This article was verified on OpenShift 4.10 + RHACM 2.4.
What is RHACM
RHACM (Advanced Cluster Management for Kubernetes) is Red Hat's multi-cloud management product for OpenShift. It manages the lifecycle of self-built or hosted OpenShift clusters and certified Kubernetes clusters spread across multi-cloud environments, deploys and upgrades applications, manages security policies centrally, and runs centralized monitoring.
The RHACM multi-cloud management runtime contains two roles:
1) The Hub is the control plane of multi-cloud management; it can run on any OpenShift cluster.
2) A Managed Cluster is a cluster under management; it receives the Hub's management instructions through an Agent running locally on that cluster.
Installing RHACM
- In the OperatorHub of the OpenShift console, install Advanced Cluster Management for Kubernetes with the default options.

- In the Advanced Cluster Management for Kubernetes Operator, create a MultiClusterHub with the default configuration.

- After the MultiClusterHub has been created, the topology view of the open-cluster-management project shows the deployed resources:

- The resources deployed in the open-cluster-management-hub project can also be inspected.
$ oc get pods -n open-cluster-management-hub
NAME READY STATUS RESTARTS AGE
cluster-manager-placement-controller-d6555c767-g8cr4 1/1 Running 0 151m
cluster-manager-placement-controller-d6555c767-hgc2l 1/1 Running 0 151m
cluster-manager-placement-controller-d6555c767-l6cdd 1/1 Running 0 151m
cluster-manager-registration-controller-d9897cb77-7bnl4 1/1 Running 0 151m
cluster-manager-registration-controller-d9897cb77-rgqgj 1/1 Running 0 151m
cluster-manager-registration-controller-d9897cb77-ztg9t 1/1 Running 0 151m
cluster-manager-registration-webhook-6bc9dbd77f-dkr2r 1/1 Running 0 151m
cluster-manager-registration-webhook-6bc9dbd77f-k6l29 1/1 Running 0 151m
cluster-manager-registration-webhook-6bc9dbd77f-r9s7c 1/1 Running 0 151m
cluster-manager-work-webhook-7784f8f5df-8xhfm 1/1 Running 0 151m
cluster-manager-work-webhook-7784f8f5df-9956t 1/1 Running 0 151m
cluster-manager-work-webhook-7784f8f5df-bdthm 1/1 Running 0 151m
- Installing the MultiClusterHub automatically joins the current OpenShift cluster to RHACM as a managed cluster. Run the following commands to confirm that the open-cluster-management-agent and open-cluster-management-agent-addon projects were created automatically on the current OpenShift cluster and that the Agent and related resources are deployed in them.
$ oc get pods -n open-cluster-management-agent
NAME READY STATUS RESTARTS AGE
klusterlet-5984dd44bc-rkfw2 1/1 Running 0 145m
klusterlet-registration-agent-59b87cb5cb-697nj 1/1 Running 0 145m
klusterlet-registration-agent-59b87cb5cb-7t297 1/1 Running 0 145m
klusterlet-registration-agent-59b87cb5cb-bxw6h 1/1 Running 0 145m
klusterlet-work-agent-578bd497f7-4z25k 1/1 Running 0 145m
klusterlet-work-agent-578bd497f7-f447n 1/1 Running 0 145m
klusterlet-work-agent-578bd497f7-sht5h 1/1 Running 1 (145m ago) 145m
$ oc get pods -n open-cluster-management-agent-addon
NAME READY STATUS RESTARTS AGE
klusterlet-addon-appmgr-695bd6c6d9-qvx7g 1/1 Running 0 143m
klusterlet-addon-certpolicyctrl-786987c447-v8l49 1/1 Running 0 143m
klusterlet-addon-iampolicyctrl-99dd4bff7-xjmh2 1/1 Running 0 143m
klusterlet-addon-operator-c5559f597-m6qjs 1/1 Running 0 143m
klusterlet-addon-policyctrl-config-policy-569fddbd57-jr56w 1/1 Running 0 143m
klusterlet-addon-policyctrl-framework-769677c5bd-lxhsx 2/2 Running 1 (142m ago) 143m
klusterlet-addon-workmgr-84f5b564f5-svbfh 1/1 Running 0 143m
- The OpenShift console now has an additional "Advanced Cluster Management" view.

The access URL of the ACM console can also be obtained with the following command.
$ oc get route multicloud-console -n open-cluster-management -o jsonpath --template="https://{.spec.host}/multicloud/clusters{'\n'}"
- The Overview page shows the cluster resources currently managed by ACM.

- Under Clusters there is currently only one cluster, local-cluster, which is the OpenShift cluster on which the ACM Hub is deployed.

- The nodes of the managed cluster can be viewed.

Importing an existing OpenShift cluster
- In Clusters, find "Import cluster" and open it. In Import mode, select "server URL and API token", then provide the API server address and an access token for that cluster.

- After the import, the Add-on runtime is installed on the managed cluster automatically.

On the managed cluster, the resources deployed in the open-cluster-management-agent and open-cluster-management-agent-addon projects can be inspected.
$ oc get pods -n open-cluster-management-agent
NAME READY STATUS RESTARTS AGE
klusterlet-b48d64b8c-zmzbw 1/1 Running 0 11m
klusterlet-registration-agent-7c98c88ddd-4zkgp 1/1 Running 0 11m
klusterlet-registration-agent-7c98c88ddd-td8r6 1/1 Running 0 11m
klusterlet-registration-agent-7c98c88ddd-wnsz9 1/1 Running 0 11m
klusterlet-work-agent-77d97d4f7c-flwgr 1/1 Running 1 (11m ago) 11m
klusterlet-work-agent-77d97d4f7c-kwxhs 1/1 Running 0 11m
klusterlet-work-agent-77d97d4f7c-zw8r5 1/1 Running 0 11m
$ oc get pods -n open-cluster-management-agent-addon
NAME READY STATUS RESTARTS AGE
klusterlet-addon-appmgr-87cd7545-clbct 1/1 Running 0 7m42s
klusterlet-addon-certpolicyctrl-6b889f64c-jgskj 1/1 Running 0 7m42s
klusterlet-addon-iampolicyctrl-ccb6986f7-rxbg6 1/1 Running 0 7m42s
klusterlet-addon-operator-d99bb9c79-vbrw2 1/1 Running 0 8m5s
klusterlet-addon-policyctrl-config-policy-c9876fbcf-8zwwz 1/1 Running 0 7m42s
klusterlet-addon-policyctrl-framework-7dcf977d9c-znnrd 3/3 Running 0 7m42s
klusterlet-addon-search-6dc4cbcc44-sj9qv 1/1 Running 0 7m42s
klusterlet-addon-workmgr-7dfdfbf78-95nrv 1/1 Running 0 7m42s
- The successfully imported cluster appears under Managed clusters in Clusters.

Adding the Observability feature
RHACM can centrally monitor the state of the managed clusters; this is implemented by Observatorium running on the RHACM Hub. The Hub collects observability data from the managed clusters through Observatorium, stores it in S3 object storage through Thanos, and presents it in Grafana.
The following example uses minio to store the observability data:
- Run the following commands to install the minio environment.
$ oc new-project open-cluster-management-observability
$ git clone https://github.com/liuxiaoyu-git/multicluster-observability-operator.git
$ oc apply -k multicluster-observability-operator/examples/minio/ -n open-cluster-management-observability
secret/thanos-object-storage created
service/minio created
persistentvolumeclaim/minio created
deployment.apps/minio created
- Run the following command to view the S3 storage access settings provided to Thanos.
$ oc extract secret/thanos-object-storage --to=- -n open-cluster-management-observability
# thanos.yaml
type: s3
config:
bucket: "thanos"
endpoint: "minio:9000"
insecure: true
access_key: "minio"
secret_key: "minio123"
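The minio example above deliberately uses plaintext transport (insecure: true) and the demo key pair minio/minio123, which is fine for a lab but not for a hub that stores metrics from every managed cluster. The following script is an added example, not part of the original post or of RHACM: it audits a thanos.yaml of the shape shown above and flags those two settings. Both YAML samples are constructed; the second is a hardened counterpart with an assumed endpoint and placeholder key names.

```shell
#!/bin/sh
# Added example: audit the S3 settings RHACM observability reads from the
# thanos-object-storage secret. Against a real hub, feed the function with:
#   oc extract secret/thanos-object-storage --to=- \
#      -n open-cluster-management-observability | audit_thanos_config

# Constructed sample mirroring the minio example output in the post.
DEMO_THANOS_YAML='type: s3
config:
  bucket: "thanos"
  endpoint: "minio:9000"
  insecure: true
  access_key: "minio"
  secret_key: "minio123"'

# Constructed hardened counterpart: TLS to the object store, non-demo keys
# (endpoint and key names are assumptions, not values from the post).
HARDENED_THANOS_YAML='type: s3
config:
  bucket: "thanos"
  endpoint: "s3.example.internal:443"
  insecure: false
  access_key: "thanos-writer"
  secret_key: "REPLACE-WITH-GENERATED-SECRET"'

# audit_thanos_config: reads thanos.yaml on stdin, prints one finding per
# line, returns 0 when nothing was flagged and 1 otherwise.
audit_thanos_config() {
  cfg=$(cat)
  rc=0
  # value of a key, quotes stripped (assumes one "key: value" per line)
  val() { printf '%s\n' "$cfg" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | tr -d '" ' | head -n 1; }
  if [ "$(val insecure)" = "true" ]; then
    echo "insecure: true -> metrics and credentials travel to the object store in plaintext"; rc=1
  fi
  case "$(val access_key)/$(val secret_key)" in
    minio/*|*/minio123) echo "access_key/secret_key still use the minio example defaults"; rc=1 ;;
  esac
  if [ -z "$(val bucket)" ]; then
    echo "bucket is empty"; rc=1
  fi
  return $rc
}
```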
- Run the following command to install the Observability feature on the RHACM Hub.
$ oc apply -f https://raw.githubusercontent.com/liuxiaoyu-git/rhacm-workshop/master/03.Observability/exercise/multiclusterobservability.yaml -n open-cluster-management-observability
- After installation, the Pods and deployed resources running in open-cluster-management-observability can be inspected.
$ oc get pods -n open-cluster-management-observability
NAME READY STATUS RESTARTS AGE
minio-8b9dfc5bc-gt6tz 1/1 Running 0 9m52s
observability-alertmanager-0 3/3 Running 0 9m16s
observability-alertmanager-1 3/3 Running 0 8m49s
observability-alertmanager-2 3/3 Running 0 8m18s
observability-grafana-7855cfb5d9-jbgpn 2/2 Running 0 9m16s
observability-grafana-7855cfb5d9-k9z7l 2/2 Running 0 9m16s
observability-observatorium-api-655748549-rclq4 1/1 Running 0 8m54s
observability-observatorium-api-655748549-t6h8f 1/1 Running 0 8m54s
observability-observatorium-operator-78b49598dc-2vs7m 1/1 Running 0 9m16s
observability-rbac-query-proxy-598bcd6db8-vn9lm 2/2 Running 0 9m15s
observability-rbac-query-proxy-598bcd6db8-xm2d4 2/2 Running 0 9m15s
observability-thanos-compact-0 1/1 Running 0 8m54s
observability-thanos-query-768679f974-6xzdm 1/1 Running 0 8m54s
observability-thanos-query-768679f974-lfjxg 1/1 Running 0 8m54s
observability-thanos-query-frontend-749864469d-sjrd7 1/1 Running 0 8m54s
observability-thanos-query-frontend-749864469d-xpwq5 1/1 Running 0 8m54s
observability-thanos-query-frontend-memcached-0 2/2 Running 0 8m54s
observability-thanos-query-frontend-memcached-1 2/2 Running 0 8m37s
observability-thanos-query-frontend-memcached-2 2/2 Running 0 8m21s
observability-thanos-receive-controller-5b5d8bd59d-n5k7r 1/1 Running 0 8m54s
observability-thanos-receive-default-0 1/1 Running 0 8m54s
observability-thanos-receive-default-1 1/1 Running 0 8m29s
observability-thanos-receive-default-2 1/1 Running 0 8m7s
observability-thanos-rule-0 2/2 Running 0 8m54s
observability-thanos-rule-1 2/2 Running 0 8m28s
observability-thanos-rule-2 2/2 Running 0 8m2s
observability-thanos-store-memcached-0 2/2 Running 0 8m54s
observability-thanos-store-memcached-1 2/2 Running 0 8m36s
observability-thanos-store-memcached-2 2/2 Running 0 8m21s
observability-thanos-store-shard-0-0 1/1 Running 0 8m54s
observability-thanos-store-shard-1-0 1/1 Running 0 8m54s
observability-thanos-store-shard-2-0 1/1 Running 2 (8m36s ago) 8m54s

Once Observability is deployed successfully, a Grafana link appears at the top right of the Clusters page in the ACM console.

In Grafana, the running state of the managed clusters is shown.

Opening one of the clusters in the view above shows the running state of that cluster.

References
https://github.com/michaelkotelnikov/rhacm-workshop