etcd 启动分析_kube-apiserver 源码分析

最新推荐文章于 2024-04-03 10:44:46 发布
最新推荐文章于 2024-04-03 10:44:46 发布
阅读量329 收藏
点赞数
文章标签: etcd 启动分析
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_42527401/article/details/112192025
版权

de029b9b08549a71fa503e7cce88f45b.png

kube-apiserver 是 Kubernetes 最重要的核心组件之一,主要提供以下的功能:

  • 提供集群管理的 REST API 接口,包括认证授权、数据校验以及集群状态变更等
  • 提供其他模块之间的数据交互和通信的枢纽(其他模块通过 API Server 查询或修改数据,只有 API Server 能直接操作 etcd)

注:

  • 以下代码分析基于 kubernetes release-1.14 cmd/kube-apiserver
  • 代表省略的代码,只展现主要逻辑代码。

编译

make WHAT=cmd/kube-apiserver

可以自行编译一下,编译完的 binary 可在 ./_output/bin/ 下找到。

main 函数

k8s 各组件程序的入口位于 cmd 目录下,我们来看看 kube-apiserver 的源码:

cmd/kube-apiserver/apiserver.go

func main() {
    ...

    // 初始化命令
    command := app.NewAPIServerCommand(server.SetupSignalHandler())

    ...

    // Execute
    if err := command.Execute(); err != nil {
        fmt.Fprintf(os.Stderr, "error: %vn", err)
        os.Exit(1)
    }
}

这里主要用到了 Cobra CLI 框架。

另外,注意到,main 包同级目录还有个 app 包,其中包含了创建 cobra CLI 具体实现代码,所以 main 包三俩行就结束了,至于为什么要这样设计呢?

如果你看看 cmd/hyperkube/main.go 的源码,你就会明白。hyperkube 把所有的 Command 都聚合到一起了,这样我们编译一个 hyperkube,就可以拥有 k8s 所有组件的能力。另外,由于各组件创建 Cobra CLI 的逻辑都在 app 包下,那么当组件更新时,hyperkube 重新编译也能获取更新,所以提取 app 包做到了解耦。

构造 CLI

app.NewAPIServerCommand() 返回 *cobra.Command, 执行 command.Execute() 最终会调用 *cobra.Command 的 RunE 字段的函数。

我们来看看 app.NewAPIServerCommand() 是如何构造 *cobra.Command 的:

// NewAPIServerCommand creates a *cobra.Command object with default parameters
func NewAPIServerCommand(stopCh <-chan struct{}) *cobra.Command {
    s := options.NewServerRunOptions()
    // 构造 Command
    cmd := &cobra.Command{
        Use: "kube-apiserver",
        ...
        RunE: func(cmd *cobra.Command, args []string) error {
            ...

            return Run(completedOptions, stopCh)
        },
    }

    // 参数解析
    fs := cmd.Flags()
    namedFlagSets := s.Flags()
    verflag.AddFlags(namedFlagSets.FlagSet("global"))
    globalflag.AddGlobalFlags(namedFlagSets.FlagSet("global"), cmd.Name())
    options.AddCustomGlobalFlags(namedFlagSets.FlagSet("generic"))
    for _, f := range namedFlagSets.FlagSets {
        fs.AddFlagSet(f)
    }

    // 构造 usage 和 help
    usageFmt := "Usage:n  %sn"
    cols, _, _ := term.TerminalSize(cmd.OutOrStdout())
    cmd.SetUsageFunc(func(cmd *cobra.Command) error {
        fmt.Fprintf(cmd.OutOrStderr(), usageFmt, cmd.UseLine())
        cliflag.PrintSections(cmd.OutOrStderr(), namedFlagSets, cols)
        return nil
    })
    cmd.SetHelpFunc(func(cmd *cobra.Command, args []string) {
        fmt.Fprintf(cmd.OutOrStdout(), "%snn"+usageFmt, cmd.Long, cmd.UseLine())
        cliflag.PrintSections(cmd.OutOrStdout(), namedFlagSets, cols)
    })

    return cmd
}

启动 Http 服务

通过 CreateServerChain() 创建 server,经过 PrepareRun() 返回 preparedGenericAPIServer 并最终调用其 Run() 方法。

// Run runs the specified APIServer.  This should never exit.
func Run(completeOptions completedServerRunOptions, stopCh <-chan struct{}) error {
    ...

    // 创建 server
    server, err := CreateServerChain(completeOptions, stopCh)
    if err != nil {
        return err
    }

    return server.PrepareRun().Run(stopCh)
}

进入 server.PrepareRun().Run():

// Run spawns the secure http server. It only returns if stopCh is closed
// or the secure port cannot be listened on initially.
func (s preparedGenericAPIServer) Run(stopCh <-chan struct{}) error {
    err := s.NonBlockingRun(stopCh)
    if err != nil {
        return err
    }

    <-stopCh

    err = s.RunPreShutdownHooks()
    if err != nil {
        return err
    }

    // Wait for all requests to finish, which are bounded by the RequestTimeout variable.
    s.HandlerChainWaitGroup.Wait()

    return nil
}

Run 函数调用了 s.NonBlockingRun(),看下 NonBlockingRun() 的实现:

// NonBlockingRun spawns the secure http server. An error is
// returned if the secure port cannot be listened on.
func (s preparedGenericAPIServer) NonBlockingRun(stopCh <-chan struct{}) error {
    ...

    // Use an internal stop channel to allow cleanup of the listeners on error.
    internalStopCh := make(chan struct{})
    var stoppedCh <-chan struct{}
    if s.SecureServingInfo != nil && s.Handler != nil {
        var err error
        stoppedCh, err = s.SecureServingInfo.Serve(s.Handler, s.ShutdownTimeout, internalStopCh)
        if err != nil {
            close(internalStopCh)
            return err
        }
    }

    ...

    return nil
}

其中又继续调用了 s.SecureServingInfo.Serve() 来启动 http 服务器,继续深入:

func (s *SecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Duration, stopCh <-chan struct{}) (<-chan struct{}, error) {
    ...

    // 构造 http.Server
    secureServer := &http.Server{
        Addr:           s.Listener.Addr().String(),
        Handler:        handler,
        ...
    }

    ...

    return RunServer(secureServer, s.Listener, shutdownTimeout, stopCh)
}

其中构造了 http.Server,里面包含处理 http 请求的 handler,并继续调用了 RunServer(),继续深入,

代码大致逻辑:

  • 前一个 goroutine 在 <-stopCh 这里阻塞,如果这个 channel 被关闭,那么就会停止阻塞并执行退出逻辑的代码,实现了优雅退出。
  • 后一个 goroutine 中调用了 server.Serve() 来启动 http 服务。
// RunServer listens on the given port if listener is not given,
// then spawns a go-routine continuously serving until the stopCh is closed.
// It returns a stoppedCh that is closed when all non-hijacked active requests
// have been processed.
// This function does not block
// TODO: make private when insecure serving is gone from the kube-apiserver
func RunServer(
    server *http.Server,
    ln net.Listener,
    shutDownTimeout time.Duration,
    stopCh <-chan struct{},
) (<-chan struct{}, error) {
    ...

