kubectl源码分析之create clusterrole
秋和雅
发布一个k8s部署视频:https://edu.csdn.net/course/detail/26967
课程内容:各种k8s部署方式。包括minikube部署,kubeadm部署,kubeasz部署,rancher部署,k3s部署。包括开发测试环境部署k8s,和生产环境部署k8s。
腾讯课堂连接地址https://ke.qq.com/course/478827?taid=4373109931462251&tuin=ba64518
第二个视频发布 https://edu.csdn.net/course/detail/27109
腾讯课堂连接地址https://ke.qq.com/course/484107?tuin=ba64518
介绍主要的k8s资源的使用配置和命令。包括configmap,pod,service,replicaset,namespace,deployment,daemonset,ingress,pv,pvc,sc,role,rolebinding,clusterrole,clusterrolebinding,secret,serviceaccount,statefulset,job,cronjob,podDisruptionbudget,podSecurityPolicy,networkPolicy,resourceQuota,limitrange,endpoint,event,conponentstatus,node,apiservice,controllerRevision等。
第三个视频发布:https://edu.csdn.net/course/detail/27574
详细介绍helm命令,学习helm chart语法,编写helm chart。深入分析各项目源码,学习编写helm插件
第四个课程发布:https://edu.csdn.net/course/detail/28488
本课程将详细介绍k8s所有命令,以及命令的go源码分析,学习知其然,知其所以然
————————————————--------------------------------------------------------------
type CreateClusterRoleOptions struct {//clusterrole结构体
*CreateRoleOptions//继承role结构体
NonResourceURLs []string//非资源url
AggregationRule map[string]string//组合角色规则
}//创建create clusterrole命令
func NewCmdCreateClusterRole(f cmdutil.Factory, ioStreams genericclioptions.IOStreams) *cobra.Command {
c := &CreateClusterRoleOptions{//初始化clusterrole结构体
CreateRoleOptions: NewCreateRoleOptions(ioStreams),
AggregationRule: map[string]string{},
}
cmd := &cobra.Command{//创建cobra命令
Use: "clusterrole NAME --verb=verb --resource=resource.group [--resource-name=resourcename] [--dry-run]",
DisableFlagsInUseLine: true,
Short: clusterRoleLong,
Long: clusterRoleLong,
Example: clusterRoleExample,
Run: func(cmd *cobra.Command, args []string) {
cmdutil.CheckErr(c.Complete(f, cmd, args))//准备运行
cmdutil.CheckErr(c.Validate())//校验参数
cmdutil.CheckErr(c.RunCreateRole())//运行逻辑
},
}
c.PrintFlags.AddFlags(cmd)//设置print选项
cmdutil.AddApplyAnnotationFlags(cmd)//设置save-config选项
cmdutil.AddValidateFlags(cmd)//设置validate选项
cmdutil.AddDryRunFlag(cmd)//设置dry-run选项
cmd.Flags().StringSliceVar(&c.Verbs, "verb", c.Verbs, "Verb that applies to the resources contained in the rule")//设置verb选项
cmd.Flags().StringSliceVar(&c.NonResourceURLs, "non-resource-url", c.NonResourceURLs, "A partial url that user should have access to.")//设置non-resource-url选项
cmd.Flags().StringSlice("resource", []string{}, "Resource that the rule applies to")//设置resource选项
cmd.Flags().StringArrayVar(&c.ResourceNames, "resource-name", c.ResourceNames, "Resource in the white list that the rule applies to, repeat this flag for multiple items")//设置resource-name选项
cmd.Flags().Var(cliflag.NewMapStringString(&c.AggregationRule), "aggregation-rule", "An aggregation label selector for combining ClusterRoles.")//设置aggregation-rule选项
return cmd
}//运行准备函数
func (c *CreateClusterRoleOptions) Complete(f cmdutil.Factory, cmd *cobra.Command, args []string) error {
// Remove duplicate nonResourceURLs
nonResourceURLs := []string{}
for _, n := range c.NonResourceURLs {//non-resource-url去重
if !arrayContains(nonResourceURLs, n) {
nonResourceURLs = append(nonResourceURLs, n)
}
}
c.NonResourceURLs = nonResourceURLs
return c.CreateRoleOptions.Complete(f, cmd, args)//运行role的complete方法
}//运行role的complete方法
func (o *CreateRoleOptions) Complete(f cmdutil.Factory, cmd *cobra.Command, args []string) error {
name, err := NameFromCommandArgs(cmd, args)//获取资源名称
if err != nil {
return err
}
o.Name = name//设置资源名称
// Remove duplicate verbs.
verbs := []string{}
for _, v := range o.Verbs {
// VerbAll respresents all kinds of verbs.
if v == "*" {//如果是*,则verbs是*,并break
verbs = []string{"*"}
break
}
if !arrayContains(verbs, v) {//去重
verbs = append(verbs, v)
}
}
o.Verbs = verbs//设置verbs
// Support resource.group pattern. If no API Group specified, use "" as core API Group.
