一个典型的应用部署到Kubernetes,其Deployment YAML往往是混乱的开始。配置散落在ConfigMap里,敏感信息要么通过CI/CD管道注入,要么更糟,被base64编码后提交到Git仓库。监控配置则完全是另一回事,需要SRE团队手动创建ServiceMonitor或修改Prometheus的静态配置。这种关注点分离带来的直接后果就是运维摩擦和潜在的安全风险。
我们看一个常见的部署片段:
apiVersion: apps/v1
kind: Deployment
metadata:
name: billing-service
spec:
replicas: 3
template:
spec:
containers:
- name: billing-service
image: my-registry/billing-service:1.2.0
env:
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: db-credentials
key: url
- name: API_KEY_PROVIDER_X
valueFrom:
secretKeyRef:
name: provider-x-keys
key: api-key
# ...
---
apiVersion: v1
kind: Secret
metadata:
name: db-credentials
type: Opaque
data:
url: "cG9zdGdyZXM6Ly91c2VyOnBhc3NAdGhpcy1pc..." # Base64 encoded, static secret
# ...
---
# Somewhere else, in another repository, managed by another team...
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: billing-service-monitor
labels:
team: billing
spec:
endpoints:
- port: http-metrics
interval: 15s
selector:
matchLabels:
app: billing-service这里的核心痛点显而易见:
- 静态密钥管理:
db-credentialsSecret是静态的,轮换困难,生命周期与应用脱钩。 - 配置割裂:应用的部署定义、密钥来源、监控配置是三个独立的对象,需要手动协调。
- 运维负担:每次新应用上线或旧应用变更,都需要多方协作更新这些分散的配置,极易出错。
我们的目标是创建一个统一的、声明式的API,让开发者只需定义一个资源,就能描述应用的全部“外部依赖”——包括它需要哪些动态密钥,以及它应该如何被监控。Kubernetes Operator正是实现这一目标的最佳框架与工具。我们将构建一个VaultApp Operator,它在Azure AKS上运行,负责协调应用部署、从HashiCorp Vault注入动态密钥,并为Prometheus自动配置服务监控。
架构决策与技术选型
在着手构建之前,必须明确为什么选择这套技术栈,以及它们如何协同工作。
- Azure Kubernetes Service (AKS): 作为一个受管的Kubernetes服务,AKS免去了我们维护控制平面的麻烦。更重要的是,它与Azure生态(如Azure AD Workload Identity)的深度集成为我们连接外部系统(如Vault)提供了安全的身份验证机制。
- HashiCorp Vault: 我们不使用Vault Agent Injector。虽然它能很好地处理密钥注入,但我们的目标不止于此。我们需要一个中心控制器来协调多个系统。Operator可以实现更复杂的逻辑,比如根据密钥类型决定注入方式,或者在密钥轮换后执行特定动作(例如滚动重启Deployment),同时它还能管理与密钥无关的Prometheus配置。
- Prometheus Operator: 我们不直接操作Prometheus,而是利用其Operator提供的
ServiceMonitorCRD。这使得监控配置本身也变成了Kubernetes原生资源,我们的VaultAppOperator只需创建、更新或删除ServiceMonitor对象,剩下的工作就交给了Prometheus Operator。 - Kubebuilder (Go): 这是构建Operator的主流框架。它为我们生成了CRD定义、控制器骨架和所有样板代码,让我们可以专注于实现核心的调谐逻辑 (Reconciliation Loop)。
整个工作流程的架构如下:
graph TD
subgraph "Developer Workflow"
A[Developer] -- writes & applies --> B(VaultApp CR YAML);
end
subgraph "Azure AKS Cluster"
B -- is watched by --> C{VaultApp Operator};
C -- reads --> B;
C -- K8s API --> D{Reconciliation Loop};
D -- 1. Authenticate --> E[HashiCorp Vault];
E -- returns token --> D;
D -- 2. Fetch Secrets --> E;
E -- returns secrets --> D;
D -- 3. Creates/Updates --> F[Kubernetes Secret];
D -- 4. Creates/Updates --> G[Deployment];
D -- 5. Creates/Updates --> H[ServiceMonitor];
G -- mounts --> F;
I[Prometheus Operator] -- watches --> H;
I -- configures --> J[Prometheus];
J -- scrapes metrics from --> G;
end
第一步:定义VaultApp API
一切始于API设计。我们需要一个Custom Resource Definition (CRD)来承载我们的意图。这个VaultApp资源需要包含:
- 一个标准的
Deployment模板,用于定义应用本身。 - 一个
Vault配置段,用于指定要从Vault获取的密钥路径及其在最终生成的Kubernetes Secret中的键名。 - 一个
Monitoring配置段,用于描述Prometheus的抓取端点。
在Go中,这对应于api/v1alpha1/vaultapp_types.go文件中的结构体定义。
// api/v1alpha1/vaultapp_types.go
package v1alpha1
import (
appsv1 "k8s.io/api/apps/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// VaultSecretSpec defines the details of a secret to be fetched from Vault.
type VaultSecretSpec struct {
// Path is the full path to the secret in Vault (e.g., "kv/data/billing/database").
// +kubebuilder:validation:Required
Path string `json:"path"`
// Key is the specific key within the secret data to retrieve.
// +kubebuilder:validation:Required
Key string `json:"key"`
// TargetKey is the key name to be used in the resulting Kubernetes Secret.
// +kubebuilder:validation:Required
TargetKey string `json:"targetKey"`
}
// VaultSpec defines the Vault integration configuration.
type VaultSpec struct {
// Role is the Vault Kubernetes Auth Role to use for authentication.
// +kubebuilder:validation:Required
Role string `json:"role"`
// Secrets is a list of secrets to fetch from Vault.
// +kubebuilder:validation:MinItems=1
Secrets []VaultSecretSpec `json:"secrets"`
}
// MonitoringSpec defines the Prometheus monitoring configuration.
type MonitoringSpec struct {
// Enabled indicates if monitoring should be set up.
// +kubebuilder:validation:Required
Enabled bool `json:"enabled"`
// Port is the name of the container port to scrape metrics from.
// +kubebuilder:validation:Optional
Port string `json:"port,omitempty"`
// Path is the metrics endpoint path. Defaults to "/metrics".
// +kubebuilder:validation:Optional
// +kubebuilder:default:="/metrics"
Path string `json:"path,omitempty"`
}
// VaultAppSpec defines the desired state of VaultApp
type VaultAppSpec struct {
// DeploymentSpec is the template for the application Deployment.
// The operator will manage a Deployment based on this spec.
// +kubebuilder:validation:Required
DeploymentSpec appsv1.DeploymentSpec `json:"deploymentSpec"`
// Vault defines the integration with HashiCorp Vault.
// +kubebuilder:validation:Required
Vault VaultSpec `json:"vault"`
// Monitoring defines the Prometheus ServiceMonitor configuration.
// +kubebuilder:validation:Optional
Monitoring *MonitoringSpec `json:"monitoring,omitempty"`
}
// VaultAppStatus defines the observed state of VaultApp
type VaultAppStatus struct {
// Conditions represent the latest available observations of an object's state.
Conditions []metav1.Condition `json:"conditions,omitempty"`
// SecretName is the name of the managed Kubernetes Secret.
SecretName string `json:"secretName,omitempty"`
// LastSecretUpdateTime is the last time the secret was successfully updated from Vault.
LastSecretUpdateTime *metav1.Time `json:"lastSecretUpdateTime,omitempty"`
}
//+kubebuilder:object:root=true
//+kubebuilder:subresource:status
// VaultApp is the Schema for the vaultapps API
type VaultApp struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
Spec VaultAppSpec `json:"spec,omitempty"`
Status VaultAppStatus `json:"status,omitempty"`
}
//+kubebuilder:object:root=true
// VaultAppList contains a list of VaultApp
type VaultAppList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []VaultApp `json:"items"`
}
func init() {
SchemeBuilder.Register(&VaultApp{}, &VaultAppList{})
}
这份定义非常清晰。它将所有相关配置聚合到一个VaultApp资源中。接下来,我们将实现控制器的核心逻辑来响应这个资源的变更。
第二步:实现核心调谐逻辑 (Reconciliation Loop)
控制器的核心是Reconcile函数。每当VaultApp资源被创建、更新或删除时,或者其管理的子资源(如Deployment、Secret)发生变化时,这个函数就会被调用。它的职责是读取VaultApp的Spec(期望状态),获取集群中的实际状态,然后执行必要的操作使实际状态与期望状态保持一致。
// internal/controller/vaultapp_controller.go
// Reconcile is part of the main kubernetes reconciliation loop which aims to
// move the current state of the cluster closer to the desired state.
func (r *VaultAppReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
log := log.FromContext(ctx)
var vaultApp v1alpha1.VaultApp
if err := r.Get(ctx, req.NamespacedName, &vaultApp); err != nil {
if apierrors.IsNotFound(err) {
// Object was deleted. The sub-objects are owned by it, so they will be garbage collected.
// No need to do anything.
log.Info("VaultApp resource not found. Ignoring since object must be deleted.")
return ctrl.Result{}, nil
}
log.Error(err, "unable to fetch VaultApp")
return ctrl.Result{}, err
}
// 1. Initialize Vault client
// In a real project, Vault address and other configs should come from environment variables or a config map.
vaultClient, err := r.getVaultClient(ctx, &vaultApp)
if err != nil {
log.Error(err, "failed to initialize Vault client")
// Update status and requeue
return ctrl.Result{}, r.updateStatusCondition(ctx, &vaultApp, "VaultClientReady", metav1.ConditionFalse, "VaultClientInitFailed", err.Error())
}
// ... Update status to ready ...
// 2. Reconcile Vault Secret
secretName := fmt.Sprintf("%s-vault-secrets", vaultApp.Name)
secretData, err := r.fetchSecretsFromVault(vaultClient, vaultApp.Spec.Vault.Secrets)
if err != nil {
log.Error(err, "failed to fetch secrets from Vault")
return ctrl.Result{RequeueAfter: 1 * time.Minute}, r.updateStatusCondition(ctx, &vaultApp, "SecretsFetched", metav1.ConditionFalse, "VaultFetchFailed", err.Error())
}
if err := r.reconcileK8sSecret(ctx, &vaultApp, secretName, secretData); err != nil {
log.Error(err, "failed to reconcile Kubernetes Secret")
return ctrl.Result{}, err // Requeue immediately on K8s API errors
}
// ... Update status to show secrets are fetched and secret name...
// 3. Reconcile Deployment
if err := r.reconcileDeployment(ctx, &vaultApp, secretName); err != nil {
log.Error(err, "failed to reconcile Deployment")
return ctrl.Result{}, err
}
// ... Update status for Deployment...
// 4. Reconcile ServiceMonitor
if err := r.reconcileServiceMonitor(ctx, &vaultApp); err != nil {
log.Error(err, "failed to reconcile ServiceMonitor")
return ctrl.Result{}, err
}
// ... Update status for ServiceMonitor...
log.Info("Successfully reconciled VaultApp")
return ctrl.Result{RequeueAfter: 5 * time.Minute}, nil // Periodically re-sync, e.g., to check for secret rotation.
}Reconcile函数本身是一个调度器,它将复杂的任务分解为几个独立的、幂等的子函数。让我们深入其中几个关键的实现。
核心库:与Vault交互
与Vault的交互是这个Operator的核心功能。我们需要一个健壮的客户端,它能使用Kubernetes服务账户令牌进行认证。
首先,需要在Vault中配置Kubernetes认证后端。这通常由平台团队一次性完成:
# Enable Kubernetes auth method
$ vault auth enable kubernetes
# Configure the Kubernetes auth method to talk to our AKS cluster
$ vault write auth/kubernetes/config \
kubernetes_host="https://<AKS_API_SERVER_URL>" \
kubernetes_ca_cert=@ca.crt \
token_reviewer_jwt=@reviewer-sa-token.jwt
# Create a role that binds a Vault policy to a Kubernetes service account
$ vault write auth/kubernetes/role/billing-app \
bound_service_account_names=vaultapp-controller-manager \
bound_service_account_namespaces=vaultapp-system \
policies=read-billing-secrets \
ttl=20m这里的billing-app角色授权给了我们的Operator的ServiceAccount (vaultapp-controller-manager)。接下来是Go代码的实现,这段代码将成为我们Operator的核心库之一。
// internal/controller/vault_client.go
package controller
import (
"context"
"fmt"
"os"
vault "github.com/hashicorp/vault/api"
auth "github.com/hashicorp/vault/api/auth/kubernetes"
)
// getVaultClient initializes and authenticates a new Vault client
// using the Kubernetes Auth Method.
func (r *VaultAppReconciler) getVaultClient(ctx context.Context, app *v1alpha1.VaultApp) (*vault.Client, error) {
// A production-grade operator would have a more sophisticated client caching/pooling mechanism.