    // Shutdown server gracefully.
    stoppedCh := make(chan struct{})
    go func() {
        defer close(stoppedCh)
        <-stopCh
        ctx, cancel := context.WithTimeout(context.Background(), shutDownTimeout)
        server.Shutdown(ctx)
        cancel()
    }()

    go func() {
        ...

        err := server.Serve(listener)

        msg := fmt.Sprintf("Stopped listening on %s", ln.Addr().String())
        select {
        case <-stopCh:
            klog.Info(msg)
        default:
            panic(fmt.Sprintf("%s due to error: %v", msg, err))
        }
    }()

    return stoppedCh, nil
}

构造 kube-apiserver

回到 CreateServerChain() 继续看如何构造 kube-apiserver:

// CreateServerChain creates the apiservers connected via delegation.
func CreateServerChain(completedOptions completedServerRunOptions, stopCh <-chan struct{}) (*genericapiserver.GenericAPIServer, error) {
    ...

    // 创建扩展的 API server
    apiExtensionsServer, err := createAPIExtensionsServer(apiExtensionsConfig, genericapiserver.NewEmptyDelegate())
    if err != nil {
        return nil, err
    }

    // 创建核心的 kubeAPIServer
    kubeAPIServer, err := CreateKubeAPIServer(kubeAPIServerConfig, apiExtensionsServer.GenericAPIServer, admissionPostStartHook)
    if err != nil {
        return nil, err
    }

    ...

    // 聚合 server 的配置和创建
    aggregatorServer, err := createAggregatorServer(aggregatorConfig, kubeAPIServer.GenericAPIServer, apiExtensionsServer.Informers)
    if err != nil {
        // we don't need special handling for innerStopCh because the aggregator server doesn't create any go routines
        return nil, err
    }

    ...

    return aggregatorServer.GenericAPIServer, nil
}

先看下 CreateKubeAPIServer():

  • 根据传递的 kubeAPIServerConfig 来创建一个 kube-apiserver 对象
  • 创建过程中会涉及到将遗留 API 和标准 restful API 对象注册到 restful.Container 中
// CreateKubeAPIServer creates and wires a workable kube-apiserver
func CreateKubeAPIServer(kubeAPIServerConfig *master.Config, delegateAPIServer genericapiserver.DelegationTarget, admissionPostStartHook genericapiserver.PostStartHookFunc) (*master.Master, error) {
    kubeAPIServer, err := kubeAPIServerConfig.Complete().New(delegateAPIServer)
    if err != nil {
        return nil, err
    }

    ...

    return kubeAPIServer, nil
}

进入 kubeAPIServerConfig.Complete().New(),涉及到 kube-apiserver 的创建及 API 的注册过程,

代码大致逻辑:

  • 创建一个 kube-apiserver 对象,并放到 Master 结构体中
  • 配置 legacy API 接口并注册到 kube-apiserver 的 restful.Container 中去
  • 配置标准的 restful API 接口并注册到 kube-apiserver 的 restful.Container 中去

这些代码遵循 go-restful 的设计模式,即:

  • 将处理方法注册到 Route 中去,同一个根路径下的 Route 注册到 WebService 中去,WebService append 到 Container.webServices 中。
  • 访问的过程为 Container -> WebService -> Route。
func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget) (*Master, error) {
    ...

    // 创建 kube-apiserver
    s, err := c.GenericConfig.New("kube-apiserver", delegationTarget)
    if err != nil {
        return nil, err
    }

    m := &Master{
        GenericAPIServer: s,
    }

    // install legacy rest storage
    // 将 /api 开头的路由注册到 restful.Container
    if c.ExtraConfig.APIResourceConfigSource.VersionEnabled(apiv1.SchemeGroupVersion) {
        legacyRESTStorageProvider := corerest.LegacyRESTStorageProvider{
            StorageFactory:              c.ExtraConfig.StorageFactory,
            ProxyTransport:              c.ExtraConfig.ProxyTransport,
            KubeletClientConfig:         c.ExtraConfig.KubeletClientConfig,
            EventTTL:                    c.ExtraConfig.EventTTL,
            ServiceIPRange:              c.ExtraConfig.ServiceIPRange,
            ServiceNodePortRange:        c.ExtraConfig.ServiceNodePortRange,
            LoopbackClientConfig:        c.GenericConfig.LoopbackClientConfig,
            ServiceAccountIssuer:        c.ExtraConfig.ServiceAccountIssuer,
            ServiceAccountMaxExpiration: c.ExtraConfig.ServiceAccountMaxExpiration,
            APIAudiences:                c.GenericConfig.Authentication.APIAudiences,
        }
        m.InstallLegacyAPI(&c, c.GenericConfig.RESTOptionsGetter, legacyRESTStorageProvider)
    }

    // The order here is preserved in discovery.
    // If resources with identical names exist in more than one of these groups (e.g. "deployments.apps"" and "deployments.extensions"),
    // the order of this list determines which group an unqualified resource name (e.g. "deployments") should prefer.
    // This priority order is used for local discovery, but it ends up aggregated in `k8s.io/kubernetes/cmd/kube-apiserver/app/aggregator.go
    // with specific priorities.
    // TODO: describe the priority all the way down in the RESTStorageProviders and plumb it back through the various discovery
    // handlers that we have.
    // 将 /apis 开头的路由注册到 restful.Container
    restStorageProviders := []RESTStorageProvider{
        auditregistrationrest.RESTStorageProvider{},
        authenticationrest.RESTStorageProvider{Authenticator: c.GenericConfig.Authentication.Authenticator, APIAudiences: c.GenericConfig.Authentication.APIAudiences},
        authorizationrest.RESTStorageProvider{Authorizer: c.GenericConfig.Authorization.Authorizer, RuleResolver: c.GenericConfig.RuleResolver},
        autoscalingrest.RESTStorageProvider{},
        batchrest.RESTStorageProvider{},
        certificatesrest.RESTStorageProvider{},
        coordinationrest.RESTStorageProvider{},
        extensionsrest.RESTStorageProvider{},
        networkingrest.RESTStorageProvider{},
        policyrest.RESTStorageProvider{},
        rbacrest.RESTStorageProvider{Authorizer: c.GenericConfig.Authorization.Authorizer},
        schedulingrest.RESTStorageProvider{},
        settingsrest.RESTStorageProvider{},
        storagerest.RESTStorageProvider{},
        // keep apps after extensions so legacy clients resolve the extensions versions of shared resource names.
        // See https://github.com/kubernetes/kubernetes/issues/42392
        appsrest.RESTStorageProvider{},
        admissionregistrationrest.RESTStorageProvider{},
        eventsrest.RESTStorageProvider{TTL: c.ExtraConfig.EventTTL},
    }
    m.InstallAPIs(c.ExtraConfig.APIResourceConfigSource, c.GenericConfig.RESTOptionsGetter, restStorageProviders...)

