Extending kubernetes API with CRD

Intorduction CRD

What is? CRD

stay Kubernetes API in ,resources Is stored API Object collection endpoint. for example , built-in Pod resource contain Pod A collection of objects . When we want to expand API, Native Kubernetes Can't meet our needs , At this time CRD (CustomResourceDefinition) And that's what happened . stay Kubernetes Created in CRD after , You can use it like any other native Kubernetes Use it like an object , Thus make use of Kubernetes All functions of 、 Such as security 、API service 、RBAC etc. .

Kubernetes 1.7 After that, I added the right CRD Customize the secondary development capability of resources to expand Kubernetes API, adopt CRD We can approach Kubernetes API Add new resource type , Without modification Kubernetes Source code to create custom API server, This feature greatly improves Kubernetes The ability to expand .

establish CRD

Prerequisite ： Kubernetes The server version must be at least version 1.16

Create a new CustomResourceDefinition（CRD） when ,Kubernetes API The server generates a for each version specified RESTful The resource path of .（ That is to define a Restful API）.CRD It can be namespace Scoped , It can also be cluster Scoped , Depending on CRD Of scope Field settings . Like other existing built-in objects , Delete one namespace when , The namespace All custom objects under will also be deleted .CustomResourceDefinition It is not limited by the name space , Available for all namespaces .

for example , Write a firewall port The rules ：

# 1.16 Fixed format after version 
apiVersion: apiextensions.k8s.io/v1
#  type crd
kind: CustomResourceDefinition
metadata:
  #  It has to be for name=spec.names.plural + spec.group
  name: ports.firewalld.fedoraproject.org
spec:
  # api Medium group
  # /apis/<group>/<version>/<plural>
  group: firewalld.fedoraproject.org
  #  this crd Act on   Optional Namespaced|Cluster
  scope: Namespaced
  names:
    #  Plural form of first name , be used for api
    plural: ports
    #  The singular form of the name . For command line 
    singular: port
    #  species , Resource list type 
    kind: PortRule
    #  Short name , Similar permission  CLI  A resource that matches a shorter string on the 
    shortNames: 
    - fp
  versions:
  #  Define the type of version 
  - name: v1
  #  adopt  served  Flag to enable or disable 
    served: true
  #  One and only one version must be marked as a storage version 
    storage: true
  #  Customize the default authentication mode of resources 
    schema:
  #  Version used 
      openAPIV3Schema:
        #  Define a parameter as an object type 
        type: object
        #  The type of this parameter 
        properties:
        #  Parameter properties spec
          spec:
            # spec The type of attribute is object 
            type: object
            #  Object properties 
            properties:
              # spec attribute name
              name:
              #  The type is string
                type: string
              port:
                type: integer
              host:
                type: string
              isPermanent:
                type: boolean

It should be noted that v1.16 The version has been GA 了 , It uses v1 edition , Before is vlbeta1, There are some changes in the definition specification , So pay attention to version changes .

The definition of this place is similar to our definition of common resource objects , We say we can define a custom resource object at will , But when creating resources , Certainly not to let us write at will YAML Of documents , When we put the above CRD The document is submitted to Kubernetes after ,Kubernetes The declaration documents submitted by us will be verified , As can be seen from the definition CRD Is based on OpenAPIv3 schem Carry out standardized . Of course, this verification is just Verify the type of field , It's junior , If you want more complex verification , This is the time to pass Kubernetes Of admission webhook To implement the . More usage of validation , You can go to the official documents to view .

Create a crd Type resources

apiVersion: "firewalld.fedoraproject.org/v1"
kind: PortRule
metadata:
  name: http-port
spec:
  name: "nginx"
  port: 80
  host: "10.0.0.3"
  isPermanent: false

View the created crd

# kubectl get t
NAME                                CREATED AT
firewallds.port.fedoraproject.org   2022-06-19T09:27:09Z

Reference

CRD

CRD Definition