// e.g. --resource=pods,deployments.extensions
resources := cmdutil.GetFlagStringSlice(cmd, "resource")//获取resource选项
for _, r := range resources {
sections := strings.SplitN(r, "/", 2)//用/分割字符
resource := &ResourceOptions{}
if len(sections) == 2 {
resource.SubResource = sections[1]//设置子资源
}
parts := strings.SplitN(sections[0], ".", 2)//用.分割字符
if len(parts) == 2 {
resource.Group = parts[1]//设置group
}
resource.Resource = parts[0]//设置资源
if resource.Resource == "*" && len(parts) == 1 && len(sections) == 1 {
o.Resources = []ResourceOptions{*resource}//如果资源是*,则设置资源为*,并break
break
}
o.Resources = append(o.Resources, *resource)//添加资源
}
// Remove duplicate resource names.
resourceNames := []string{}
for _, n := range o.ResourceNames {//resource-name去重
if !arrayContains(resourceNames, n) {
resourceNames = append(resourceNames, n)
}
}
o.ResourceNames = resourceNames//设置resource-name
// Complete other options for Run.
o.Mapper, err = f.ToRESTMapper()//设置mapper
if err != nil {
return err
}
o.DryRun = cmdutil.GetDryRunFlag(cmd)//设置干跑
o.OutputFormat = cmdutil.GetFlagString(cmd, "output")//设置output
if o.DryRun {
o.PrintFlags.Complete("%s (dry run)")
}
printer, err := o.PrintFlags.ToPrinter()//把print flag转化为printer
if err != nil {
return err
}
o.PrintObj = func(obj runtime.Object) error {//设置printObj函数
return printer.PrintObj(obj, o.Out)
}
o.Namespace, _, err = f.ToRawKubeConfigLoader().Namespace()//获取namespace
if err != nil {
return err
}
clientset, err := f.KubernetesClientSet()//获取clientset
if err != nil {
return err
}
o.Client = clientset.RbacV1()//设置client
return nil
}//运行校验函数
func (c *CreateClusterRoleOptions) Validate() error {
if c.Name == "" {//name为空报错
return fmt.Errorf("name must be specified")
}
if len(c.AggregationRule) > 0 {//AggregationRule不能和下面选项共存
if len(c.NonResourceURLs) > 0 || len(c.Verbs) > 0 || len(c.Resources) > 0 || len(c.ResourceNames) > 0 {
return fmt.Errorf("aggregation rule must be specified without nonResourceURLs, verbs, resources or resourceNames")
}
return nil
}
// validate verbs.
if len(c.Verbs) == 0 {//verb不能为空
return fmt.Errorf("at least one verb must be specified")
}
if len(c.Resources) == 0 && len(c.NonResourceURLs) == 0 {//resource和non-resource-url不能都未空
return fmt.Errorf("one of resource or nonResourceURL must be specified")
}
// validate resources
if len(c.Resources) > 0 {
for _, v := range c.Verbs {
if !arrayContains(validResourceVerbs, v) {//判断verb是否有效
return fmt.Errorf("invalid verb: '%s'", v)
}
}
if err := c.validateResource(); err != nil {//校验资源
return err
}
}
//validate non-resource-url
if len(c.NonResourceURLs) > 0 {//如果non-rsource-url不为空
for _, v := range c.Verbs {
if !arrayContains(validNonResourceVerbs, v) {//校验verb是否有效
return fmt.Errorf("invalid verb: '%s' for nonResourceURL", v)
}
}
for _, nonResourceURL := range c.NonResourceURLs {
if nonResourceURL == "*" {
continue
}
if nonResourceURL == "" || !strings.HasPrefix(nonResourceURL, "/") {
return fmt.Errorf("nonResourceURL should start with /")//non-resource-url必须/开头
}
if strings.ContainsRune(nonResourceURL[:len(nonResourceURL)-1], '*') {//*只能出现在末尾
return fmt.Errorf("nonResourceURL only supports wildcard matches when '*' is at the end")
}
}
}
return nil
}//调用role的validate方法
func (o *CreateRoleOptions) validateResource() error {
for _, r := range o.Resources {
if len(r.Resource) == 0 {//资源不能为空
return fmt.Errorf("resource must be specified if apiGroup/subresource specified")
}
if r.Resource == "*" {
return nil
}
resource := schema.GroupVersionResource{Resource: r.Resource, Group: r.Group}