    ...

    return m, nil
}

restStorageProviders 中,每一个注册的 Route,我们可以进入接口 RESTStorageProvider 中,找到对应的路由信息,如 batchrest.RESTStorageProvider{},在 pkg/registry/batch/rest/storage_batch.go:

...

// 创建一个接口并返回 API 组相关信息
func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (genericapiserver.APIGroupInfo, bool) {
    apiGroupInfo := genericapiserver.NewDefaultAPIGroupInfo(batch.GroupName, legacyscheme.Scheme, legacyscheme.ParameterCodec, legacyscheme.Codecs)
    // If you add a version here, be sure to add an entry in `k8s.io/kubernetes/cmd/kube-apiserver/app/aggregator.go with specific priorities.
    // TODO refactor the plumbing to provide the information in the APIGroupInfo

    if apiResourceConfigSource.VersionEnabled(batchapiv1.SchemeGroupVersion) {
        apiGroupInfo.VersionedResourcesStorageMap[batchapiv1.SchemeGroupVersion.Version] = p.v1Storage(apiResourceConfigSource, restOptionsGetter)
    }
    if apiResourceConfigSource.VersionEnabled(batchapiv1beta1.SchemeGroupVersion) {
        apiGroupInfo.VersionedResourcesStorageMap[batchapiv1beta1.SchemeGroupVersion.Version] = p.v1beta1Storage(apiResourceConfigSource, restOptionsGetter)
    }
    if apiResourceConfigSource.VersionEnabled(batchapiv2alpha1.SchemeGroupVersion) {
        apiGroupInfo.VersionedResourcesStorageMap[batchapiv2alpha1.SchemeGroupVersion.Version] = p.v2alpha1Storage(apiResourceConfigSource, restOptionsGetter)
    }

    return apiGroupInfo, true
}

// 路由信息,可根据 API Version 区分
func (p RESTStorageProvider) v1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) map[string]rest.Storage {
    storage := map[string]rest.Storage{}
    // jobs
    jobsStorage, jobsStatusStorage := jobstore.NewREST(restOptionsGetter)
    storage["jobs"] = jobsStorage
    storage["jobs/status"] = jobsStatusStorage

    return storage
}

func (p RESTStorageProvider) v1beta1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) map[string]rest.Storage {
    storage := map[string]rest.Storage{}
    // cronjobs
    cronJobsStorage, cronJobsStatusStorage := cronjobstore.NewREST(restOptionsGetter)
    storage["cronjobs"] = cronJobsStorage
    storage["cronjobs/status"] = cronJobsStatusStorage

    return storage
}

...

回到上一步,继续看 m.InstallAPIs() 方法,

代码大致逻辑:

  • 遍历所有的 Porviders,获取 API 组信息
  • 整合所有组的 API 组信息到 apiGroupsInfo
  • 注册安装所有的 API 组信息
// InstallAPIs will install the APIs for the restStorageProviders if they are enabled.
func (m *Master) InstallAPIs(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter, restStorageProviders ...RESTStorageProvider) {
    apiGroupsInfo := []*genericapiserver.APIGroupInfo{}

    // 遍历所有的 Porviders,获取 API 组信息
    for _, restStorageBuilder := range restStorageProviders {
        groupName := restStorageBuilder.GroupName()
        if !apiResourceConfigSource.AnyVersionForGroupEnabled(groupName) {
            klog.V(1).Infof("Skipping disabled API group %q.", groupName)
            continue
        }

        // 整合所有组的 API 组信息到 apiGroupsInfo
        apiGroupInfo, enabled := restStorageBuilder.NewRESTStorage(apiResourceConfigSource, restOptionsGetter)
        if !enabled {
            klog.Warningf("Problem initializing API group %q, skipping.", groupName)
            continue
        }

        ...

        apiGroupsInfo = append(apiGroupsInfo, &apiGroupInfo)
    }

    // 注册安装所有的 API 组信息
    if err := m.GenericAPIServer.InstallAPIGroups(apiGroupsInfo...); err != nil {
        klog.Fatalf("Error in registering group versions: %v", err)
    }
}

进入到 m.GenericAPIServer.InstallAPIGroups():

// Exposes given api groups in the API.
func (s *GenericAPIServer) InstallAPIGroups(apiGroupInfos ...*APIGroupInfo) error {
    ...

    for _, apiGroupInfo := range apiGroupInfos {
        if err := s.installAPIResources(APIGroupPrefix, apiGroupInfo, openAPIModels); err != nil {
            return fmt.Errorf("unable to install api resources: %v", err)
        }

        ...

        s.DiscoveryGroupManager.AddGroup(apiGroup)
        s.Handler.GoRestfulContainer.Add(discovery.NewAPIGroupHandler(s.Serializer, apiGroup).WebService())
    }
    return nil
}

进入到 s.installAPIResources():

// installAPIResources is a private method for installing the REST storage backing each api groupversionresource
func (s *GenericAPIServer) installAPIResources(apiPrefix string, apiGroupInfo *APIGroupInfo, openAPIModels openapiproto.Models) error {
    for _, groupVersion := range apiGroupInfo.PrioritizedVersions {
        ...

        if err := apiGroupVersion.InstallREST(s.Handler.GoRestfulContainer); err != nil {
            return fmt.Errorf("unable to setup API %v: %v", apiGroupInfo, err)
        }
    }

    return nil
}

进入到 apiGroupVersion.InstallREST():

// InstallREST registers the REST handlers (storage, watch, proxy and redirect) into a restful Container.
// It is expected that the provided path root prefix will serve all operations. Root MUST NOT end
// in a slash.
func (g *APIGroupVersion) InstallREST(container *restful.Container) error {
    prefix := path.Join(g.Root, g.GroupVersion.Group, g.GroupVersion.Version)
    // 创建一个 APIInstaller,包含 API 组、路径信息
    installer := &APIInstaller{
        group:                        g,
        prefix:                       prefix,
        minRequestTimeout:            g.MinRequestTimeout,
        enableAPIResponseCompression: g.EnableAPIResponseCompression,
    }

    apiResources, ws, registrationErrors := installer.Install()
    versionDiscoveryHandler := discovery.NewAPIVersionHandler(g.Serializer, g.GroupVersion, staticLister{apiResources})
    versionDiscoveryHandler.AddToWebService(ws)
    //将 webservice 添加到 container 中
    container.Add(ws)
    return utilerrors.NewAggregate(registrationErrors)
}

进入到 installer.Install():

// Install handlers for API resources.
func (a *APIInstaller) Install() ([]metav1.APIResource, *restful.WebService, []error) {
    var apiResources []metav1.APIResource
    var errors []error
    ws := a.newWebService()

    // Register the paths in a deterministic (sorted) order to get a deterministic swagger spec.
    paths := make([]string, len(a.group.Storage))
    var i int = 0
    for path := range a.group.Storage {
        paths[i] = path
        i++
    }
    sort.Strings(paths)
    for _, path := range paths {
        // 将路由注册到 webservice
        apiResource, err := a.registerResourceHandlers(path, a.group.Storage[path], ws)
        if err != nil {
            errors = append(errors, fmt.Errorf("error in registering resource: %s, %v", path, err))
        }
        if apiResource != nil {
            apiResources = append(apiResources, *apiResource)
        }
    }
    return apiResources, ws, errors
}

进入到 a.registerResourceHandlers(),

这段代码较长,可在 vendor/k8s.io/apiserver/pkg/endpoints/installer.go 中找到。

代码大致逻辑:

  • 根据类型断言判断 storage 接口类型
  • 根据接口类型和 scope,创建不同类型的 action, LIST, POST, PUT, WATCH 等等
  • 遍历所有的 action, 根据 action 类型设置不同的 handler, 并将 path 和对应的 handler 封装成 RouteBuilder 结构
  • 将所有 routes 添加到 webservice 中
func (a *APIInstaller) registerResourceHandlers(path string, storage rest.Storage, ws *restful.WebService) (*metav1.APIResource, error) {
    ...

