Kubernetes: configuring RBAC
RBAC stands for Role-based access control; it is the permission-related configuration.
The Hazelcast website already provides a ready-made YAML online, with ServiceAccount set to default and the namespace likewise default. If you need to customise it, download the rbac.yaml file and edit it yourself:
kubectl apply -f https://raw.githubusercontent.com/hazelcast/hazelcast-kubernetes/master/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: hazelcast-cluster-role
rules:
  - apiGroups:
      - ""
      # Access to apps API is only required to support automatic cluster state management
      # when persistence (hot-restart) is enabled.
      - apps
    resources:
      - endpoints
      - pods
      - nodes
      - services
      # Access to statefulsets resource is only required to support automatic cluster state management
      # when persistence (hot-restart) is enabled.
      - statefulsets
    verbs:
      - get
      - list
      # Watching resources is only required to support automatic cluster state management
      # when persistence (hot-restart) is enabled.
      - watch
  - apiGroups:
      - "discovery.k8s.io"
    resources:
      - endpointslices
    verbs:
      - get
      - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: hazelcast-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: hazelcast-cluster-role
subjects:
  - kind: ServiceAccount
    name: default
    namespace: mijiuye # adjust the namespace to the one actually in use
app.yml configuration file
kind: Deployment
apiVersion: apps/v1
metadata:
  name: snest-v1
  namespace: $PROJECT_NAMESPACE
  labels:
    app: snest
    app.kubernetes.io/name: snest
    app.kubernetes.io/version: v1
    version: v1
  annotations:
    deployment.kubernetes.io/revision: '3'
    kubesphere.io/creator: admin
    servicemesh.kubesphere.io/enabled: 'true'
spec:
  replicas: 1
  selector:
    matchLabels:
      app: snest
      app.kubernetes.io/name: snest
      app.kubernetes.io/version: v1
      version: v1
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: snest
        app.kubernetes.io/name: snest
        app.kubernetes.io/version: v1
        version: v1
      annotations:
        logging.kubesphere.io/logsidecar-config: '{}'
        sidecar.istio.io/inject: 'true'
    spec:
      volumes:
        - name: host-time
          hostPath:
            path: /etc/localtime
            type: ''
        - name: volume-18unfh
          configMap:
            name: snest
            defaultMode: 420
        - name: volume-v4qaik
          persistentVolumeClaim:
            claimName: apps-frontend
        - name: volume-ajqw8u
          persistentVolumeClaim:
            claimName: apps
      containers:
        - name: sie-snest-server
          image: $REGISTRY/$DOCKERHUB_NAMESPACE/$APP_NAME:$TAG_NAME_ENV
          ports:
            - name: http-8060
              containerPort: 8060
              protocol: TCP
          resources: {}
          volumeMounts:
            - name: host-time
              readOnly: true
              mountPath: /etc/localtime
            - name: volume-18unfh
              readOnly: true
              mountPath: /config
            - name: volume-v4qaik
              mountPath: /apps-frontend
            - name: volume-ajqw8u
              mountPath: /apps
          lifecycle:
            postStart:
              exec:
                command:
                  - /bin/sh
                  - '-c'
                  - >-
                    cp -rf /apps_temp/* /apps
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          imagePullPolicy: IfNotPresent
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      serviceAccountName: default
      serviceAccount: default
      securityContext: {}
      imagePullSecrets:
        - name: harbor
      schedulerName: default-scheduler
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600
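The RBAC manifests and the app.yml above are wired together by one detail: the ClusterRoleBinding grants cluster-wide read access to the namespace's default ServiceAccount, and the Deployment runs its pods as exactly that ServiceAccount, so every pod in the namespace that does not name another ServiceAccount gets the same token. The following Python script is an added example (not part of these notes and not Hazelcast's or KubeSphere's tooling) that statically audits both manifests for that coupling and for the pod-spec settings a reviewer would flag (hostPath volume, empty securityContext, missing limits). The manifests are embedded as JSON, which is the structure yaml.safe_load() returns for the YAML above and which kubectl also accepts; they are trimmed to the fields the checks read, the constructed namespace "mijiuye" stands in for $PROJECT_NAMESPACE, and the severities are this example's own convention.

```python
"""Static audit of the RBAC and Deployment manifests from these notes.

Added example; manifests are a constructed, trimmed JSON rendering of
the YAML above. "mijiuye" stands in for $PROJECT_NAMESPACE.
"""
import json

MANIFESTS = json.loads(r"""
[
 {"kind": "ClusterRole", "metadata": {"name": "hazelcast-cluster-role"},
  "rules": [
   {"apiGroups": ["", "apps"],
    "resources": ["endpoints", "pods", "nodes", "services", "statefulsets"],
    "verbs": ["get", "list", "watch"]},
   {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"],
    "verbs": ["get", "list"]}]},
 {"kind": "ClusterRoleBinding",
  "metadata": {"name": "hazelcast-cluster-role-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "hazelcast-cluster-role"},
  "subjects": [{"kind": "ServiceAccount", "name": "default",
                "namespace": "mijiuye"}]},
 {"kind": "Deployment",
  "metadata": {"name": "snest-v1", "namespace": "mijiuye"},
  "spec": {"template": {"spec": {
    "serviceAccountName": "default",
    "securityContext": {},
    "volumes": [
      {"name": "host-time", "hostPath": {"path": "/etc/localtime"}},
      {"name": "volume-18unfh", "configMap": {"name": "snest"}}],
    "containers": [{
      "name": "sie-snest-server", "resources": {},
      "volumeMounts": [
        {"name": "host-time", "readOnly": true, "mountPath": "/etc/localtime"},
        {"name": "volume-18unfh", "readOnly": true, "mountPath": "/config"}]}]}}}}
]
""")

# Verbs and resources a discovery-only role has no reason to hold.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection",
               "escalate", "bind", "impersonate", "*"}
SENSITIVE_RESOURCES = {"secrets", "*"}


def audit(manifests):
    """Return (severity, message) findings for the given manifest list."""
    findings = []
    by_kind = {}
    for m in manifests:
        by_kind.setdefault(m["kind"], []).append(m)
    roles = {r["metadata"]["name"]: r for r in by_kind.get("ClusterRole", [])}

    # Which ServiceAccounts hold cluster-wide rights, and are they read-only?
    cluster_sas = set()
    for b in by_kind.get("ClusterRoleBinding", []):
        bname, rname = b["metadata"]["name"], b["roleRef"]["name"]
        for rule in roles.get(rname, {}).get("rules", []):
            if (set(rule.get("verbs", [])) & WRITE_VERBS
                    or set(rule.get("resources", [])) & SENSITIVE_RESOURCES):
                findings.append(("HIGH", f"{bname}: {rname} grants write or "
                                 "secret access cluster-wide"))
        for s in b.get("subjects", []):
            if s.get("kind") != "ServiceAccount":
                continue
            cluster_sas.add((s["namespace"], s["name"]))
            if s["name"] == "default":
                findings.append(("HIGH", f"{bname}: cluster-wide role bound to "
                                 f"the 'default' ServiceAccount of {s['namespace']}; "
                                 "every pod there without an explicit "
                                 "serviceAccountName inherits it"))

    # Cross-check each Deployment's pod spec against those bindings.
    for d in by_kind.get("Deployment", []):
        name, ns = d["metadata"]["name"], d["metadata"]["namespace"]
        pod = d["spec"]["template"]["spec"]
        sa = pod.get("serviceAccountName", "default")
        if (ns, sa) in cluster_sas and pod.get("automountServiceAccountToken", True):
            findings.append(("MEDIUM", f"{name}: pods run as {ns}/{sa}, which "
                             "holds cluster-wide rights, and its token is auto-mounted"))
        mounts = [m for c in pod.get("containers", [])
                  for m in c.get("volumeMounts", [])]
        for v in pod.get("volumes", []):
            if "hostPath" not in v:
                continue
            own = [m for m in mounts if m["name"] == v["name"]]
            ro = bool(own) and all(m.get("readOnly", False) for m in own)
            findings.append(("LOW" if ro else "HIGH",
                             f"{name}: hostPath {v['hostPath']['path']} mounted "
                             + ("read-only" if ro else "writable")))
        if not pod.get("securityContext"):
            findings.append(("LOW", f"{name}: empty pod securityContext "
                             "(no runAsNonRoot, no seccompProfile)"))
        for c in pod.get("containers", []):
            if not c.get("resources"):
                findings.append(("LOW", f"{name}/{c['name']}: no CPU/memory limits"))
    return findings


def severity_counts(findings):
    counts = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def with_dedicated_service_account(manifests, sa_name):
    """Copy of the manifests where the binding subject and the Deployment use a
    dedicated ServiceAccount instead of 'default' (the usual remediation)."""
    fixed = json.loads(json.dumps(manifests))
    for m in fixed:
        if m["kind"] == "ClusterRoleBinding":
            for s in m.get("subjects", []):
                if s.get("kind") == "ServiceAccount" and s["name"] == "default":
                    s["name"] = sa_name
        elif m["kind"] == "Deployment":
            m["spec"]["template"]["spec"]["serviceAccountName"] = sa_name
    return fixed


if __name__ == "__main__":
    for sev, msg in audit(MANIFESTS):
        print(f"[{sev}] {msg}")
```

On the manifests as written the audit reports one HIGH (the binding to the default ServiceAccount), one MEDIUM (the Deployment inherits those rights with its token auto-mounted) and three LOW items; the role itself is read-only, which is what a discovery role should be. Switching both the binding subject and the Deployment to a dedicated ServiceAccount, as with_dedicated_service_account shows, removes the HIGH finding while keeping Hazelcast's discovery working, because only the pods that actually need the cluster-wide read access then carry it.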
IIOT configuration files
Deployment mode
- standalone: stand-alone;
- k8s distributed: distributed;
- docker distributed: docker-distributed
deployment.mode=distributed
Auth configuration file
appAuth.Server=http://192.168.168.176:8080
hazelcast configuration file
hazelcast.cluster-name = hazelcast-cluster
hazelcast.network.join.auto-detection.enabled = true
hazelcast.network.join.multicast.enabled = false
hazelcast.network.join.kubernetes.enabled = true
hazelcast.network.join.kubernetes.namespace = default # In an actual deployment use the real namespace; for example, for the iidp namespace change this to iidp
hazelcast.map.hazelcast-map.backup-count = 1
Engine run mode configuration file
#profile
engine.run.mode=DISTRIBUTED
engine.store.meta.mode=CLOUD
SG policy configuration file
url.whiteList=base.rbac_login_model.*,base.rbac_user.*,*.rbac_user.*,*.ui_menu.*,*.meta_app.*,*.meta_product_line.*,*.meta_app_category.*,*.meta_app_dependency.*,*.meta_app_store.*,*.meta_attachment.*,*.ui_view_seed.*,*.meta_app_store_dependency.*,iiot_thing.*,iiot_importexport.*,*.iiot_thing_entity.*,*iiot_thing_overview_model.*,*iiot_thing_model.*,*.iiot_thing_property.*
getModel.whiteList=*.rbac_login_log,*.meta_tree_data,*.rbac_user,*.ui_menu,*.meta_app,*.meta_product_line,*.meta_app_category,*.meta_app_dependency,*.meta_app_store,*.meta_attachment,*.ui_view_seed,*.meta_app_store_dependency,iiot_importexport.*,iiot_thing.*,*iiot_thing_model.*,*.iiot_thing_property.*
sg.whiteList=iiot_alarm.*,iiot_thing.*
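Whitelists like these are the part of the SG policy that exempts requests from the normal checks, so a stray comma (an empty entry), a duplicated pattern or an entry that begins with a wildcard and therefore matches every application prefix deserves a second look before the file ships. The Python script below is an added example, not part of these notes and not the SG component's own code: it parses property lines of this shape into lists, lints them for those three problems, and shows which entries would admit a given dotted name. The notes do not state how the SG matches entries; the script assumes shell-style globs (Python's fnmatch semantics) for the matching demonstration, and the sample lines are a constructed, shortened version of the whitelists above.

```python
"""Lint for SG whitelist properties (key=pattern,pattern,...).

Added example. Matching semantics (shell-style globs via fnmatch) are an
assumption; the original notes do not state the SG's matching rule.
"""
from fnmatch import fnmatchcase

# Constructed sample, shortened from the notes. The doubled comma in the
# second line produces an empty entry, which is one of the things the lint
# is there to catch.
SAMPLE = """\
url.whiteList=base.rbac_login_model.*,base.rbac_user.*,*.rbac_user.*,iiot_thing.*,*iiot_thing_model.*
getModel.whiteList=*.rbac_user,*.ui_menu,iiot_thing.*,,*iiot_thing_model.*,*.rbac_user
sg.whiteList=iiot_alarm.*,iiot_thing.*
"""


def parse(text):
    """Map each whitelist key to its list of entries, keeping empty entries so
    they can be reported."""
    lists = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        lists[key.strip()] = [e.strip() for e in value.split(",")]
    return lists


def lint(lists):
    """Return (key, index, message) triples for empty, duplicate and
    leading-wildcard entries."""
    issues = []
    for key, entries in lists.items():
        seen = set()
        for i, e in enumerate(entries):
            if e == "":
                issues.append((key, i, "empty entry (stray comma)"))
                continue
            if e in seen:
                issues.append((key, i, f"duplicate entry {e}"))
            seen.add(e)
            if e.startswith("*"):
                issues.append((key, i, f"{e} starts with a wildcard and matches "
                               "every application prefix"))
    return issues


def allowed_by(lists, key, name):
    """Entries of whitelist `key` that admit `name` (assumed glob semantics)."""
    return [e for e in lists.get(key, []) if e and fnmatchcase(name, e)]


if __name__ == "__main__":
    lists = parse(SAMPLE)
    for key, i, msg in lint(lists):
        print(f"{key}[{i}]: {msg}")
    print(allowed_by(lists, "url.whiteList", "other.rbac_user.delete"))
```

Two results are worth noticing under the glob assumption: a name from an unrelated application such as other.rbac_user.delete is admitted by *.rbac_user.* alone, which is exactly what a leading wildcard buys, and a bare iiot_alarm is not admitted by iiot_alarm.* because the pattern requires the dot, so a whitelist written for one naming convention can silently fail to cover another.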