kubernetes - 通过 Kustomize 将对象添加到 yaml 中的数组

Question

如何通过 Kustomize 将对象添加到数组？因此，我希望将两个 ServiceAccount 添加到 subjects 中，如下所示:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: name
    namespace: test1
  - kind: ServiceAccount
    name: name
    namespace: test2

我正在尝试使用该补丁:

- op: add
  path: "/subjects/0"
  value:
    kind: ServiceAccount
    name: name
    namespace: test1

还有第二个环境的另一个补丁:

- op: add
  path: "/subjects/1"
  value:
    kind: ServiceAccount
    name: name
    namespace: test2

但结果我得到了重复的主题，所以这当然是错误的:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: name
    namespace: test1 // the same...
  - kind: ServiceAccount
    name: name
    namespace: test1 // ...as here

添加它的正确方法是什么？

Answer 1

如果我从 crb.yaml 中如下所示的 ClusterRoleBinding 开始:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects: []

我创建了一个 kustomization.yaml 文件，如下所示:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - crb.yaml

patches:
  - target:
      kind: ClusterRoleBinding
      name: binding
    patch: |
      - op: add
        path: /subjects/0
        value:
          kind: ServiceAccount
          name: name
          namespace: test1

  - target:
      kind: ClusterRoleBinding
      name: binding
    patch: |
      - op: add
        path: /subjects/1
        value:
          kind: ServiceAccount
          name: name
          namespace: test2

然后我得到输出:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: name
  namespace: test1
- kind: ServiceAccount
  name: name
  namespace: test2

我想这就是您正在寻找的东西。这有帮助吗？请注意，不要在 path 中显式设置索引，例如:

path: /subjects/0

我们可以指定:

path: /subjects/-

这意味着“附加到列表”，在这种情况下将生成相同的输出。