
type ReconcileOptions struct {//reconcile结构体PrintFlags             *genericclioptions.PrintFlagsFilenameOptions        *resource.FilenameOptionsDryRun                 boolRemoveExtraPermissions boolRemoveExtraSubjects    boolVisitor         resource.VisitorRBACClient      rbacv1client.RbacV1InterfaceNamespaceClient corev1client.CoreV1InterfacePrintObject printers.ResourcePrinterFuncgenericclioptions.IOStreams
}
// NewReconcileOptions returns a ReconcileOptions wired to ioStreams, with
// empty filename options and print flags whose operation name is
// "reconciled". Every boolean option starts at its zero value (false).
func NewReconcileOptions(ioStreams genericclioptions.IOStreams) *ReconcileOptions {
	opts := &ReconcileOptions{IOStreams: ioStreams}
	opts.FilenameOptions = &resource.FilenameOptions{}
	opts.PrintFlags = genericclioptions.NewPrintFlags("reconciled").WithTypeSetter(scheme.Scheme)
	return opts
}
// NewCmdReconcile builds the cobra command "reconcile -f FILENAME".
//
// When the command runs it calls Complete, Validate and RunReconcile in that
// order and hands each returned error to cmdutil.CheckErr.
//
// --dry-run, --remove-extra-permissions and --remove-extra-subjects all
// default to false: changes are submitted unless --dry-run is given, and
// removal of extra rules or subjects has to be requested explicitly.
func NewCmdReconcile(f cmdutil.Factory, streams genericclioptions.IOStreams) *cobra.Command {
	o := NewReconcileOptions(streams)

	// The three phases share o, so the closure is defined before the command.
	run := func(cmd *cobra.Command, args []string) {
		cmdutil.CheckErr(o.Complete(cmd, f, args))
		cmdutil.CheckErr(o.Validate())
		cmdutil.CheckErr(o.RunReconcile())
	}

	cmd := &cobra.Command{
		Use:                   "reconcile -f FILENAME",
		DisableFlagsInUseLine: true,
		Short:                 "Reconciles rules for RBAC Role, RoleBinding, ClusterRole, and ClusterRole binding objects",
		Long:                  reconcileLong,
		Example:               reconcileExample,
		Run:                   run,
	}

	// Output-format flags, then the -f/-k style filename flags.
	o.PrintFlags.AddFlags(cmd)
	cmdutil.AddFilenameOptionFlags(cmd, o.FilenameOptions, "identifying the resource to reconcile.")

	// Behaviour switches; the current field value (false) is used as default.
	flags := cmd.Flags()
	flags.BoolVar(&o.DryRun, "dry-run", o.DryRun, "If true, display results but do not submit changes")
	flags.BoolVar(&o.RemoveExtraPermissions, "remove-extra-permissions", o.RemoveExtraPermissions, "If true, removes extra permissions added to roles")
	flags.BoolVar(&o.RemoveExtraSubjects, "remove-extra-subjects", o.RemoveExtraSubjects, "If true, removes extra subjects added to rolebindings")

	return cmd
}
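// Complete fills in the fields that RunReconcile needs: the resource visitor
// built from the filename options, the RBAC and core clients, and the printer.
//
// It returns an error when no filename/kustomize option was given, when any
// positional argument is present, or when building the visitor, a client or
// the printer fails.
func (o *ReconcileOptions) Complete(cmd *cobra.Command, f cmdutil.Factory, args []string) error {
	// A file (or kustomize directory) is mandatory and positional arguments
	// are rejected, so the set of objects to reconcile comes only from -f/-k.
	if err := o.FilenameOptions.RequireFilenameOrKustomize(); err != nil {
		return err
	}
	if len(args) > 0 {
		return errors.New("no arguments are allowed")
	}

	namespace, enforceNamespace, err := f.ToRawKubeConfigLoader().Namespace()
	if err != nil {
		return err
	}

	// Build the visitor over every object found in the input files.
	r := f.NewBuilder().
		WithScheme(scheme.Scheme, scheme.Scheme.PrioritizedVersionsAllGroups()...).
		ContinueOnError().
		NamespaceParam(namespace).DefaultNamespace().
		FilenameParam(enforceNamespace, o.FilenameOptions).
		Flatten().
		Do()
	if err := r.Err(); err != nil {
		return err
	}
	o.Visitor = r

	// Both clients are created from the same REST config returned by the factory.
	clientConfig, err := f.ToRESTConfig()
	if err != nil {
		return err
	}
	o.RBACClient, err = rbacv1client.NewForConfig(clientConfig)
	if err != nil {
		return err
	}
	o.NamespaceClient, err = corev1client.NewForConfig(clientConfig)
	if err != nil {
		return err
	}

	// Under --dry-run the printed operation is suffixed with "(dry run)".
	// The error from PrintFlags.Complete is propagated rather than dropped,
	// so a dry run is never reported with an unmarked success message.
	if o.DryRun {
		if err := o.PrintFlags.Complete("%s (dry run)"); err != nil {
			return err
		}
	}

	printer, err := o.PrintFlags.ToPrinter()
	if err != nil {
		return err
	}
	o.PrintObject = printer.PrintObj

	return nil
}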
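// Validate checks that every dependency RunReconcile and printResults use has
// been set: the visitor, both clients, the printer function and the Out and
// ErrOut streams. It returns an error naming the first missing field, or nil.
func (o *ReconcileOptions) Validate() error {
	// The checks run top to bottom, so the first unset field is the one reported.
	switch {
	case o.Visitor == nil:
		return errors.New("ReconcileOptions.Visitor must be set")
	case o.RBACClient == nil:
		return errors.New("ReconcileOptions.RBACClient must be set")
	case o.NamespaceClient == nil:
		return errors.New("ReconcileOptions.NamespaceClient must be set")
	case o.PrintObject == nil:
		// The message names the actual field (PrintObject, not "Print").
		return errors.New("ReconcileOptions.PrintObject must be set")
	case o.Out == nil:
		return errors.New("ReconcileOptions.Out must be set")
	case o.ErrOut == nil:
		// The message names the actual field (ErrOut, not "Err").
		return errors.New("ReconcileOptions.ErrOut must be set")
	}
	return nil
}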
// RunReconcile visits every object from the input and reconciles the
// rbac.authorization.k8s.io/v1 Role, ClusterRole, RoleBinding and
// ClusterRoleBinding objects among them, printing each result.
//
// Objects of the v1beta1 or v1alpha1 RBAC types produce an error; any other
// type is skipped and only logged at klog verbosity 1. The first error
// returned from a visit or from a reconciliation is returned to the caller.
func (o *ReconcileOptions) RunReconcile() error {
	visit := func(info *resource.Info, err error) error {
		if err != nil {
			return err
		}

		// Confirm is the negation of --dry-run in every branch below.
		// NOTE(review): presumably Run() submits nothing when Confirm is
		// false; confirm against the reconciliation package.
		switch t := info.Object.(type) {
		case *rbacv1.Role:
			opts := reconciliation.ReconcileRoleOptions{
				Confirm:                !o.DryRun,
				RemoveExtraPermissions: o.RemoveExtraPermissions,
				Role:                   reconciliation.RoleRuleOwner{Role: t},
				Client: reconciliation.RoleModifier{
					NamespaceClient: o.NamespaceClient.Namespaces(),
					Client:          o.RBACClient,
				},
			}
			res, err := opts.Run()
			if err != nil {
				return err
			}
			o.printResults(res.Role.GetObject(), nil, nil, res.MissingRules, res.ExtraRules, res.Operation, res.Protected)

		case *rbacv1.ClusterRole:
			opts := reconciliation.ReconcileRoleOptions{
				Confirm:                !o.DryRun,
				RemoveExtraPermissions: o.RemoveExtraPermissions,
				Role:                   reconciliation.ClusterRoleRuleOwner{ClusterRole: t},
				Client: reconciliation.ClusterRoleModifier{
					Client: o.RBACClient.ClusterRoles(),
				},
			}
			res, err := opts.Run()
			if err != nil {
				return err
			}
			o.printResults(res.Role.GetObject(), nil, nil, res.MissingRules, res.ExtraRules, res.Operation, res.Protected)

		case *rbacv1.RoleBinding:
			opts := reconciliation.ReconcileRoleBindingOptions{
				Confirm:             !o.DryRun,
				RemoveExtraSubjects: o.RemoveExtraSubjects,
				RoleBinding:         reconciliation.RoleBindingAdapter{RoleBinding: t},
				Client: reconciliation.RoleBindingClientAdapter{
					Client:          o.RBACClient,
					NamespaceClient: o.NamespaceClient.Namespaces(),
				},
			}
			res, err := opts.Run()
			if err != nil {
				return err
			}
			o.printResults(res.RoleBinding.GetObject(), res.MissingSubjects, res.ExtraSubjects, nil, nil, res.Operation, res.Protected)

		case *rbacv1.ClusterRoleBinding:
			opts := reconciliation.ReconcileRoleBindingOptions{
				Confirm:             !o.DryRun,
				RemoveExtraSubjects: o.RemoveExtraSubjects,
				RoleBinding:         reconciliation.ClusterRoleBindingAdapter{ClusterRoleBinding: t},
				Client: reconciliation.ClusterRoleBindingClientAdapter{
					Client: o.RBACClient.ClusterRoleBindings(),
				},
			}
			res, err := opts.Run()
			if err != nil {
				return err
			}
			o.printResults(res.RoleBinding.GetObject(), res.MissingSubjects, res.ExtraSubjects, nil, nil, res.Operation, res.Protected)

		case *rbacv1beta1.Role,
			*rbacv1beta1.RoleBinding,
			*rbacv1beta1.ClusterRole,
			*rbacv1beta1.ClusterRoleBinding,
			*rbacv1alpha1.Role,
			*rbacv1alpha1.RoleBinding,
			*rbacv1alpha1.ClusterRole,
			*rbacv1alpha1.ClusterRoleBinding:
			// Older RBAC API versions are rejected, not silently converted.
			return fmt.Errorf("only rbac.authorization.k8s.io/v1 is supported: not %T", t)

		default:
			// Non-RBAC objects in the file are ignored; the skip is only
			// visible at verbosity 1 or higher.
			klog.V(1).Infof("skipping %#v", info.Object.GetObjectKind())
		}

		return nil
	}

	return o.Visitor.Visit(visit)
}
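// printResults prints the reconciled object to o.Out and writes a summary of
// the reconciliation to o.ErrOut.
//
// The summary starts with the required operation (create, update or
// recreate), followed by a caveat when protected is true. It then lists the
// missing subjects and rules, and the extra subjects and rules only when the
// matching Remove* option is set. When operation is ReconcileNone nothing is
// written after the object itself.
//
// NOTE(review): the "added"/"removed" headings are written whether or not
// DryRun or protected is set. Presumably nothing was changed in those cases;
// read the headings together with the "(dry run)" suffix and the opt-out
// caveat when using this output as an audit record.
func (o *ReconcileOptions) printResults(object runtime.Object,
	missingSubjects, extraSubjects []rbacv1.Subject,
	missingRules, extraRules []rbacv1.PolicyRule,
	operation reconciliation.ReconcileOperation,
	protected bool) {

	// This function cannot return an error, so a printer failure is reported
	// on ErrOut instead of being silently discarded.
	if err := o.PrintObject(object, o.Out); err != nil {
		fmt.Fprintf(o.ErrOut, "\terror printing object: %v\n", err)
	}

	// The caveat is appended when the object carries the autoupdate opt-out.
	caveat := ""
	if protected {
		caveat = ", but object opted out (rbac.authorization.kubernetes.io/autoupdate: false)"
	}

	switch operation {
	case reconciliation.ReconcileNone:
		// Nothing to reconcile: skip the subject and rule listings too.
		return
	case reconciliation.ReconcileCreate:
		fmt.Fprintf(o.ErrOut, "\treconciliation required create%s\n", caveat)
	case reconciliation.ReconcileUpdate:
		fmt.Fprintf(o.ErrOut, "\treconciliation required update%s\n", caveat)
	case reconciliation.ReconcileRecreate:
		fmt.Fprintf(o.ErrOut, "\treconciliation required recreate%s\n", caveat)
	}

	if len(missingSubjects) > 0 {
		fmt.Fprintf(o.ErrOut, "\tmissing subjects added:\n")
		for _, s := range missingSubjects {
			fmt.Fprintf(o.ErrOut, "\t\t%+v\n", s)
		}
	}
	// Extra subjects are listed only when their removal was requested.
	if o.RemoveExtraSubjects && len(extraSubjects) > 0 {
		fmt.Fprintf(o.ErrOut, "\textra subjects removed:\n")
		for _, s := range extraSubjects {
			fmt.Fprintf(o.ErrOut, "\t\t%+v\n", s)
		}
	}

	if len(missingRules) > 0 {
		fmt.Fprintf(o.ErrOut, "\tmissing rules added:\n")
		for _, r := range missingRules {
			fmt.Fprintf(o.ErrOut, "\t\t%+v\n", r)
		}
	}
	// Extra rules are listed only when their removal was requested.
	if o.RemoveExtraPermissions && len(extraRules) > 0 {
		fmt.Fprintf(o.ErrOut, "\textra rules removed:\n")
		for _, r := range extraRules {
			fmt.Fprintf(o.ErrOut, "\t\t%+v\n", r)
		}
	}
}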
