Red Hat ACM’s managedCluster Lifecycle in Action

Red Hat’s Advanced Cluster Management (ACM) gives users the ability to manage cloud-based services and data on Kubernetes clusters across multiple cloud providers from a single control plane. ACM leverages the Kubernetes API to deploy its own custom resources and provide additional management capabilities within “imported” clusters. The “managedCluster” resource allows for greater visibility of cost and performance while giving users a new tool to leverage against their own hybrid environments, from the context of a “hub” cluster.

In this blog I will cover the lifecycle of a managedCluster; specifically, this is a review of the import, update and deletion of a managedCluster system. This review covers ACM’s 2.0 release, and may not be applicable to future releases.

This blog is intended to be of value to engineers who are interested in multicloud management solutions for Kubernetes clusters (for industry or otherwise), are already leveraging Red Hat’s multicloud management solution against their own cloud environments, or are planning to contribute to this technology, much of which is already open sourced.

As an illustrative tool, I have segmented the lifecycle into a three-act structure, beginning with import; though there are many scenarios in which this particular sequence of use (i.e. import, followed by general usage of the managedCluster including update, and finally deletion of the managedCluster) may not apply to your own usage.

Terminology/Component Glossary:

  • hub cluster: A Kubernetes cluster, specifically OpenShift Container Platform (OCP), with Advanced Cluster Management installed, capable of managing subordinate clusters using its managedCluster custom API resource.

Edit: A hub can only be created with an OCP cluster.

  • imported cluster: A Kubernetes cluster that has the klusterlet and klusterlet-addon resources installed, and is working as a subordinate to a hub cluster. Klusterlet and klusterlet-addons can be installed on AKS, EKS, GKE, IKS and OCP clusters.

Edit: Thus, AKS, EKS, GKE, IKS and OCP clusters are all capable of being managed by an OCP hub cluster.

  • managedCluster: A custom Kubernetes api resource used to represent the status of an imported cluster from the context of a hub cluster.

  • managedCluster-import-controller: The controller on the hub cluster responsible for coordinating import on the hub cluster, as well as for reconciling over the state of the managedClusters.

  • klusterlet: The controller on the imported cluster responsible for launching and updating klusterlet-registration-controller and the klusterlet-work-agent.

  • klusterlet-addon-operator: The controller on the imported cluster responsible for deploying and reconciling the state of klusterlet-addons.

  • klusterlet-work-agent (work-agent): The controller on the imported cluster responsible for reconciling manifestWork, and updating the klusterlet.

  • klusterlet-addon-controller (registration-controller): The controller on the hub responsible for creating and reconciling the certificate signing request between the hub and the imported cluster.

  • manifestWork: An api resource for defining and executing jobs on a cluster.

  • finalizer: A label added to prevent the deletion of a resource; it is used to coordinate graceful tear-downs of cluster applications.

Import

1. Act one: User Initializes Import

The user initializes the import of a managed cluster from the hub cluster’s ACM console. *(see image below)

From the console of a hub cluster, users have the ability to monitor their imported clusters, import already existing clusters to their hub or create a cluster and import it automatically.

[Image: ACM console, cluster view]
[Image: ACM console, cluster import page]

2. Console begins work

On the hub cluster, after “Generate command” is pressed, the UI creates the cluster namespace and the managedCluster resource; both are assigned the same name the user provided for the cluster.* The UI also creates the “klusterletAddonConfig” (the CRD for the klusterlet-addon resource).

[Image: My managedCluster, rbrunopi-managed]

The UI then adds a finalizer to the managedCluster resource and sets the spec key HubAcceptsClient to “true”, signifying that the hub cluster accepts the join of a new managedCluster.* It also creates a “bootstrap” service account that will allow for the initial registration between the hub and its new managedCluster.

package v1

import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

// ManagedCluster represents the desired state and current status of a managed
// cluster from the hub's point of view.
type ManagedCluster struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec represents a desired configuration for the agent on the managed cluster.
	Spec ManagedClusterSpec `json:"spec"`

	// Status represents the current status of joined managed cluster
	// +optional
	Status ManagedClusterStatus `json:"status,omitempty"`
}

// ManagedClusterSpec provides the information to securely connect to a remote server
// and verify its identity.
type ManagedClusterSpec struct {
	// ManagedClusterClientConfigs represents a list of the apiserver address of the managed cluster.
	// If it is empty, managed cluster has no accessible address to be visited from hub.
	// +optional
	ManagedClusterClientConfigs []ClientConfig `json:"managedClusterClientConfigs,omitempty"`

	// hubAcceptsClient represents that hub accepts the join of Klusterlet agent on
	// the managed cluster to the hub. The default value is false, and can only be set
	// true when the user on hub has an RBAC rule to UPDATE on the virtual subresource
	// of managedclusters/accept.
	// When the value is set true, a namespace whose name is same as the name of ManagedCluster
	// is created on hub representing the managed cluster, also role/rolebinding is created on
	// the namespace to grant the permission of access from agent on managed cluster.
	// When the value is set false, the namespace representing the managed cluster is
	// deleted.
	// +required
	HubAcceptsClient bool `json:"hubAcceptsClient"`

	// LeaseDurationSeconds is used to coordinate the lease update time of Klusterlet agents on the managed cluster.
	// If its value is zero, the Klusterlet agent will update its lease every 60s by default
	// +optional
	LeaseDurationSeconds int32 `json:"leaseDurationSeconds,omitempty"`
}

// ClientConfig represents the apiserver address of the managed cluster and the
// CA bundle used to verify it.
type ClientConfig struct {
	URL      string `json:"url"`
	CABundle []byte `json:"caBundle,omitempty"`
}

// ManagedClusterStatus is abridged here to the conditions the import controller
// reads; the upstream type also carries fields such as capacity, allocatable and version.
type ManagedClusterStatus struct {
	// Conditions contains the different condition statuses for this managed cluster.
	Conditions []metav1.Condition `json:"conditions"`
}

The managedCluster-import-controller then creates the import manifest secret.*

[Image: The import manifest secret]

3. User applies the import manifest

The content of the newly created secret is a base64-encoded custom resource definition for the klusterlet. The console presents the encoded definition to the user within a kubectl apply command.* The user takes the command and applies it on their soon-to-be imported cluster, which triggers the creation of the klusterlet on that managedCluster.

[Image: Encoded CRD offered by console import]

4. Enter: The klusterlet

On the managed cluster, the klusterlet will roll out the deployment of the registration-controller, followed by the work-agent.

The registration-controller creates a certificate signing request which is shortly thereafter approved by the hub cluster’s managedCluster-import-controller.

The managedCluster-import-controller will then create manifestWork sets to deploy the klusterlet-addon-controller. When that controller is up and running, it will create its own manifestWorks (managed by an addon-work-manager) to launch addon applications for monitoring, search, IAM policy and certificate regulation features for the imported cluster.*

[Image: klusterlet addon applications]

5. End of Act I: work-agent

The work-agent will continue to reconcile manifestWork states over the lifespan of the managedCluster.

At this point the user should have a running managedCluster resource in their hub cluster, and a klusterlet and klusterlet-addon-operator running in their imported cluster. Regular usage of ACM features can begin after the import process has succeeded.

Upgrade

1. Act II: User Initializes Upgrade

The upgrade of a managedCluster’s klusterlet can be initiated by the user from the context of the hub cluster’s web console. *

[Image: Upgrade in cluster view]

2. Update to manifestWork

Once “Upgrade Cluster” is selected, the managedCluster-import-controller will update the import manifest secret and the manifestWork of the klusterlet.

3. Update Components

The imported cluster’s work-agent will reconcile the changes in manifestWork by beginning work to upgrade the klusterlet. Once complete, the klusterlet will upgrade the registration controller and the work-agent.

Deletion

1. Final Act: User Initializes managedCluster deletion

Deletion of a managedCluster will also be user-initiated.*

[Image: Deletion/Detach in cluster view]

2. managedCluster-import-controller triggers work-agent reconcile: work-agent deletes klusterlet.

When prompted by the “Destroy” command, the managedCluster-import-controller will delete the manifestWork for the klusterlet. The work-agent’s reconciler will respond to the deletion of ManifestWork by deleting the klusterlet.

3. Final Scene: managedCluster-import-controller deletes ManagedCluster resource and cluster namespace

The managedCluster-import-controller will then wait for the ManagedCluster to go offline, which is indicated to the controller via the managedCluster resource’s “ManagedClusterConditionAvailable” condition, representing the availability of the managedCluster.* At this juncture, when that condition is set to “Unknown” or “False”, the managedCluster-import-controller will remove all the manifestWork resources in the managedCluster namespace.

const (
	// ManagedClusterConditionJoined means the managed cluster has successfully joined the hub
	ManagedClusterConditionJoined string = "ManagedClusterJoined"
	// ManagedClusterConditionHubAccepted means the request to join the cluster is
	// approved by cluster-admin on hub
	ManagedClusterConditionHubAccepted string = "HubAcceptedManagedCluster"
	// ManagedClusterConditionHubDenied means the request to join the cluster is denied by
	// cluster-admin on hub
	ManagedClusterConditionHubDenied string = "HubDeniedManagedCluster"
	// ManagedClusterConditionAvailable means the managed cluster is available, if a managed
	// cluster is available, the kube-apiserver is healthy and the Klusterlet agent is
	// running with the minimum deployment on this managed cluster
	ManagedClusterConditionAvailable string = "ManagedClusterConditionAvailable"
)

Finally, the managedCluster-import-controller removes the managedCluster’s finalizer, deletes the managedCluster resource and concludes the deletion process by removing the managedCluster’s namespace. This marks the end of a managedCluster’s lifecycle.
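
As an added example (not code from this post or from the ACM project), the Go snippet below models the deletion decisions described in this act: wait while the ManagedClusterConditionAvailable condition is “True”, clear the manifestWorks and the finalizer once it reads “False” or “Unknown”, then let the resource and namespace be deleted. The finalizer name and the treatment of an absent condition as Unknown are assumptions of the example.

```go
package main

import "fmt"

// Condition mirrors a ManagedCluster status condition; Status is the usual
// Kubernetes "True", "False" or "Unknown".
type Condition struct{ Type, Status string }

// Condition type name taken from the page's const block.
const ManagedClusterConditionAvailable = "ManagedClusterConditionAvailable"

// ManagedCluster is a cut-down stand-in for the hub-side resource; the import
// controller's finalizer name used below is an assumption made for this example.
type ManagedCluster struct {
	Finalizers []string
	Conditions []Condition
}

// isOffline reports whether the controller may remove the cluster's manifestWorks:
// Available is "False" or "Unknown". An absent condition counts as Unknown,
// following the Kubernetes condition convention (an assumption, not from the page).
func isOffline(mc ManagedCluster) bool {
	for _, c := range mc.Conditions {
		if c.Type == ManagedClusterConditionAvailable {
			return c.Status != "True"
		}
	}
	return true
}

// teardownStep names the controller's next action for a cluster whose deletion
// has been requested, in the order the page describes.
func teardownStep(mc ManagedCluster) string {
	switch {
	case !isOffline(mc):
		return "wait: klusterlet still reports Available=True"
	case len(mc.Finalizers) > 0:
		return "remove manifestWorks, then finalizer"
	default:
		return "delete ManagedCluster and namespace"
	}
}

func main() {
	// Constructed sample: the klusterlet stops reporting, so Available turns Unknown.
	mc := ManagedCluster{Finalizers: []string{"example/import-cleanup"}, Conditions: []Condition{{Type: ManagedClusterConditionAvailable, Status: "True"}}}
	fmt.Println(teardownStep(mc))
	mc.Conditions[0].Status = "Unknown"
	fmt.Println(teardownStep(mc), "->", teardownStep(ManagedCluster{Conditions: mc.Conditions}))
}
```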

Post Script

For more details on what can be accomplished with an imported cluster, see ACM’s product page or the Open-Cluster-Management organization on GitHub.

I want to offer a tremendous thank you to Hao Liu, Dominique Vernier, Hanqiu Zhang, and Leena Jawale, Brandi Swope and Mikela Dockery for their input on this blog!

Translated from: https://medium.com/@randybruno424/red-hat-acms-managedcluster-lifecycle-in-action-85422e05150b