    // 根据类型断言判断接口类型
    // what verbs are supported by the storage, used to know what verbs we support per path
    creater, isCreater := storage.(rest.Creater)
    namedCreater, isNamedCreater := storage.(rest.NamedCreater)
    lister, isLister := storage.(rest.Lister)
    getter, isGetter := storage.(rest.Getter)
    getterWithOptions, isGetterWithOptions := storage.(rest.GetterWithOptions)
    gracefulDeleter, isGracefulDeleter := storage.(rest.GracefulDeleter)
    collectionDeleter, isCollectionDeleter := storage.(rest.CollectionDeleter)
    updater, isUpdater := storage.(rest.Updater)
    patcher, isPatcher := storage.(rest.Patcher)
    watcher, isWatcher := storage.(rest.Watcher)
    connecter, isConnecter := storage.(rest.Connecter)
    storageMeta, isMetadata := storage.(rest.StorageMetadata)

    ...

    var apiResource metav1.APIResource
    // Get the list of actions for the given scope.
    // 根据接口类型和 scope,创建不同类型的 action, `LIST`, `POST`, `PUT`, `WATCH` 等等
    switch {
    case !namespaceScoped:
        ...

        // Handler for standard REST verbs (GET, PUT, POST and DELETE).
        // Add actions at the resource path: /api/apiVersion/resource
        actions = appendIf(actions, action{"LIST", resourcePath, resourceParams, namer, false}, isLister)
        actions = appendIf(actions, action{"POST", resourcePath, resourceParams, namer, false}, isCreater)
        actions = appendIf(actions, action{"DELETECOLLECTION", resourcePath, resourceParams, namer, false}, isCollectionDeleter)
        // DEPRECATED in 1.11
        actions = appendIf(actions, action{"WATCHLIST", "watch/" + resourcePath, resourceParams, namer, false}, allowWatchList)

        // Add actions at the item path: /api/apiVersion/resource/{name}
        actions = appendIf(actions, action{"GET", itemPath, nameParams, namer, false}, isGetter)
        if getSubpath {
            actions = appendIf(actions, action{"GET", itemPath + "/{path:*}", proxyParams, namer, false}, isGetter)
        }
        actions = appendIf(actions, action{"PUT", itemPath, nameParams, namer, false}, isUpdater)
        actions = appendIf(actions, action{"PATCH", itemPath, nameParams, namer, false}, isPatcher)
        actions = appendIf(actions, action{"DELETE", itemPath, nameParams, namer, false}, isGracefulDeleter)
        // DEPRECATED in 1.11
        actions = appendIf(actions, action{"WATCH", "watch/" + itemPath, nameParams, namer, false}, isWatcher)
        actions = appendIf(actions, action{"CONNECT", itemPath, nameParams, namer, false}, isConnecter)
        actions = appendIf(actions, action{"CONNECT", itemPath + "/{path:*}", proxyParams, namer, false}, isConnecter && connectSubpath)
    default:
        namespaceParamName := "namespaces"
        // Handler for standard REST verbs (GET, PUT, POST and DELETE).
        namespaceParam := ws.PathParameter("namespace", "object name and auth scope, such as for teams and projects").DataType("string")
        namespacedPath := namespaceParamName + "/{namespace}/" + resource
        namespaceParams := []*restful.Parameter{namespaceParam}

        resourcePath := namespacedPath
        resourceParams := namespaceParams
        itemPath := namespacedPath + "/{name}"
        nameParams := append(namespaceParams, nameParam)
        proxyParams := append(nameParams, pathParam)
        itemPathSuffix := ""
        if isSubresource {
            itemPathSuffix = "/" + subresource
            itemPath = itemPath + itemPathSuffix
            resourcePath = itemPath
            resourceParams = nameParams
        }
        apiResource.Name = path
        apiResource.Namespaced = true
        apiResource.Kind = resourceKind
        namer := handlers.ContextBasedNaming{
            SelfLinker:         a.group.Linker,
            ClusterScoped:      false,
            SelfLinkPathPrefix: gpath.Join(a.prefix, namespaceParamName) + "/",
            SelfLinkPathSuffix: itemPathSuffix,
        }

        actions = appendIf(actions, action{"LIST", resourcePath, resourceParams, namer, false}, isLister)
        actions = appendIf(actions, action{"POST", resourcePath, resourceParams, namer, false}, isCreater)
        actions = appendIf(actions, action{"DELETECOLLECTION", resourcePath, resourceParams, namer, false}, isCollectionDeleter)
        // DEPRECATED in 1.11
        actions = appendIf(actions, action{"WATCHLIST", "watch/" + resourcePath, resourceParams, namer, false}, allowWatchList)

        actions = appendIf(actions, action{"GET", itemPath, nameParams, namer, false}, isGetter)
        if getSubpath {
            actions = appendIf(actions, action{"GET", itemPath + "/{path:*}", proxyParams, namer, false}, isGetter)
        }
        actions = appendIf(actions, action{"PUT", itemPath, nameParams, namer, false}, isUpdater)
        actions = appendIf(actions, action{"PATCH", itemPath, nameParams, namer, false}, isPatcher)
        actions = appendIf(actions, action{"DELETE", itemPath, nameParams, namer, false}, isGracefulDeleter)
        // DEPRECATED in 1.11
        actions = appendIf(actions, action{"WATCH", "watch/" + itemPath, nameParams, namer, false}, isWatcher)
        actions = appendIf(actions, action{"CONNECT", itemPath, nameParams, namer, false}, isConnecter)
        actions = appendIf(actions, action{"CONNECT", itemPath + "/{path:*}", proxyParams, namer, false}, isConnecter && connectSubpath)

        // list or post across namespace.
        // For ex: LIST all pods in all namespaces by sending a LIST request at /api/apiVersion/pods.
        // TODO: more strongly type whether a resource allows these actions on "all namespaces" (bulk delete)
        if !isSubresource {
            actions = appendIf(actions, action{"LIST", resource, params, namer, true}, isLister)
            // DEPRECATED in 1.11
            actions = appendIf(actions, action{"WATCHLIST", "watch/" + resource, params, namer, true}, allowWatchList)
        }
    }

    ...

