
I have a project that needs to use a mutating webhook based on namespaceSelector, which requires first adding a specific label to the namespace.

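I used three hooks: hook1 (pre-install, pre-delete, etc.) creates the RBAC, hook2 (pre-install) adds the label to the namespace through a Job, and hook3 (pre-delete) removes the label through a Job. The hook contents are as follows: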

hook1: set permissions

# RBAC.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ns-edit
  namespace: kube-system
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade,pre-delete
    "helm.sh/hook-weight": "-5"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ns-edit
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade,pre-delete
    "helm.sh/hook-weight": "-5"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "watch", "list","update","patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: edit-ns
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade,pre-delete
    "helm.sh/hook-weight": "-5"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ns-edit
subjects:
- kind: ServiceAccount
  name: ns-edit
  namespace: kube-system

hook2: add the label to the namespace

# label-ns.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: label-ns
  namespace: kube-system
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-weight": "0"
    "helm.sh/hook-delete-policy": hook-succeeded
spec:
  template:
    spec:
      containers:
      - name: labeler
        image: gcr.io/google_containers/hyperkube:v1.18.0
        command:
        - kubectl
        - label
        - ns
        - kube-system
        - mutating=disabled
        - --overwrite
      restartPolicy: Never
      serviceAccountName: ns-edit

hook3: remove the label added by hook2 from the namespace

# delete-ns-label.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: del-ns-label
  namespace: kube-system
  annotations:
    "helm.sh/hook": pre-delete
    "helm.sh/hook-weight": "0"
    "helm.sh/hook-delete-policy": hook-succeeded
spec:
  template:
    spec:
      containers:
      - name: labeler
        image: gcr.io/google_containers/hyperkube:v1.18.0
        command:
        - kubectl
        - label
        - ns
        - kube-system
        - mutating-
      restartPolicy: Never
      serviceAccountName: ns-edit

During chart deployment, the hook2 and hook3 Jobs were both triggered and did not complete because the service account (ns-edit) was not found.

helm install mutating-webhook mutating-webhook-0.1.0.tgz --debug
client.go:254: [debug] Starting delete for "ns-edit" ServiceAccount
client.go:283: [debug] serviceaccounts "ns-edit" not found
client.go:108: [debug] creating 1 resource(s)
client.go:254: [debug] Starting delete for "ns-edit" ClusterRole
client.go:283: [debug] clusterroles.rbac.authorization.k8s.io "ns-edit" not found
client.go:108: [debug] creating 1 resource(s)
client.go:254: [debug] Starting delete for "edit-ns" ClusterRoleBinding
client.go:283: [debug] clusterrolebindings.rbac.authorization.k8s.io "edit-ns" not found
client.go:108: [debug] creating 1 resource(s)
client.go:108: [debug] creating 1 resource(s)
client.go:463: [debug] Watching for changes to Job label-ns with timeout of 5m0s
client.go:491: [debug] Add/Modify event for label-ns: ADDED
client.go:530: [debug] label-ns: Jobs active: 0, jobs failed: 0, jobs succeeded: 0
client.go:491: [debug] Add/Modify event for label-ns: MODIFIED
client.go:530: [debug] label-ns: Jobs active: 1, jobs failed: 0, jobs succeeded: 0
client.go:491: [debug] Add/Modify event for label-ns: MODIFIED
client.go:254: [debug] Starting delete for "ns-edit" ServiceAccount
client.go:254: [debug] Starting delete for "ns-edit" ClusterRole
client.go:254: [debug] Starting delete for "edit-ns" ClusterRoleBinding
client.go:254: [debug] Starting delete for "label-ns" Job
client.go:108: [debug] creating 10 resource(s)
client.go:254: [debug] Starting delete for "ns-edit" ServiceAccount
client.go:108: [debug] creating 1 resource(s)
client.go:254: [debug] Starting delete for "ns-edit" ClusterRole
client.go:108: [debug] creating 1 resource(s)
client.go:254: [debug] Starting delete for "edit-ns" ClusterRoleBinding
client.go:108: [debug] creating 1 resource(s)
client.go:254: [debug] Starting delete for "ns-edit" ServiceAccount
client.go:254: [debug] Starting delete for "ns-edit" ClusterRole
client.go:254: [debug] Starting delete for "edit-ns" ClusterRoleBinding

However, it runs correctly in helm2: helm install triggers hook1 and hook2 to add the namespace label, and helm delete --purge triggers hook1 and hook3 to remove the label added by hook2.

Why is there such a huge difference between helm2 and helm3 when it comes to hooks?

How can I modify this so that it works the same in both? If that is not possible, how should it be designed in helm3?

I would really appreciate any help with this.

Note: helm2 is v2.17.0, helm3 is v3.3.0
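
The ClusterRole in hook1 lets the ns-edit service account update and patch every namespace, while the two Jobs only label kube-system. A narrower rule for the same role, as an added example that is not part of the original post; it assumes `kubectl label` needs only get and patch on that one namespace:

```yaml
# Added example (not from the original post): a tighter variant of the
# "ns-edit" ClusterRole shown above.
# Assumption: the hook Jobs only run `kubectl label ns kube-system ...`,
# which reads the namespace (get) and then patches it (patch).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ns-edit
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade,pre-delete
    "helm.sh/hook-weight": "-5"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  # resourceNames limits the rule to the one namespace the Jobs label.
  resourceNames: ["kube-system"]
  # list, watch and update are dropped; the original rule allowed
  # update/patch on every namespace in the cluster.
  verbs: ["get", "patch"]
```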
