  uid: 34606554-7a67-11e9-8e78-c6f4a9a0006a
secrets:
- name: {name}-sa-token-mgk5z

apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    creationTimestamp: "2019-05-17T13:21:09Z"
    name: {name}-{name}-api-role
    namespace: {name}
    resourceVersion: "10985868"
    selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/{name}/roles/{name}-{name}-api-role
    uid: a298e71a-78a6-11e9-b54a-c6f4a9a00070
  rules:
  - apiGroups:
    - extensions
    - apps
    resources:
    - deployments
    verbs:
    - get
    - list
    - watch
    - create
    - update
    - patch
    - delete
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    creationTimestamp: "2019-05-17T13:45:46Z"
    name: {name}-{name}-api-rolebind
    namespace: {name}
    resourceVersion: "11378111"
    selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/{name}/rolebindings/{name}-{name}-api-rolebind
    uid: 12812ea7-78aa-11e9-89ae-c6f4a9a00064
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: {name}-{name}-api-role
  subjects:
  - kind: ServiceAccount
    name: {name}-sa
    namespace: {name}
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
I can retrieve the deployment with the following command, but I could not find how to scale it.
https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/apis/apps/v1/namespaces/{name}/deployments/{name}
I tried the following command to scale it, but it failed:
curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -X PUT -d '[{ \
"op":"replace", \
"path":"/spec/replicas", \
"value": "2" \
}]' https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/apis/apps/v1/namespaces/{name}/deployments/{name}
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "deployments.apps \"{name}\" is forbidden: User \"system:serviceaccount:{name}:default\" cannot resource \"deployments\" in API group \"apps\" in the namespace \"{name}\"",
  "reason": "Forbidden",
  "details": {
    "name": "{name}",
    "group": "apps",
    "kind": "deployments"
  },
  "code": 403
}
Using Kubernetes v1.16.13 on GKE.
I found that if you give patch permission on the deployments/scale resource, you can do PATCH /apis/apps/v1/namespaces/default/deployments/{name}/scale.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {name}
rules:
- apiGroups: ["apps"]
  resources: ["deployments/scale"]
  verbs: ["patch"]
I finally found a way to scale a deployment from a POD via a Kubernetes API call:
curl -X PATCH --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
  -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
  https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/apis/extensions/v1beta1/namespaces/{NAMESPACE}/deployments/{NAME} \
  -H 'Content-Type: application/strategic-merge-patch+json' \
  -d '{"spec":{"replicas":1}}'
I had to create a new service account and assign it the role mentioned at the beginning.
Thank you all for your support.
In kubernetes 1.14, I had to do this:
#!/bin/sh
set -e
NUMBER_OF_REPLICAS="$1"
CURRENT_NAMESPACE="$2"
DEPLOYMENT_NAME="$3"
# Token and CA certificate mounted into the pod for its ServiceAccount
KUBE_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
KUBE_CACRT_PATH="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
PAYLOAD="{\"spec\":{\"replicas\":$NUMBER_OF_REPLICAS}}"
curl --cacert "$KUBE_CACRT_PATH" \
  -X PATCH \
  -H "Content-Type: application/strategic-merge-patch+json" \
  -H "Authorization: Bearer $KUBE_TOKEN" \
  --data "$PAYLOAD" \
  "https://$KUBERNETES_SERVICE_HOST/apis/apps/v1/namespaces/$CURRENT_NAMESPACE/deployments/$DEPLOYMENT_NAME"
Note that $KUBERNETES_SERVICE_HOST is set automatically inside the Pod.
And don't forget that you need to set up a ServiceAccount with permission to patch deployments in order to be able to make the API call from inside the pod. Example:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: example
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["patch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example
subjects:
- kind: ServiceAccount
  name: example
roleRef:
  kind: Role
  name: example
  apiGroup: rbac.authorization.k8s.io
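A hardened variant of the script in the answer above, as an added example that is not part of the original answer: it rejects arguments that would alter the JSON body or the URL path, and it targets the /scale subresource so the ServiceAccount needs only patch on deployments/scale. MAX_REPLICAS, SA_DIR and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: validate arguments before they reach the JSON body or URL path,
# then PATCH only the /scale subresource with the pod's ServiceAccount token.
LC_ALL=C; export LC_ALL   # make [a-z] mean ASCII lowercase only
SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"
MAX_REPLICAS="${MAX_REPLICAS:-20}"   # assumed ceiling; choose one per workload

# Accept only a plain decimal integer in [0, MAX_REPLICAS], no leading zeros.
valid_replicas() {
    case "$1" in
        ''|0?*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 4 ] && [ "$1" -le "$MAX_REPLICAS" ]
}

# Accept only DNS-1123 labels, so a name cannot add path segments or a query
# string. Stricter than the API for deployment names, which may contain '.'.
valid_name() {
    case "$1" in
        ''|-*|*-|*[!a-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Print the request URL (line 1) and merge-patch body (line 2), or fail.
build_scale_request() {   # args: replicas namespace deployment
    valid_replicas "$1" || { echo "bad replica count" >&2; return 1; }
    valid_name "$2" || { echo "bad namespace" >&2; return 1; }
    valid_name "$3" || { echo "bad deployment name" >&2; return 1; }
    printf 'https://%s:%s/apis/apps/v1/namespaces/%s/deployments/%s/scale\n' \
        "$KUBERNETES_SERVICE_HOST" "${KUBERNETES_PORT_443_TCP_PORT:-443}" "$2" "$3"
    printf '{"spec":{"replicas":%s}}\n' "$1"
}

scale_deployment() {      # args: replicas namespace deployment
    req=$(build_scale_request "$@") || return 1
    url=$(printf '%s\n' "$req" | sed -n 1p)
    body=$(printf '%s\n' "$req" | sed -n 2p)
    # --fail turns an HTTP error such as the 403 in the question into a non-zero exit.
    curl --fail --silent --show-error --cacert "$SA_DIR/ca.crt" \
        -X PATCH -H "Content-Type: application/merge-patch+json" \
        -H "Authorization: Bearer $(cat "$SA_DIR/token")" \
        --data "$body" "$url"
}

# Run only when called with three arguments, so the file can also be sourced.
if [ "$#" -eq 3 ]; then
    scale_deployment "$@"
fi
```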
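Try this:
# Use https and authenticate with the pod's ServiceAccount token; replicas must be an integer.
SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount
API_URL="https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/apis/apps/v1/namespaces/{namespace}/deployments/{name}/scale"
PAYLOAD='[{"op":"replace","path":"/spec/replicas","value":2}]'
curl -X PATCH --cacert "$SA_DIR/ca.crt" -H "Authorization: Bearer $(cat "$SA_DIR/token")" \
  -H 'Content-Type: application/json-patch+json' -d "$PAYLOAD" "$API_URL"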