    // 遍历所有的 action, 根据 action 类型设置不同的 handler, 并将 path 和对应的 handler 封装成 RouteBuilder 结构
    for _, action := range actions {
        producedObject := storageMeta.ProducesObject(action.Verb)
        if producedObject == nil {
            producedObject = defaultVersionedObject
        }
        reqScope.Namer = action.Namer

        requestScope := "cluster"
        var namespaced string
        var operationSuffix string
        if apiResource.Namespaced {
            requestScope = "namespace"
            namespaced = "Namespaced"
        }
        if strings.HasSuffix(action.Path, "/{path:*}") {
            requestScope = "resource"
            operationSuffix = operationSuffix + "WithPath"
        }
        if action.AllNamespaces {
            requestScope = "cluster"
            operationSuffix = operationSuffix + "ForAllNamespaces"
            namespaced = ""
        }

        if kubeVerb, found := toDiscoveryKubeVerb[action.Verb]; found {
            if len(kubeVerb) != 0 {
                kubeVerbs[kubeVerb] = struct{}{}
            }
        } else {
            return nil, fmt.Errorf("unknown action verb for discovery: %s", action.Verb)
        }

        routes := []*restful.RouteBuilder{}

        // If there is a subresource, kind should be the parent's kind.
        if isSubresource {
            parentStorage, ok := a.group.Storage[resource]
            if !ok {
                return nil, fmt.Errorf("missing parent storage: %q", resource)
            }

            fqParentKind, err := GetResourceKind(a.group.GroupVersion, parentStorage, a.group.Typer)
            if err != nil {
                return nil, err
            }
            kind = fqParentKind.Kind
        }

        verbOverrider, needOverride := storage.(StorageMetricsOverride)

        switch action.Verb {
        case "GET": // Get a resource.
            var handler restful.RouteFunction
            if isGetterWithOptions {
                handler = restfulGetResourceWithOptions(getterWithOptions, reqScope, isSubresource)
            } else {
                handler = restfulGetResource(getter, exporter, reqScope)
            }

            if needOverride {
                // need change the reported verb
                handler = metrics.InstrumentRouteFunc(verbOverrider.OverrideMetricsVerb(action.Verb), group, version, resource, subresource, requestScope, metrics.APIServerComponent, handler)
            } else {
                handler = metrics.InstrumentRouteFunc(action.Verb, group, version, resource, subresource, requestScope, metrics.APIServerComponent, handler)
            }

            if a.enableAPIResponseCompression {
                handler = genericfilters.RestfulWithCompression(handler)
            }
            doc := "read the specified " + kind
            if isSubresource {
                doc = "read " + subresource + " of the specified " + kind
            }
            route := ws.GET(action.Path).To(handler).
                Doc(doc).
                Param(ws.QueryParameter("pretty", "If 'true', then the output is pretty printed.")).
                Operation("read"+namespaced+kind+strings.Title(subresource)+operationSuffix).
                Produces(append(storageMeta.ProducesMIMETypes(action.Verb), mediaTypes...)...).
                Returns(http.StatusOK, "OK", producedObject).
                Writes(producedObject)
            if isGetterWithOptions {
                if err := addObjectParams(ws, route, versionedGetOptions); err != nil {
                    return nil, err
                }
            }
            if isExporter {
                if err := addObjectParams(ws, route, versionedExportOptions); err != nil {
                    return nil, err
                }
            }
            addParams(route, action.Params)
            routes = append(routes, route)
        case "LIST": // List all resources of a kind.
            doc := "list objects of kind " + kind
            if isSubresource {
                doc = "list " + subresource + " of objects of kind " + kind
            }
            handler := metrics.InstrumentRouteFunc(action.Verb, group, version, resource, subresource, requestScope, metrics.APIServerComponent, restfulListResource(lister, watcher, reqScope, false, a.minRequestTimeout))
            if a.enableAPIResponseCompression {
                handler = genericfilters.RestfulWithCompression(handler)
            }
            route := ws.GET(action.Path).To(handler).
                Doc(doc).
                Param(ws.QueryParameter("pretty", "If 'true', then the output is pretty printed.")).
                Operation("list"+namespaced+kind+strings.Title(subresource)+operationSuffix).
                Produces(append(storageMeta.ProducesMIMETypes(action.Verb), allMediaTypes...)...).
                Returns(http.StatusOK, "OK", versionedList).
                Writes(versionedList)
            if err := addObjectParams(ws, route, versionedListOptions); err != nil {
                return nil, err
            }
            switch {
            case isLister && isWatcher:
                doc := "list or watch objects of kind " + kind
                if isSubresource {
                    doc = "list or watch " + subresource + " of objects of kind " + kind
                }
                route.Doc(doc)
            case isWatcher:
                doc := "watch objects of kind " + kind
                if isSubresource {
                    doc = "watch " + subresource + "of objects of kind " + kind
                }
                route.Doc(doc)
            }
            addParams(route, action.Params)
            routes = append(routes, route)
        case "PUT": // Update a resource.
            doc := "replace the specified " + kind
            if isSubresource {
                doc = "replace " + subresource + " of the specified " + kind
            }
            handler := metrics.InstrumentRouteFunc(action.Verb, group, version, resource, subresource, requestScope, metrics.APIServerComponent, restfulUpdateResource(updater, reqScope, admit))
            route := ws.PUT(action.Path).To(handler).
                Doc(doc).
                Param(ws.QueryParameter("pretty", "If 'true', then the output is pretty printed.")).
                Operation("replace"+namespaced+kind+strings.Title(subresource)+operationSuffix).
                Produces(append(storageMeta.ProducesMIMETypes(action.Verb), mediaTypes...)...).
                Returns(http.StatusOK, "OK", producedObject).
                // TODO: in some cases, the API may return a v1.Status instead of the versioned object
                // but currently go-restful can't handle multiple different objects being returned.
                Returns(http.StatusCreated, "Created", producedObject).
                Reads(defaultVersionedObject).
                Writes(producedObject)
            if err := addObjectParams(ws, route, versionedUpdateOptions); err != nil {
                return nil, err
            }
            addParams(route, action.Params)
            routes = append(routes, route)
        case "PATCH": // Partially update a resource
            doc := "partially update the specified " + kind
            if isSubresource {
                doc = "partially update " + subresource + " of the specified " + kind
            }
            supportedTypes := []string{
                string(types.JSONPatchType),
                string(types.MergePatchType),
                string(types.StrategicMergePatchType),
            }
            if utilfeature.DefaultFeatureGate.Enabled(features.ServerSideApply) {
                supportedTypes = append(supportedTypes, string(types.ApplyPatchType))
            }
            handler := metrics.InstrumentRouteFunc(action.Verb, group, version, resource, subresource, requestScope, metrics.APIServerComponent, restfulPatchResource(patcher, reqScope, admit, supportedTypes))
            route := ws.PATCH(action.Path).To(handler).
                Doc(doc).
                Param(ws.QueryParameter("pretty", "If 'true', then the output is pretty printed.")).
                Consumes(supportedTypes...).
                Operation("patch"+namespaced+kind+strings.Title(subresource)+operationSuffix).
                Produces(append(storageMeta.ProducesMIMETypes(action.Verb), mediaTypes...)...).
                Returns(http.StatusOK, "OK", producedObject).
                Reads(metav1.Patch{}).
                Writes(producedObject)
            if err := addObjectParams(ws, route, versionedPatchOptions); err != nil {
                return nil, err
            }
            addParams(route, action.Params)
            routes = append(routes, route)
        case "POST": // Create a resource.
            var handler restful.RouteFunction
            if isNamedCreater {
                handler = restfulCreateNamedResource(namedCreater, reqScope, admit)
            } else {
                handler = restfulCreateResource(creater, reqScope, admit)
            }
            handler = metrics.InstrumentRouteFunc(action.Verb, group, version, resource, subresource, requestScope, metrics.APIServerComponent, handler)
            article := getArticleForNoun(kind, " ")
            doc := "create" + article + kind
            if isSubresource {
                doc = "create " + subresource + " of" + article + kind
            }
            route := ws.POST(action.Path).To(handler).
                Doc(doc).
                Param(ws.QueryParameter("pretty", "If 'true', then the output is pretty printed.")).
                Operation("create"+namespaced+kind+strings.Title(subresource)+operationSuffix).
                Produces(append(storageMeta.ProducesMIMETypes(action.Verb), mediaTypes...)...).
                Returns(http.StatusOK, "OK", producedObject).
                // TODO: in some cases, the API may return a v1.Status instead of the versioned object
                // but currently go-restful can't handle multiple different objects being returned.
                Returns(http.StatusCreated, "Created", producedObject).
                Returns(http.StatusAccepted, "Accepted", producedObject).
                Reads(defaultVersionedObject).
                Writes(producedObject)
            if err := addObjectParams(ws, route, versionedCreateOptions); err != nil {
                return nil, err
            }
            addParams(route, action.Params)
            routes = append(routes, route)
        case "DELETE": // Delete a resource.
            article := getArticleForNoun(kind, " ")
            doc := "delete" + article + kind
            if isSubresource {
                doc = "delete " + subresource + " of" + article + kind
            }
            handler := metrics.InstrumentRouteFunc(action.Verb, group, version, resource, subresource, requestScope, metrics.APIServerComponent, restfulDeleteResource(gracefulDeleter, isGracefulDeleter, reqScope, admit))
            route := ws.DELETE(action.Path).To(handler).
                Doc(doc).
                Param(ws.QueryParameter("pretty", "If 'true', then the output is pretty printed.")).
                Operation("delete"+namespaced+kind+strings.Title(subresource)+operationSuffix).
                Produces(append(storageMeta.ProducesMIMETypes(action.Verb), mediaTypes...)...).
                Writes(versionedStatus).
                Returns(http.StatusOK, "OK", versionedStatus).
                Returns(http.StatusAccepted, "Accepted", versionedStatus)
            if isGracefulDeleter {
                route.Reads(versionedDeleterObject)
                route.ParameterNamed("body").Required(false)
                if err := addObjectParams(ws, route, versionedDeleteOptions); err != nil {
                    return nil, err
                }
            }
            addParams(route, action.Params)
            routes = append(routes, route)
        case "DELETECOLLECTION":
            doc := "delete collection of " + kind
            if isSubresource {
                doc = "delete collection of " + subresource + " of a " + kind
            }
            handler := metrics.InstrumentRouteFunc(action.Verb, group, version, resource, subresource, requestScope, metrics.APIServerComponent, restfulDeleteCollection(collectionDeleter, isCollectionDeleter, reqScope, admit))
            route := ws.DELETE(action.Path).To(handler).
                Doc(doc).
                Param(ws.QueryParameter("pretty", "If 'true', then the output is pretty printed.")).
                Operation("deletecollection"+namespaced+kind+strings.Title(subresource)+operationSuffix).
                Produces(append(storageMeta.ProducesMIMETypes(action.Verb), mediaTypes...)...).
                Writes(versionedStatus).
                Returns(http.StatusOK, "OK", versionedStatus)
            if err := addObjectParams(ws, route, versionedListOptions); err != nil {
                return nil, err
            }
            addParams(route, action.Params)
            routes = append(routes, route)
        // deprecated in 1.11
        case "WATCH": // Watch a resource.
            doc := "watch changes to an object of kind " + kind
            if isSubresource {
                doc = "watch changes to " + subresource + " of an object of kind " + kind
            }
            doc += ". deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter."
            handler := metrics.InstrumentRouteFunc(action.Verb, group, version, resource, subresource, requestScope, metrics.APIServerComponent, restfulListResource(lister, watcher, reqScope, true, a.minRequestTimeout))
            route := ws.GET(action.Path).To(handler).
                Doc(doc).
                Param(ws.QueryParameter("pretty", "If 'true', then the output is pretty printed.")).
                Operation("watch"+namespaced+kind+strings.Title(subresource)+operationSuffix).
                Produces(allMediaTypes...).
                Returns(http.StatusOK, "OK", versionedWatchEvent).
                Writes(versionedWatchEvent)
            if err := addObjectParams(ws, route, versionedListOptions); err != nil {
                return nil, err
            }
            addParams(route, action.Params)
            routes = append(routes, route)
        // deprecated in 1.11
        case "WATCHLIST": // Watch all resources of a kind.
            doc := "watch individual changes to a list of " + kind
            if isSubresource {
                doc = "watch individual changes to a list of " + subresource + " of " + kind
            }
            doc += ". deprecated: use the 'watch' parameter with a list operation instead."
            handler := metrics.InstrumentRouteFunc(action.Verb, group, version, resource, subresource, requestScope, metrics.APIServerComponent, restfulListResource(lister, watcher, reqScope, true, a.minRequestTimeout))
            route := ws.GET(action.Path).To(handler).
                Doc(doc).
                Param(ws.QueryParameter("pretty", "If 'true', then the output is pretty printed.")).
                Operation("watch"+namespaced+kind+strings.Title(subresource)+"List"+operationSuffix).
                Produces(allMediaTypes...).
                Returns(http.StatusOK, "OK", versionedWatchEvent).
                Writes(versionedWatchEvent)
            if err := addObjectParams(ws, route, versionedListOptions); err != nil {
                return nil, err
            }
            addParams(route, action.Params)
            routes = append(routes, route)
        case "CONNECT":
            for _, method := range connecter.ConnectMethods() {
                connectProducedObject := storageMeta.ProducesObject(method)
                if connectProducedObject == nil {
                    connectProducedObject = "string"
                }
                doc := "connect " + method + " requests to " + kind
                if isSubresource {
                    doc = "connect " + method + " requests to " + subresource + " of " + kind
                }
                handler := metrics.InstrumentRouteFunc(action.Verb, group, version, resource, subresource, requestScope, metrics.APIServerComponent, restfulConnectResource(connecter, reqScope, admit, path, isSubresource))
                route := ws.Method(method).Path(action.Path).
                    To(handler).
                    Doc(doc).
                    Operation("connect" + strings.Title(strings.ToLower(method)) + namespaced + kind + strings.Title(subresource) + operationSuffix).
                    Produces("*/*").
                    Consumes("*/*").
                    Writes(connectProducedObject)
                if versionedConnectOptions != nil {
                    if err := addObjectParams(ws, route, versionedConnectOptions); err != nil {
                        return nil, err
                    }
                }
                addParams(route, action.Params)
                routes = append(routes, route)

                // transform ConnectMethods to kube verbs
                if kubeVerb, found := toDiscoveryKubeVerb[method]; found {
                    if len(kubeVerb) != 0 {
                        kubeVerbs[kubeVerb] = struct{}{}
                    }
                }
            }
        default:
            return nil, fmt.Errorf("unrecognized action verb: %s", action.Verb)
        }
        // 将所有 routes 添加到 webservice 中
        for _, route := range routes {
            route.Metadata(ROUTE_META_GVK, metav1.GroupVersionKind{
                Group:   reqScope.Kind.Group,
                Version: reqScope.Kind.Version,
                Kind:    reqScope.Kind.Kind,
            })
            route.Metadata(ROUTE_META_ACTION, strings.ToLower(action.Verb))
            ws.Route(route)
        }
        // Note: update GetAuthorizerAttributes() when adding a custom handler.
    }

    ...

    return &apiResource, nil
}

filter (权限相关)

kube-apiserver 权限相关的功能,AuthN、AuthZ、Admission 等,是通过 filter 的形式实现的。

回到 cmd/kube-apiserver/app/server.go,进去 CreateKubeAPIServerConfig() -> buildGenericConfig() -> genericapiserver.NewConfig() -> DefaultBuildHandlerChain,可以看到如下代码:

func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler {
    handler := genericapifilters.WithAuthorization(apiHandler, c.Authorization.Authorizer, c.Serializer)
    handler = genericfilters.WithMaxInFlightLimit(handler, c.MaxRequestsInFlight, c.MaxMutatingRequestsInFlight, c.LongRunningFunc)
    handler = genericapifilters.WithImpersonation(handler, c.Authorization.Authorizer, c.Serializer)
    handler = genericapifilters.WithAudit(handler, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc)
    failedHandler := genericapifilters.Unauthorized(c.Serializer, c.Authentication.SupportsBasicAuth)
    failedHandler = genericapifilters.WithFailedAuthenticationAudit(failedHandler, c.AuditBackend, c.AuditPolicyChecker)
    handler = genericapifilters.WithAuthentication(handler, c.Authentication.Authenticator, failedHandler, c.Authentication.APIAudiences)
    handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true")
    handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.LongRunningFunc, c.RequestTimeout)
    handler = genericfilters.WithWaitGroup(handler, c.LongRunningFunc, c.HandlerChainWaitGroup)
    handler = genericapifilters.WithRequestInfo(handler, c.RequestInfoResolver)
    handler = genericfilters.WithPanicRecovery(handler)
    return handler
}

回到 cmd/kube-apiserver/app/server.go,进去 CreateKubeAPIServer() -> kubeAPIServerConfig.Complete().New() -> c.GenericConfig.New(),可以看到如下代码:

// New creates a new server which logically combines the handling chain with the passed server.
// name is used to differentiate for logging. The handler chain in particular can be difficult as it starts delgating.
// delegationTarget may not be nil.
func (c completedConfig) New(name string, delegationTarget DelegationTarget) (*GenericAPIServer, error) {
    ...

    // handlerChainBuilder
    handlerChainBuilder := func(handler http.Handler) http.Handler {
        return c.BuildHandlerChainFunc(handler, c.Config)
    }
    apiServerHandler := NewAPIServerHandler(name, c.Serializer, handlerChainBuilder, delegationTarget.UnprotectedHandler())
    ...

    return s, nil
}

进入 NewAPIServerHandler(),

代码大致逻辑:

  • 将 director 作为参数传给回调函数 handlerChainBuilder,完成 restful.Container 的 handler 注册工作
func NewAPIServerHandler(name string, s runtime.NegotiatedSerializer, handlerChainBuilder HandlerChainBuilderFn, notFoundHandler http.Handler) *APIServerHandler {
    nonGoRestfulMux := mux.NewPathRecorderMux(name)
    if notFoundHandler != nil {
        nonGoRestfulMux.NotFoundHandler(notFoundHandler)
    }

    gorestfulContainer := restful.NewContainer()
    gorestfulContainer.ServeMux = http.NewServeMux()
    gorestfulContainer.Router(restful.CurlyRouter{}) // e.g. for proxy/{kind}/{name}/{*}
    gorestfulContainer.RecoverHandler(func(panicReason interface{}, httpWriter http.ResponseWriter) {
        logStackOnRecover(s, panicReason, httpWriter)
    })
    gorestfulContainer.ServiceErrorHandler(func(serviceErr restful.ServiceError, request *restful.Request, response *restful.Response) {
        serviceErrorHandler(s, serviceErr, request, response)
    })

    director := director{
        name:               name,
        goRestfulContainer: gorestfulContainer,
        nonGoRestfulMux:    nonGoRestfulMux,
    }

    return &APIServerHandler{
        // 回调函数
        FullHandlerChain:   handlerChainBuilder(director),
        GoRestfulContainer: gorestfulContainer,
        NonGoRestfulMux:    nonGoRestfulMux,
        Director:           director,
    }
}

就这样,通过 DefaultBuildHandlerChain 中各种 filter,kube-apiserver 完成了权限控制。

一林黄葉
关注
【k8s源码分析-Apiserver-2】kube-apiserver 结构概览以及主体部分源码分析
叮当猫的喵i
12-25 1366
假 设 所 有 的 认 证 器 都 被 启 用 , 当 客 户 端 发 送 请 求 到 kubeapiserver服务,该请求会进入Authentication Handler函数(处理认 证相关的Handler函数),在Authentication Handler函数中,会遍历已启用的认证器列表, 尝试执行每个认证器, 当有一个认证器返回 true时,则认证成功,否则继续尝试下一个认证器。当客户端发起一个请求,经过认证阶段时,只要有一个认证器通过,则认证成功。在客户端请求通过认证之后, 会来到授权阶段。
【k8s源码分析-Apiserver-1】理解 apiserver 的结构(AggregatorServerKubeAPIServerApiExtensionsServer
叮当猫的喵i
12-06 578
Prometheus 项目与Kubernetes项目一样,也来自于 Google 的Borg体系,它的原型系统,叫作 BorgMon,是一个几乎与 Borg 同时诞生的内部监控系统。而 Prometheus 项目的发起原因也跟 Kubernetes 很类似,都是希望通过对用户更友好的方式,将 Google 内部系统的设计理念,传递给用户和开发者。作为一个监控系统,Prometheus 项目的作用和工作方式,其实可以用如下所示的一张官方示意图来解释。可以看到,Prometheus 项目工作的核心,是。
kube-apiserver源码分析
fengcai_ke的博客
09-12 783
kube-apiserver流程分析
kubernetes的kube-apiserver组件源码分析
虾米的博客
08-24 1791
1 apiserver模块main函数 func main(){    runtime.GOMAXPROCS(runtime.NumCPU())//多核cpu,增加系统吞吐量    rand.Seed(time.Now().UTC().UnixNano())    s:=options.NewAPIServer()//新建一个APIServer对象,APIServer结构体    s.A
kube-apiserver启动流程源码分析
任我行的博客
03-29 732
KubeAPIServer 主要是提供对 API Resource 的操作请求,为 kubernetes 中众多 API 注册路由信息,暴露 RESTful API 并且对外提供 kubernetes service,使集群中以及集群外的服务都可以通过 RESTful API 操作 kubernetes 中的资源。
kube-apiserver原理报告
最新发布
qq_42944740的博客
04-03 976
CRDAA无需编程。用户可选任何语言来实现 CRD 控制器需要编程,并构建可执行文件和镜像。无需额外运行服务;CRD 由 API 服务器处理需要额外创建服务,且该服务可能失效。一旦 CRD 被创建,不需要持续提供支持。Kubernetes 主控节点升级过程中自动会带入缺陷修复。可能需要周期性地从上游提取缺陷修复并更新聚合 API 服务器。无需处理 API 的多个版本;例如,当你控制资源的客户端时,你可以更新它使之与 API 同步。需要处理 API 的多个版本;
kube-apiserver源码-动态准入控制 admission webhook
u014152978的博客
07-06 1600
动态配置admission webhook举例(详情见官方文档:https://kubernetes.io/zh/docs/reference/access-authn-authz/extensible-admission-controllers/): apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: "pod-policy.example.com" web
【k8s】kube-scheduler
qq_41123190的博客
06-17 1243
Scheduler在整个系统中承担了“承上启下”的重要功能。“承上”是指它负责接受Controller Manager创建的新Pod,为其安排Node;“启下”是指安置工作完成后,目标Node上的kubelet服务进程接管后续工作。Pod是Kubernetes中最小的调度单元,Pod被创建出来的工作流程如图所示:在这张图中通过这个流程我们可以看出整个过程中最重要的就是apiserver watch APIkube-scheduler的调度策略。总之,kube-scheduler的功能是为还没有和任何Nod
etcd 启动分析_Etcd源码分析: 启动
weixin_39566864的博客
12-19 388
启动启动源码 /etcdmain/main.go 中的main函数开始func Main() {checkSupportArch() // 检查系统是否支持if len(os.Args) > 1 { // 获取入参cmd := os.Args[1] // 获取启动命令if covArgs := os.Getenv("ETCDCOV_ARGS"); len(covArgs) >...
kube-apiserver鉴权源码简析
nangonghen的博客
11-19 538
kube-apiserver的鉴权其实so easy
KubeApiserver源码分析
a1023934860的博客
05-24 343
KubeApiserver流程分析 kube-apiserver底层原理使用go-restful框架对路径进行映射,然后通过etcd客户端对etcd进行请求。 我们需要注意kube-apiserver的几个功能:TLS认证、权限验证、webhook。 kube-apiserver使用http2.0作为传输协议所以对请求进行采用TLS认证,在认证完成后会通过类似于过滤链的形式对请求进行调用。 接下来让我们先看一下kube-apiserver是如何创建go-restful以及添加资源映射的。 //创建go-re
kube-apiserver源码解析之数据库操作
weixin_41842682的博客
09-08 364
ApiServer与数据库的交互主要指的是与etcd的交互,Kubernetes所有组件不直接与etcd交互,都是通过请求apiserverapiserveretcd进行交互完成数据的最终落盘。在之前路由的实现已经说过,apiserver最终实现的handler对应的后端数据库是以Store的结构 保存的,这里以api开头的路由为例,在NewLegacyRESTStorage方法中,通过New...
kubernetes源码分析】解析apiserver资源类型(一)
c-rain
04-09 739
前言   2021年开始第4个月了,由于工作过于繁忙的缘故很久没有开始文章的写作。其实一直以来我个人把写文章这件事,当作推进自己学习成长的一种方式。   这篇文章是kubernetes源码分析的第一个主题,后续会陆续更新。大致的纲要为client-go、控制器、调度器、自定义控制器、operator、网络几个方面。   当操作资源与apiserver进行通信时,平时都是直接编写YAML资源文件,通过kubectl来提交创建对应等资源对象,那么它究竟
k8s :kube-apiserver 访问 etcd 后端存储
weixin_33971977的博客
03-30 1652
前言 本文介绍 kube-apiserver 是如何访问 etcd 后端存储 相关源代码主要在 kubernetes/staging/src/k8s.io/apiserver/pkg/storage 通用接口 Interface offers a common interface for object marshaling/unmarsh...
kubernetes 架构解析之kube-apiserver启动过程详解
柳清风的专栏
02-04 6345
之前的blog分析过k8s 1.4的apiserver代码,今天和大家分享一下k8s 1.7.6关于apiserver启动的代码。先上一个大图,花了好几个小时! 上面的图是整个启动的完整流程,关于api注册的地方。我打印了具体日志 上面installAPIResources有三个输入源分别是下面三个: extensions version:apiextensions.k8s.io/
etcd 启动分析_如何阅读 etcd 源码
weixin_33312000的博客
12-31 130
在前面的几篇文章中,我们已经学习了 Raft 协议、raftexample 和 etcd 常用命令。Raft 和 raftexample 主要对 Raft 协议的认识和实践,etcd 常用命令只能算是揭开 etcd 使用的面纱。此时解读源码,从哪里开始呢?有的同学可能会说:“从 etcdctl 命令开始,从 etcd server 开始 或 从 raft 模块开始“。如果对于一个项目没有整体的认识...
Kubernetes APIServerEtcd,controller manager,scheduler 高可用原理
小楼一夜听春雨,深巷明朝卖杏花
07-20 2024
这两个月和博云合作的项目是要用于客户生产环境的,这个和我以前做的东西有很大的不同,所有基础架构必须给出高可用的解决方案。在这之前我只做过一些流量较小的用户产品或者一些原型项目,一开始基础架构都只给出了单节点的解决方案,结果被大师兄喷这个在生产环境根本不可用。不过事实确实是在一个真实的分布式系统中硬件损坏、进程崩溃、网络不通都可能直接导致系统不可用。...
Kubernetes1.5源码分析(四) apiServer资源的etcd接口实现
weixin_34357267的博客
03-18 748
源码版本 Kubernetes v1.5.0 简介 k8s的各个组件与apiServer交互操作各种资源对象,最终都会落入到etcd中。k8s为所有对外提供服务的Restful资源实现了一套通用的符合Restful要求的etcd操作接口,每个服务接口负责处理一类(Kind)资源对象。这些资源对象包括pods、bindings、podTem...
kube-apiserver启动失败
06-28
当您尝试启动Kubernetes的kube-apiserver时,可能会遇到一些问题。这些问题可能会由各种原因引起,例如配置错误或系统故障。 以下是一些可能会导致kube-apiserver启动失败的常见原因: 1. 网络问题:kube-api...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值