From 496c6e6690bc8b126b3648fef539b8c307e11844 Mon Sep 17 00:00:00 2001 From: "huanqing.shao" Date: Fri, 3 Jan 2020 22:46:02 +0800 Subject: [PATCH] subPathExpr / ServiceAccount --- .vuepress/config-sidebar.js | 1 + .vuepress/public/install-script/kuboard.yaml | 2 + install/install-dashboard.md | 1 + learning/k8s-advanced/sec/sa-admin.md | 95 ++++++++++++++++++ .../image-20200101173914313.png | Bin 0 -> 10430 bytes .../persistent/volume-mount-point.md | 6 +- support/change-log/change-log-on-the-way.md | 9 +- support/change-log/v1.0.x.md | 15 ++- 8 files changed, 121 insertions(+), 8 deletions(-) create mode 100644 learning/k8s-advanced/sec/sa-admin.md create mode 100644 learning/k8s-intermediate/persistent/volume-mount-point.assets/image-20200101173914313.png diff --git a/.vuepress/config-sidebar.js b/.vuepress/config-sidebar.js index de6910f..3e8aee3 100644 --- a/.vuepress/config-sidebar.js +++ b/.vuepress/config-sidebar.js @@ -397,6 +397,7 @@ module.exports = { title: '安全', collapsable: true, children: [ + 'k8s-advanced/sec/sa-admin', 'k8s-advanced/sec/rbac/api', 'k8s-advanced/sec/rbac/default', 'k8s-advanced/sec/rbac/escalation', diff --git a/.vuepress/public/install-script/kuboard.yaml b/.vuepress/public/install-script/kuboard.yaml index a07670f..140a64e 100644 --- a/.vuepress/public/install-script/kuboard.yaml +++ b/.vuepress/public/install-script/kuboard.yaml @@ -125,6 +125,8 @@ metadata: name: kuboard namespace: kube-system annotations: + k8s.eip.work/displayName: kuboard + k8s.eip.work/workload: kuboard nginx.org/websocket-services: "kuboard" nginx.com/sticky-cookie-services: "serviceName=kuboard srv_id expires=1h path=/" spec: diff --git a/install/install-dashboard.md b/install/install-dashboard.md index 0b7d2f1..b525c4c 100644 --- a/install/install-dashboard.md +++ b/install/install-dashboard.md 
@@ -35,6 +35,7 @@ Kuboard 是 Kubernetes 的一款图形化管理界面。 | Kubernetes 版本 | Kuboard 版本 | 兼容性 | 说明 | | --------------- | -------------- | ------ | ------------------------------------------------------------ | +| v1.17 | v1.0 | 😄 | 已验证 | | v1.16 | v1.0 | 😄 | 已验证 | | v1.15 | v1.0 | 😄 | 已验证 | | v1.14 | v1.0 | 😄 | 已验证 | diff --git a/learning/k8s-advanced/sec/sa-admin.md b/learning/k8s-advanced/sec/sa-admin.md new file mode 100644 index 0000000..c3b70c4 --- /dev/null +++ b/learning/k8s-advanced/sec/sa-admin.md 
@@ -0,0 +1,95 @@ +--- +vssueId: 175 +layout: LearningLayout +description: Kubernetes教程_本文面向集群管理员,阐述如何管理Service Account。Kubernetes 已经计划了要支持 user account,但是尚未完成。本文中引用了未完成的特性(user account)是为了更好地描述 service account。 +meta: + - name: keywords + content: Kubernetes 教程,Kubernetes Service Account +--- + +# 管理ServiceAccount + + + +本文面向集群管理员,阐述如何管理Service Account。假设您已经熟悉了 [Configure Service Accounts for Pods](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/)。 + + + +Kubernetes 已经计划了要支持 user account,但是尚未完成。本文中引用了未完成的特性(user account)是为了更好地描述 service account。 + +[[TOC]] + +## User accounts vs. service accounts + + +Kubernetes 明确地区分了 user account 和 service account 的概念,原因如下: + +* User account 的使用者是用户(人),service account 的使用者是运行在 Pod 中的进程。 +* User account 应该是全局的,用户名在集群范围内(跨名称空间)必须唯一。Service account 的名称在名称空间内唯一即可 +* 通常,集群的 user account 可能是从企业的数据库同步过来,在那里,创建新的 user account 需要特殊的权限,并且受复杂的业务流程管控。Service account 的创建则更加轻量级,允许集群的用户为特定的任务创建 service account,(最小权限的原则) +* 对用户(人)和 service account 的审计过程可能会不一样 +* 一个复杂系统中,可能为不同的组件配置不同的 service account。由于 service account 可以临时创建,并且在名称空间内唯一,这种配置信息是可以移植的 + +## Service account automation + +三个组件共同实现了 service account 的 automation: +* Service account admission controller +* Token controller +* Service account controller + +### Service account admission controller + +[Admission Controller](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/) 是 apiserver 的一部分,它在 Pod 创建或者更新时,对 Pod 执行一些修改。此控制器激活时(默认处于激活状态),当 Pod 被创建或修改时,该控制器将执行如下动作: +1. 如果 Pod 未设置 `ServiceAccount`,将 `ServiceAccount` 设置为 `default` +2. 确保 Pod 引用的 `ServiceAccount` 存在,否则拒绝创建或者修改 Pod +3. 如果 Pod 不包含任何 `ImagePullSecrets`,则 `ServiceAccount` 中的 `ImagePullSecrets` 将被添加到 Pod 上 +4. 为 Pod 添加一个 `volume` (其中包含了访问 APIServer 的 token) +5. 
为 Pod 中的每一个容器添加一个 `volumeSource`,并挂载到路径 `/var/run/secrets/kubernetes.io/serviceaccount` + +自 v1.13 开始,当 `BoundServiceAccountTokenVolume` 特性被启用时,可以将 service account volume 迁移到一个 [projected volume](https://kubernetes.io/docs/tasks/configure-pod-container/configure-projected-volume-storage/)。Service account token 将在一小时后或者 Pod 被删除后过期。 + +### Token Controller + +TokenController 作为 controller-manager 的一部分运行。以异步的方式执行如下动作: + +* 监听 ServiceAccount 的创建,并创建一个对应的 Secret 以允许访问 APIServer +* 监听 ServiceAccount 的删除,并删除所有对应的 ServiceAccountToken Secrets +* 监听 Secret 的添加,确保其引用的 ServiceAccount 以存在,并在需要时向 Secret 添加 Token +* 监听 Secret 的删除,并在需要的情况下将对应 ServiceAccount 中对 Secret 的引用也删除掉 + +启动 controller-manager 时,必须通过 `--service-account-private-key-file` 参数,向 token controller 传递一个 service account private key 文件。该 private key 将用来为沈城的 service account token 签名。类似的,也必须为通过 `--service-account-key-file` 将其对应的 public key 传递给 kube-apiserver。该 public key 将被用来在认证时验证 token。 + +#### 创建额外的 API token + +控制器确保每个 Service account 都有一个包含 API token 的 Secret。如需为 Service Account 创建额外的 API token,可以创建一个类型为 `ServiceAccountToken` 的 Secret,并在注解中引用对应的 Service Account,此时,控制器将为其创建一个新的 token: + +> secret.json + +``` json +{ + "kind": "Secret", + "apiVersion": "v1", + "metadata": { + "name": "mysecretname", + "annotations": { + "kubernetes.io/service-account.name": "myserviceaccount" + } + }, + "type": "kubernetes.io/service-account-token" +} +``` + +``` sh +kubectl create -f ./secret.json +kubectl describe secret mysecretname +``` + +#### 删除/禁用 Service Account token + +``` sh +kubectl delete secret mysecretname +``` + +### Service Account Controller + +Service Account Controller 管理了名称空间中的 ServiceAccount,并确保每一个当前有效的名称空间中都存在一个名为 `default` 的 ServiceAccount。 
diff --git a/learning/k8s-intermediate/persistent/volume-mount-point.assets/image-20200101173914313.png b/learning/k8s-intermediate/persistent/volume-mount-point.assets/image-20200101173914313.png new file mode 100644 index 0000000000000000000000000000000000000000..439d03bae80fe45258f2f7e66775daac1d5c7063 GIT binary patch literal 10430
diff --git a/learning/k8s-intermediate/persistent/volume-mount-point.md b/learning/k8s-intermediate/persistent/volume-mount-point.md index 1b6b9b0..0b5ba57 100644 --- a/learning/k8s-intermediate/persistent/volume-mount-point.md +++ b/learning/k8s-intermediate/persistent/volume-mount-point.md @@ -54,12 +54,16 @@ spec: ### 通过环境变量指定数据卷内子路径 -**FEATURE STATE:** `Kubernetes v1.15` beta Kuboard暂不支持 +**FEATURE STATE:** `Kubernetes v1.15` beta 使用 `volumeMounts.subPathExpr` 字段,可以通过容器的环境变量指定容器内路径。使用此特性时,必须启用 `VolumeSubpathEnvExpansion` [feature gate](https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/) (自 Kubernetes v1.15 开始,是默认启用的。) 同一个 volumeMounts 中 `subPath` 字段和 `subPathExpr` 字段不能同时使用。 +> 在Kuboard界面中,如果工作负载编辑器中挂载点的 subPath/subPathExpr 字段中包含 `$`,则 Kuboard 认为该字段为 subPathExpr,否则被认为是 subPath。例如,下图中的 $(podName) 将被认为是 subPathExpr :Kuboard v1.0.6-beta.1 +> +> ![./image-20200101173914313](./volume-mount-point.assets/image-20200101173914313.png) + 如下面的例子,该 Pod 使用 `subPathExpr` 在 hostPath 数据卷 `/var/log/pods` 中创建了一个目录 `pod1`(该参数来自于Pod的名字)。此时,宿主机目录 `/var/log/pods/pod1` 挂载到了容器的 `/logs` 路径: ``` yaml {9,19} diff --git a/support/change-log/change-log-on-the-way.md b/support/change-log/change-log-on-the-way.md index 5062500..9822161 100644 --- a/support/change-log/change-log-on-the-way.md +++ b/support/change-log/change-log-on-the-way.md @@ -1,19 +1,17 @@ Kuboard v1.0.x 的更新说明 -**BUG 修复** - -* 工作负载编辑器 --> Ingress --> 当启用前缀时,Ingress中选择的ServiceName缺少前缀 -* 工作负载编辑器 --> 容器 --> 添加环境变量但不填写时,界面无响应 +## v1.0.6-beta.1 +**新特性** +* 工作负载编辑器 --> 容器信息 --> 挂载点 --> 支持subPathExpr * 日志界面支持 ctrl + F * 更新版本时,可以通过下拉列表选择仓库中的版本号 * 导入导出时,需要支持 nfs 等类型的数据卷 -* subPathExpr https://kuboard.cn/learning/k8s-intermediate/persistent/volume-mount-point.html#%E6%95%B0%E6%8D%AE%E5%8D%B7%E5%86%85%E5%AD%90%E8%B7%AF%E5%BE%84 * 工作负载查看 --> 未显示 SecurityContext * EndPoint
@@ -35,7 +33,6 @@ Kuboard v1.0.x 的更新说明 --> clientIP.timeoutSeconds * Service --> .spec.clusterIP -* PV 中支持 hostPath * 存储卷声明去掉分配模式的字段 * 删除容器组时 - graceful period diff --git a/support/change-log/v1.0.x.md b/support/change-log/v1.0.x.md index e97acde..9259380 100644 --- a/support/change-log/v1.0.x.md +++ b/support/change-log/v1.0.x.md @@ -9,10 +9,23 @@ description: 本文描述了Kuboard_v1.0.x的版本变更说明 了解如何 [升级Kuboard](/install/install-dashboard-upgrade.html) -eipwork/kuboard:latest 当前对应的版本是 kuboard v1.0.5.3 +eipwork/kuboard:latest 当前对应的版本是 kuboard v1.0.5.4 Kuboard v1.0.x 的更新说明 +## v1.0.5.4 + +**发布日期** + +2020年1月1日 + +**BUG 修复** + +* 工作负载编辑器 --> Ingress --> 当启用前缀时,Ingress中选择的ServiceName缺少前缀 +* 工作负载编辑器 --> 容器 --> 添加环境变量但不填写时,界面无响应 +* 安装套件 --> 从套件仓库选择套件 --> 点击安装时,不应该所有的套件按钮都显示为加载状态 +* 事件列表 --> 按名称空间删除事件 --> 删除某一个名称空间的事件时,其他名称空间对应的按钮不应该显示为加载状态 + ## v1.0.5.3 **发布日期**
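Review bot: In .vuepress/public/install-script/kuboard.yaml, the two added annotations `k8s.eip.work/displayName: kuboard` and `k8s.eip.work/workload: kuboard` change the install manifest, yet neither the commit subject (subPathExpr / ServiceAccount) nor either change-log file in this patch mentions them. This manifest targets `namespace: kube-system`, so add a change-log line stating what the annotations are used for, or move them to their own commit.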
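Review bot: In learning/k8s-advanced/sec/sa-admin.md, the section 删除/禁用 Service Account token contains only `kubectl delete secret mysecretname` with no explanation, and the preceding 创建额外的 API token section never states how long the Secret-based token remains valid, even though the admission controller section gives the one-hour expiry of the projected-volume token. Add a sentence saying that deleting the Secret is what invalidates the extra token. Also note that secret.json has no `metadata.namespace`, so it has to be created in the namespace where `myserviceaccount` lives. Three wording fixes in the Token Controller section: `以存在` should be `已存在`, `沈城的` should be `生成的`, and `也必须为通过` should be `也必须通过`.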
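Review bot: In learning/k8s-intermediate/persistent/volume-mount-point.md, the added blockquote states that any subPath/subPathExpr value containing `$` is treated as subPathExpr, so a literal subPath whose directory name contains `$` would be submitted as an expression. Either document that limitation or narrow the documented rule to the `$(VAR_NAME)` form used in the example (`$(podName)`). The version marker `:Kuboard v1.0.6-beta.1` is attached to the end of the sentence after a colon; put it on its own line, next to the FEATURE STATE line this hunk edits.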
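Review bot: In support/change-log/change-log-on-the-way.md (first hunk), the new `## v1.0.6-beta.1` and `**新特性**` headings are followed by the single delivered item and then directly by the existing backlog entries (`日志界面支持 ctrl + F`, `更新版本时,可以通过下拉列表选择仓库中的版本号`, and so on) with no heading in between, so the backlog reads as part of the v1.0.6-beta.1 feature list. Add a separate heading for the pending items.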
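Review bot: In support/change-log/change-log-on-the-way.md (second hunk), `* PV 中支持 hostPath` is removed from the pending list, but neither the new v1.0.6-beta.1 section nor the v1.0.5.4 entry added to support/change-log/v1.0.x.md records it. State in which version it shipped, or note why the item was dropped.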