在联邦中设置放置策略

此页面显示如何使用外部策略引擎对联邦资源强制执行基于策略的放置决策。

您需要一个正在运行的 Kubernetes 集群(它被引用为主机集群)。有关您的平台的安装说明,请参阅指南。

可以使用 kubefed init 部署联邦控制平面。

Deploying 联邦控制平面之后,必须在联邦 API 服务器中配置一个准入控制器,该控制器强制执行从外部策略引擎接收到的放置决策。

下图是准入控制器的 ConfigMap 示例:

ConfigMap 包含三个文件:

  • config.yml 指定 调度策略 准入控制器配置文件的位置。
  • scheduling-policy-config.yml 指定与外部策略引擎联系所需的 kubeconfig 文件的位置。 该文件还可以包含一个 retryBackoff 值,该值以毫秒为单位控制初始重试 backoff 延迟。
  • opa-kubeconfig 是一个标准的 kubeconfig,包含联系外部策略引擎所需的 URL 和凭证。
  1. kubectl -n federation-system edit deployment federation-apiserver

更新 Federation API 服务器命令行参数以启用准入控制器, 并将 ConfigMap 挂载到容器中。如果存在现有的 -enable-admissionplugins 参数,则追加 SchedulingPolicy 而不是添加另一行。

  1. --enable-admission-plugins=SchedulingPolicy
  2. --admission-control-config-file=/etc/kubernetes/admission/config.yml

将以下卷添加到联邦 API 服务器 pod:

  1. - name: admission-config
  2.   configMap:
  3.     name: admission

添加以下卷挂载联邦 API 服务器的 apiserver 容器:

Open Policy Agent (OPA) 是一个开源的通用策略引擎, 您可以使用它在联邦控制平面中执行基于策略的放置决策。

在主机群集中创建服务以联系外部策略引擎:

  1. kubectl create -f policy-engine-service.yaml

下面显示的是 OPA 的示例服务。

使用联邦控制平面在主机群集中创建部署:

  1. kubectl create -f policy-engine-deployment.yaml

外部策略引擎将发现在 Federation API 服务器的 kube-federation-scheduling-policy 命名空间中创建的放置策略。

如果命名空间尚不存在,请创建它:

配置一个示例策略来测试外部策略引擎:

  1. # OPA supports a high-level declarative language named Rego for authoring and
  2. # enforcing policies. For more information on Rego, visit
  3. # http://openpolicyagent.org.
  5. # Rego policies are namespaced by the "package" directive.
  6. package kubernetes.placement
  8. # Imports provide aliases for data inside the policy engine. In this case, the
  9. # policy simply refers to "clusters" below.
  10. import data.kubernetes.clusters
  12. # The "annotations" rule generates a JSON object containing the key
  13. # "federation.kubernetes.io/replica-set-preferences" mapped to <preferences>.
  14. # The preferences values is generated dynamically by OPA when it evaluates the
  15. # rule.
  16. #
  17. # The SchedulingPolicy Admission Controller running inside the Federation API
  18. # server will merge these annotations into incoming Federated resources. By
  19. # setting replica-set-preferences, we can control the placement of Federated
  20. # ReplicaSets.
  21. #
  22. # Rules are defined to generate JSON values (booleans, strings, objects, etc.)
  23. # When OPA evaluates a rule, it generates a value IF all of the expressions in
  24. # the body evaluate successfully. All rules can be understood intuitively as
  25. # <head> if <body> where <body> is true if <expr-1> AND <expr-2> AND ...
  26. # <expr-N> is true (for some set of data.)
  27. annotations["federation.kubernetes.io/replica-set-preferences"] = preferences {
  28.     input.kind = "ReplicaSet"
  29.     value = {"clusters": cluster_map, "rebalance": true}
  30.     json.marshal(value, preferences)
  31. }
  33. # This "annotations" rule generates a value for the "federation.alpha.kubernetes.io/cluster-selector"
  34. # annotation.
  35. #
  36. # that are not annotated with "criticality=low" MUST be placed on clusters
  37. # labelled with "on-premises=true".
  38. annotations["federation.alpha.kubernetes.io/cluster-selector"] = selector {
  39.     input.metadata.namespace = "production"
  40.     not input.metadata.annotations.criticality = "low"
  41.     json.marshal([{
  42.         "operator": "=",
  43.         "key": "on-premises",
  44.         "values": "[true]",
  45.     }], selector)
  46. }
  48. # Generates a set of cluster names that satisfy the incoming Federated
  49. # ReplicaSet's requirements. In this case, just PCI compliance.
  50. replica_set_clusters[cluster_name] {
  51.     clusters[cluster_name]
  52.     not insufficient_pci[cluster_name]
  53. }
  55. # Generates a set of clusters that must not be used for Federated ReplicaSets
  56. # that request PCI compliance.
  57. insufficient_pci[cluster_name] {
  58.     clusters[cluster_name]
  59.     input.metadata.annotations["requires-pci"] = "true"
  60.     not pci_clusters[cluster_name]
  61. }
  63. # Generates a set of clusters that are PCI certified. In this case, we assume
  64. # clusters are annotated to indicate if they have passed PCI compliance audits.
  65. pci_clusters[cluster_name] {
  66.     clusters[cluster_name].metadata.annotations["pci-certified"] = "true"
  67. }
  69. # Helper rule to generate a mapping of desired clusters to weights. In this
  70. # case, weights are static.
  71. cluster_map[cluster_name] = {"weight": 1} {
  72.     replica_set_clusters[cluster_name]
  73. }

下面显示的是创建示例策略的命令:

  1. kubectl --context=federation -n kube-federation-scheduling-policy create configmap scheduling-policy --from-file=policy.rego

这个示例策略说明了一些关键思想:

  • 位置策略可以引用联邦资源中的任何字段。
  • 放置策略可以利用外部上下文(例如,集群元数据)来做出决策。
  • 管理策略可以集中管理。
  • 策略可以定义简单的接口(例如 requirements -pci 注解),以避免在清单中重复逻辑。

注释其中一个集群以表明它是经过 PCI 认证的。

  1. kubectl --context=federation annotate clusters cluster-name-1 pci-certified=true

部署联邦副本来测试放置策略。

检查副本集以确认已应用适当的注解: