Dockin Ops is a project that handles kubectl exec requests for Kubernetes under supervision.

Dockin Ops - Dockin Operation service


English | 中文

The Dockin operation and maintenance management system is a secure O&M management service that optimizes exec execution performance and supports command permission management.

For more Dockin components, please visit https://github.com/WeBankFinTech/Dockin

Architecture

Demo Show

Exec

(animated demo of an exec session; image not reproduced here)

CMDB

(animated demo of the CMDB view; image not reproduced here)

Quick Guide

1. Preparation

  • A k8s cluster
  • Dockin rm deployed in advance; opserver calls the rm interface to obtain cluster information
  • Redis; you can quickly run it with the following command:
docker run -p 6379:6379 -d redis:latest redis-server
  • The host on which opserver will be deployed; record its IP, the opsctl build in 2.2 needs it

2. Compile

2.1 Dockin-opserver

  • Modify the configuration file application.yaml. The main thing to check is the address of rm; also replace the default account password before deploying.
rm-address: http://127.0.0.1:10002/rmController # RM access address
batch-timeout: 5000
http-port: 8084 # listening port of opserver
cmd-filter-type: blacklist # blacklist rejects only the exec-forbidden commands below and lets everything else through
while-list-update-time: 60000
limits:
  exec-forbidden: # commands rejected in blacklist mode
    - vi
  file-max-size: 1000
  upload-file-max-size: 500
  download-file-max-size: 4000
  vi-file-max-size: 10
  k8s-qos: 40
  k8s-burst: 60
opagent-port: 8085 # listening port of opagent
redis:
  expiration: 120000
accounts: # User information of opserver, currently configured in the configuration file
  - account:
      user-name: app
      passwd: passwd # placeholder value; change it before deployment
  • Compile: execute the following command
make

2.2 Dockin-opsctl

  • Modify opserver access address
# File to be modified: internal/common/url.go, change the constant RemoteHost to the ip and port corresponding to opserver
const RemoteHost = "127.0.0.1:8084"
  • Compile: execute the make command
make

2.3 Dockin-opagent

  • Modify the configuration file application.yaml; the access address of rm needs attention
app:
  rm:
    api: http://127.0.0.1:10002/rmController # RM access address
  container:
    ticker: 30
  http:
    port: 8085
  debug:
    port: 10102
  ims:
    logroot: /data/logs/
  docker:
    sock: unix:///var/run/docker.sock
  qos:
    path: /data/cgroup
  logs:
    cmd-white-list: # only these commands may be run against log files
      - grep
      - zgrep
      - cat
      - head
      - tail
      - awk
      - uniq
      - sort
      - ls
    cmd-timeout: 5000
    max-file-size: 3000
    max-line: 1000
    root: /data/logs/

  • Compile and package opagent to docker image
make docker-build
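The two lists above are the page's command-permission controls: limits.exec-forbidden from the opserver config in 2.1 (used with cmd-filter-type: blacklist) and logs.cmd-white-list from the opagent config in 2.3. The Go program below is an added example, not code from the Dockin project, of how such a filter behaves once applied to a command line. Matching on the basename of the first token of each pipeline stage is this example's assumption; the page does not describe the project's actual matching rules. It also shows why a blacklist is the weaker of the two modes: vim and sh -c are not on it and pass.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// FilterMode corresponds to the cmd-filter-type setting (blacklist or whitelist).
type FilterMode int

const (
	Blacklist FilterMode = iota // only the listed programs are rejected (exec-forbidden)
	Whitelist                   // only the listed programs are accepted (cmd-white-list)
)

// CmdFilter decides whether a command line may be executed.
// Assumption of this example: a command line is judged per pipeline stage on the
// basename of its first token, so "/usr/bin/vi" and "cat x | vi -" both count as vi.
type CmdFilter struct {
	Mode FilterMode
	List map[string]bool
}

// NewCmdFilter builds a filter from the names in the config list.
func NewCmdFilter(mode FilterMode, names []string) *CmdFilter {
	f := &CmdFilter{Mode: mode, List: make(map[string]bool, len(names))}
	for _, n := range names {
		if n = strings.TrimSpace(n); n != "" {
			f.List[path.Base(n)] = true
		}
	}
	return f
}

// stages splits on pipes and command separators so that later stages are checked too.
func stages(cmdline string) []string {
	return strings.FieldsFunc(cmdline, func(r rune) bool {
		return r == '|' || r == ';' || r == '&'
	})
}

// program returns the basename of the first token of one stage ("" if the stage is empty).
func program(stage string) string {
	fields := strings.Fields(stage)
	if len(fields) == 0 {
		return ""
	}
	return path.Base(fields[0])
}

// Allowed reports whether cmdline passes and, on rejection, which program caused it.
// An empty command line is rejected in both modes.
func (f *CmdFilter) Allowed(cmdline string) (bool, string) {
	seen := false
	for _, st := range stages(cmdline) {
		p := program(st)
		if p == "" {
			continue
		}
		seen = true
		listed := f.List[p]
		if (f.Mode == Blacklist && listed) || (f.Mode == Whitelist && !listed) {
			return false, p
		}
	}
	return seen, ""
}

func main() {
	// limits.exec-forbidden from 2.1 and logs.cmd-white-list from 2.3, as on this page.
	exec := NewCmdFilter(Blacklist, []string{"vi"})
	logs := NewCmdFilter(Whitelist, []string{"grep", "zgrep", "cat", "head", "tail", "awk", "uniq", "sort", "ls"})
	for _, c := range []string{"vi /etc/passwd", "cat a | /usr/bin/vi -", "vim /etc/passwd", "sh -c 'vi /etc/passwd'"} {
		ok, p := exec.Allowed(c)
		fmt.Printf("blacklist %-26q allowed=%-5v blocked-by=%q\n", c, ok, p)
	}
	for _, c := range []string{"grep ERROR app.log | head -n 20", "grep x app.log | sh", ""} {
		ok, p := logs.Allowed(c)
		fmt.Printf("whitelist %-26q allowed=%-5v blocked-by=%q\n", c, ok, p)
	}
}
```

The blacklist run shows the point of the check-or-caveat: vi is stopped wherever it appears in the pipeline, but the editor can still be reached through any program the list does not name, which is why the log endpoint uses a whitelist.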

3. Installation And Running

3.1 dockin-opagent

  1. Opagent runs in the k8s cluster as a DaemonSet. Take the DaemonSet sample in the project's internal/docs directory, change the image reference to the image built in 2.3, and apply it to the cluster.

3.2 dockin-opserver

  1. Export the kubeconfig of each k8s cluster to be managed, place it in the configs/cluster directory, and append a dockin section to it. An example is shown below; the comments mark the fields that need attention:
apiVersion: v1
clusters:
- cluster: # Access address and name of the cluster; several clusters can be declared
    insecure-skip-tls-verify: true # disables verification of the API server certificate; outside a local test, set certificate-authority (or certificate-authority-data) instead
    server: https://127.0.0.1:6443
  name: kubernetes
contexts: # Context information, mainly used to tie the cluster above to a user and a namespace
- context:
    cluster: kubernetes # cluster name, corresponding to the name in the clusters section
    namespace: test # namespace the configuration operates in
    user: kubernetes-readonly-user # user used to access the cluster
  name: readonly-user
current-context: readonly-user # context used by default
kind: Config
preferences: {}
users:
- name: kubernetes-readonly-user # user information, corresponding to the user in the context section
  user:
    password: your_password # user password; it is stored in clear text here, so restrict the file's permissions
    username: readonly-user # username
dockin: # Additional custom configuration: the rule group and cluster id that apply to this cluster, and the default whitelist
  cluster-id: test
  rule: test
  whitelist: # only these IPs may reach the cluster through opserver
    - 127.0.0.1
  2. Upload start.sh, the configs directory and the compiled executable to the server, and execute the following command:
sh start.sh
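The whitelist under dockin restricts which client IPs may reach a cluster. The Go code below is an added example, not opserver's code, of how such a check should be applied on the HTTP side: the entries are parsed once and a malformed entry fails the whole list, the client address is taken from the TCP peer (RemoteAddr) and never from X-Forwarded-For, and IPv4-mapped IPv6 peers are normalised so that ::ffff:127.0.0.1 matches 127.0.0.1. CIDR entries are an extension of this example (the page shows only single addresses), and the Allowlist, ClientIP and Middleware names are the example's own.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Allowlist holds the parsed entries of one cluster's dockin.whitelist.
// Plain IPs and CIDR blocks are accepted; CIDR support is this example's extension.
type Allowlist struct {
	ips  map[string]bool // canonical textual form, see Allows
	nets []*net.IPNet
}

// ParseAllowlist rejects the whole list on the first malformed entry, so a typo
// cannot silently shrink (or widen) the set of permitted clients.
func ParseAllowlist(entries []string) (*Allowlist, error) {
	al := &Allowlist{ips: map[string]bool{}}
	for _, e := range entries {
		e = strings.TrimSpace(e)
		if e == "" {
			continue
		}
		if strings.Contains(e, "/") {
			_, n, err := net.ParseCIDR(e)
			if err != nil {
				return nil, fmt.Errorf("whitelist entry %q: %w", e, err)
			}
			al.nets = append(al.nets, n)
			continue
		}
		ip := net.ParseIP(e)
		if ip == nil {
			return nil, fmt.Errorf("whitelist entry %q is not an IP address", e)
		}
		al.ips[ip.String()] = true
	}
	return al, nil
}

// Allows reports whether ip is on the list. net.IP.String prints an IPv4-mapped
// IPv6 address as a dotted quad, so ::ffff:127.0.0.1 and 127.0.0.1 compare equal.
func (a *Allowlist) Allows(ip net.IP) bool {
	if ip == nil {
		return false
	}
	if a.ips[ip.String()] {
		return true
	}
	for _, n := range a.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP extracts the peer address from an http.Request.RemoteAddr value.
// Headers such as X-Forwarded-For are deliberately ignored: any client can set them.
func ClientIP(remoteAddr string) net.IP {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port present
	}
	return net.ParseIP(host)
}

// Middleware wraps a handler (for instance the exec endpoint) and answers 403 to
// peers that are not on the list.
func (a *Allowlist) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !a.Allows(ClientIP(r.RemoteAddr)) {
			http.Error(w, "client address not in whitelist", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample list: the page's 127.0.0.1 entry plus one CIDR block.
	al, err := ParseAllowlist([]string{"127.0.0.1", "10.0.0.0/8"})
	if err != nil {
		panic(err)
	}
	for _, peer := range []string{"127.0.0.1:53211", "[::ffff:127.0.0.1]:53211", "10.3.4.5:80", "192.168.1.1:80"} {
		fmt.Printf("%-26s allowed=%v\n", peer, al.Allows(ClientIP(peer)))
	}
}
```

If opserver sits behind a reverse proxy, the peer address seen here is the proxy's; in that case the list must be enforced at the proxy, or the proxy's address must be the only one trusted to supply a forwarded header.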

3.3 dockin-opsctl

  • Copy the executable file to the server where it will be used; view the help with:
dockin-opsctl -h

Besides the opserver address compiled into the binary (see 2.2), dockin-opsctl can read the address from a configuration file. The default path is $HOME/.opserver.yaml, and a different file can be given with the -c or --config parameter. The file is YAML and currently holds a single setting:

Opserver: 127.0.0.1:8084
Comments
  • shortcut key is not supported in parsing the shell response

    (screenshot not reproduced)

    When I press ctrl-a to set the cursor to the beginning of a word and then type some characters, the error occurs. Maybe a bug in parsing the shell response.

  • separate the dockin configuration from the kubeconfig file

    This content has nothing to do with kubeconfig; it might be clearer to separate them.

    dockin: # Additional custom configuration, the user declares the rules applicable to the cluster and the corresponding cluster id, and declares the default whitelist
      cluster-id: ft01 # cluster id
      rule: test # Rule group, if you need to manage different whitelists for a certificate, you can use rule extension
      whitelist:
        - 127.0.0.1 # Permitted ip whitelist, the cluster corresponding to the current certificate, only these ips are allowed to access
    
  • Cannot change the dockin-opserver endpoint because it was hard coded

    Currently, dockin-opsctl cannot specify the dockin-opserver after it is compiled. If you want to change the dockin-opserver endpoint, you have to update 'remoteHost' in internal/common/url.go.

    It should be optimized in the future.
