我的书签
添加书签
移除书签Administrator configuration options
If you have cluster administrator permissions for your Knative installation, you can modify ConfigMaps to change the global default configuration options for Brokers on the cluster.
Knative Eventing provides a config-br-defaults ConfigMap that contains the configuration settings that govern default Broker creation.
The default config-br-defaults ConfigMap is as follows:
apiVersion: v1kind: ConfigMapmetadata:name: config-br-defaultsnamespace: knative-eventinglabels:eventing.knative.dev/release: develdata:# Configures the default for any Broker that does not specify a spec.config or Broker class.default-br-config: |clusterDefault:brokerClass: MTChannelBasedBrokerapiVersion: v1kind: ConfigMapname: config-br-default-channelnamespace: knative-eventing
Channel implementation options
The following example shows a Broker object where the spec.config configuration is specified in a config-br-default-channel ConfigMap:
apiVersion: eventing.knative.dev/v1kind: Brokermetadata:annotations:eventing.knative.dev/broker.class: MTChannelBasedBrokername: defaultspec:# Configuration specific to this broker.config:apiVersion: v1kind: ConfigMapname: config-br-default-channelnamespace: knative-eventing
A Broker object that does not have a spec.config specified uses the config-br-default-channel ConfigMap dy default because this is specified in the config-br-defaults ConfigMap.
However, if you have installed a different Channel implementation, for example, Kafka, and would like this to be used as the default Channel implementation for any Broker that is created, you can change the config-br-defaults ConfigMap to look as follows:
apiVersion: v1kind: ConfigMapmetadata:name: config-br-defaultsnamespace: knative-eventinglabels:eventing.knative.dev/release: develdata:# Configures the default for any Broker that does not specify a spec.config or Broker class.default-br-config: |clusterDefault:brokerClass: MTChannelBasedBrokerapiVersion: v1kind: ConfigMapname: kafka-channelnamespace: knative-eventing
Now every Broker created in the cluster that does not have a spec.config will be configured to use the kafka-channel ConfigMap.
For more information about creating a kafka-channel ConfigMap to use with your Broker, see the Kafka Channel ConfigMap documentation.
Changing the default Channel implementation for a namespace
You can modify the default Broker creation behavior for one or more namespaces.
For example, if you wanted to use the kafka-channel ConfigMap for all other Brokers created, but wanted to use config-br-default-channel ConfigMap for namespace-1 and namespace-2, you would use the following ConfigMap settings:
apiVersion: v1kind: ConfigMapmetadata:name: config-br-defaultsnamespace: knative-eventinglabels:eventing.knative.dev/release: develdata:# Configures the default for any Broker that does not specify a spec.config or Broker class.default-br-config: |clusterDefault:brokerClass: MTChannelBasedBrokerapiVersion: v1kind: ConfigMapname: config-kafka-channelnamespace: knative-eventingnamespaceDefaults:namespace-1:apiVersion: v1kind: ConfigMapname: config-br-default-channelnamespace: knative-eventingnamespace-2:apiVersion: v1kind: ConfigMapname: config-br-default-channelnamespace: knative-eventing
Configuring delivery spec defaults
You can configure default event delivery parameters for Brokers that are applied in cases where an event fails to be delivered:
apiVersion: v1kind: ConfigMapmetadata:name: config-br-defaultsnamespace: knative-eventinglabels:eventing.knative.dev/release: develdata:# Configures the default for any Broker that does not specify a spec.config or Broker class.default-br-config: |clusterDefault:brokerClass: MTChannelBasedBrokerapiVersion: v1kind: ConfigMapname: config-kafka-channelnamespace: knative-eventingdelivery:retry: 10backoffDelay: PT0.2SbackoffPolicy: exponentialnamespaceDefaults:namespace-1:apiVersion: v1kind: ConfigMapname: config-br-default-channelnamespace: knative-eventingdelivery:deadLetterSink:ref:kind: Servicenamespace: example-namespacename: example-serviceapiVersion: v1uri: example-uriretry: 10backoffPolicy: exponentialbackoffDelay: "PT0.2S"
Dead letter sink
You can configure the deadLetterSink delivery parameter so that if an event fails to be delivered it is sent to the specified event sink.
Retries
You can set a minimum number of times that the delivery must be retried before the event is sent to the dead letter sink, by configuring the retry delivery parameter with an integer value.
Back off delay
You can set the backoffDelay delivery parameter to specify the time delay before an event delivery retry is attempted after a failure. The duration of the backoffDelay parameter is specified using the ISO 8601 format.
Back off policy
The backoffPolicy delivery parameter can be used to specify the retry back off policy. The policy can be specified as either linear or exponential. When using the linear back off policy, the back off delay is the time interval specified between retries. When using the exponential backoff policy, the back off delay is equal to backoffDelay*2^<numberOfRetries>.
Broker class options
When a Broker is created without a specified BrokerClass annotation, the default MTChannelBasedBroker Broker class is used, as specified in the config-br-defaults ConfigMap.
The following example creates a Broker called default in the default namespace, and uses MTChannelBasedBroker as the implementation:
Create a YAML file for your Broker using the following example:
apiVersion: eventing.knative.dev/v1kind: Brokermetadata:name: defaultnamespace: default
Apply the YAML file by running the command:
kubectl apply -f <filename>.yaml
Where
<filename>is the name of the file you created in the previous step.
Configuring the Broker class
To configure a Broker class, you can modify the eventing.knative.dev/broker.class annotation and spec.config for the Broker object. MTChannelBasedBroker is the Broker class default.
Modify the
eventing.knative.dev/broker.classannotation. ReplaceMTChannelBasedBrokerwith the class type you want to use:apiVersion: eventing.knative.dev/v1kind: Brokermetadata:annotations:eventing.knative.dev/broker.class: MTChannelBasedBrokername: defaultnamespace: default
Configure the
spec.configwith the details of the ConfigMap that defines the backing Channel for the Broker class:apiVersion: eventing.knative.dev/v1kind: Brokermetadata:annotations:eventing.knative.dev/broker.class: MTChannelBasedBrokername: defaultnamespace: defaultspec:config:apiVersion: v1kind: ConfigMapname: config-br-default-channelnamespace: knative-eventing
Configuring the default BrokerClass for the cluster
You can configure the clusterDefault Broker class so that any Broker created in the cluster that does not have a BrokerClass annotation uses this default class.
Example
apiVersion: v1kind: ConfigMapmetadata:name: config-br-defaultsnamespace: knative-eventinglabels:eventing.knative.dev/release: develdata:# Configures the default for any Broker that does not specify a spec.config or Broker class.default-br-config: |clusterDefault:brokerClass: MTChannelBasedBroker
Configuring the default BrokerClass for namespaces
You can modify the default Broker class for one or more namespaces.
For example, if you want to use a KafkaBroker class for all other Brokers created on the cluster, but you want to use the MTChannelBasedBroker class for Brokers created in namespace-1 and namespace-2, you would use the following ConfigMap settings:
apiVersion: v1kind: ConfigMapmetadata:name: config-br-defaultsnamespace: knative-eventinglabels:eventing.knative.dev/release: develdata:# Configures the default for any Broker that does not specify a spec.config or Broker class.default-br-config: |clusterDefault:brokerClass: KafkaBrokernamespaceDefaults:namespace1:brokerClass: MTChannelBasedBrokernamespace2:brokerClass: MTChannelBasedBroker
Integrating Istio with Knative Brokers
Protect a Knative Broker by using JSON Web Token (JWT) and Istio
Prerequisites
- You have installed Knative Eventing.
- You have installed Istio.
Procedure
Label the
knative-eventingnamespace, so that Istio can handle JWT-based user authentication, by running the command:kubectl label namespace knative-eventing istio-injection=enabled
Restart the broker ingress pod, so that the
istio-proxycontainer can be injected as a sidecar, by running the command:kubectl delete pod <broker-ingress-pod-name> -n knative-eventing
Where
<broker-ingress-pod-name>is the name of your broker ingress pod.The pod now has two containers:
knative-eventing <broker-ingress-pod-name> 2/2 Running 1 175m
Create a broker, then use get the URL of your broker by running the command:
kubectl get broker <broker-name>
Example output:
NAMESPACE NAME URL AGE READY REASONdefault my-broker http://broker-ingress.knative-eventing.svc.cluster.local/default/my-broker 6s True
Start a
curlpod:kubectl -n default run curl --image=radial/busyboxplus:curl -i --tty
Send a CloudEvent with an HTTP POST against the broker URL:
curl -X POST -v \-H "content-type: application/json" \-H "ce-specversion: 1.0" \-H "ce-source: my/curl/command" \-H "ce-type: my.demo.event" \-H "ce-id: 0815" \-d '{"value":"Hello Knative"}' \<broker-URL>
Where
<broker-URL>is the URL of your broker. For example:curl -X POST -v \-H "content-type: application/json" \-H "ce-specversion: 1.0" \-H "ce-source: my/curl/command" \-H "ce-type: my.demo.event" \-H "ce-id: 0815" \-d '{"value":"Hello Knative"}' \http://broker-ingress.knative-eventing.svc.cluster.local/default/my-broker
You will receive a
202HTTP response code, that the broker did accept the request:...* Mark bundle as not supporting multiuse< HTTP/1.1 202 Accepted< allow: POST, OPTIONS< date: Tue, 15 Mar 2022 13:37:57 GMT< content-length: 0< x-envoy-upstream-service-time: 79< server: istio-envoy< x-envoy-decorator-operation: broker-ingress.knative-eventing.svc.cluster.local:80/*
Apply a
AuthorizationPolicyobject in theknative-eventingnamespace to describe that the path to the Broker is restricted to a given user:apiVersion: security.istio.io/v1beta1kind: AuthorizationPolicymetadata:name: require-jwtnamespace: knative-eventingspec:action: ALLOWrules:- from:- source:requestPrincipals: ["testing@secure.istio.io/testing@secure.istio.io"]to:- operation:methods: ["POST"]paths: ["/default/my-broker"]
Create a
RequestAuthenticationobject for the userrequestPrincipalin theistio-systemnamespace:apiVersion: security.istio.io/v1beta1kind: RequestAuthenticationmetadata:name: "jwt-example"namespace: istio-systemspec:jwtRules:- issuer: "testing@secure.istio.io"jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.13/security/tools/jwt/samples/jwks.json"
Now retrying the
curlcommand results in a403 - Forbiddenresponse code from the server:...* Mark bundle as not supporting multiuse< HTTP/1.1 403 Forbidden< content-length: 19< content-type: text/plain< date: Tue, 15 Mar 2022 13:47:53 GMT< server: istio-envoy< connection: close< x-envoy-decorator-operation: broker-ingress.knative-eventing.svc.cluster.local:80/*
To access the Broker, add the Bearer JSON Web Token as part of the request:
TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.13/security/tools/jwt/samples/demo.jwt -s)curl -X POST -v \-H "content-type: application/json" \-H "Authorization: Bearer ${TOKEN}" \-H "ce-specversion: 1.0" \-H "ce-source: my/curl/command" \-H "ce-type: my.demo.event" \-H "ce-id: 0815" \-d '{"value":"Hello Knative"}' \<broker-URL>
The server now responds with a
202response code, indicating that it has accepted the HTTP request:* Mark bundle as not supporting multiuse< HTTP/1.1 202 Accepted< allow: POST, OPTIONS< date: Tue, 15 Mar 2022 14:05:09 GMT< content-length: 0< x-envoy-upstream-service-time: 40< server: istio-envoy< x-envoy-decorator-operation: broker-ingress.knative-eventing.svc.cluster.local:80/*
