From fdca67f47663e59fd9e2926829d4d741bc765dbd Mon Sep 17 00:00:00 2001 From: yadongzhang Date: Tue, 24 Dec 2019 19:17:10 +0800 Subject: [PATCH] Add tke-auth-controller into installer and oidc url change to tke-auth-api --- build/deploy/tke-auth-api.yaml | 118 ---------------- .../app/options/feature.go | 12 +- .../app/options/options.go | 2 +- .../app/installer/certs/certs.go | 2 +- .../app/installer/images/images.go | 6 +- cmd/tke-installer/app/installer/installer.go | 37 ++++- .../manifests/tke-auth-api/tke-auth-api.yaml | 121 +++++++++++++++++ .../tke-auth-controller.yaml | 99 ++++++++++++++ .../manifests/tke-auth/tke-auth.yaml | 127 ------------------ .../tke-business-api/tke-business-api.yaml | 6 +- .../manifests/tke-gateway/tke-gateway.yaml | 2 +- .../tke-monitor-api/tke-monitor-api.yaml | 6 +- .../tke-notify-api/tke-notify-api.yaml | 6 +- .../tke-platform-api/tke-platform-api.yaml | 6 +- .../tke-registry-api/tke-registry-api.yaml | 6 +- docs/devel/running-locally.md | 78 +++++++++-- go.mod | 1 - go.sum | 2 - pkg/auth/filter/filter.go | 13 +- 19 files changed, 357 insertions(+), 293 deletions(-) delete mode 100644 build/deploy/tke-auth-api.yaml create mode 100644 cmd/tke-installer/app/installer/manifests/tke-auth-api/tke-auth-api.yaml create mode 100644 cmd/tke-installer/app/installer/manifests/tke-auth-controller/tke-auth-controller.yaml delete mode 100644 cmd/tke-installer/app/installer/manifests/tke-auth/tke-auth.yaml diff --git a/build/deploy/tke-auth-api.yaml b/build/deploy/tke-auth-api.yaml deleted file mode 100644 index 950956186..000000000 --- a/build/deploy/tke-auth-api.yaml +++ /dev/null 
@@ -1,118 +0,0 @@ -kind: Deployment -apiVersion: apps/v1 -metadata: - labels: - k8s-app: tke-auth - name: tke-auth - namespace: {{NAMESPACE}} -spec: - selector: - matchLabels: - k8s-app: tke-auth - template: - metadata: - labels: - k8s-app: tke-auth - spec: - containers: - - name: tke-auth - image: hkccr.ccs.tencentyun.com/tke-dev/tke-auth-api:zydtest - imagePullPolicy: Always - env: - - name: TIMESTAMP - value: 2019-11-14 - args: - - --log-disable-color - - --etcd-servers=http://etcd:2379 - - --tls-cert-file=/etc/tke/server.pem - - --tls-private-key-file=/etc/tke/server-key.pem - - --assets-path=web/auth - - --id-token-timeout=24h - - --basic-auth-file=/etc/tke/password.csv - - --token-auth-file=/etc/tke/token.csv - - --client-ca-file=/etc/tke/ca.pem - - --cors-allowed-origins=https://(.*).console.tke.com - - --casbin-reload-interval=2s - - --policy-path=/etc/auth/policy.json - - --category-path=/etc/auth/category.json - - --init-tenant-id=default - - --tenant-admin=admin - - --tenant-admin-secret=admin - - --init-client-id=default - - --init-client-secret=652422316756 - - --init-client-redirect-uris=https://{{NAMESPACE}}.console.tke.com/callback,https://{{NAMESPACE}}.console.tke.com:443/callback - volumeMounts: - - name: config-volume - mountPath: /etc/tke - - name: auth-config-volume - mountPath: /etc/auth - ports: - - containerPort: 9451 - readinessProbe: - httpGet: - port: 9451 - path: /healthz/ping - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - livenessProbe: - httpGet: - port: 9451 - path: /healthz - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - resources: - limits: - cpu: 500m - memory: 1Gi - requests: - cpu: 250m - memory: 256Mi - volumes: - - name: config-volume - configMap: - name: config - - name: auth-config-volume - configMap: - name: auth-config - ---- -kind: Service -apiVersion: v1 -metadata: - name: tke-auth - namespace: {{NAMESPACE}} -spec: - selector: - k8s-app: tke-auth - ports: - - protocol: TCP - port: 9451 - 
targetPort: 9451 - ---- -kind: Ingress -apiVersion: extensions/v1beta1 -metadata: - name: tke-auth - namespace: {{NAMESPACE}} - annotations: - kubernetes.io/ingress.class: "nginx" - nginx.ingress.kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" - nginx.ingress.kubernetes.io/secure-backends: "true" - nginx.ingress.kubernetes.io/ssl-passthrough: "true" - nginx.ingress.kubernetes.io/rewrite-target: / -spec: - rules: - - host: {{NAMESPACE}}.auth.tke.com - http: - paths: - - path: / - backend: - serviceName: tke-auth - servicePort: 9451 - - - diff --git a/cmd/tke-auth-controller/app/options/feature.go b/cmd/tke-auth-controller/app/options/feature.go index 87d645efe..a005c1c3b 100644 --- a/cmd/tke-auth-controller/app/options/feature.go +++ b/cmd/tke-auth-controller/app/options/feature.go @@ -36,12 +36,12 @@ const ( ) const ( - configPolicyPath = "feature.policy_path" - configCategoryPath = "feature.category_path" - configTenantAdmin = "feature.tenant_admin" - configTenantAdminSecret = "feature.tenant_admin_secret" - configCasbinModelFile = "feature.casbin_model_file" - configCasbinReloadInterval = "feature.casbin_reload_interval" + configPolicyPath = "features.policy_path" + configCategoryPath = "features.category_path" + configTenantAdmin = "features.tenant_admin" + configTenantAdminSecret = "features.tenant_admin_secret" + configCasbinModelFile = "features.casbin_model_file" + configCasbinReloadInterval = "features.casbin_reload_interval" ) type FeatureOptions struct { diff --git a/cmd/tke-auth-controller/app/options/options.go b/cmd/tke-auth-controller/app/options/options.go index 98656398d..af52386a7 100644 --- a/cmd/tke-auth-controller/app/options/options.go +++ b/cmd/tke-auth-controller/app/options/options.go 
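Review bot: The const block in feature.go changes every key from `feature.*` to `features.*` without keeping any fallback for the old spelling. If these constants are looked up as config-file keys (the code that reads them is outside the hunk), a config that still uses the old table name would have `tenant_admin` and `tenant_admin_secret` ignored rather than rejected. For credential settings a silent fallback to defaults is the worst outcome, so startup should fail when an old `feature.*` key is present. At minimum the rename should be recorded on the block, e.g. `// Keys are read from the "features" table; the earlier "feature.*" spelling is no longer honoured.`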
@@ -41,7 +41,7 @@ func NewOptions(serverName string, allControllers []string, disabledByDefaultCon return &Options{ Log: log.NewOptions(), Debug: apiserveroptions.NewDebugOptions(), - SecureServing: apiserveroptions.NewSecureServingOptions(serverName, 9456), + SecureServing: apiserveroptions.NewSecureServingOptions(serverName, 9458), Component: controlleroptions.NewComponentOptions(allControllers, disabledByDefaultControllers), AuthAPIClient: controlleroptions.NewAPIServerClientOptions("auth", true), FeatureOptions: NewFeatureOptions(), diff --git a/cmd/tke-installer/app/installer/certs/certs.go b/cmd/tke-installer/app/installer/certs/certs.go index 61aa22126..8531e98e8 100644 --- a/cmd/tke-installer/app/installer/certs/certs.go +++ b/cmd/tke-installer/app/installer/certs/certs.go @@ -35,7 +35,7 @@ var ( "tke-platform-api", "tke-business-api", "tke-notify-api", - "tke-auth", + "tke-auth-api", "tke-console", "tke-monitor-api", "tke-registry-api", diff --git a/cmd/tke-installer/app/installer/images/images.go b/cmd/tke-installer/app/installer/images/images.go index 6dbd96745..c8de25cdb 100644 --- a/cmd/tke-installer/app/installer/images/images.go +++ b/cmd/tke-installer/app/installer/images/images.go @@ -36,7 +36,8 @@ type Components struct { ProviderRes containerregistry.Image TKEGateway containerregistry.Image - TKEAuth containerregistry.Image + TKEAuthAPI containerregistry.Image + TKEAuthController containerregistry.Image TKEBusinessAPI containerregistry.Image TKEBusinessController containerregistry.Image TKEMonitorAPI containerregistry.Image 
@@ -69,7 +70,8 @@ var components = Components{ ProviderRes: containerregistry.Image{Name: "provider-res", Tag: "v1.14.6-1"}, - TKEAuth: containerregistry.Image{Name: "tke-auth", Tag: Version}, + TKEAuthAPI: containerregistry.Image{Name: "tke-auth-api", Tag: Version}, + TKEAuthController: containerregistry.Image{Name: "tke-auth-controller", Tag: Version}, TKEBusinessAPI: containerregistry.Image{Name: "tke-business-api", Tag: Version}, TKEBusinessController: containerregistry.Image{Name: "tke-business-controller", Tag: Version}, TKEGateway: containerregistry.Image{Name: "tke-gateway", Tag: Version}, diff --git a/cmd/tke-installer/app/installer/installer.go b/cmd/tke-installer/app/installer/installer.go index cfc28990d..3f12b6d1d 100644 --- a/cmd/tke-installer/app/installer/installer.go +++ b/cmd/tke-installer/app/installer/installer.go @@ -419,8 +419,12 @@ func (t *TKE) initSteps() { if t.Para.Config.Auth.TKEAuth != nil { t.steps = append(t.steps, []handler{ { - Name: "Install tke-auth", - Func: t.installTKEAuth, + Name: "Install tke-auth-api", + Func: t.installTKEAuthAPI, + }, + { + Name: "Install tke-auth-controller", + Func: t.installTKEAuthController, }, }...) } @@ -1470,7 +1474,7 @@ func (t *TKE) installETCD() error { }) } -func (t *TKE) installTKEAuth() error { +func (t *TKE) installTKEAuthAPI() error { redirectHosts := t.servers redirectHosts = append(redirectHosts, "tke-gateway") if t.Para.Config.Gateway != nil && t.Para.Config.Gateway.Domain != "" { 
@@ -1482,20 +1486,41 @@ func (t *TKE) installTKEAuth() error { option := map[string]interface{}{ "Replicas": t.Config.Replicas, - "Image": images.Get().TKEAuth.FullName(), + "Image": images.Get().TKEAuthAPI.FullName(), "OIDCClientSecret": t.readOrGenerateString(constants.OIDCClientSecretFile), "AdminUsername": t.Para.Config.Auth.TKEAuth.Username, "AdminPassword": string(t.Para.Config.Auth.TKEAuth.Password), "TenantID": t.Para.Config.Auth.TKEAuth.TenantID, "RedirectHosts": redirectHosts, } - err := apiclient.CreateResourceWithDir(t.globalClient, "manifests/tke-auth/*.yaml", option) + err := apiclient.CreateResourceWithDir(t.globalClient, "manifests/tke-auth-api/*.yaml", option) + if err != nil { + return err + } + + return wait.PollImmediate(5*time.Second, 10*time.Minute, func() (bool, error) { + ok, err := apiclient.CheckDeployment(t.globalClient, t.namespace, "tke-auth-api") + if err != nil { + return false, nil + } + return ok, nil + }) +} + +func (t *TKE) installTKEAuthController() error { + err := apiclient.CreateResourceWithDir(t.globalClient, "manifests/tke-auth-controller/*.yaml", + map[string]interface{}{ + "Replicas": t.Config.Replicas, + "Image": images.Get().TKEAuthController.FullName(), + "AdminUsername": t.Para.Config.Auth.TKEAuth.Username, + "AdminPassword": string(t.Para.Config.Auth.TKEAuth.Password), + }) if err != nil { return err } return wait.PollImmediate(5*time.Second, 10*time.Minute, func() (bool, error) { - ok, err := apiclient.CheckDeployment(t.globalClient, t.namespace, "tke-auth") + ok, err := apiclient.CheckDeployment(t.globalClient, t.namespace, "tke-auth-controller") if err != nil { return false, nil } diff --git a/cmd/tke-installer/app/installer/manifests/tke-auth-api/tke-auth-api.yaml b/cmd/tke-installer/app/installer/manifests/tke-auth-api/tke-auth-api.yaml new file mode 100644 index 000000000..b0273e1aa --- /dev/null +++ b/cmd/tke-installer/app/installer/manifests/tke-auth-api/tke-auth-api.yaml 
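Review bot: Both poll callbacks, in `installTKEAuthAPI` and the new `installTKEAuthController`, turn every `apiclient.CheckDeployment` error into `return false, nil`. A permanent failure (a rejected API call, a wrong deployment name) then looks the same as "not ready yet" and only surfaces as a bare timeout after ten minutes. Keep the cause by recording it before retrying, `lastErr = err`, and include `lastErr` in the error returned when `wait.PollImmediate` gives up. Both function bodies extend beyond the hunk, so the closing lines of the controller's callback are not visible here.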
@@ -0,0 +1,121 @@ +--- +kind: Service +apiVersion: v1 +metadata: + name: tke-auth-api + namespace: tke +spec: + selector: + app: tke-auth-api + ports: + - protocol: TCP + port: 443 + targetPort: 9451 +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + labels: + app: tke-auth-api + name: tke-auth-api + namespace: tke +spec: + replicas: {{ .Replicas }} + selector: + matchLabels: + app: tke-auth-api + template: + metadata: + labels: + app: tke-auth-api + spec: + containers: + - name: tke-auth-api + image: {{ .Image }} + args: + - -C=/app/conf/tke-auth-api.toml + volumeMounts: + - name: certs-volume + mountPath: /app/certs + - name: tke-auth-api-volume + mountPath: /app/conf + ports: + - containerPort: 9451 + readinessProbe: + httpGet: + port: 9451 + path: /healthz/ping + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + livenessProbe: + httpGet: + port: 9451 + path: /healthz + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + resources: + limits: + cpu: 500m + memory: 1Gi + requests: + cpu: 250m + memory: 256Mi + volumes: + - name: certs-volume + configMap: + name: certs + - name: tke-auth-api-volume + configMap: + name: tke-auth-api +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: tke-auth-api + namespace: tke +data: + abac-policy.json: | + {"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"system:*","namespace":"*", "resource":"*","apiGroup":"*", "group": "*"}} + tke-auth-api.toml: | + [secure_serving] + tls_cert_file = "/app/certs/server.crt" + tls_private_key_file = "/app/certs/server.key" + + [etcd] + servers = [ + "https://etcd:2379" + ] + cafile = "/app/certs/etcd-ca.crt" + certfile = "/app/certs/etcd.crt" + keyfile = "/app/certs/etcd.key" + + [generic] + external_hostname = "tke-auth-api" + external_port = 443 + + [authorization] + policy_file="/app/conf/abac-policy.json" + + [authentication] + token_auth_file = "/app/certs/token.csv" + client_ca_file = "/app/certs/ca.crt" + + 
[authentication.requestheader] + client_ca_file = "/app/certs/ca.crt" + username_headers = "X-Remote-User" + extra_headers_prefix = "X-Remote-Extra-" + + [auth] + assets_path = "/app/web/auth" + tenant_admin = "{{ .AdminUsername }}" + tenant_admin_secret = "{{ .AdminPassword }}" + init_client_id = "{{ .TenantID }}" + init_client_secret = "{{ .OIDCClientSecret }}" + init_client_redirect_uris = [ +{{- range $element := .RedirectHosts}} + {{ printf ` "http://%s/callback",` $element}} + {{ printf ` "https://%s/callback",` $element}} +{{- end}} + ] diff --git a/cmd/tke-installer/app/installer/manifests/tke-auth-controller/tke-auth-controller.yaml b/cmd/tke-installer/app/installer/manifests/tke-auth-controller/tke-auth-controller.yaml new file mode 100644 index 000000000..512e0b56d --- /dev/null +++ b/cmd/tke-installer/app/installer/manifests/tke-auth-controller/tke-auth-controller.yaml 
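Review bot: The `[auth]` table of `tke-auth-api.toml` sits in a `kind: ConfigMap`, so `tenant_admin_secret = "{{ .AdminPassword }}"` and `init_client_secret = "{{ .OIDCClientSecret }}"` store the admin password and OIDC client secret in an object that is not treated as sensitive. Anyone allowed to read ConfigMaps in namespace `tke` can read them; the file should be rendered into a `kind: Secret` and mounted at `/app/conf` through a `secret:` volume instead. The values are also pasted between double quotes unescaped, so a password containing `"`, `\` or a newline yields a broken TOML file or extra keys. If the manifests are rendered with Go's text/template, as the `printf` calls in the same file suggest, `tenant_admin_secret = {{ printf "%q" .AdminPassword }}` escapes quotes and backslashes, and the same applies to `init_client_secret`.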
@@ -0,0 +1,99 @@ +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + labels: + app: tke-auth-controller + name: tke-auth-controller + namespace: tke +spec: + replicas: {{ .Replicas }} + selector: + matchLabels: + app: tke-auth-controller + template: + metadata: + labels: + app: tke-auth-controller + spec: + containers: + - name: tke-auth-controller + image: {{ .Image }} + args: + - -C=/app/conf/tke-auth-controller.toml + volumeMounts: + - name: certs-volume + mountPath: /app/certs + - name: tke-auth-controller-volume + mountPath: /app/conf + ports: + - containerPort: 9458 + livenessProbe: + httpGet: + port: 9458 + path: /healthz + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + resources: + limits: + cpu: 500m + memory: 1Gi + requests: + cpu: 250m + memory: 256Mi + volumes: + - name: certs-volume + configMap: + name: certs + - name: tke-auth-controller-volume + configMap: + name: tke-auth-controller +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: tke-auth-controller + namespace: tke +data: + policy.json: | + 
[{"metadata":{"creationTimestamp":null},"spec":{"displayName":"AddonFullAccess","tenantID":"default","category":"addon","type":"default","username":"","description":"该策略允许您管理平台租户内扩展组件相关资源,如Helm,prometheus等","statement":{"actions":["*Addon*","*Addons*","*Csioperator*","*Csioperators*","*Ipam*","*Ipams*","*Tappcontroller*","*Tappcontrollers*","*Logc*","*Logcs*","*Galaxy*","*Galaxies*","*Logcollector*","*Logcollectors*","*Addontype*","*Addontypes*","*Csi*","*Csis*","*Clusteraddontype*","*Clusteraddontypes*","*Coredns*","*Cronhpa*","*Cronhpas*","*Lbcf*","*Lbcfs*","*Helm*","*Helms*","*Persistentevent*","*Persistentevents*","*Gpumanager*","*Gpumanagers*","*Prometheuse*","*Prometheuses*","*Volumedecorator*","*Volumedecorators*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"ConfigFullAccess","tenantID":"default","category":"config","type":"default","username":"","description":"该策略允许您管理平台租户k8s配置组资源,包括configmap、secret等","statement":{"actions":["*Configmap*","*Configmaps*","*Secret*","*Secrets*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"NotifyFullAccess","tenantID":"default","category":"notify","type":"default","username":"","description":"该策略允许您管理平台租户通知设置","statement":{"actions":["*Receiver*","*Receivers*","*Messagerequest*","*Messagerequests*","*Channel*","*Channels*","*Receivergroup*","*Receivergroups*","*Template*","*Templates*","*Message*","*Messages*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"NetworkFullAccess","tenantID":"default","category":"network","type":"default","username":"","description":"该策略允许您管理平台租户内网络资源,如网络策略,service,ignress等","statement":{"actions":["*Networkpolicy*","*Networkpolicies*","*Ingress*","*Ingresses*","*Lbcflb*","*Lbcflbs*","*Service
*","*Services*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"VolumeFullAccess","tenantID":"default","category":"volume","type":"default","username":"","description":"该策略允许您管理平台租户云盘资源","statement":{"actions":["*Persistentvolume*","*Persistentvolumes*","*Storageclass*","*Storageclasses*","*Persistentvolumeclaim*","*Persistentvolumeclaims*","*Volumeattachment*","*Volumeattachments*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"RegistryFullAccess","tenantID":"default","category":"registry","type":"default","username":"","description":"该策略允许您管理平台租户镜像仓库资源","statement":{"actions":["*Repository*","*Repositories*","*Chartgroup*","*Chartgroups*","*Registrynamespace*","*Registrynamespaces*","*Registry*","*Registries*","*Chart*","*Charts*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"MonitorFullAccess","tenantID":"default","category":"monitor","type":"default","username":"","description":"该策略允许您管理平台租户监控告警策略","statement":{"actions":["*Metric*","*Metrics*","*Alarmpolicy*","*Alarmpolicies*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"AuthFullAccess","tenantID":"default","category":"auth","type":"default","username":"","description":"该策略允许您管理平台租户内所有用户及其权限","statement":{"actions":["*Rolebinding*","*Rolebindings*","*Apikey*","*Apikeys*","*User*","*Users*","*Category*","*Categories*","*Permission*","*Permissions*","*Role*","*Roles*","*Clusterrole*","*Clusterroles*","*Localgroup*","*Localgroups*","*Client*","*Clients*","*Policy*","*Policies*","*Identityprovider*","*Identityproviders*","*Clusterrolebinding*","*Clusterrolebindings*","*Group*","*Groups*","*Localidentity*","*L
ocalidentities*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"ClusterFullAccess","tenantID":"default","category":"cluster","type":"default","username":"","description":"该策略允许您管理平台租户内集群相关的资源, 包括集群管理、节点和优先级等","statement":{"actions":["*Runtimeclass*","*Runtimeclasses*","*Node*","*Nodes*","*Cluster*","*Clusters*","*Clustercredential*","*Clustercredentials*","*Machine*","*Machines*","*Apply*","*Applies*","*Priorityclass*","*Priorityclasses*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"ProjectFullAccess","tenantID":"default","category":"project","type":"default","username":"","description":"该策略允许您管理平台租户业务业务相关资源","statement":{"actions":["*Platform*","*Platforms*","*Resourcequota*","*Portal*","*Portals*","*Namespace*","*Namespaces*","*Event*","*Events*","*Project*","*Projects*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"AdministratorAccess","tenantID":"default","category":"common","type":"default","username":"","description":"该策略允许管理平台租户内所有用户及其权限、容器服务资产","statement":{"actions":["*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"ReadOnlyAccess","tenantID":"default","category":"common","type":"default","username":"","description":"该策略允许您只读访问账户内所有支持接口级鉴权或资源级鉴权的容器服务资产","statement":{"actions":["get*","list*","watch*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}}] + category.json: | + 
[{"metadata":{"name":"project","creationTimestamp":null},"Spec":{"displayName":"业务和命名空间","description":"业务和命名空间","actions":[{"name":"createEvent","description":"创建事件"},{"name":"createNamespace","description":"创建命名空间"},{"name":"createPlatform","description":"创建平台"},{"name":"createProject","description":"创建业务"},{"name":"createResourcequota","description":"创建资源配额"},{"name":"deleteEvent","description":"删除事件"},{"name":"deleteNamespace","description":"删除命名空间"},{"name":"deletePlatform","description":"删除平台"},{"name":"deleteProject","description":"删除业务"},{"name":"deleteResourcequota","description":"删除资源配额"},{"name":"getEvent","description":"获取事件"},{"name":"getNamespace","description":"获取命名空间"},{"name":"getNamespaceStatus","description":"获取命名空间状态"},{"name":"getPlatform","description":"获取平台"},{"name":"getProject","description":"获取业务"},{"name":"getProjectStatus","description":"获取业务状态"},{"name":"getResourcequota","description":"获取资源配额"},{"name":"getResourcequotaStatus","description":"获取资源配额状态"},{"name":"listEvents","description":"列举事件"},{"name":"listNamespaces","description":"列举命名空间"},{"name":"listPlatforms","description":"列举平台"},{"name":"listPortal","description":"列举Portal"},{"name":"listProjects","description":"列举业务"},{"name":"listResourcequotas","description":"列举资源配额"},{"name":"updateEvent","description":"修改事件"},{"name":"updateNamespace","description":"修改命名空间"},{"name":"updateNamespaceStatus","description":"修改命名空间状态"},{"name":"updatePlatform","description":"修改平台"},{"name":"updateProject","description":"修改业务"},{"name":"updateProjectStatus","description":"修改业务状态"},{"name":"updateResourcequota","description":"修改资源配额"},{"name":"updateResourcequotaStatus","description":"修改资源配额状态"}]}},{"metadata":{"name":"monitor","creationTimestamp":null},"Spec":{"displayName":"监控告警","description":"监控告警","actions":[{"name":"createAlarmpolicy","description":"创建告警策略"},{"name":"createMetric","description":"创建Metric"},{"name":"deleteAlarmpolicy","description":"删除告警策略"},{"name":"getAlarmpolicy","descri
ption":"获取告警策略"},{"name":"getMetric","description":"获取Metric"},{"name":"listAlarmpolicies","description":"列举告警策略"},{"name":"listMetrics","description":"列举Metric"},{"name":"updateAlarmpolicy","description":"修改告警策略"}]}},{"metadata":{"name":"notify","creationTimestamp":null},"Spec":{"displayName":"通知服务","description":"通知服务","actions":[{"name":"createChannel","description":"创建通知渠道"},{"name":"createMessage","description":"创建消息"},{"name":"createMessagerequest","description":"创建消息请求"},{"name":"createReceiver","description":"创建接收人"},{"name":"createReceivergroup","description":"创建接收人组"},{"name":"createTemplate","description":"创建消息模板"},{"name":"deleteChannel","description":"删除通知渠道"},{"name":"deleteMessage","description":"删除消息"},{"name":"deleteMessagerequest","description":"删除消息请求"},{"name":"deleteReceiver","description":"删除接收人"},{"name":"deleteReceivergroup","description":"删除接收人组"},{"name":"deleteTemplate","description":"删除消息模板"},{"name":"getChannel","description":"获取通知渠道"},{"name":"getChannelStatus","description":"获取通知渠道状态"},{"name":"getMessage","description":"获取消息"},{"name":"getMessageStatus","description":"获取消息状态"},{"name":"getMessagerequest","description":"获取消息请求"},{"name":"getMessagerequestStatus","description":"获取消息请求状态"},{"name":"getReceiver","description":"获取接收人"},{"name":"getReceivergroup","description":"获取接收人组"},{"name":"getTemplate","description":"获取消息模板"},{"name":"listChannels","description":"列举通知渠道"},{"name":"listMessagerequests","description":"列举消息请求"},{"name":"listMessages","description":"列举消息"},{"name":"listReceivergroups","description":"列举接收人组"},{"name":"listReceivers","description":"列举接收人"},{"name":"listTemplates","description":"列举消息模板"},{"name":"updateChannel","description":"修改通知渠道"},{"name":"updateChannelStatus","description":"修改通知渠道状态"},{"name":"updateMessage","description":"修改消息"},{"name":"updateMessageStatus","description":"修改消息状态"},{"name":"updateMessagerequest","description":"修改消息请求"},{"name":"updateMessagerequestStatus","description":"修改消息请求状态"},{"na
me":"updateReceiver","description":"修改接收人"},{"name":"updateReceivergroup","description":"修改接收人组"},{"name":"updateTemplate","description":"修改消息模板"}]}},{"metadata":{"name":"registry","creationTimestamp":null},"Spec":{"displayName":"镜像仓库","description":"镜像仓库","actions":[{"name":"createChart","description":"创建Chart"},{"name":"createChartgroup","description":"创建Chartgroup"},{"name":"createRegistry","description":"创建Registry"},{"name":"createRegistrynamespace","description":"创建Registrynamespace"},{"name":"createRepository","description":"创建Repository"},{"name":"deleteChart","description":"删除Chart"},{"name":"deleteChartgroup","description":"删除Chartgroup"},{"name":"deleteRegistry","description":"删除Registry"},{"name":"deleteRegistrynamespace","description":"删除Registrynamespace"},{"name":"deleteRepository","description":"删除Repository"},{"name":"getChart","description":"获取Chart"},{"name":"getChartStatus","description":"获取Chart状态"},{"name":"getChartgroup","description":"获取Chartgroup"},{"name":"getChartgroupStatus","description":"获取Chartgroup状态"},{"name":"getRegistry","description":"获取Registry"},{"name":"getRegistrynamespace","description":"获取Registrynamespace"},{"name":"getRegistrynamespaceStatus","description":"获取Registrynamespace状态"},{"name":"getRepository","description":"获取Repository"},{"name":"getRepositoryStatus","description":"获取Repository状态"},{"name":"listChartgroups","description":"列举Chartgroup"},{"name":"listCharts","description":"列举Chart"},{"name":"listRegistries","description":"列举Registry"},{"name":"listRegistrynamespaces","description":"列举Registrynamespace"},{"name":"listRepositories","description":"列举Repository"},{"name":"updateChart","description":"修改Chart"},{"name":"updateChartStatus","description":"修改Chart状态"},{"name":"updateChartgroup","description":"修改Chartgroup"},{"name":"updateChartgroupStatus","description":"修改Chartgroup状态"},{"name":"updateRegistry","description":"修改Registry"},{"name":"updateRegistrynamespace","description":"修改Registrynamespace"},{"name":"u
pdateRegistrynamespaceStatus","description":"修改Registrynamespace状态"},{"name":"updateRepository","description":"修改Repository"},{"name":"updateRepositoryStatus","description":"修改Repository状态"}]}},{"metadata":{"name":"cluster","creationTimestamp":null},"Spec":{"displayName":"集群管理","description":"集群管理","actions":[{"name":"createCluster","description":"创建集群"},{"name":"createClustercredential","description":"创建集群凭据"},{"name":"createMachine","description":"创建机器"},{"name":"createNode","description":"创建节点"},{"name":"createPriorityclass","description":"创建优先级"},{"name":"createRuntimeclass","description":"创建Runtimeclass"},{"name":"deleteCluster","description":"删除集群"},{"name":"deleteClustercredential","description":"删除集群凭据"},{"name":"deleteMachine","description":"删除机器"},{"name":"deleteNode","description":"删除节点"},{"name":"deletePriorityclass","description":"删除优先级"},{"name":"deleteRuntimeclass","description":"删除Runtimeclass"},{"name":"getCluster","description":"获取集群"},{"name":"getClusterStatus","description":"获取集群状态"},{"name":"getClustercredential","description":"获取集群凭据"},{"name":"getMachine","description":"获取机器"},{"name":"getMachineStatus","description":"获取机器状态"},{"name":"getNode","description":"获取节点"},{"name":"getNodeStatus","description":"获取节点状态"},{"name":"getPriorityclass","description":"获取优先级"},{"name":"getRuntimeclass","description":"获取Runtimeclass"},{"name":"listClustercredentials","description":"列举集群凭据"},{"name":"listClusters","description":"列举集群"},{"name":"listMachines","description":"列举机器"},{"name":"listNodes","description":"列举节点"},{"name":"listPriorityclasses","description":"列举优先级"},{"name":"listRuntimeclasses","description":"列举Runtimeclass"},{"name":"updateCluster","description":"修改集群"},{"name":"updateClusterStatus","description":"修改集群状态"},{"name":"updateClustercredential","description":"修改集群凭据"},{"name":"updateMachine","description":"修改机器"},{"name":"updateMachineStatus","description":"修改机器状态"},{"name":"updateNode","description":"修改节点"},{"name":"updateNodeStatus","desc
ription":"修改节点状态"},{"name":"updatePriorityclass","description":"修改优先级"},{"name":"updateRuntimeclass","description":"修改Runtimeclass"}]}},{"metadata":{"name":"application","creationTimestamp":null},"Spec":{"displayName":"应用管理","description":"应用管理","actions":[{"name":"createBinding","description":"创建Binding"},{"name":"createCertificatesigningrequest","description":"创建证书签名请求"},{"name":"createControllerrevision","description":"创建Controllerrevision"},{"name":"createCronjob","description":"创建周期作业"},{"name":"createDaemonset","description":"创建守护作业集"},{"name":"createDeployment","description":"创建微服务"},{"name":"createDeploymentRollback","description":"创建微服务Rollback"},{"name":"createEndpoint","description":"创建端点"},{"name":"createHorizontalpodautoscaler","description":"创建pod水平伸缩器"},{"name":"createJob","description":"创建作业"},{"name":"createLease","description":"创建Lease"},{"name":"createLimitrange","description":"创建Limitrange"},{"name":"createMutatingwebhookconfiguration","description":"创建MutatingWebhook配置"},{"name":"createPod","description":"创建Pod"},{"name":"createPodBinding","description":"创建PodBinding"},{"name":"createPoddisruptionbudget","description":"创建Poddisruptionbudget"},{"name":"createPodpreset","description":"创建Podpreset"},{"name":"createPodsecuritypolicy","description":"创建pod安全策略"},{"name":"createPodtemplate","description":"创建pod模板"},{"name":"createReplicaset","description":"创建副本集"},{"name":"createReplicationcontroller","description":"创建副本控制器"},{"name":"createServiceaccount","description":"创建服务账户"},{"name":"createStatefulset","description":"创建有状态服务集"},{"name":"createValidatingwebhookconfiguration","description":"创建ValidatingWebhook配置"},{"name":"deleteCertificatesigningrequest","description":"删除证书签名请求"},{"name":"deleteControllerrevision","description":"删除Controllerrevision"},{"name":"deleteCronjob","description":"删除周期作业"},{"name":"deleteDaemonset","description":"删除守护作业集"},{"name":"deleteDeployment","description":"删除微服务"},{"name":"deleteEndpoint","description":"删除端点"},{"na
me":"deleteHorizontalpodautoscaler","description":"删除pod水平伸缩器"},{"name":"deleteJob","description":"删除作业"},{"name":"deleteLease","description":"删除Lease"},{"name":"deleteLimitrange","description":"删除Limitrange"},{"name":"deleteMutatingwebhookconfiguration","description":"删除MutatingWebhook配置"},{"name":"deletePod","description":"删除Pod"},{"name":"deletePoddisruptionbudget","description":"删除Poddisruptionbudget"},{"name":"deletePodpreset","description":"删除Podpreset"},{"name":"deletePodsecuritypolicy","description":"删除pod安全策略"},{"name":"deletePodtemplate","description":"删除pod模板"},{"name":"deleteReplicaset","description":"删除副本集"},{"name":"deleteReplicationcontroller","description":"删除副本控制器"},{"name":"deleteServiceaccount","description":"删除服务账户"},{"name":"deleteStatefulset","description":"删除有状态服务集"},{"name":"deleteValidatingwebhookconfiguration","description":"删除ValidatingWebhook配置"},{"name":"getCertificatesigningrequest","description":"获取证书签名请求"},{"name":"getComponentstatus","description":"获取Componentstatus"},{"name":"getControllerrevision","description":"获取Controllerrevision"},{"name":"getCronjob","description":"获取周期作业"},{"name":"getCronjobStatus","description":"获取周期作业状态"},{"name":"getDaemonset","description":"获取守护作业集"},{"name":"getDaemonsetStatus","description":"获取守护作业集状态"},{"name":"getDeployment","description":"获取微服务"},{"name":"getDeploymentStatus","description":"获取微服务状态"},{"name":"getEndpoint","description":"获取端点"},{"name":"getHorizontalpodautoscaler","description":"获取pod水平伸缩器"},{"name":"getHorizontalpodautoscalerStatus","description":"获取pod水平伸缩器状态"},{"name":"getJob","description":"获取作业"},{"name":"getJobStatus","description":"获取作业状态"},{"name":"getLease","description":"获取Lease"},{"name":"getLimitrange","description":"获取Limitrange"},{"name":"getMutatingwebhookconfiguration","description":"获取MutatingWebhook配置"},{"name":"getPod","description":"获取Pod"},{"name":"getPodLog","description":"获取Pod日志"},{"name":"getPodStatus","description":"获取Pod状态"},{"name":"getPoddisruptionbudget"
,"description":"获取Poddisruptionbudget"},{"name":"getPoddisruptionbudgetStatus","description":"获取Poddisruptionbudget状态"},{"name":"getPodpreset","description":"获取Podpreset"},{"name":"getPodsecuritypolicy","description":"获取pod安全策略"},{"name":"getPodtemplate","description":"获取pod模板"},{"name":"getReplicaset","description":"获取副本集"},{"name":"getReplicasetStatus","description":"获取副本集状态"},{"name":"getReplicationcontroller","description":"获取副本控制器"},{"name":"getReplicationcontrollerStatus","description":"获取副本控制器状态"},{"name":"getServiceaccount","description":"获取服务账户"},{"name":"getStatefulset","description":"获取有状态服务集"},{"name":"getStatefulsetStatus","description":"获取有状态服务集状态"},{"name":"getValidatingwebhookconfiguration","description":"获取ValidatingWebhook配置"},{"name":"listCertificatesigningrequests","description":"列举证书签名请求"},{"name":"listComponentstatuses","description":"列举Componentstatus"},{"name":"listControllerrevisions","description":"列举Controllerrevision"},{"name":"listCronjobEvents","description":"列举周期作业事件"},{"name":"listCronjobs","description":"列举周期作业"},{"name":"listDaemonsetEvents","description":"列举守护作业集事件"},{"name":"listDaemonsetPods","description":"列举守护作业集Pod"},{"name":"listDaemonsets","description":"列举守护作业集"},{"name":"listDeploymentEvents","description":"列举微服务事件"},{"name":"listDeploymentHorizontalpodautoscalers","description":"列举微服务pod水平伸缩器"},{"name":"listDeploymentPods","description":"列举微服务Pod"},{"name":"listDeploymentScale","description":"列举微服务Scale"},{"name":"listDeployments","description":"列举微服务"},{"name":"listEndpoints","description":"列举端点"},{"name":"listHorizontalpodautoscalerEvents","description":"列举pod水平伸缩器事件"},{"name":"listHorizontalpodautoscalers","description":"列举pod水平伸缩器"},{"name":"listJobEvents","description":"列举作业事件"},{"name":"listJobPods","description":"列举作业Pod"},{"name":"listJobs","description":"列举作业"},{"name":"listLeases","description":"列举Lease"},{"name":"listLimitranges","description":"列举Limitrange"},{"name":"listMutatingwebhookconfigurations","descrip
tion":"列举MutatingWebhook配置"},{"name":"listPodEvents","description":"列举Pod事件"},{"name":"listPoddisruptionbudgets","description":"列举Poddisruptionbudget"},{"name":"listPodpresets","description":"列举Podpreset"},{"name":"listPods","description":"列举Pod"},{"name":"listPodsecuritypolicies","description":"列举pod安全策略"},{"name":"listPodtemplates","description":"列举pod模板"},{"name":"listReplicasetEvents","description":"列举副本集事件"},{"name":"listReplicasetPods","description":"列举副本集Pod"},{"name":"listReplicasetScale","description":"列举副本集Scale"},{"name":"listReplicasets","description":"列举副本集"},{"name":"listReplicationcontrollerEvents","description":"列举副本控制器事件"},{"name":"listReplicationcontrollerPods","description":"列举副本控制器Pod"},{"name":"listReplicationcontrollerScale","description":"列举副本控制器Scale"},{"name":"listReplicationcontrollers","description":"列举副本控制器"},{"name":"listServiceaccounts","description":"列举服务账户"},{"name":"listStatefulsetEvents","description":"列举有状态服务集事件"},{"name":"listStatefulsetPods","description":"列举有状态服务集Pod"},{"name":"listStatefulsetScale","description":"列举有状态服务集Scale"},{"name":"listStatefulsets","description":"列举有状态服务集"},{"name":"listValidatingwebhookconfigurations","description":"列举ValidatingWebhook配置"},{"name":"updateCertificatesigningrequest","description":"修改证书签名请求"},{"name":"updateControllerrevision","description":"修改Controllerrevision"},{"name":"updateCronjob","description":"修改周期作业"},{"name":"updateCronjobStatus","description":"修改周期作业状态"},{"name":"updateDaemonset","description":"修改守护作业集"},{"name":"updateDaemonsetStatus","description":"修改守护作业集状态"},{"name":"updateDeployment","description":"修改微服务"},{"name":"updateDeploymentScale","description":"修改微服务Scale"},{"name":"updateDeploymentStatus","description":"修改微服务状态"},{"name":"updateEndpoint","description":"修改端点"},{"name":"updateHorizontalpodautoscaler","description":"修改pod水平伸缩器"},{"name":"updateHorizontalpodautoscalerStatus","description":"修改pod水平伸缩器状态"},{"name":"updateJob","description":"修改作业"},{"name":"updateJobStat
us","description":"修改作业状态"},{"name":"updateLease","description":"修改Lease"},{"name":"updateLimitrange","description":"修改Limitrange"},{"name":"updateMutatingwebhookconfiguration","description":"修改MutatingWebhook配置"},{"name":"updatePod","description":"修改Pod"},{"name":"updatePodStatus","description":"修改Pod状态"},{"name":"updatePoddisruptionbudget","description":"修改Poddisruptionbudget"},{"name":"updatePoddisruptionbudgetStatus","description":"修改Poddisruptionbudget状态"},{"name":"updatePodpreset","description":"修改Podpreset"},{"name":"updatePodsecuritypolicy","description":"修改pod安全策略"},{"name":"updatePodtemplate","description":"修改pod模板"},{"name":"updateReplicaset","description":"修改副本集"},{"name":"updateReplicasetScale","description":"修改副本集Scale"},{"name":"updateReplicasetStatus","description":"修改副本集状态"},{"name":"updateReplicationcontroller","description":"修改副本控制器"},{"name":"updateReplicationcontrollerScale","description":"修改副本控制器Scale"},{"name":"updateReplicationcontrollerStatus","description":"修改副本控制器状态"},{"name":"updateServiceaccount","description":"修改服务账户"},{"name":"updateStatefulset","description":"修改有状态服务集"},{"name":"updateStatefulsetScale","description":"修改有状态服务集Scale"},{"name":"updateStatefulsetStatus","description":"修改有状态服务集状态"},{"name":"updateValidatingwebhookconfiguration","description":"修改ValidatingWebhook配置"}]}},{"metadata":{"name":"config","creationTimestamp":null},"Spec":{"displayName":"配置组管理","description":"配置组管理","actions":[{"name":"createConfigmap","description":"创建配置组"},{"name":"createSecret","description":"创建密钥"},{"name":"deleteConfigmap","description":"删除配置组"},{"name":"deleteSecret","description":"删除密钥"},{"name":"getConfigmap","description":"获取配置组"},{"name":"getSecret","description":"获取密钥"},{"name":"listConfigmaps","description":"列举配置组"},{"name":"listSecrets","description":"列举密钥"},{"name":"updateConfigmap","description":"修改配置组"},{"name":"updateSecret","description":"修改密钥"}]}},{"metadata":{"name":"network","creationTimestamp":null},"Spec":{"displayName":"网络管理
","description":"网络管理","actions":[{"name":"createIngress","description":"创建Ingress"},{"name":"createNetworkpolicy","description":"创建网络策略"},{"name":"createService","description":"创建服务"},{"name":"deleteIngress","description":"删除Ingress"},{"name":"deleteNetworkpolicy","description":"删除网络策略"},{"name":"deleteService","description":"删除服务"},{"name":"getIngress","description":"获取Ingress"},{"name":"getIngressStatus","description":"获取Ingress状态"},{"name":"getNetworkpolicy","description":"获取网络策略"},{"name":"getService","description":"获取服务"},{"name":"getServiceStatus","description":"获取服务状态"},{"name":"listIngressEvents","description":"列举Ingress事件"},{"name":"listIngresses","description":"列举Ingress"},{"name":"listNetworkpolicies","description":"列举网络策略"},{"name":"listServiceEvents","description":"列举服务事件"},{"name":"listServices","description":"列举服务"},{"name":"updateIngress","description":"修改Ingress"},{"name":"updateIngressStatus","description":"修改Ingress状态"},{"name":"updateNetworkpolicy","description":"修改网络策略"},{"name":"updateService","description":"修改服务"},{"name":"updateServiceStatus","description":"修改服务状态"}]}},{"metadata":{"name":"addon","creationTimestamp":null},"Spec":{"displayName":"扩展组件管理","description":"扩展组件管理","actions":[{"name":"createCronhpa","description":"创建CronHPA组件"},{"name":"createCsioperator","description":"创建CSIOperator组件"},{"name":"createGpumanager","description":"创建GPUManager组件"},{"name":"createHelm","description":"创建Helm组件"},{"name":"createIpam","description":"创建IPAM组件"},{"name":"createLbcf","description":"创建LBCF组件"},{"name":"createLogcollector","description":"创建日志收集器组件"},{"name":"createPersistentevent","description":"创建事件持久化组件"},{"name":"createPrometheuse","description":"创建Prometheuse组件"},{"name":"createTappcontroller","description":"创建TappController组件"},{"name":"createVolumedecorator","description":"创建Volumedecorator组件"},{"name":"deleteCronhpa","description":"删除CronHPA组件"},{"name":"deleteCsioperator","description":"删除CSIOperator组件"},{"name":"deleteGpumanager","de
scription":"删除GPUManager组件"},{"name":"deleteHelm","description":"删除Helm组件"},{"name":"deleteIpam","description":"删除IPAM组件"},{"name":"deleteLbcf","description":"删除LBCF组件"},{"name":"deleteLogcollector","description":"删除日志收集器组件"},{"name":"deletePersistentevent","description":"删除事件持久化组件"},{"name":"deletePrometheuse","description":"删除Prometheuse组件"},{"name":"deleteTappcontroller","description":"删除TappController组件"},{"name":"deleteVolumedecorator","description":"删除Volumedecorator组件"},{"name":"getClusteraddontype","description":"获取集群扩展类型"},{"name":"getCronhpa","description":"获取CronHPA组件"},{"name":"getCronhpaStatus","description":"获取CronHPA组件状态"},{"name":"getCsioperator","description":"获取CSIOperator组件"},{"name":"getCsioperatorStatus","description":"获取CSIOperator组件状态"},{"name":"getGpumanager","description":"获取GPUManager组件"},{"name":"getGpumanagerStatus","description":"获取GPUManager组件状态"},{"name":"getHelm","description":"获取Helm组件"},{"name":"getHelmStatus","description":"获取Helm组件状态"},{"name":"getIpam","description":"获取IPAM组件"},{"name":"getIpamStatus","description":"获取IPAM组件状态"},{"name":"getLbcf","description":"获取LBCF组件"},{"name":"getLbcfStatus","description":"获取LBCF组件状态"},{"name":"getLogcollector","description":"获取日志收集器组件"},{"name":"getLogcollectorStatus","description":"获取日志收集器组件状态"},{"name":"getPersistentevent","description":"获取事件持久化组件"},{"name":"getPersistenteventStatus","description":"获取事件持久化组件状态"},{"name":"getPrometheuse","description":"获取Prometheuse组件"},{"name":"getPrometheuseStatus","description":"获取Prometheuse组件状态"},{"name":"getTappcontroller","description":"获取TappController组件"},{"name":"getTappcontrollerStatus","description":"获取TappController组件状态"},{"name":"getVolumedecorator","description":"获取Volumedecorator组件"},{"name":"getVolumedecoratorStatus","description":"获取Volumedecorator组件状态"},{"name":"listClusteraddontypes","description":"列举集群扩展类型"},{"name":"listCronhpas","description":"列举CronHPA组件"},{"name":"listCsioperators","description":"列举CSIOperator组件"},{"name":"listGpuma
nagers","description":"列举GPUManager组件"},{"name":"listHelms","description":"列举Helm组件"},{"name":"listIpams","description":"列举IPAM组件"},{"name":"listLbcfs","description":"列举LBCF组件"},{"name":"listLogcollectors","description":"列举日志收集器组件"},{"name":"listPersistentevents","description":"列举事件持久化组件"},{"name":"listPrometheuses","description":"列举Prometheuse组件"},{"name":"listTappcontrollers","description":"列举TappController组件"},{"name":"listVolumedecorators","description":"列举Volumedecorator组件"},{"name":"updateCronhpa","description":"修改CronHPA组件"},{"name":"updateCronhpaStatus","description":"修改CronHPA组件状态"},{"name":"updateCsioperator","description":"修改CSIOperator组件"},{"name":"updateCsioperatorStatus","description":"修改CSIOperator组件状态"},{"name":"updateGpumanager","description":"修改GPUManager组件"},{"name":"updateGpumanagerStatus","description":"修改GPUManager组件状态"},{"name":"updateHelm","description":"修改Helm组件"},{"name":"updateHelmStatus","description":"修改Helm组件状态"},{"name":"updateIpam","description":"修改IPAM组件"},{"name":"updateIpamStatus","description":"修改IPAM组件状态"},{"name":"updateLbcf","description":"修改LBCF组件"},{"name":"updateLbcfStatus","description":"修改LBCF组件状态"},{"name":"updateLogcollector","description":"修改日志收集器组件"},{"name":"updateLogcollectorStatus","description":"修改日志收集器组件状态"},{"name":"updatePersistentevent","description":"修改事件持久化组件"},{"name":"updatePersistenteventStatus","description":"修改事件持久化组件状态"},{"name":"updatePrometheuse","description":"修改Prometheuse组件"},{"name":"updatePrometheuseStatus","description":"修改Prometheuse组件状态"},{"name":"updateTappcontroller","description":"修改TappController组件"},{"name":"updateTappcontrollerStatus","description":"修改TappController组件状态"},{"name":"updateVolumedecorator","description":"修改Volumedecorator组件"},{"name":"updateVolumedecoratorStatus","description":"修改Volumedecorator组件状态"}]}},{"metadata":{"name":"auth","creationTimestamp":null},"Spec":{"displayName":"用户和权限","description":"用户和权限管理","actions":[{"name":"createApikey","description":"创建访问凭证"},{"name"
:"createApikeyPassword","description":"使用密码申请访问凭证"},{"name":"createApikeyToken","description":"使用Token申请访问凭证"},{"name":"createClusterrole","description":"创建K8S集群角色"},{"name":"createClusterrolebinding","description":"创建K8S集群角色绑定"},{"name":"createGroup","description":"创建用户组"},{"name":"createIdentityprovider","description":"创建IDP"},{"name":"createLocalgroup","description":"创建用户组"},{"name":"createLocalgroupBinding","description":"创建用户组Binding"},{"name":"createLocalgroupUnbinding","description":"创建用户组Unbinding"},{"name":"createLocalidentity","description":"创建用户"},{"name":"createLocalidentityPassword","description":"用户修改密码"},{"name":"createPolicy","description":"创建策略"},{"name":"createPolicyBinding","description":"绑定策略用户和用户组"},{"name":"createPolicyUnbinding","description":"移除策略用户或用户组"},{"name":"createRole","description":"创建角色"},{"name":"createRoleBinding","description":"绑定角色用户和用户组"},{"name":"createRolePolicybinding","description":"添加角色策略"},{"name":"createRolePolicyunbinding","description":"移除角色策略"},{"name":"createRoleUnbinding","description":"移除角色用户或用户组"},{"name":"createRolebinding","description":"创建K8S角色绑定"},{"name":"createUser","description":"创建用户"},{"name":"deleteApikey","description":"删除访问凭证"},{"name":"deleteClusterrole","description":"删除K8S集群角色"},{"name":"deleteClusterrolebinding","description":"删除K8S集群角色绑定"},{"name":"deleteIdentityprovider","description":"删除IDP"},{"name":"deleteLocalgroup","description":"删除用户组"},{"name":"deleteLocalidentity","description":"删除用户"},{"name":"deletePolicy","description":"删除策略"},{"name":"deleteRole","description":"删除角色"},{"name":"deleteRolebinding","description":"删除K8S角色绑定"},{"name":"getApikey","description":"获取访问凭证"},{"name":"getApikeyStatus","description":"获取访问凭证状态"},{"name":"getClusterrole","description":"获取K8S集群角色"},{"name":"getClusterrolebinding","description":"获取K8S集群角色绑定"},{"name":"getGroup","description":"获取用户组"},{"name":"getIdentityprovider","description":"获取IDP"},{"name":"getLocalgroup","description":"获取用户组"},{"name":"getLocalgr
oupStatus","description":"获取用户组状态"},{"name":"getLocalidentity","description":"获取用户"},{"name":"getLocalidentityStatus","description":"获取用户状态"},{"name":"getPolicy","description":"获取策略"},{"name":"getPolicyStatus","description":"获取策略状态"},{"name":"getRole","description":"获取角色"},{"name":"getRoleStatus","description":"获取角色状态"},{"name":"getRolebinding","description":"获取K8S角色绑定"},{"name":"getUser","description":"获取用户"},{"name":"listApikeys","description":"列举访问凭证"},{"name":"listClusterrolebindings","description":"列举K8S集群角色绑定"},{"name":"listClusterroles","description":"列举K8S集群角色"},{"name":"listGroups","description":"列举用户组"},{"name":"listIdentityproviders","description":"列举IDP"},{"name":"listLocalgroupUsers","description":"列举用户组用户"},{"name":"listLocalgroups","description":"列举用户组"},{"name":"listLocalidentities","description":"列举用户"},{"name":"listLocalidentityGroups","description":"列举用户用户组"},{"name":"listLocalidentityPolicies","description":"列举用户策略"},{"name":"listLocalidentityRoles","description":"列举用户角色"},{"name":"listPolicies","description":"列举策略"},{"name":"listPolicyGroups","description":"列举策略用户组"},{"name":"listPolicyUsers","description":"列举策略用户"},{"name":"listRoleGroups","description":"列举角色用户组"},{"name":"listRolePolicybinding","description":"列举角色绑定策略"},{"name":"listRoleUsers","description":"列举角色用户"},{"name":"listRolebindings","description":"列举K8S角色绑定"},{"name":"listRoles","description":"列举角色"},{"name":"listUsers","description":"列举用户"},{"name":"updateApikey","description":"修改访问凭证"},{"name":"updateApikeyStatus","description":"修改访问凭证状态"},{"name":"updateClusterrole","description":"修改K8S集群角色"},{"name":"updateClusterrolebinding","description":"修改K8S集群角色绑定"},{"name":"updateIdentityprovider","description":"修改IDP"},{"name":"updateLocalgroup","description":"修改用户组"},{"name":"updateLocalgroupStatus","description":"修改用户组状态"},{"name":"updateLocalidentity","description":"修改用户"},{"name":"updateLocalidentityStatus","description":"修改用户状态"},{"name":"updatePolicy","description":"修改策略"},{"name":"
updatePolicyStatus","description":"修改策略状态"},{"name":"updateRole","description":"修改角色"},{"name":"updateRoleStatus","description":"修改角色状态"},{"name":"updateRolebinding","description":"修改K8S角色绑定"}]}},{"metadata":{"name":"volume","creationTimestamp":null},"Spec":{"displayName":"持久存储","description":"持久存储管理","actions":[{"name":"createPersistentvolume","description":"创建持久存储"},{"name":"createPersistentvolumeclaim","description":"创建持久存储声明"},{"name":"createStorageclass","description":"创建Storageclass"},{"name":"createVolumeattachment","description":"创建Volumeattachment"},{"name":"deletePersistentvolume","description":"删除持久存储"},{"name":"deletePersistentvolumeclaim","description":"删除持久存储声明"},{"name":"deleteStorageclass","description":"删除Storageclass"},{"name":"deleteVolumeattachment","description":"删除Volumeattachment"},{"name":"getPersistentvolume","description":"获取持久存储"},{"name":"getPersistentvolumeStatus","description":"获取持久存储状态"},{"name":"getPersistentvolumeclaim","description":"获取持久存储声明"},{"name":"getPersistentvolumeclaimStatus","description":"获取持久存储声明状态"},{"name":"getStorageclass","description":"获取Storageclass"},{"name":"getVolumeattachment","description":"获取Volumeattachment"},{"name":"listPersistentvolumeEvents","description":"列举持久存储事件"},{"name":"listPersistentvolumeclaimEvents","description":"列举持久存储声明事件"},{"name":"listPersistentvolumeclaims","description":"列举持久存储声明"},{"name":"listPersistentvolumes","description":"列举持久存储"},{"name":"listStorageclassEvents","description":"列举Storageclass事件"},{"name":"listStorageclasses","description":"列举Storageclass"},{"name":"listVolumeattachments","description":"列举Volumeattachment"},{"name":"updatePersistentvolume","description":"修改持久存储"},{"name":"updatePersistentvolumeStatus","description":"修改持久存储状态"},{"name":"updatePersistentvolumeclaim","description":"修改持久存储声明"},{"name":"updatePersistentvolumeclaimStatus","description":"修改持久存储声明状态"},{"name":"updateStorageclass","description":"修改Storageclass"},{"name":"updateVolumeattachment","description":
"修改Volumeattachment"}]}}]
+ tke-auth-controller.toml: |
+ [secure_serving]
+ tls_cert_file = "/app/certs/server.crt"
+ tls_private_key_file = "/app/certs/server.key"
+
+ [client]
+
+ [client.auth]
+ api_server = "https://tke-auth-api"
+ api_server_client_config = "/app/conf/tke-auth-config.yaml"
+
+ [features]
+ category_path = "/app/conf/category.json"
+ policy_path = "/app/conf/policy.json"
+ tenant_admin = "{{ .AdminUsername }}"
+ tenant_admin_secret = "{{ .AdminPassword }}"
+
+ tke-auth-config.yaml: |
+ apiVersion: v1
+ kind: Config
+ clusters:
+ - name: tke
+ cluster:
+ certificate-authority: /app/certs/ca.crt
+ server: https://tke-auth-api
+ users:
+ - name: admin-cert
+ user:
+ client-certificate: /app/certs/admin.crt
+ client-key: /app/certs/admin.key
+ current-context: tke
+ contexts:
+ - context:
+ cluster: tke
+ user: admin-cert
+ name: tke
+
diff --git a/cmd/tke-installer/app/installer/manifests/tke-auth/tke-auth.yaml b/cmd/tke-installer/app/installer/manifests/tke-auth/tke-auth.yaml
deleted file mode 100644
index 1d45b1648..000000000
--- a/cmd/tke-installer/app/installer/manifests/tke-auth/tke-auth.yaml
+++ /dev/null
@@ -1,127 +0,0 @@ ---- -kind: Service -apiVersion: v1 -metadata: - name: tke-auth - namespace: tke -spec: - selector: - app: tke-auth - ports: - - protocol: TCP - port: 443 - targetPort: 9451 ---- -kind: Deployment -apiVersion: apps/v1 -metadata: - labels: - app: tke-auth - name: tke-auth - namespace: tke -spec: - replicas: {{ .Replicas }} - selector: - matchLabels: - app: tke-auth - template: - metadata: - labels: - app: tke-auth - spec: - containers: - - name: tke-auth - image: {{ .Image }} - args: - - -C=/app/conf/tke-auth.toml - volumeMounts: - - name: certs-volume - mountPath: /app/certs - - name: tke-auth-volume - mountPath: /app/conf - ports: - - containerPort: 9451 - readinessProbe: - httpGet: - port: 9451 - path: /healthz/ping - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - livenessProbe: - httpGet: - port: 9451 - path: /healthz - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - resources: - limits: - cpu: 500m - memory: 1Gi - requests: - cpu: 250m - memory: 256Mi - volumes: - - name: certs-volume - configMap: - name: certs - - name: tke-auth-volume - configMap: - name: tke-auth ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: tke-auth - namespace: tke -data: - policy.json: | - 
[{"name":"ProjectFullAccess","service":"project","statement":{"action":["*Namespace*","*Namespaces*","*Resourcequota*","*Platform*","*Platforms*","*Portal*","*Portals*","*Project*","*Projects*","*Event*","*Events*"],"resource":"*","effect":"allow"},"description":"该策略允许您管理平台租户业务业务相关资源","type":1},{"name":"AuthFullAccess","service":"auth","statement":{"action":["*Clusterrolebinding*","*Clusterrolebindings*","*Localidentity*","*Localidentities*","*Policy*","*Policies*","*Role*","*Roles*","*Client*","*Clients*","*Permission*","*Permissions*","*Clusterrole*","*Clusterroles*","*Category*","*Categories*","*Identityprovider*","*Identityproviders*","*Rolebinding*","*Rolebindings*"],"resource":"*","effect":"allow"},"description":"该策略允许您管理平台租户内所有用户及其权限","type":1},{"name":"NotifyFullAccess","service":"notify","statement":{"action":["*Channel*","*Channels*","*Receivergroup*","*Receivergroups*","*Template*","*Templates*","*Receiver*","*Receivers*","*Message*","*Messages*","*Messagerequest*","*Messagerequests*"],"resource":"*","effect":"allow"},"description":"该策略允许您管理平台租户通知设置","type":1},{"name":"AddonFullAccess","service":"addon","statement":{"action":["*Lbcfbackendrecord*","*Lbcfbackendrecords*","*Csi*","*Csis*","*Lbcflbdriver*","*Lbcflbdrivers*","*Csioperator*","*Csioperators*","*Logcollector*","*Logcollectors*","*Helm*","*Helms*","*Lbcf*","*Lbcfs*","*Lbcfbackendgroup*","*Lbcfbackendgroups*","*Prometheuse*","*Prometheuses*","*Cronhpa*","*Cronhpas*","*Logc*","*Logcs*","*Persistentevent*","*Persistentevents*","*Galaxy*","*Galaxies*","*Clusteraddontype*","*Clusteraddontypes*","*Gpumanager*","*Gpumanagers*","*Coredns*","*Volumedecorator*","*Volumedecorators*","*Tappcontroller*","*Tappcontrollers*","*Addon*","*Addons*","*Ipam*","*Ipams*"],"resource":"*","effect":"allow"},"description":"该策略允许您管理平台租户内扩展组件相关资源,如Helm,prometheus等","type":1},{"name":"MonitorFullAccess","service":"monitor","statement":{"action":["*Metricsquery*","*Metricsqueries*","*Alarmpolicy*","*Alarmpolicies*"],"resource
":"*","effect":"allow"},"description":"该策略允许您管理平台租户监控告警策略","type":1},{"name":"NetworkFullAccess","service":"network","statement":{"action":["*Lbcflb*","*Lbcflbs*","*Service*","*Services*","*Ingress*","*Ingresses*","*Networkpolicy*","*Networkpolicies*"],"resource":"*","effect":"allow"},"description":"该策略允许您管理平台租户内网络资源,如网络策略,service,ignress等","type":1},{"name":"ConfigFullAccess","service":"config","statement":{"action":["*Secret*","*Secrets*","*Configmap*","*Configmaps*"],"resource":"*","effect":"allow"},"description":"该策略允许您管理平台租户k8s配置组资源,包括configmap、secret等","type":1},{"name":"ClusterFullAccess","service":"cluster","statement":{"action":["*Priorityclass*","*Priorityclasses*","*Runtimeclass*","*Runtimeclasses*","*Machine*","*Machines*","*Cluster*","*Clusters*","*Node*","*Nodes*"],"resource":"*","effect":"allow"},"description":"该策略允许您管理平台租户内集群相关的资源, 包括集群管理、节点和优先级等","type":1},{"name":"VolumeFullAccess","service":"volume","statement":{"action":["*Volumeattachment*","*Volumeattachments*","*Storageclass*","*Storageclasses*","*Persistentvolume*","*Persistentvolumes*","*Persistentvolumeclaim*","*Persistentvolumeclaims*"],"resource":"*","effect":"allow"},"description":"该策略允许您管理平台租户云盘资源","type":1},{"name":"TcrFullAccess","service":"tcr","statement":{"action":["*TCR*"],"resource":"*","effect":"allow"},"description":"该策略允许您管理平台租户镜像仓库资源","type":1},{"name":"AdministratorAccess","service":"common","statement":{"action":["*"],"resource":"*","effect":"allow"},"description":"该策略允许管理平台租户内所有用户及其权限、容器服务资产","type":1},{"name":"ReadOnlyAccess","service":"common","statement":{"action":["get*","list*","read*","pull*"],"resource":"*","effect":"allow"},"description":"该策略允许您只读访问账户内所有支持接口级鉴权或资源级鉴权的容器服务资产","type":1}] - category.json: | - 
[{"name":"config","displayName":"配置组管理","description":"配置组管理","actions":{"createConfigmap":{"name":"createConfigmap","description":"创建配置组"},"createSecret":{"name":"createSecret","description":"创建密钥"},"deleteConfigmap":{"name":"deleteConfigmap","description":"删除配置组"},"deleteSecret":{"name":"deleteSecret","description":"删除密钥"},"getConfigmap":{"name":"getConfigmap","description":"获取配置组"},"getSecret":{"name":"getSecret","description":"获取密钥"},"listConfigmaps":{"name":"listConfigmaps","description":"列举配置组"},"listSecrets":{"name":"listSecrets","description":"列举密钥"},"updateConfigmap":{"name":"updateConfigmap","description":"修改配置组"},"updateSecret":{"name":"updateSecret","description":"修改密钥"}}},{"name":"network","displayName":"网络管理","description":"网络管理","actions":{"createIngress":{"name":"createIngress","description":"创建Ingress"},"createLbcflb":{"name":"createLbcflb","description":"创建LBCF LoadBalancer CRD"},"createNetworkpolicy":{"name":"createNetworkpolicy","description":"创建网络策略"},"createService":{"name":"createService","description":"创建服务"},"deleteIngress":{"name":"deleteIngress","description":"删除Ingress"},"deleteLbcflb":{"name":"deleteLbcflb","description":"删除LBCF LoadBalancer CRD"},"deleteNetworkpolicy":{"name":"deleteNetworkpolicy","description":"删除网络策略"},"deleteService":{"name":"deleteService","description":"删除服务"},"getIngress":{"name":"getIngress","description":"获取Ingress"},"getIngressStatus":{"name":"getIngressStatus","description":"获取Ingress状态"},"getNetworkpolicy":{"name":"getNetworkpolicy","description":"获取网络策略"},"getService":{"name":"getService","description":"获取服务"},"getServiceStatus":{"name":"getServiceStatus","description":"获取服务状态"},"listIngressEvents":{"name":"listIngressEvents","description":"列举Ingress事件"},"listIngresses":{"name":"listIngresses","description":"列举Ingress"},"listLbcflbs":{"name":"listLbcflbs","description":"列举LBCF LoadBalancer 
CRD"},"listNetworkpolicies":{"name":"listNetworkpolicies","description":"列举网络策略"},"listServiceEvents":{"name":"listServiceEvents","description":"列举服务事件"},"listServices":{"name":"listServices","description":"列举服务"},"updateIngress":{"name":"updateIngress","description":"修改Ingress"},"updateIngressStatus":{"name":"updateIngressStatus","description":"修改Ingress状态"},"updateLbcflb":{"name":"updateLbcflb","description":"修改LBCF LoadBalancer CRD"},"updateNetworkpolicy":{"name":"updateNetworkpolicy","description":"修改网络策略"},"updateService":{"name":"updateService","description":"修改服务"},"updateServiceStatus":{"name":"updateServiceStatus","description":"修改服务状态"}}},{"name":"monitor","displayName":"监控告警","description":"监控告警","actions":{"createAlarmpolicy":{"name":"createAlarmpolicy","description":"创建告警策略"},"createMetricsquery":{"name":"createMetricsquery","description":"创建指标查询"},"deleteAlarmpolicy":{"name":"deleteAlarmpolicy","description":"删除告警策略"},"getAlarmpolicy":{"name":"getAlarmpolicy","description":"获取告警策略"},"listAlarmpolicies":{"name":"listAlarmpolicies","description":"列举告警策略"},"updateAlarmpolicy":{"name":"updateAlarmpolicy","description":"修改告警策略"}}},{"name":"addon","displayName":"扩展组件管理","description":"扩展组件管理","actions":{"createCoredns":{"name":"createCoredns","description":"创建CoreDNS组件"},"createCronhpa":{"name":"createCronhpa","description":"创建CronHPA组件"},"createCsi":{"name":"createCsi","description":"创建容器存储接口CRD"},"createCsioperator":{"name":"createCsioperator","description":"创建CSIOperator"},"createGalaxy":{"name":"createGalaxy","description":"创建Galaxy组件"},"createGpumanager":{"name":"createGpumanager","description":"创建GPU管理组件"},"createHelm":{"name":"createHelm","description":"创建Helm组件"},"createIpam":{"name":"createIpam","description":"创建IP分配管理组件"},"createLbcf":{"name":"createLbcf","description":"创建LBCF组件"},"createLbcfbackendgroup":{"name":"createLbcfbackendgroup","description":"创建LBCF 
BackendGroup"},"createLbcfbackendrecord":{"name":"createLbcfbackendrecord","description":"创建LBCF BackendRecord"},"createLbcflbdriver":{"name":"createLbcflbdriver","description":"创建LBCF LoadBalancerDriver"},"createLogc":{"name":"createLogc","description":"创建日志crd"},"createLogcollector":{"name":"createLogcollector","description":"创建日志收集组件"},"createPersistentevent":{"name":"createPersistentevent","description":"创建事件持久化组件"},"createPrometheuse":{"name":"createPrometheuse","description":"创建Prometheuse组件"},"createTappcontroller":{"name":"createTappcontroller","description":"创建TappController组件"},"createVolumedecorator":{"name":"createVolumedecorator","description":"创建Volume装饰器组件"},"deleteCoredns":{"name":"deleteCoredns","description":"删除CoreDNS组件"},"deleteCronhpa":{"name":"deleteCronhpa","description":"删除CronHPA组件"},"deleteCsi":{"name":"deleteCsi","description":"删除容器存储接口CRD"},"deleteCsioperator":{"name":"deleteCsioperator","description":"删除CSIOperator"},"deleteGalaxy":{"name":"deleteGalaxy","description":"删除Galaxy组件"},"deleteGpumanager":{"name":"deleteGpumanager","description":"删除GPU管理组件"},"deleteHelm":{"name":"deleteHelm","description":"删除Helm组件"},"deleteIpam":{"name":"deleteIpam","description":"删除IP分配管理组件"},"deleteLbcf":{"name":"deleteLbcf","description":"删除LBCF组件"},"deleteLbcfbackendgroup":{"name":"deleteLbcfbackendgroup","description":"删除LBCF BackendGroup"},"deleteLbcfbackendrecord":{"name":"deleteLbcfbackendrecord","description":"删除LBCF BackendRecord"},"deleteLbcflbdriver":{"name":"deleteLbcflbdriver","description":"删除LBCF 
LoadBalancerDriver"},"deleteLogc":{"name":"deleteLogc","description":"删除日志crd"},"deleteLogcollector":{"name":"deleteLogcollector","description":"删除日志收集组件"},"deletePersistentevent":{"name":"deletePersistentevent","description":"删除事件持久化组件"},"deletePrometheuse":{"name":"deletePrometheuse","description":"删除Prometheuse组件"},"deleteTappcontroller":{"name":"deleteTappcontroller","description":"删除TappController组件"},"deleteVolumedecorator":{"name":"deleteVolumedecorator","description":"删除Volume装饰器组件"},"getClusteraddontype":{"name":"getClusteraddontype","description":"获取集群Addon类型"},"getCoredns":{"name":"getCoredns","description":"获取CoreDNS组件"},"getCorednsStatus":{"name":"getCorednsStatus","description":"获取CoreDNS组件状态"},"getCronhpa":{"name":"getCronhpa","description":"获取CronHPA组件"},"getCronhpaStatus":{"name":"getCronhpaStatus","description":"获取CronHPA组件状态"},"getCsioperator":{"name":"getCsioperator","description":"获取CSIOperator"},"getCsioperatorStatus":{"name":"getCsioperatorStatus","description":"获取CSIOperator状态"},"getGalaxy":{"name":"getGalaxy","description":"获取Galaxy组件"},"getGalaxyStatus":{"name":"getGalaxyStatus","description":"获取Galaxy组件状态"},"getGpumanager":{"name":"getGpumanager","description":"获取GPU管理组件"},"getGpumanagerStatus":{"name":"getGpumanagerStatus","description":"获取GPU管理组件状态"},"getHelm":{"name":"getHelm","description":"获取Helm组件"},"getHelmStatus":{"name":"getHelmStatus","description":"获取Helm组件状态"},"getIpam":{"name":"getIpam","description":"获取IP分配管理组件"},"getIpamStatus":{"name":"getIpamStatus","description":"获取IP分配管理组件状态"},"getLbcf":{"name":"getLbcf","description":"获取LBCF组件"},"getLbcfStatus":{"name":"getLbcfStatus","description":"获取LBCF组件状态"},"getLogcollector":{"name":"getLogcollector","description":"获取日志收集组件"},"getLogcollectorStatus":{"name":"getLogcollectorStatus","description":"获取日志收集组件状态"},"getPersistentevent":{"name":"getPersistentevent","description":"获取事件持久化组件"},"getPersistenteventStatus":{"name":"getPersistenteventStatus","description":"获取事件持久化组件状态"},"getProm
etheuse":{"name":"getPrometheuse","description":"获取Prometheuse组件"},"getPrometheuseStatus":{"name":"getPrometheuseStatus","description":"获取Prometheuse组件状态"},"getTappcontroller":{"name":"getTappcontroller","description":"获取TappController组件"},"getTappcontrollerStatus":{"name":"getTappcontrollerStatus","description":"获取TappController组件状态"},"getVolumedecorator":{"name":"getVolumedecorator","description":"获取Volume装饰器组件"},"getVolumedecoratorStatus":{"name":"getVolumedecoratorStatus","description":"获取Volume装饰器组件状态"},"listAddons":{"name":"listAddons","description":"列举扩展组件"},"listClusteraddontypes":{"name":"listClusteraddontypes","description":"列举集群Addon类型"},"listCorednss":{"name":"listCorednss","description":"列举CoreDNS组件"},"listCronhpas":{"name":"listCronhpas","description":"列举CronHPA组件"},"listCsioperators":{"name":"listCsioperators","description":"列举CSIOperator"},"listCsis":{"name":"listCsis","description":"列举容器存储接口CRD"},"listGalaxies":{"name":"listGalaxies","description":"列举Galaxy组件"},"listGpumanagers":{"name":"listGpumanagers","description":"列举GPU管理组件"},"listHelm":{"name":"listHelm","description":"列举Helm组件"},"listHelms":{"name":"listHelms","description":"列举Helm组件"},"listIpams":{"name":"listIpams","description":"列举IP分配管理组件"},"listLbcfbackendgroups":{"name":"listLbcfbackendgroups","description":"列举LBCF BackendGroup"},"listLbcfbackendrecords":{"name":"listLbcfbackendrecords","description":"列举LBCF BackendRecord"},"listLbcflbdrivers":{"name":"listLbcflbdrivers","description":"列举LBCF 
LoadBalancerDriver"},"listLbcfs":{"name":"listLbcfs","description":"列举LBCF组件"},"listLogcollectors":{"name":"listLogcollectors","description":"列举日志收集组件"},"listLogcs":{"name":"listLogcs","description":"列举日志crd"},"listPersistentevents":{"name":"listPersistentevents","description":"列举事件持久化组件"},"listPrometheuses":{"name":"listPrometheuses","description":"列举Prometheuse组件"},"listTappcontrollers":{"name":"listTappcontrollers","description":"列举TappController组件"},"listVolumedecorators":{"name":"listVolumedecorators","description":"列举Volume装饰器组件"},"updateCoredns":{"name":"updateCoredns","description":"修改CoreDNS组件"},"updateCorednsStatus":{"name":"updateCorednsStatus","description":"修改CoreDNS组件状态"},"updateCronhpa":{"name":"updateCronhpa","description":"修改CronHPA组件"},"updateCronhpaStatus":{"name":"updateCronhpaStatus","description":"修改CronHPA组件状态"},"updateCsi":{"name":"updateCsi","description":"修改容器存储接口CRD"},"updateCsioperator":{"name":"updateCsioperator","description":"修改CSIOperator"},"updateCsioperatorStatus":{"name":"updateCsioperatorStatus","description":"修改CSIOperator状态"},"updateGalaxy":{"name":"updateGalaxy","description":"修改Galaxy组件"},"updateGalaxyStatus":{"name":"updateGalaxyStatus","description":"修改Galaxy组件状态"},"updateGpumanager":{"name":"updateGpumanager","description":"修改GPU管理组件"},"updateGpumanagerStatus":{"name":"updateGpumanagerStatus","description":"修改GPU管理组件状态"},"updateHelm":{"name":"updateHelm","description":"修改Helm组件"},"updateHelmStatus":{"name":"updateHelmStatus","description":"修改Helm组件状态"},"updateIpam":{"name":"updateIpam","description":"修改IP分配管理组件"},"updateIpamStatus":{"name":"updateIpamStatus","description":"修改IP分配管理组件状态"},"updateLbcf":{"name":"updateLbcf","description":"修改LBCF组件"},"updateLbcfStatus":{"name":"updateLbcfStatus","description":"修改LBCF组件状态"},"updateLbcfbackendgroup":{"name":"updateLbcfbackendgroup","description":"修改LBCF BackendGroup"},"updateLbcfbackendrecord":{"name":"updateLbcfbackendrecord","description":"修改LBCF 
BackendRecord"},"updateLbcflbdriver":{"name":"updateLbcflbdriver","description":"修改LBCF LoadBalancerDriver"},"updateLogc":{"name":"updateLogc","description":"修改日志crd"},"updateLogcollector":{"name":"updateLogcollector","description":"修改日志收集组件"},"updateLogcollectorStatus":{"name":"updateLogcollectorStatus","description":"修改日志收集组件状态"},"updatePersistentevent":{"name":"updatePersistentevent","description":"修改事件持久化组件"},"updatePersistenteventStatus":{"name":"updatePersistenteventStatus","description":"修改事件持久化组件状态"},"updatePrometheuse":{"name":"updatePrometheuse","description":"修改Prometheuse组件"},"updatePrometheuseStatus":{"name":"updatePrometheuseStatus","description":"修改Prometheuse组件状态"},"updateTappcontroller":{"name":"updateTappcontroller","description":"修改TappController组件"},"updateTappcontrollerStatus":{"name":"updateTappcontrollerStatus","description":"修改TappController组件状态"},"updateVolumedecorator":{"name":"updateVolumedecorator","description":"修改Volume装饰器组件"},"updateVolumedecoratorStatus":{"name":"updateVolumedecoratorStatus","description":"修改Volume装饰器组件状态"}}},{"name":"auth","displayName":"用户和权限","description":"用户和权限管理","actions":{"addPolicyUsers":{"name":"addPolicyUsers","description":"添加策略用户"},"addRolePolicies":{"name":"addRolePolicies","description":"添加角色策略"},"addRoleUsers":{"name":"addRoleUsers","description":"添加角色用户"},"createCategory":{"name":"createCategory","description":"创建策略类别"},"createClient":{"name":"createClient","description":"创建Client"},"createClusterrole":{"name":"createClusterrole","description":"创建集群角色"},"createClusterrolebinding":{"name":"createClusterrolebinding","description":"创建集群角色绑定"},"createIdentityprovider":{"name":"createIdentityprovider","description":"创建IDP"},"createLocalidentity":{"name":"createLocalidentity","description":"创建用户"},"createPolicy":{"name":"createPolicy","description":"创建策略"},"createRole":{"name":"createRole","description":"创建角色"},"createRolebinding":{"name":"createRolebinding","description":"创建角色绑定"},"deleteCategory":{"name":
"deleteCategory","description":"删除策略类别"},"deleteCategoryActions":{"name":"deleteCategoryActions","description":"删除策略类别动作"},"deleteClient":{"name":"deleteClient","description":"删除Client"},"deleteClusterrole":{"name":"deleteClusterrole","description":"删除集群角色"},"deleteClusterrolebinding":{"name":"deleteClusterrolebinding","description":"删除集群角色绑定"},"deleteIdentityprovider":{"name":"deleteIdentityprovider","description":"删除IDP"},"deleteLocalidentity":{"name":"deleteLocalidentity","description":"删除用户"},"deletePolicy":{"name":"deletePolicy","description":"删除策略"},"deletePolicyUsers":{"name":"deletePolicyUsers","description":"删除策略用户"},"deleteRole":{"name":"deleteRole","description":"删除角色"},"deleteRolePolicies":{"name":"deleteRolePolicies","description":"删除角色策略"},"deleteRoleUsers":{"name":"deleteRoleUsers","description":"删除角色用户"},"deleteRolebinding":{"name":"deleteRolebinding","description":"删除角色绑定"},"getCategory":{"name":"getCategory","description":"获取策略类别"},"getClient":{"name":"getClient","description":"获取Client"},"getClusterrole":{"name":"getClusterrole","description":"获取集群角色"},"getClusterrolebinding":{"name":"getClusterrolebinding","description":"获取集群角色绑定"},"getIdentityprovider":{"name":"getIdentityprovider","description":"获取IDP"},"getLocalidentity":{"name":"getLocalidentity","description":"获取用户"},"getPolicy":{"name":"getPolicy","description":"获取策略"},"getRole":{"name":"getRole","description":"获取角色"},"getRolebinding":{"name":"getRolebinding","description":"获取角色绑定"},"listCategories":{"name":"listCategories","description":"列举策略类别"},"listClients":{"name":"listClients","description":"列举Client"},"listClusterrolebindings":{"name":"listClusterrolebindings","description":"列举集群角色绑定"},"listClusterroles":{"name":"listClusterroles","description":"列举集群角色"},"listIdentityproviders":{"name":"listIdentityproviders","description":"列举IDP"},"listLocalidentities":{"name":"listLocalidentities","description":"列举用户"},"listLocalidentityPermissions":{"name":"listLocalidentityPermissions","descripti
on":"列举用户权限"},"listLocalidentityPolicies":{"name":"listLocalidentityPolicies","description":"列举用户策略"},"listLocalidentityRoles":{"name":"listLocalidentityRoles","description":"列举用户角色"},"listPolicies":{"name":"listPolicies","description":"列举策略"},"listPolicyUsers":{"name":"listPolicyUsers","description":"列举策略用户"},"listRolePolicies":{"name":"listRolePolicies","description":"列举角色策略"},"listRoleUsers":{"name":"listRoleUsers","description":"列举角色用户"},"listRolebindings":{"name":"listRolebindings","description":"列举角色绑定"},"listRoles":{"name":"listRoles","description":"列举角色"},"updateCategory":{"name":"updateCategory","description":"修改策略类别"},"updateCategoryActions":{"name":"updateCategoryActions","description":"修改策略类别动作"},"updateClient":{"name":"updateClient","description":"修改Client"},"updateClusterrole":{"name":"updateClusterrole","description":"修改集群角色"},"updateClusterrolebinding":{"name":"updateClusterrolebinding","description":"修改集群角色绑定"},"updateIdentityprovider":{"name":"updateIdentityprovider","description":"修改IDP"},"updateLocalidentity":{"name":"updateLocalidentity","description":"修改用户"},"updateLocalidentityPassword":{"name":"updateLocalidentityPassword","description":"修改用户Password"},"updateLocalidentityStatus":{"name":"updateLocalidentityStatus","description":"修改用户状态"},"updatePolicy":{"name":"updatePolicy","description":"修改策略"},"updateRole":{"name":"updateRole","description":"修改角色"},"updateRolebinding":{"name":"updateRolebinding","description":"修改角色绑定"}}},{"name":"application","displayName":"应用管理","description":"应用管理","actions":{"createApply":{"name":"createApply","description":"创建Apply"},"createBinding":{"name":"createBinding","description":"创建Binding"},"createCertificatesigningrequest":{"name":"createCertificatesigningrequest","description":"创建Certificatesigningrequest"},"createControllerrevision":{"name":"createControllerrevision","description":"创建Controllerrevision"},"createCronjob":{"name":"createCronjob","description":"创建周期作业"},"createDaemonset":{"name":"createDaemon
set","description":"创建Daemonset"},"createDeployment":{"name":"createDeployment","description":"创建Deployment"},"createDeploymentRollback":{"name":"createDeploymentRollback","description":"创建DeploymentRollback"},"createEndpoint":{"name":"createEndpoint","description":"创建端点"},"createHorizontalpodautoscaler":{"name":"createHorizontalpodautoscaler","description":"创建Horizontalpodautoscaler"},"createJob":{"name":"createJob","description":"创建作业"},"createLease":{"name":"createLease","description":"创建Lease"},"createLimitrange":{"name":"createLimitrange","description":"创建Limitrange"},"createMutatingwebhookconfiguration":{"name":"createMutatingwebhookconfiguration","description":"创建Mutatingwebhookconfiguration"},"createPod":{"name":"createPod","description":"创建Pod"},"createPodBinding":{"name":"createPodBinding","description":"创建PodBinding"},"createPoddisruptionbudget":{"name":"createPoddisruptionbudget","description":"创建Poddisruptionbudget"},"createPodpreset":{"name":"createPodpreset","description":"创建Podpreset"},"createPodsecuritypolicy":{"name":"createPodsecuritypolicy","description":"创建Podsecuritypolicy"},"createPodtemplate":{"name":"createPodtemplate","description":"创建pod模板"},"createPvcr":{"name":"createPvcr","description":"创建Pvcr"},"createRegistry":{"name":"createRegistry","description":"创建Registry"},"createReplicaset":{"name":"createReplicaset","description":"创建副本集"},"createReplicationcontroller":{"name":"createReplicationcontroller","description":"创建副本控制器"},"createServiceaccount":{"name":"createServiceaccount","description":"创建Serviceaccount"},"createStatefulset":{"name":"createStatefulset","description":"创建Statefulset"},"createTapp":{"name":"createTapp","description":"创建Tapp"},"createValidatingwebhookconfiguration":{"name":"createValidatingwebhookconfiguration","description":"创建Validatingwebhookconfiguration"},"deleteCertificatesigningrequest":{"name":"deleteCertificatesigningrequest","description":"删除Certificatesigningrequest"},"deleteControllerrevision":{"name":"delet
eControllerrevision","description":"删除Controllerrevision"},"deleteCronjob":{"name":"deleteCronjob","description":"删除周期作业"},"deleteDaemonset":{"name":"deleteDaemonset","description":"删除Daemonset"},"deleteDeployment":{"name":"deleteDeployment","description":"删除Deployment"},"deleteEndpoint":{"name":"deleteEndpoint","description":"删除端点"},"deleteHorizontalpodautoscaler":{"name":"deleteHorizontalpodautoscaler","description":"删除Horizontalpodautoscaler"},"deleteJob":{"name":"deleteJob","description":"删除作业"},"deleteLease":{"name":"deleteLease","description":"删除Lease"},"deleteLimitrange":{"name":"deleteLimitrange","description":"删除Limitrange"},"deleteMutatingwebhookconfiguration":{"name":"deleteMutatingwebhookconfiguration","description":"删除Mutatingwebhookconfiguration"},"deletePod":{"name":"deletePod","description":"删除Pod"},"deletePoddisruptionbudget":{"name":"deletePoddisruptionbudget","description":"删除Poddisruptionbudget"},"deletePodpreset":{"name":"deletePodpreset","description":"删除Podpreset"},"deletePodsecuritypolicy":{"name":"deletePodsecuritypolicy","description":"删除Podsecuritypolicy"},"deletePodtemplate":{"name":"deletePodtemplate","description":"删除pod模板"},"deletePvcr":{"name":"deletePvcr","description":"删除Pvcr"},"deleteRegistry":{"name":"deleteRegistry","description":"删除Registry"},"deleteReplicaset":{"name":"deleteReplicaset","description":"删除副本集"},"deleteReplicationcontroller":{"name":"deleteReplicationcontroller","description":"删除副本控制器"},"deleteServiceaccount":{"name":"deleteServiceaccount","description":"删除Serviceaccount"},"deleteStatefulset":{"name":"deleteStatefulset","description":"删除Statefulset"},"deleteTapp":{"name":"deleteTapp","description":"删除Tapp"},"deleteValidatingwebhookconfiguration":{"name":"deleteValidatingwebhookconfiguration","description":"删除Validatingwebhookconfiguration"},"getCertificatesigningrequest":{"name":"getCertificatesigningrequest","description":"获取Certificatesigningrequest"},"getComponentstatus":{"name":"getComponentstatus","descriptio
n":"获取Componentstatus"},"getControllerrevision":{"name":"getControllerrevision","description":"获取Controllerrevision"},"getCronjob":{"name":"getCronjob","description":"获取周期作业"},"getCronjobStatus":{"name":"getCronjobStatus","description":"获取周期作业状态"},"getDaemonset":{"name":"getDaemonset","description":"获取Daemonset"},"getDaemonsetStatus":{"name":"getDaemonsetStatus","description":"获取Daemonset状态"},"getDeployment":{"name":"getDeployment","description":"获取Deployment"},"getDeploymentStatus":{"name":"getDeploymentStatus","description":"获取Deployment状态"},"getEndpoint":{"name":"getEndpoint","description":"获取端点"},"getHorizontalpodautoscaler":{"name":"getHorizontalpodautoscaler","description":"获取Horizontalpodautoscaler"},"getHorizontalpodautoscalerStatus":{"name":"getHorizontalpodautoscalerStatus","description":"获取Horizontalpodautoscaler状态"},"getJob":{"name":"getJob","description":"获取作业"},"getJobStatus":{"name":"getJobStatus","description":"获取作业状态"},"getLease":{"name":"getLease","description":"获取Lease"},"getLimitrange":{"name":"getLimitrange","description":"获取Limitrange"},"getMutatingwebhookconfiguration":{"name":"getMutatingwebhookconfiguration","description":"获取Mutatingwebhookconfiguration"},"getPod":{"name":"getPod","description":"获取Pod"},"getPodLog":{"name":"getPodLog","description":"获取Pod日志"},"getPodStatus":{"name":"getPodStatus","description":"获取Pod状态"},"getPoddisruptionbudget":{"name":"getPoddisruptionbudget","description":"获取Poddisruptionbudget"},"getPoddisruptionbudgetStatus":{"name":"getPoddisruptionbudgetStatus","description":"获取Poddisruptionbudget状态"},"getPodpreset":{"name":"getPodpreset","description":"获取Podpreset"},"getPodsecuritypolicy":{"name":"getPodsecuritypolicy","description":"获取Podsecuritypolicy"},"getPodtemplate":{"name":"getPodtemplate","description":"获取pod模板"},"getRegistry":{"name":"getRegistry","description":"获取Registry"},"getReplicaset":{"name":"getReplicaset","description":"获取副本集"},"getReplicasetStatus":{"name":"getReplicasetStatus","description":"获取副本集
状态"},"getReplicationcontroller":{"name":"getReplicationcontroller","description":"获取副本控制器"},"getReplicationcontrollerStatus":{"name":"getReplicationcontrollerStatus","description":"获取副本控制器状态"},"getServiceaccount":{"name":"getServiceaccount","description":"获取Serviceaccount"},"getStatefulset":{"name":"getStatefulset","description":"获取Statefulset"},"getStatefulsetStatus":{"name":"getStatefulsetStatus","description":"获取Statefulset状态"},"getValidatingwebhookconfiguration":{"name":"getValidatingwebhookconfiguration","description":"获取Validatingwebhookconfiguration"},"listCertificatesigningrequests":{"name":"listCertificatesigningrequests","description":"列举Certificatesigningrequest"},"listComponentstatuses":{"name":"listComponentstatuses","description":"列举Componentstatus"},"listControllerrevisions":{"name":"listControllerrevisions","description":"列举Controllerrevision"},"listCronjobEvents":{"name":"listCronjobEvents","description":"列举周期作业事件"},"listCronjobs":{"name":"listCronjobs","description":"列举周期作业"},"listDaemonsetEvents":{"name":"listDaemonsetEvents","description":"列举Daemonset事件"},"listDaemonsetPods":{"name":"listDaemonsetPods","description":"列举DaemonsetPod"},"listDaemonsets":{"name":"listDaemonsets","description":"列举Daemonset"},"listDeploymentEvents":{"name":"listDeploymentEvents","description":"列举Deployment事件"},"listDeploymentPods":{"name":"listDeploymentPods","description":"列举DeploymentPod"},"listDeploymentScale":{"name":"listDeploymentScale","description":"列举DeploymentScale"},"listDeployments":{"name":"listDeployments","description":"列举Deployment"},"listEndpoints":{"name":"listEndpoints","description":"列举端点"},"listHorizontalpodautoscalers":{"name":"listHorizontalpodautoscalers","description":"列举Horizontalpodautoscaler"},"listJobEvents":{"name":"listJobEvents","description":"列举作业事件"},"listJobPods":{"name":"listJobPods","description":"列举作业Pod"},"listJobs":{"name":"listJobs","description":"列举作业"},"listLeases":{"name":"listLeases","description":"列举Lease"},"listLimitranges
":{"name":"listLimitranges","description":"列举Limitrange"},"listMutatingwebhookconfigurations":{"name":"listMutatingwebhookconfigurations","description":"列举Mutatingwebhookconfiguration"},"listPodEvents":{"name":"listPodEvents","description":"列举Pod事件"},"listPoddisruptionbudgets":{"name":"listPoddisruptionbudgets","description":"列举Poddisruptionbudget"},"listPodpresets":{"name":"listPodpresets","description":"列举Podpreset"},"listPods":{"name":"listPods","description":"列举Pod"},"listPodsecuritypolicies":{"name":"listPodsecuritypolicies","description":"列举Podsecuritypolicy"},"listPodtemplates":{"name":"listPodtemplates","description":"列举pod模板"},"listPvcrs":{"name":"listPvcrs","description":"列举Pvcr"},"listRegistries":{"name":"listRegistries","description":"列举Registry"},"listReplicasetEvents":{"name":"listReplicasetEvents","description":"列举副本集事件"},"listReplicasetPods":{"name":"listReplicasetPods","description":"列举副本集Pod"},"listReplicasetScale":{"name":"listReplicasetScale","description":"列举副本集Scale"},"listReplicasets":{"name":"listReplicasets","description":"列举副本集"},"listReplicationcontrollerEvents":{"name":"listReplicationcontrollerEvents","description":"列举副本控制器事件"},"listReplicationcontrollerPods":{"name":"listReplicationcontrollerPods","description":"列举副本控制器Pod"},"listReplicationcontrollerScale":{"name":"listReplicationcontrollerScale","description":"列举副本控制器Scale"},"listReplicationcontrollers":{"name":"listReplicationcontrollers","description":"列举副本控制器"},"listServiceaccounts":{"name":"listServiceaccounts","description":"列举Serviceaccount"},"listStatefulsetEvents":{"name":"listStatefulsetEvents","description":"列举Statefulset事件"},"listStatefulsetPods":{"name":"listStatefulsetPods","description":"列举StatefulsetPod"},"listStatefulsetScale":{"name":"listStatefulsetScale","description":"列举StatefulsetScale"},"listStatefulsets":{"name":"listStatefulsets","description":"列举Statefulset"},"listTapps":{"name":"listTapps","description":"列举Tapp"},"listValidatingwebhookconfigurations":{"name":
"listValidatingwebhookconfigurations","description":"列举Validatingwebhookconfiguration"},"updateCertificatesigningrequest":{"name":"updateCertificatesigningrequest","description":"修改Certificatesigningrequest"},"updateControllerrevision":{"name":"updateControllerrevision","description":"修改Controllerrevision"},"updateCronjob":{"name":"updateCronjob","description":"修改周期作业"},"updateCronjobStatus":{"name":"updateCronjobStatus","description":"修改周期作业状态"},"updateDaemonset":{"name":"updateDaemonset","description":"修改Daemonset"},"updateDaemonsetStatus":{"name":"updateDaemonsetStatus","description":"修改Daemonset状态"},"updateDeployment":{"name":"updateDeployment","description":"修改Deployment"},"updateDeploymentScale":{"name":"updateDeploymentScale","description":"修改DeploymentScale"},"updateDeploymentStatus":{"name":"updateDeploymentStatus","description":"修改Deployment状态"},"updateEndpoint":{"name":"updateEndpoint","description":"修改端点"},"updateHorizontalpodautoscaler":{"name":"updateHorizontalpodautoscaler","description":"修改Horizontalpodautoscaler"},"updateHorizontalpodautoscalerStatus":{"name":"updateHorizontalpodautoscalerStatus","description":"修改Horizontalpodautoscaler状态"},"updateJob":{"name":"updateJob","description":"修改作业"},"updateJobStatus":{"name":"updateJobStatus","description":"修改作业状态"},"updateLease":{"name":"updateLease","description":"修改Lease"},"updateLimitrange":{"name":"updateLimitrange","description":"修改Limitrange"},"updateMutatingwebhookconfiguration":{"name":"updateMutatingwebhookconfiguration","description":"修改Mutatingwebhookconfiguration"},"updatePod":{"name":"updatePod","description":"修改Pod"},"updatePodStatus":{"name":"updatePodStatus","description":"修改Pod状态"},"updatePoddisruptionbudget":{"name":"updatePoddisruptionbudget","description":"修改Poddisruptionbudget"},"updatePoddisruptionbudgetStatus":{"name":"updatePoddisruptionbudgetStatus","description":"修改Poddisruptionbudget状态"},"updatePodpreset":{"name":"updatePodpreset","description":"修改Podpreset"},"updatePodsecurity
policy":{"name":"updatePodsecuritypolicy","description":"修改Podsecuritypolicy"},"updatePodtemplate":{"name":"updatePodtemplate","description":"修改pod模板"},"updatePvcr":{"name":"updatePvcr","description":"修改Pvcr"},"updateRegistry":{"name":"updateRegistry","description":"修改Registry"},"updateReplicaset":{"name":"updateReplicaset","description":"修改副本集"},"updateReplicasetScale":{"name":"updateReplicasetScale","description":"修改副本集Scale"},"updateReplicasetStatus":{"name":"updateReplicasetStatus","description":"修改副本集状态"},"updateReplicationcontroller":{"name":"updateReplicationcontroller","description":"修改副本控制器"},"updateReplicationcontrollerScale":{"name":"updateReplicationcontrollerScale","description":"修改副本控制器Scale"},"updateReplicationcontrollerStatus":{"name":"updateReplicationcontrollerStatus","description":"修改副本控制器状态"},"updateServiceaccount":{"name":"updateServiceaccount","description":"修改Serviceaccount"},"updateStatefulset":{"name":"updateStatefulset","description":"修改Statefulset"},"updateStatefulsetScale":{"name":"updateStatefulsetScale","description":"修改StatefulsetScale"},"updateStatefulsetStatus":{"name":"updateStatefulsetStatus","description":"修改Statefulset状态"},"updateTapp":{"name":"updateTapp","description":"修改Tapp"},"updateValidatingwebhookconfiguration":{"name":"updateValidatingwebhookconfiguration","description":"修改Validatingwebhookconfiguration"}}},{"name":"volume","displayName":"持久存储","description":"持久存储管理","actions":{"createPersistentvolume":{"name":"createPersistentvolume","description":"创建持久存储"},"createPersistentvolumeclaim":{"name":"createPersistentvolumeclaim","description":"创建持久存储声明"},"createStorageclass":{"name":"createStorageclass","description":"创建Storageclass"},"createVolumeattachment":{"name":"createVolumeattachment","description":"创建Volumeattachment"},"deletePersistentvolume":{"name":"deletePersistentvolume","description":"删除持久存储"},"deletePersistentvolumeclaim":{"name":"deletePersistentvolumeclaim","description":"删除持久存储声明"},"deleteStorageclass":{"nam
e":"deleteStorageclass","description":"删除Storageclass"},"deleteVolumeattachment":{"name":"deleteVolumeattachment","description":"删除Volumeattachment"},"getPersistentvolume":{"name":"getPersistentvolume","description":"获取持久存储"},"getPersistentvolumeStatus":{"name":"getPersistentvolumeStatus","description":"获取持久存储状态"},"getPersistentvolumeclaim":{"name":"getPersistentvolumeclaim","description":"获取持久存储声明"},"getPersistentvolumeclaimStatus":{"name":"getPersistentvolumeclaimStatus","description":"获取持久存储声明状态"},"getStorageclass":{"name":"getStorageclass","description":"获取Storageclass"},"getVolumeattachment":{"name":"getVolumeattachment","description":"获取Volumeattachment"},"listPersistentvolumeEvents":{"name":"listPersistentvolumeEvents","description":"列举持久存储事件"},"listPersistentvolumeclaimEvents":{"name":"listPersistentvolumeclaimEvents","description":"列举持久存储声明事件"},"listPersistentvolumeclaims":{"name":"listPersistentvolumeclaims","description":"列举持久存储声明"},"listPersistentvolumes":{"name":"listPersistentvolumes","description":"列举持久存储"},"listStorageclassEvents":{"name":"listStorageclassEvents","description":"列举Storageclass事件"},"listStorageclasses":{"name":"listStorageclasses","description":"列举Storageclass"},"listVolumeattachments":{"name":"listVolumeattachments","description":"列举Volumeattachment"},"updatePersistentvolume":{"name":"updatePersistentvolume","description":"修改持久存储"},"updatePersistentvolumeStatus":{"name":"updatePersistentvolumeStatus","description":"修改持久存储状态"},"updatePersistentvolumeclaim":{"name":"updatePersistentvolumeclaim","description":"修改持久存储声明"},"updatePersistentvolumeclaimStatus":{"name":"updatePersistentvolumeclaimStatus","description":"修改持久存储声明状态"},"updateStorageclass":{"name":"updateStorageclass","description":"修改Storageclass"},"updateVolumeattachment":{"name":"updateVolumeattachment","description":"修改Volumeattachment"}}},{"name":"project","displayName":"业务和命名空间","description":"业务和命名空间","actions":{"createEvent":{"name":"createEvent","description":"创建事件"},"cr
eateNamespace":{"name":"createNamespace","description":"创建命名空间"},"createPlatform":{"name":"createPlatform","description":"创建平台"},"createProject":{"name":"createProject","description":"创建业务"},"createResourcequota":{"name":"createResourcequota","description":"创建资源配额"},"deleteEvent":{"name":"deleteEvent","description":"删除事件"},"deleteNamespace":{"name":"deleteNamespace","description":"删除命名空间"},"deletePlatform":{"name":"deletePlatform","description":"删除平台"},"deleteProject":{"name":"deleteProject","description":"删除业务"},"deleteResourcequota":{"name":"deleteResourcequota","description":"删除资源配额"},"getEvent":{"name":"getEvent","description":"获取事件"},"getNamespace":{"name":"getNamespace","description":"获取命名空间"},"getNamespaceStatus":{"name":"getNamespaceStatus","description":"获取命名空间状态"},"getPlatform":{"name":"getPlatform","description":"获取平台"},"getProject":{"name":"getProject","description":"获取业务"},"getProjectFinalize":{"name":"getProjectFinalize","description":"获取业务Finalize"},"getProjectStatus":{"name":"getProjectStatus","description":"获取业务状态"},"getResourcequota":{"name":"getResourcequota","description":"获取资源配额"},"getResourcequotaStatus":{"name":"getResourcequotaStatus","description":"获取资源配额状态"},"listEvents":{"name":"listEvents","description":"列举事件"},"listNamespaces":{"name":"listNamespaces","description":"列举命名空间"},"listPlatforms":{"name":"listPlatforms","description":"列举平台"},"listPortal":{"name":"listPortal","description":"列举Portal"},"listProjects":{"name":"listProjects","description":"列举业务"},"listResourcequotas":{"name":"listResourcequotas","description":"列举资源配额"},"updateEvent":{"name":"updateEvent","description":"修改事件"},"updateNamespace":{"name":"updateNamespace","description":"修改命名空间"},"updateNamespaceFinalize":{"name":"updateNamespaceFinalize","description":"修改命名空间Finalize"},"updateNamespaceStatus":{"name":"updateNamespaceStatus","description":"修改命名空间状态"},"updatePlatform":{"name":"updatePlatform","description":"修改平台"},"updateProject":{"name":"updateProject","description":"
修改业务"},"updateProjectFinalize":{"name":"updateProjectFinalize","description":"修改业务Finalize"},"updateProjectStatus":{"name":"updateProjectStatus","description":"修改业务状态"},"updateResourcequota":{"name":"updateResourcequota","description":"修改资源配额"},"updateResourcequotaStatus":{"name":"updateResourcequotaStatus","description":"修改资源配额状态"}}},{"name":"notify","displayName":"通知服务","description":"通知服务","actions":{"createChannel":{"name":"createChannel","description":"创建通知渠道"},"createMessage":{"name":"createMessage","description":"创建消息"},"createMessagerequest":{"name":"createMessagerequest","description":"创建消息请求"},"createReceiver":{"name":"createReceiver","description":"创建接收人"},"createReceivergroup":{"name":"createReceivergroup","description":"创建接收人组"},"createTemplate":{"name":"createTemplate","description":"创建消息模板"},"deleteChannel":{"name":"deleteChannel","description":"删除通知渠道"},"deleteMessage":{"name":"deleteMessage","description":"删除消息"},"deleteMessagerequest":{"name":"deleteMessagerequest","description":"删除消息请求"},"deleteReceiver":{"name":"deleteReceiver","description":"删除接收人"},"deleteReceivergroup":{"name":"deleteReceivergroup","description":"删除接收人组"},"deleteTemplate":{"name":"deleteTemplate","description":"删除消息模板"},"getChannel":{"name":"getChannel","description":"获取通知渠道"},"getChannelStatus":{"name":"getChannelStatus","description":"获取通知渠道状态"},"getMessage":{"name":"getMessage","description":"获取消息"},"getMessageStatus":{"name":"getMessageStatus","description":"获取消息状态"},"getMessagerequest":{"name":"getMessagerequest","description":"获取消息请求"},"getMessagerequestStatus":{"name":"getMessagerequestStatus","description":"获取消息请求状态"},"getReceiver":{"name":"getReceiver","description":"获取接收人"},"getReceivergroup":{"name":"getReceivergroup","description":"获取接收人组"},"getTemplate":{"name":"getTemplate","description":"获取消息模板"},"listChannels":{"name":"listChannels","description":"列举通知渠道"},"listMessagerequests":{"name":"listMessagerequests","description":"列举消息请求"},"listMessages":{"name":"listMe
ssages","description":"列举消息"},"listReceivergroups":{"name":"listReceivergroups","description":"列举接收人组"},"listReceivers":{"name":"listReceivers","description":"列举接收人"},"listTemplates":{"name":"listTemplates","description":"列举消息模板"},"updateChannel":{"name":"updateChannel","description":"修改通知渠道"},"updateChannelFinalize":{"name":"updateChannelFinalize","description":"修改通知渠道Finalize"},"updateChannelStatus":{"name":"updateChannelStatus","description":"修改通知渠道状态"},"updateMessage":{"name":"updateMessage","description":"修改消息"},"updateMessageStatus":{"name":"updateMessageStatus","description":"修改消息状态"},"updateMessagerequest":{"name":"updateMessagerequest","description":"修改消息请求"},"updateMessagerequestStatus":{"name":"updateMessagerequestStatus","description":"修改消息请求状态"},"updateReceiver":{"name":"updateReceiver","description":"修改接收人"},"updateReceivergroup":{"name":"updateReceivergroup","description":"修改接收人组"},"updateTemplate":{"name":"updateTemplate","description":"修改消息模板"}}},{"name":"cluster","displayName":"集群管理","description":"集群管理","actions":{"createCluster":{"name":"createCluster","description":"创建集群"},"createMachine":{"name":"createMachine","description":"创建机器"},"createNode":{"name":"createNode","description":"创建节点"},"createPriorityclass":{"name":"createPriorityclass","description":"创建优先级"},"createRuntimeclass":{"name":"createRuntimeclass","description":"创建Runtimeclass"},"deleteCluster":{"name":"deleteCluster","description":"删除集群"},"deleteMachine":{"name":"deleteMachine","description":"删除机器"},"deleteNode":{"name":"deleteNode","description":"删除节点"},"deletePriorityclass":{"name":"deletePriorityclass","description":"删除优先级"},"deleteRuntimeclass":{"name":"deleteRuntimeclass","description":"删除Runtimeclass"},"getCluster":{"name":"getCluster","description":"获取集群"},"getClusterFinalize":{"name":"getClusterFinalize","description":"获取集群Finalize"},"getClusterStatus":{"name":"getClusterStatus","description":"获取集群状态"},"getMachine":{"name":"getMachine","description":"获取机器"},"getMachineStat
us":{"name":"getMachineStatus","description":"获取机器状态"},"getNode":{"name":"getNode","description":"获取节点"},"getNodeStatus":{"name":"getNodeStatus","description":"获取节点状态"},"getPriorityclass":{"name":"getPriorityclass","description":"获取优先级"},"getRuntimeclass":{"name":"getRuntimeclass","description":"获取Runtimeclass"},"listClusters":{"name":"listClusters","description":"列举集群"},"listMachines":{"name":"listMachines","description":"列举机器"},"listNodes":{"name":"listNodes","description":"列举节点"},"listPriorityclasses":{"name":"listPriorityclasses","description":"列举优先级"},"listRuntimeclasses":{"name":"listRuntimeclasses","description":"列举Runtimeclass"},"updateCluster":{"name":"updateCluster","description":"修改集群"},"updateClusterFinalize":{"name":"updateClusterFinalize","description":"修改集群Finalize"},"updateClusterStatus":{"name":"updateClusterStatus","description":"修改集群状态"},"updateMachine":{"name":"updateMachine","description":"修改机器"},"updateMachineStatus":{"name":"updateMachineStatus","description":"修改机器状态"},"updateNode":{"name":"updateNode","description":"修改节点"},"updateNodeStatus":{"name":"updateNodeStatus","description":"修改节点状态"},"updatePriorityclass":{"name":"updatePriorityclass","description":"修改优先级"},"updateRuntimeclass":{"name":"updateRuntimeclass","description":"修改Runtimeclass"}}},{"name":"tcr","displayName":"镜像仓库","description":"镜像仓库","actions":{"createTCRHelmChart":{"name":"createTCRHelmChart","description":"创建helm chart"},"createTCRHelmChartVersion":{"name":"createTCRHelmChartVersion","description":"创建helm chart版本"},"createTCRHelmChartVersionLabel":{"name":"createTCRHelmChartVersionLabel","description":"创建helm 
chart版本标签"},"createTCRMetadata":{"name":"createTCRMetadata","description":"创建项目源数据"},"createTCRRepository":{"name":"createTCRRepository","description":"创建镜像仓库"},"createTCRRepositoryLabel":{"name":"createTCRRepositoryLabel","description":"创建镜像标签"},"createTCRRepositoryTagLabel":{"name":"createTCRRepositoryTagLabel","description":"创建镜像tag标签"},"createTCRRepositoryTagScanJob":{"name":"createTCRRepositoryTagScanJob","description":"创建镜像tag扫描任务"},"deleteTCRHelmChart":{"name":"createTCRHelmChart","description":"删除helm chart"},"deleteTCRHelmChartVersion":{"name":"deleteTCRHelmChartVersion","description":"删除helm chart版本"},"deleteTCRHelmChartVersionLabel":{"name":"deleteTCRHelmChartVersionLabel","description":"删除helm chart版本标签"},"deleteTCRMetadata":{"name":"deleteTCRMetadata","description":"删除项目源数据"},"deleteTCRProject":{"name":"deleteTCRProject","description":"删除项目"},"deleteTCRRepository":{"name":"deleteTCRRepository","description":"删除镜像仓库"},"deleteTCRRepositoryLabel":{"name":"deleteTCRRepositoryLabel","description":"删除镜像标签"},"deleteTCRRepositoryTagLabel":{"name":"deleteTCRRepositoryTagLabel","description":"删除镜像tag标签"},"listTCRHelmChart":{"name":"listTCRHelmChart","description":"列举helm chart"},"listTCRHelmChartVersion":{"name":"listTCRHelmChartVersion","description":"列举helm chart版本"},"listTCRLog":{"name":"listTCRLog","description":"列举项目日志"},"listTCRRepository":{"name":"listTCRRepository","description":"列举镜像仓库"},"listTCRRepositoryLabel":{"name":"listTCRRepositoryLabel","description":"列举镜像标签"},"listTCRRepositoryTag":{"name":"listTCRRepositoryTag","description":"列举镜像tag"},"listTCRRepositoryTagLabel":{"name":"listTCRRepositoryTagLabel","description":"列举镜像tag标签"},"listTCRRepositoryTagVulnerability":{"name":"listTCRRepositoryTagVulnerability","description":"列举镜像tag漏洞"},"pullTCRRepository":{"name":"pullRepository","description":"拉取镜像"},"pushTCRRepository":{"name":"pushRepository","description":"推送镜像"},"readTCRHelmChart":{"name":"readTCRTCRHelmChart","description":"获取helm 
chart"},"readTCRHelmChartVersion":{"name":"readTCRHelmChartVersion","description":"获取helm chart版本"},"readTCRMetadata":{"name":"readTCRMetadata","description":"获取项目源数据"},"readTCRProject":{"name":"readTCRProject","description":"获取项目"},"readTCRRepository":{"name":"readTCRRepository","description":"获取镜像仓库"},"readTCRRepositoryTag":{"name":"readTCRRepositoryTag","description":"获取镜像tag"},"readTCRRepositoryTagManifest":{"name":"readTCRRepositoryTagManifest","description":"获取镜像tag manifest"},"updateTCRMetadata":{"name":"updateTCRMetadata","description":"修改项目源数据"},"updateTCRProject":{"name":"updateTCRProject","description":"更新项目"},"updateTCRRepository":{"name":"updateTCRRepository","description":"修改镜像仓库"}}}] - abac-policy.json: | - {"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"system:*","namespace":"*", "resource":"*","apiGroup":"*", "group": "*"}} - tke-auth.toml: | - [secure_serving] - tls_cert_file = "/app/certs/server.crt" - tls_private_key_file = "/app/certs/server.key" - - [etcd] - servers = [ - "https://etcd:2379" - ] - cafile = "/app/certs/etcd-ca.crt" - certfile = "/app/certs/etcd.crt" - keyfile = "/app/certs/etcd.key" - - [generic] - external_hostname = "tke-auth" - external_port = 443 - - [authorization] - policy_file="/app/conf/abac-policy.json" - - [authentication] - token_auth_file = "/app/certs/token.csv" - client_ca_file = "/app/certs/ca.crt" - - [authentication.requestheader] - client_ca_file = "/app/certs/ca.crt" - username_headers = "X-Remote-User" - extra_headers_prefix = "X-Remote-Extra-" - - [auth] - assets_path = "/app/web/auth" - category_path = "/app/conf/category.json" - policy_path = "/app/conf/policy.json" - tenant_admin = "{{ .AdminUsername }}" - tenant_admin_secret = "{{ .AdminPassword }}" - init_client_id = "{{ .TenantID }}" - init_client_secret = "{{ .OIDCClientSecret }}" - init_client_redirect_uris = [ -{{- range $element := .RedirectHosts}} - {{ printf ` "http://%s/callback",` $element}} - {{ printf 
` "https://%s/callback",` $element}} -{{- end}} - ] diff --git a/cmd/tke-installer/app/installer/manifests/tke-business-api/tke-business-api.yaml b/cmd/tke-installer/app/installer/manifests/tke-business-api/tke-business-api.yaml index 5abe6c5c7..32141ab52 100644 --- a/cmd/tke-installer/app/installer/manifests/tke-business-api/tke-business-api.yaml +++ b/cmd/tke-installer/app/installer/manifests/tke-business-api/tke-business-api.yaml @@ -100,8 +100,8 @@ data: [authentication.oidc] {{- if .EnableAuth }} client_id = "default" - issuer_url = "https://tke-auth/oidc" - external_issuer_url = "https://tke-auth/oidc" + issuer_url = "https://tke-auth-api/oidc" + external_issuer_url = "https://tke-auth-api/oidc" ca_file = "/app/certs/ca.crt" username_prefix ="-" username_claim = "name" @@ -149,7 +149,7 @@ data: - name: tke cluster: certificate-authority: /app/certs/ca.crt - server: https://tke-auth/auth/authz + server: https://tke-auth-api/auth/authz users: - name: admin-cert user: diff --git a/cmd/tke-installer/app/installer/manifests/tke-gateway/tke-gateway.yaml b/cmd/tke-installer/app/installer/manifests/tke-gateway/tke-gateway.yaml index fdf47bd7e..a6d4f5393 100644 --- a/cmd/tke-installer/app/installer/manifests/tke-gateway/tke-gateway.yaml +++ b/cmd/tke-installer/app/installer/manifests/tke-gateway/tke-gateway.yaml @@ -91,7 +91,7 @@ data: [authentication.oidc] client_secret = "{{ .OIDCClientSecret }}" client_id = "default" - issuer_url = "https://tke-auth/oidc" + issuer_url = "https://tke-auth-api/oidc" ca_file = "/app/certs/ca.crt" username_prefix ="-" username_claim = "name" diff --git a/cmd/tke-installer/app/installer/manifests/tke-monitor-api/tke-monitor-api.yaml b/cmd/tke-installer/app/installer/manifests/tke-monitor-api/tke-monitor-api.yaml index 1ea801f3e..b5b88d47b 100644 --- a/cmd/tke-installer/app/installer/manifests/tke-monitor-api/tke-monitor-api.yaml +++ b/cmd/tke-installer/app/installer/manifests/tke-monitor-api/tke-monitor-api.yaml 
@@ -102,8 +102,8 @@ data: [authentication.oidc] {{- if .EnableAuth }} client_id = "default" - issuer_url = "https://tke-auth/oidc" - external_issuer_url = "https://tke-auth/oidc" + issuer_url = "https://tke-auth-api/oidc" + external_issuer_url = "https://tke-auth-api/oidc" ca_file = "/app/certs/ca.crt" username_prefix ="-" username_claim = "name" @@ -140,7 +140,7 @@ data: - name: tke cluster: certificate-authority: /app/certs/ca.crt - server: https://tke-auth/auth/authz + server: https://tke-auth-api/auth/authz users: - name: admin-cert user: diff --git a/cmd/tke-installer/app/installer/manifests/tke-notify-api/tke-notify-api.yaml b/cmd/tke-installer/app/installer/manifests/tke-notify-api/tke-notify-api.yaml index 8f754b3f6..b35f89c21 100644 --- a/cmd/tke-installer/app/installer/manifests/tke-notify-api/tke-notify-api.yaml +++ b/cmd/tke-installer/app/installer/manifests/tke-notify-api/tke-notify-api.yaml @@ -101,8 +101,8 @@ data: [authentication.oidc] {{- if .EnableAuth }} client_id = "default" - issuer_url = "https://tke-auth/oidc" - external_issuer_url = "https://tke-auth/oidc" + issuer_url = "https://tke-auth-api/oidc" + external_issuer_url = "https://tke-auth-api/oidc" ca_file = "/app/certs/ca.crt" username_prefix ="-" username_claim = "name" @@ -139,7 +139,7 @@ data: - name: tke cluster: certificate-authority: /app/certs/ca.crt - server: https://tke-auth/auth/authz + server: https://tke-auth-api/auth/authz users: - name: admin-cert user: diff --git a/cmd/tke-installer/app/installer/manifests/tke-platform-api/tke-platform-api.yaml b/cmd/tke-installer/app/installer/manifests/tke-platform-api/tke-platform-api.yaml index 136a0788e..73edd5f77 100644 --- a/cmd/tke-installer/app/installer/manifests/tke-platform-api/tke-platform-api.yaml +++ b/cmd/tke-installer/app/installer/manifests/tke-platform-api/tke-platform-api.yaml 
@@ -129,8 +129,8 @@ data: [authentication.oidc] {{- if .EnableAuth }} client_id = "default" - issuer_url = "https://tke-auth/oidc" - external_issuer_url = "https://tke-auth/oidc" + issuer_url = "https://tke-auth-api/oidc" + external_issuer_url = "https://tke-auth-api/oidc" ca_file = "/app/certs/ca.crt" username_prefix ="-" username_claim = "name" @@ -164,7 +164,7 @@ data: - name: tke cluster: certificate-authority: /app/certs/ca.crt - server: https://tke-auth/auth/authz + server: https://tke-auth-api/auth/authz users: - name: admin-cert user: diff --git a/cmd/tke-installer/app/installer/manifests/tke-registry-api/tke-registry-api.yaml b/cmd/tke-installer/app/installer/manifests/tke-registry-api/tke-registry-api.yaml index 6d9a1806b..aa436587e 100644 --- a/cmd/tke-installer/app/installer/manifests/tke-registry-api/tke-registry-api.yaml +++ b/cmd/tke-installer/app/installer/manifests/tke-registry-api/tke-registry-api.yaml @@ -110,8 +110,8 @@ data: [authentication.oidc] {{- if .EnableAuth }} client_id = "default" - issuer_url = "https://tke-auth/oidc" - external_issuer_url = "https://tke-auth/oidc" + issuer_url = "https://tke-auth-api/oidc" + external_issuer_url = "https://tke-auth-api/oidc" ca_file = "/app/certs/ca.crt" username_prefix ="-" username_claim = "name" @@ -174,7 +174,7 @@ data: - name: tke cluster: certificate-authority: /app/certs/ca.crt - server: https://tke-auth/auth/authz + server: https://tke-auth-api/auth/authz users: - name: admin-cert user: diff --git a/docs/devel/running-locally.md b/docs/devel/running-locally.md index 6e3403a14..694380918 100644 --- a/docs/devel/running-locally.md +++ b/docs/devel/running-locally.md 
@@ -13,7 +13,8 @@ This guide will walk you through deploying the full TKE stack on you local machi - [Create Self-signed Certificates](#create-self-signed-certificates) - [Create Static Token](#create-static-token) - [Bootstrap TKE Core Components](#bootstrap-tke-core-components) - - [tke-auth](#tke-auth) + - [tke-auth-api](#tke-auth-api) + - [tke-auth-controller](#tke-auth-controller) - [tke-platform-api](#tke-platform-api) - [tke-platform-controller](#tke-platform-controller) - [tke-registry-api(Optional)](#tke-registry-apioptional) @@ -165,15 +166,16 @@ For your convenient, - Export `${root_store}` to reference the path of your root certificate created by mkcert in the previous step. For macOS, the path is usually /Users/${username}/Library/Application Support/mkcert. -### tke-auth +### tke-auth-api -- Create `_debug/auth.json` +- Create `_debug/auth-api.json`
- Click to show sample confi + Click to show sample config
- **_debug/auth.json** + **_debug/auth-api.json** + ```json { "secure_serving": { @@ -205,11 +207,71 @@ previous step. For macOS, the path is usually /Users/${username}/Library/Applica
-- Run `tke-auth` +- Run `tke-auth-api` ```sh - $ _output/${host_os}/${host_arch}/tke-auth -C _debug/auth.json - ``` + $ _output/${host_os}/${host_arch}/tke-auth-api -C _debug/auth-api.json + ``` + +### tke-auth-controller + +- Create `_debug/auth-api-client-config.yaml` +
+ Click to view sample config +
+ + ***_debug/auth-api-client-config.yaml*** + + ```yaml + apiVersion: v1 + kind: Config + clusters: + - name: tke + cluster: + certificate-authority: ${root_store}/mkcert/rootCA.pem + server: https://127.0.0.1:9451 + users: + - name: admin + user: + token: token + current-context: tke + contexts: + - context: + cluster: tke + user: admin + name: tke + ``` + +
+ +- Create `_debug/auth-controller.json` + +
+ Click to view sample config +
+ + ***_debug/auth-controller.json*** + + ```json + { + "secure_serving": { + "tls_cert_file": "_debug/certificates/localhost+2.pem", + "tls_private_key_file": "_debug/certificates/localhost+2-key.pem" + }, + "client": { + "platform": { + "api_server_client_config": "_debug/auth-api-client-config.yaml" + } + } + } + ``` + +
+- Runn `tke-auth-controller`: + + ```sh + $ _output/${host_os}/${host_arch}/tke-auth-controller -C _debug/auth-controller.json + ``` ### tke-platform-api diff --git a/go.mod b/go.mod index b5a9828da..e997f2852 100644 --- a/go.mod +++ b/go.mod @@ -29,7 +29,6 @@ require ( github.com/bitly/go-simplejson v0.5.0 github.com/blang/semver v3.5.1+incompatible github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 // indirect - github.com/casbin/casbin v1.9.1 // indirect github.com/casbin/casbin/v2 v2.1.2 github.com/chartmuseum/storage v0.5.0 github.com/coreos/etcd v3.3.15+incompatible diff --git a/go.sum b/go.sum index 38bbc9307..be0e56daf 100644 --- a/go.sum +++ b/go.sum @@ -109,8 +109,6 @@ github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dR github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps= github.com/brancz/gojsontoyaml v0.0.0-20190425155809-e8bd32d46b3d/go.mod h1:IyUJYN1gvWjtLF5ZuygmxbnsAyP3aJS6cHzIuZY50B0= github.com/campoy/embedmd v1.0.0/go.mod h1:oxyr9RCiSXg0M3VJ3ks0UGfp98BpSSGr0kpiX3MzVl8= -github.com/casbin/casbin v1.9.1 h1:ucjbS5zTrmSLtH4XogqOG920Poe6QatdXtz1FEbApeM= -github.com/casbin/casbin v1.9.1/go.mod h1:z8uPsfBJGUsnkagrt3G8QvjgTKFMBJ32UP8HpZllfog= github.com/casbin/casbin/v2 v2.1.2 h1:bTwon/ECRx9dwBy2ewRVr5OiqjeXSGiTUY74sDPQi/g= github.com/casbin/casbin/v2 v2.1.2/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ= github.com/cenk/backoff v2.0.0+incompatible/go.mod h1:7FtoeaSnHoZnmZzz47cM35Y9nSW7tNyaidugnHTaFDE= diff --git a/pkg/auth/filter/filter.go b/pkg/auth/filter/filter.go index 18e3dc989..2dee0792a 100644 --- a/pkg/auth/filter/filter.go +++ b/pkg/auth/filter/filter.go @@ -20,6 +20,10 @@ package filter import ( "fmt" + "net/http" + "strings" + "unicode" + "github.com/go-openapi/inflect" "golang.org/x/net/context" "k8s.io/apimachinery/pkg/runtime" 
@@ -29,13 +33,12 @@ import ( genericfilters "k8s.io/apiserver/pkg/endpoints/filters" "k8s.io/apiserver/pkg/endpoints/handlers/responsewriters" "k8s.io/apiserver/pkg/endpoints/request" - "net/http" - "strings" + "k8s.io/klog" + "tkestack.io/tke/api/registry" commonapiserverfilter "tkestack.io/tke/pkg/apiserver/filter" "tkestack.io/tke/pkg/platform/apiserver/filter" "tkestack.io/tke/pkg/util/log" - "unicode" ) const ( @@ -52,7 +55,7 @@ const ( // WithTKEAuthorization passes all tke-auth authorized requests on to handler, and returns a forbidden error otherwise. func WithTKEAuthorization(handler http.Handler, a authorizer.Authorizer, s runtime.NegotiatedSerializer, ignoreAuthPathPrefixes []string) http.Handler { if a == nil { - log.Warn("TKE Authorization is disabled") + klog.Warningf("TKE Authorization is disabled") return handler } allIgnorePathPrefixes := commonapiserverfilter.MakeAllIgnoreAuthPathPrefixes(ignoreAuthPathPrefixes) @@ -94,7 +97,7 @@ func WithTKEAuthorization(handler http.Handler, a authorizer.Authorizer, s runti log.Debug("Convert to tke tkeAttributes", log.String("user name", tkeAttributes.GetUser().GetName()), log.String("resource", tkeAttributes.GetResource()), log.String("resource", tkeAttributes.GetName()), log.String("verb", tkeAttributes.GetVerb())) - authorized, reason, err = a.Authorize(ctx, tkeAttributes) + authorized, reason, err = a.Authorize(tkeAttributes) } // an authorizer like RBAC could encounter evaluation errors and still allow the request, so authorizer decision is checked before error here.
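Review bot: When `a == nil` in `WithTKEAuthorization`, the handler is returned unwrapped, so every request skips tke-auth authorization and the warning on the changed line is the only record of that state. The doc comment above the function does not mention this; I would add `// If a is nil, authorization is disabled and handler is returned unwrapped.` The new call also uses `klog.Warningf` with no format arguments, while the rest of the function still logs through `log` (see `log.Debug` in the next hunk), so this message may be formatted or routed differently from the other authorization logs. `klog.Warning("TKE Authorization is disabled")`, or keeping `log.Warn`, would avoid that. The function body continues past the end of the hunk.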
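Review bot: The call `a.Authorize(tkeAttributes)` no longer passes the request context, so an authorizer that makes a network call cannot observe the client's cancellation or deadline. This presumably follows the vendored `authorizer.Authorizer` signature, which is not visible here. If so, a comment such as `// Authorize takes no context in this apiserver version; the authorizer's own timeout bounds the call` would record the assumption, and that timeout is worth confirming. Separately, the `log.Debug` line just above logs `tkeAttributes.GetName()` under the key `"resource"` a second time; `log.String("name", tkeAttributes.GetName())` would keep authorization traces unambiguous. The enclosing function starts and ends outside the hunk.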