groupVersionResource, err := o.Mapper.ResourceFor(schema.GroupVersionResource{Resource: r.Resource, Group: r.Group})
if err == nil {
resource = groupVersionResource
}
for _, v := range o.Verbs {
if groupResources, ok := specialVerbs[v]; ok {//如果是特殊动作
match := false
for _, extra := range groupResources {//如果特殊动作的资源包含现在的资源
if resource.Resource == extra.Resource && resource.Group == extra.Group {
match = true
err = nil
break
}
}
if !match {
return fmt.Errorf("can not perform '%s' on '%s' in group '%s'", v, resource.Resource, resource.Group)
}
}
}
if err != nil {
return err
}
}
return nil
}//执行逻辑
func (c *CreateClusterRoleOptions) RunCreateRole() error {
clusterRole := &rbacv1.ClusterRole{//创建一个clusterrole对象
// this is ok because we know exactly how we want to be serialized
TypeMeta: metav1.TypeMeta{APIVersion: rbacv1.SchemeGroupVersion.String(), Kind: "ClusterRole"},
}
clusterRole.Name = c.Name//设置clusterrole名称
var err error
if len(c.AggregationRule) == 0 {//如果aggregation-rule没值
rules, err := generateResourcePolicyRules(c.Mapper, c.Verbs, c.Resources, c.ResourceNames, c.NonResourceURLs)//构造policy
if err != nil {
return err
}
clusterRole.Rules = rules//设置policy
} else {
clusterRole.AggregationRule = &rbacv1.AggregationRule{//构造aggregationRule
ClusterRoleSelectors: []metav1.LabelSelector{
{
MatchLabels: c.AggregationRule,
},
},
}
}
// Create ClusterRole.
if !c.DryRun {//非干跑
clusterRole, err = c.Client.ClusterRoles().Create(clusterRole)//创建clusterrole
if err != nil {
return err
}
}
return c.PrintObj(clusterRole)//打印结果
}//构造policy
func generateResourcePolicyRules(mapper meta.RESTMapper, verbs []string, resources []ResourceOptions, resourceNames []string, nonResourceURLs []string) ([]rbacv1.PolicyRule, error) {
// groupResourceMapping is a apigroup-resource map. The key of this map is api group, while the value
// is a string array of resources under this api group.
// E.g. groupResourceMapping = {"extensions": ["replicasets", "deployments"], "batch":["jobs"]}
groupResourceMapping := map[string][]string{}
// This loop does the following work:
// 1. Constructs groupResourceMapping based on input resources.
// 2. Prevents pointing to non-existent resources.
// 3. Transfers resource short name to long name. E.g. rs.extensions is transferred to replicasets.extensions
for _, r := range resources {//遍历资源
resource := schema.GroupVersionResource{Resource: r.Resource, Group: r.Group}
groupVersionResource, err := mapper.ResourceFor(schema.GroupVersionResource{Resource: r.Resource, Group: r.Group})
if err == nil {
resource = groupVersionResource
}设置资源
if len(r.SubResource) > 0 {//如果有子资源则加上子资源
resource.Resource = resource.Resource + "/" + r.SubResource
}
if !arrayContains(groupResourceMapping[resource.Group], resource.Resource) {//如果资源不再map里则放入
groupResourceMapping[resource.Group] = append(groupResourceMapping[resource.Group], resource.Resource)
}
}
// Create separate rule for each of the api group.
rules := []rbacv1.PolicyRule{}//构造policyRule slice
for _, g := range sets.StringKeySet(groupResourceMapping).List() {//遍历map
rule := rbacv1.PolicyRule{}//构造policyrule对象
rule.Verbs = verbs//设置verbs
rule.Resources = groupResourceMapping[g]//设置资源
rule.APIGroups = []string{g}//设置apiGroup
rule.ResourceNames = resourceNames//设置资源名称
rules = append(rules, rule)//把rule加到slice中
}
if len(nonResourceURLs) > 0 {//如果non-resource-url有值
rule := rbacv1.PolicyRule{}构造policyrule对象
rule.Verbs = verbs//设置verb
rule.NonResourceURLs = nonResourceURLs//设置non-resource-url
rules = append(rules, rule)//添加rule到slice
}
return rules, nil
}
类似资料: