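Learning Read/Write Permission Restriction from Feature Gates

By looking at how feature gates are implemented, we learn how to restrict read and write permissions by exposing different interfaces: one interface for application initialization and another for business calls.

If you are not familiar with k8s feature gates, read the reference article first and then come back to this code.

First, when we use feature gates ourselves, the code looks like this: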

  1. Create a custom feature gate list
package feature

import (
	"k8s.io/component-base/featuregate"
)

var (
	// DefaultMutableFeatureGate is the mutable version of DefaultFeatureGate.
	// Only top-level commands/options setup and the k8s.io/component-base/featuregate/testing package should use this.
	// Tests that need to modify feature gates during the test should use:
	//   defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.<FeatureName>, <value>)()
	//
	// MutableFeatureGate interface definition: https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/component-base/featuregate/feature_gate.go#L124
	DefaultMutableFeatureGate featuregate.MutableFeatureGate = featuregate.NewFeatureGate()

	// DefaultFeatureGate is a shared global feature gate.
	// Top-level commands/options setup that needs to modify this feature gate should use DefaultMutableFeatureGate.
	//
	// This gate is read-only and is meant for business calls, so that gate state is not accidentally modified while business logic runs.
	// Although the value of DefaultFeatureGate is DefaultMutableFeatureGate, exposing it through a different interface
	// restricts how the object can be used, which is how the permission is limited.
	//
	// FeatureGate interface definition: https://github.com/kubernetes/kubernetes/blob/93844abbe2ec93ce25ab96ff20cc75e750957fe5/staging/src/k8s.io/component-base/featuregate/feature_gate.go#L109
	DefaultFeatureGate featuregate.FeatureGate = DefaultMutableFeatureGate
)
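  • DefaultMutableFeatureGate: this gate is writable and is used during application initialization
  • DefaultFeatureGate:
    • This gate is read-only and is meant for business calls, so that gate state is not accidentally modified while business logic runs
    • Although the value of DefaultFeatureGate is DefaultMutableFeatureGate, exposing it through a different interface restricts how the object can be used, which is how the permission is limited
  2. Add a new feature gate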
package feature

import (
	"k8s.io/apimachinery/pkg/util/runtime"
	"k8s.io/component-base/featuregate"
)

// Define a new feature gate.
const MyNewFeature featuregate.Feature = "MyNewFeature"

func init() {
	// runtime.Must(utilfeature.DefaultMutableFeatureGate.Add(defaultFeatureGates))
	runtime.Must(DefaultMutableFeatureGate.Add(defaultFeatureGates))
}

// defaultFeatureGates consists of all known specific feature keys.
// To add a new feature, define a key for it above and add it here.
var defaultFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
	// owner: @colin404
	// Deprecated: v1.31
	//
	// An example feature gate.
	MyNewFeature: {Default: false, PreRelease: featuregate.Alpha},
}
  3. Register the feature gate
package main

import (
	"fmt"
	"os"

	"github.com/spf13/pflag"
	"github.com/superproj/k8sdemo/featuregates/feature"
)

func main() {
	// Create a new FlagSet for managing command-line flags
	fs := pflag.NewFlagSet("feature", pflag.ExitOnError)

	// Set the usage function to provide a custom help message
	fs.Usage = func() {
		fmt.Fprintf(os.Stderr, "Usage of %s:\n", os.Args[0])
		fs.PrintDefaults()
	}

	// Define a boolean flag for displaying help
	help := fs.BoolP("help", "h", false, "Show this help message.")

	// Add the feature gates to the flag set
	feature.DefaultMutableFeatureGate.AddFlag(fs)

	// Parse the command-line flags
	fs.Parse(os.Args[1:])

	// Display help message if the help flag is set
	if *help {
		fs.Usage()
		return
	}

	// Check if the MyNewFeature feature gate is enabled
	if feature.DefaultFeatureGate.Enabled(feature.MyNewFeature) {
		// Logic when the new feature is enabled
		fmt.Println("Feature Gates: MyNewFeature is opened")
	} else {
		// Logic when the new feature is disabled
		fmt.Println("Feature Gates: MyNewFeature is closed")
	}
}
  4. Initialize the feature gates at application startup
$ go run main.go -h
Usage of /tmp/go-build224395384/b001/exe/main:
--feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
AllAlpha=true|false (ALPHA - default=false)
AllBeta=true|false (BETA - default=false)
MyNewFeature=true|false (ALPHA - default=false)
-h, --help Show this help message.
$ go run main.go --feature-gates=MyNewFeature=false
Feature Gates: MyNewFeature is closed
$ go run main.go --feature-gates=MyNewFeature=true
Feature Gates: MyNewFeature is opened
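
The read-only/writable split described above, reduced to a standard-library sketch (an added example, not code from the original post or from Kubernetes; `ReadOnlyGate`, `MutableGate`, `gate`, `readOnlyView` and `CanRecoverWrite` are hypothetical names). It also shows the limit of the pattern: narrowing the interface guards against accidental writes, but the shared object can still be type-asserted back to the writable interface, while a wrapper that exposes only `Enabled` cannot.

```go
package main

import "fmt"

// ReadOnlyGate is the narrow interface handed to business code (hypothetical name).
type ReadOnlyGate interface {
	Enabled(name string) bool
}

// MutableGate adds the write method used only during start-up (hypothetical name).
type MutableGate interface {
	ReadOnlyGate
	Set(name string, on bool)
}

// gate is the single concrete object behind both interfaces.
type gate struct{ flags map[string]bool }

func (g *gate) Enabled(name string) bool { return g.flags[name] }
func (g *gate) Set(name string, on bool) { g.flags[name] = on }

// readOnlyView wraps a gate and has no Set method, so a value of this
// type can never satisfy MutableGate.
type readOnlyView struct{ g ReadOnlyGate }

func (v readOnlyView) Enabled(name string) bool { return v.g.Enabled(name) }

var (
	// Mutable is the writable handle for initialization code.
	Mutable MutableGate = &gate{flags: map[string]bool{}}
	// Shared is the same object behind the narrower interface (the page's pattern).
	Shared ReadOnlyGate = Mutable
	// Wrapped reads the same state, but the write method is unreachable.
	Wrapped ReadOnlyGate = readOnlyView{Mutable}
)

// CanRecoverWrite reports whether a holder of ro can get the write method back.
func CanRecoverWrite(ro ReadOnlyGate) bool {
	_, ok := ro.(MutableGate)
	return ok
}

func main() {
	Mutable.Set("MyNewFeature", true) // start-up code writes through the mutable handle
	fmt.Println(Shared.Enabled("MyNewFeature"), Wrapped.Enabled("MyNewFeature"))
	fmt.Println(CanRecoverWrite(Shared), CanRecoverWrite(Wrapped))
}
```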

📎 References


Learning Read/Write Permission Restriction from Feature Gates
https://yangfanbin.cn/代码笔记/从特性门控中学习权限读写限制/
Author
Yang Fanbin
Published on
August 8, 2025
License