Kustomize merge in Kubernetes is overwriting

g2ieeal7 posted on 2023-10-17 in Kubernetes

I am trying to use Kustomize to do a strategic merge patch on the following YAML.
y1:

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: storage-admin-policy
  namespace: cnrm-system
spec:
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: storage-admin
    namespace: cnrm-system
  bindings:
    - role: roles/iam.workloadIdentityUser
      members:
        - serviceAccount:mysten-sui.svc.id.goog[monitoring/thanos-compactor]

y2:

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: storage-admin-policy
  namespace: cnrm-system
spec:
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: storage-admin
    namespace: cnrm-system
  bindings:
    - role: roles/iam.workloadIdentityUser
      members:
        - serviceAccount:mysten-sui.svc.id.goog[monitoring/test-compactor]

I am using the following kustomization file:

resources:
- y1.yaml

patchesStrategicMerge:
- y2.yaml

My requirement is that I want the YAML to be clubbed together like this:

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: storage-admin-policy
  namespace: cnrm-system
spec:
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: storage-admin
    namespace: cnrm-system
  bindings:
    - role: roles/iam.workloadIdentityUser
      members:
        - serviceAccount:mysten-sui.svc.id.goog[monitoring/test-compactor]
    - role: roles/iam.workloadIdentityUser
      members:
        - serviceAccount:mysten-sui.svc.id.goog[monitoring/thanos-compactor]

oaxa6hgo #1

StrategicMerge cannot append to arbitrary lists, according to https://github.com/kubernetes-sigs/kustomize/issues/3265#issuecomment-733335803.
You can try using a json6902 patch instead, as shown in: Patching list in kubernetes manifest with Kustomize
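
The JSON6902 approach suggested in this answer, written out for the question's files as an added example (it is not part of the original answers). It assumes a Kustomize version that supports the `patches` field with a `target` selector, and that `y1.yaml` is the base file from the question.

```yaml
# kustomization.yaml (added example)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- y1.yaml

patches:
- target:
    group: iam.cnrm.cloud.google.com
    version: v1beta1
    kind: IAMPolicy
    name: storage-admin-policy
    namespace: cnrm-system
  # JSON6902 "add" with a trailing "-" in the path appends a new element to
  # the existing array. A strategic merge patch on spec.bindings would replace
  # the whole list, because the field has no merge key.
  # The operation fails if /spec/bindings does not already exist in y1.yaml.
  patch: |-
    - op: add
      path: /spec/bindings/-
      value:
        role: roles/iam.workloadIdentityUser
        members:
        - serviceAccount:mysten-sui.svc.id.goog[monitoring/test-compactor]
```

The appended binding lands after the one from `y1.yaml`. Run `kustomize build .` and confirm both members appear in the rendered IAMPolicy before applying it, since the strategic merge variant drops the original binding without any error.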


l0oc07j2 #2

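Actually, it is possible to change the patch strategy in Kustomize by using Kustomize openapi, so that lists are merged.
However, this exact CR, iam.cnrm.cloud.google.com/v1beta1/IAMPolicy, will not work, because according to its schema the bindings field has no unique key to use with x-kubernetes-patch-merge-key.
If it had something like this, it would work, but unfortunately it doesn't.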

bindings:
- id: xyz
  role: roles/iam.workloadIdentityUser
  members:
    - serviceAccount:mysten-sui.svc.id.goog[monitoring/test-compactor]

For more details on using OpenAPI in Kustomize: Set OpenAPI patch strategy for Kubernetes Custom Resources


ylamdve6 #3

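I developed Merger, a Kustomize generator plugin that makes merging much easier (using schemaless StrategicMerge).
I have added your example to the common use cases.
Here is how to use Merger for your case.
Files:
Assume your files y1.yaml and y2.yaml have already been created in the same directory.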

# kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

generators:
- merger.yaml

# merger.yaml
apiVersion: generators.kustomize.aabouzaid.com/v1alpha1
kind: Merger
metadata:
  name: merge
  annotations:
    # Containerized KRM function.
    config.kubernetes.io/function: |
      container:
        image: ghcr.io/aabouzaid/kustomize-generator-merger:1.1.0
        mounts:
        - type: bind
          src: ./
          dst: /mnt
spec:
  resources:
  - name: my-iam-policy
    input:
      method: overlay
      files:
        root: /mnt
        # The source overrides the destination.
        sources:
        - y1.yaml
        destination: y2.yaml
    merge:
      strategy: append
    output:
      format: raw

Build:

kustomize build --enable-alpha-plugins --as-current-user .

Output:

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: storage-admin-policy
  namespace: cnrm-system
spec:
  bindings:
  - members:
    - serviceAccount:mysten-sui.svc.id.goog[monitoring/thanos-compactor]
    role: roles/iam.workloadIdentityUser
  - members:
    - serviceAccount:mysten-sui.svc.id.goog[monitoring/test-compactor]
    role: roles/iam.workloadIdentityUser
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: storage-admin
    namespace: cnrm-system

If you have other use cases, feel free to create an issue in the project repository.
