
AWS Controllers for Kubernetes (ACK) lets you define and use AWS service resources directly from Red Hat OpenShift Service on AWS (ROSA). With ACK, you can take advantage of AWS-managed services for your applications without having to define resources outside the cluster or run services that provide supporting capabilities, such as databases or message queues, inside the cluster.

You can install a variety of ACK Operators directly from OperatorHub. This makes it easy to get started and use the Operators alongside your applications. This controller is a component of the AWS Controller for Kubernetes project and is currently in developer preview.

This tutorial walks you through deploying the ACK S3 Operator. You can also apply the same steps to any other ACK Operator in your cluster's OperatorHub.

Prerequisites

  • A ROSA cluster

  • A user account with cluster-admin privileges

  • The OpenShift CLI (oc)

  • The Amazon Web Services (AWS) CLI (aws)

Setting up your environment

  1. Configure the following environment variables, changing the cluster name to suit your cluster:

    $ export CLUSTER_NAME=$(oc get infrastructure cluster -o=jsonpath="{.status.infrastructureName}" | sed 's/-[a-z0-9]\{5\}$//')
    $ export REGION=$(rosa describe cluster -c ${CLUSTER_NAME} --output json | jq -r .region.id)
    $ export OIDC_ENDPOINT=$(oc get authentication.config.openshift.io cluster -o json | jq -r .spec.serviceAccountIssuer | sed 's|^https://||')
    $ export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
    $ export ACK_SERVICE=s3
    $ export ACK_SERVICE_ACCOUNT=ack-${ACK_SERVICE}-controller
    $ export POLICY_ARN=arn:aws:iam::aws:policy/AmazonS3FullAccess
    $ export AWS_PAGER=""
    $ export SCRATCH="/tmp/${CLUSTER_NAME}/ack"
    $ mkdir -p ${SCRATCH}
  2. Make sure every field is output correctly before moving on to the next section:

    $ echo "Cluster: ${CLUSTER_NAME}, Region: ${REGION}, OIDC Endpoint: ${OIDC_ENDPOINT}, AWS Account ID: ${AWS_ACCOUNT_ID}"

Preparing your AWS account

  1. Create an AWS Identity and Access Management (IAM) trust policy for the ACK Operator. The StringEquals condition on the OIDC sub claim restricts the role to the single service account the controller runs as:

    $ cat <<EOF > "${SCRATCH}/trust-policy.json"
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "${OIDC_ENDPOINT}:sub": "system:serviceaccount:ack-system:${ACK_SERVICE_ACCOUNT}"
            }
          },
          "Principal": {
            "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_ENDPOINT}"
          },
          "Action": "sts:AssumeRoleWithWebIdentity"
        }
      ]
    }
    EOF
  2. Create an AWS IAM role for the ACK Operator to assume, and attach the AmazonS3FullAccess policy.

    You can find the recommended policy in each project's GitHub repository, for example https://github.com/aws-controllers-k8s/s3-controller/blob/main/config/iam/recommended-policy-arn

    $ ROLE_ARN=$(aws iam create-role --role-name "ack-${ACK_SERVICE}-controller" \
       --assume-role-policy-document "file://${SCRATCH}/trust-policy.json" \
       --query Role.Arn --output text)
    $ echo ${ROLE_ARN}

    $ aws iam attach-role-policy --role-name "ack-${ACK_SERVICE}-controller" \
         --policy-arn ${POLICY_ARN}
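The trust policy above is what keeps the role from being assumable by anything other than the controller's own service account: the federated principal must be this cluster's OIDC provider, and the sub claim must equal one namespace/service-account pair. The following checker, an added example that is not part of the Red Hat documentation or the ACK project, reads a trust policy document and reports any deviation from that shape (extra actions, a foreign or wildcard principal, a missing condition, or a StringLike wildcard on sub). The OIDC endpoint, account ID and service account name in it are constructed placeholders, not values from a real cluster.

```python
"""Static check of the IRSA-style trust policy used by the ACK controller role.

Added example, not code from the Red Hat documentation or the ACK project.
It verifies the properties the trust policy in the "Preparing your AWS
account" step relies on:
  * the federated principal is this cluster's own OIDC provider,
  * the only permitted action is sts:AssumeRoleWithWebIdentity,
  * the sub claim is matched with StringEquals against exactly one
    Kubernetes service account (namespace + name), never a wildcard.
All identifiers below are constructed placeholders.
"""
import json

# Constructed placeholders standing in for the tutorial's environment variables.
OIDC_ENDPOINT = "oidc.example.openshiftapps.com/EXAMPLE_OIDC_ID"
AWS_ACCOUNT_ID = "123456789012"
ACK_NAMESPACE = "ack-system"
ACK_SERVICE_ACCOUNT = "ack-s3-controller"

# The trust policy as the tutorial's heredoc would render it.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Condition": {
            "StringEquals": {
                f"{OIDC_ENDPOINT}:sub":
                    f"system:serviceaccount:{ACK_NAMESPACE}:{ACK_SERVICE_ACCOUNT}",
            }
        },
        "Principal": {
            "Federated": f"arn:aws:iam::{AWS_ACCOUNT_ID}:oidc-provider/{OIDC_ENDPOINT}"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
    }],
})

# A deliberately loosened variant for comparison: StringLike with a wildcard
# service account, which would let every service account in the namespace
# assume the role.
WEAK_TRUST_POLICY = TRUST_POLICY.replace('"StringEquals"', '"StringLike"').replace(
    f":{ACK_SERVICE_ACCOUNT}", ":*")


def check_trust_policy(doc, oidc_endpoint, account_id, namespace, service_account):
    """Return a list of findings; an empty list means the role is scoped as intended."""
    policy = json.loads(doc) if isinstance(doc, str) else doc
    expected_principal = f"arn:aws:iam::{account_id}:oidc-provider/{oidc_endpoint}"
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    sub_key = f"{oidc_endpoint}:sub"
    findings = []

    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    allow = [s for s in statements if s.get("Effect") == "Allow"]
    if len(allow) != 1:
        findings.append(f"expected exactly one Allow statement, found {len(allow)}")

    for stmt in allow:
        # IAM accepts a single string or a list for Action; normalise to a list.
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if actions != ["sts:AssumeRoleWithWebIdentity"]:
            findings.append(f"unexpected actions: {actions}")

        # Principal must be the Federated OIDC provider of this account/cluster,
        # not "*" and not another account's provider.
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or principal.get("Federated") != expected_principal:
            findings.append(f"principal is not the cluster OIDC provider: {principal!r}")

        cond = stmt.get("Condition", {})
        if sub_key in cond.get("StringLike", {}):
            findings.append(
                f"sub matched with StringLike {cond['StringLike'][sub_key]!r}; use StringEquals")
        actual_sub = cond.get("StringEquals", {}).get(sub_key)
        actual_sub = [actual_sub] if isinstance(actual_sub, str) else actual_sub
        if actual_sub is None:
            findings.append("no StringEquals condition on the OIDC sub claim")
        elif actual_sub != [expected_sub]:
            findings.append(f"sub condition {actual_sub!r} does not pin {expected_sub!r}")
    return findings


if __name__ == "__main__":
    for label, doc in (("tutorial policy", TRUST_POLICY), ("wildcard policy", WEAK_TRUST_POLICY)):
        result = check_trust_policy(doc, OIDC_ENDPOINT, AWS_ACCOUNT_ID,
                                    ACK_NAMESPACE, ACK_SERVICE_ACCOUNT)
        print(label, "->", result or "OK")
```

To run the same check against the role you just created, fetch the live document with `aws iam get-role --role-name "ack-${ACK_SERVICE}-controller" --query Role.AssumeRolePolicyDocument --output json` and pass it to check_trust_policy together with the values of OIDC_ENDPOINT, AWS_ACCOUNT_ID and ACK_SERVICE_ACCOUNT from your shell.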

Installing the ACK S3 controller

  1. Create a project to install the ACK S3 Operator into:

    $ oc new-project ack-system
  2. Create a file containing the configuration for the ACK S3 Operator.

    ACK_WATCH_NAMESPACE is deliberately left blank so that the controller watches all namespaces in the cluster.

    $ cat <<EOF > "${SCRATCH}/config.txt"
    ACK_ENABLE_DEVELOPMENT_LOGGING=true
    ACK_LOG_LEVEL=debug
    ACK_WATCH_NAMESPACE=
    AWS_REGION=${REGION}
    AWS_ENDPOINT_URL=
    ACK_RESOURCE_TAGS=${CLUSTER_NAME}
    ENABLE_LEADER_ELECTION=true
    LEADER_ELECTION_NAMESPACE=
    EOF
  3. Create a ConfigMap from the file you created in the previous step:

    $ oc -n ack-system create configmap \
      --from-env-file=${SCRATCH}/config.txt ack-${ACK_SERVICE}-user-config
  4. Install the ACK S3 Operator from OperatorHub:

    $ cat << EOF | oc apply -f -
    apiVersion: operators.coreos.com/v1
    kind: OperatorGroup
    metadata:
      name: ack-${ACK_SERVICE}-controller
      namespace: ack-system
    spec:
      upgradeStrategy: Default
    ---
    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: ack-${ACK_SERVICE}-controller
      namespace: ack-system
    spec:
      channel: alpha
      installPlanApproval: Automatic
      name: ack-${ACK_SERVICE}-controller
      source: community-operators
      sourceNamespace: openshift-marketplace
    EOF
  5. Annotate the ACK S3 Operator service account with the AWS IAM role it should assume, and restart the deployment:

    $ oc -n ack-system annotate serviceaccount ${ACK_SERVICE_ACCOUNT} \
      eks.amazonaws.com/role-arn=${ROLE_ARN} && \
      oc -n ack-system rollout restart deployment ack-${ACK_SERVICE}-controller
  6. Verify that the ACK S3 Operator is running:

    $ oc -n ack-system get pods
    Example output
    NAME                                 READY   STATUS    RESTARTS   AGE
    ack-s3-controller-585f6775db-s4lfz   1/1     Running   0          51s

Validating the deployment

  1. Deploy an S3 bucket resource:

    $ cat << EOF | oc apply -f -
    apiVersion: s3.services.k8s.aws/v1alpha1
    kind: Bucket
    metadata:
      name: ${CLUSTER_NAME}-bucket
      namespace: ack-system
    spec:
      name: ${CLUSTER_NAME}-bucket
    EOF
  2. Verify that the S3 bucket was created in AWS:

    $ aws s3 ls | grep ${CLUSTER_NAME}-bucket
    Example output
    2023-10-04 14:51:45 mrmc-test-maz-bucket

Cleaning up

  1. Delete the S3 bucket resource:

    $ oc -n ack-system delete bucket.s3.services.k8s.aws/${CLUSTER_NAME}-bucket
  2. Delete the ACK S3 Operator and the AWS IAM role:

    $ oc -n ack-system delete subscription ack-${ACK_SERVICE}-controller
    $ aws iam detach-role-policy \
      --role-name "ack-${ACK_SERVICE}-controller" \
      --policy-arn ${POLICY_ARN}
    $ aws iam delete-role \
      --role-name "ack-${ACK_SERVICE}-controller"
  3. Delete the ack-system project:

    $ oc delete project ack-system