// For this example, we create a new client on each reconciliation.
config := vault.DefaultConfig()
// VAULT_ADDR should be set in the operator's deployment manifest.
config.Address = os.Getenv("VAULT_ADDR")
if config.Address == "" {
return nil, fmt.Errorf("VAULT_ADDR environment variable not set")
}
client, err := vault.NewClient(config)
if err != nil {
return nil, fmt.Errorf("failed to create vault client: %w", err)
}
// The path to the service account token is automatically mounted by Kubernetes.
k8sAuth, err := auth.NewKubernetesAuth(
app.Spec.Vault.Role,
auth.WithServiceAccountTokenPath("/var/run/secrets/kubernetes.io/serviceaccount/token"),
)
if err != nil {
return nil, fmt.Errorf("failed to create kubernetes auth method: %w", err)
}
authInfo, err := client.Auth().Login(ctx, k8sAuth)
if err != nil {
return nil, fmt.Errorf("failed to log in with kubernetes auth: %w", err)
}
if authInfo == nil {
return nil, fmt.Errorf("no auth info was returned after login")
}
return client, nil
}
// fetchSecretsFromVault iterates through the requested secrets in the spec,
// fetches them from Vault, and returns a map ready for a Kubernetes Secret.
func (r *VaultAppReconciler) fetchSecretsFromVault(client *vault.Client, secrets []v1alpha1.VaultSecretSpec) (map[string][]byte, error) {
secretData := make(map[string][]byte)
for _, s := range secrets {
// This assumes KVv2 engine. A real implementation needs to handle different secret engines.
logical := client.Logical()
vaultSecret, err := logical.Read(s.Path)
if err != nil {
return nil, fmt.Errorf("failed to read secret from path %s: %w", s.Path, err)
}
if vaultSecret == nil || vaultSecret.Data == nil {
return nil, fmt.Errorf("no secret found at path %s", s.Path)
}
// For KVv2, the data is nested under a "data" key.
data, ok := vaultSecret.Data["data"].(map[string]interface{})
if !ok {
return nil, fmt.Errorf("unexpected secret format at path %s, expected KVv2 format", s.Path)
}
value, ok := data[s.Key].(string)
if !ok {
return nil, fmt.Errorf("key '%s' not found or not a string in secret at path %s", s.Key, s.Path)
}
secretData[s.TargetKey] = []byte(value)
}
return secretData, nil
}这里的代码非常务实。它硬编码了Service Account Token的路径,因为这是Kubernetes的标准。它假设使用KVv2引擎,并在注释中明确指出了这一点——这是一个常见的错误来源,不明确指出会给使用者带来困惑。错误处理也很具体,能准确告诉用户是认证失败、路径错误还是键名不存在。
同步Kubernetes Secret和Deployment
获取到密钥后,我们需要将它们写入一个Kubernetes Secret,然后确保应用的Deployment挂载了这个Secret。controller-runtime库让这个过程变得非常优雅。
// internal/controller/k8s_resources.go
func (r *VaultAppReconciler) reconcileK8sSecret(ctx context.Context, app *v1alpha1.VaultApp, name string, data map[string][]byte) error {
secret := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: app.Namespace,
},
}
// Use CreateOrUpdate to ensure the secret is in the desired state.
// It will create the secret if it doesn't exist, or update it if it does.
op, err := controllerutil.CreateOrUpdate(ctx, r.Client, secret, func() error {
// Set owner reference so the secret gets garbage collected when the VaultApp is deleted.
if err := controllerutil.SetControllerReference(app, secret, r.Scheme); err != nil {
return err
}
secret.Type = corev1.SecretTypeOpaque
secret.Data = data
return nil
})
if err != nil {
return fmt.Errorf("failed to CreateOrUpdate secret %s: %w", name, err)
}
log := log.FromContext(ctx)
if op != controllerutil.OperationResultNone {
log.Info("Kubernetes secret reconciled", "operation", op)
}
return nil
}
func (r *VaultAppReconciler) reconcileDeployment(ctx context.Context, app *v1alpha1.VaultApp, secretName string) error {
dep := &appsv1.Deployment{
ObjectMeta: metav1.ObjectMeta{
Name: app.Name,
Namespace: app.Namespace,
},
}
// Again, use CreateOrUpdate for idempotency.
op, err := controllerutil.CreateOrUpdate(ctx, r.Client, dep, func() error {
// Start with the user-provided spec.
desiredSpec := *app.Spec.DeploymentSpec.DeepCopy()
// *** CRITICAL MODIFICATION ***
// We must inject the volume and volumeMount for our managed secret.
// This is the core value proposition of the operator.
volumeName := "vault-secrets"
desiredSpec.Template.Spec.Volumes = append(desiredSpec.Template.Spec.Volumes, corev1.Volume{
Name: volumeName,
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: secretName,
},
},
})
// Inject into ALL containers defined in the spec.
for i := range desiredSpec.Template.Spec.Containers {
desiredSpec.Template.Spec.Containers[i].VolumeMounts = append(
desiredSpec.Template.Spec.Containers[i].VolumeMounts,
corev1.VolumeMount{
Name: volumeName,
ReadOnly: true,
MountPath: "/etc/secrets/vault",
},
)
}
// This is a simple strategy for secret rotation. When the secret content changes,
// we add an annotation to the pod template, which triggers a rolling update.
secretHash := calculateMapHash(app.Status.LastSecretData) // pseudo-code
if desiredSpec.Template.Annotations == nil {
desiredSpec.Template.Annotations = make(map[string]string)
}
desiredSpec.Template.Annotations["vaultapp.techweaver.io/secret-version"] = secretHash
// Apply the modified spec
dep.Spec = desiredSpec
return controllerutil.SetControllerReference(app, dep, r.Scheme)
})
if err != nil {
return fmt.Errorf("failed to CreateOrUpdate deployment: %w", err)
}
log := log.FromContext(ctx)
if op != controllerutil.OperationResultNone {
log.Info("Deployment reconciled", "operation", op)
}
return nil
}reconcileDeployment函数是魔术发生的地方。它不是简单地应用用户的DeploymentSpec,而是对其进行了注入:强制性地添加了Volume和VolumeMount,确保无论用户提供了什么模板,我们的密钥总是会被挂载到指定路径。
另外,通过在Pod模板中添加一个基于密钥内容的哈希注解,我们实现了一个简单有效的密钥轮换触发机制。当Vault中的密钥更新,我们的Operator会更新Kubernetes Secret,然后下一次调谐时计算出新的哈希值,更新Deployment的template.metadata.annotations。Kubernetes检测到Pod模板的变化,就会自动执行滚动更新,新的Pod将挂载到新的Secret内容。
自动化Prometheus监控
最后一步是动态创建ServiceMonitor资源。
// internal/controller/monitoring.go
import (
monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
)
func (r *VaultAppReconciler) reconcileServiceMonitor(ctx context.Context, app *v1alpha1.VaultApp) error {
log := log.FromContext(ctx)
// If monitoring is not enabled in the spec, we should ensure the ServiceMonitor does not exist.
if app.Spec.Monitoring == nil || !app.Spec.Monitoring.Enabled {
sm := &monitoringv1.ServiceMonitor{
ObjectMeta: metav1.ObjectMeta{Name: app.Name, Namespace: app.Namespace},
}
if err := r.Delete(ctx, sm); err != nil && !apierrors.IsNotFound(err) {
return fmt.Errorf("failed to delete ServiceMonitor: %w", err)
}
if err == nil {
log.Info("Deleted obsolete ServiceMonitor")
}
return nil
}
sm := &monitoringv1.ServiceMonitor{
ObjectMeta: metav1.ObjectMeta{
Name: app.Name,
Namespace: app.Namespace,
},
}
op, err := controllerutil.CreateOrUpdate(ctx, r.Client, sm, func() error {
// The selector must match the labels on the service that exposes the application pods.
// A robust operator would also manage the Service resource or have a way to discover its labels.
// For simplicity, we assume the service labels match the deployment's pod labels.
selector := app.Spec.DeploymentSpec.Selector
sm.Spec = monitoringv1.ServiceMonitorSpec{
Selector: *selector,
Endpoints: []monitoringv1.Endpoint{
{
Port: app.Spec.Monitoring.Port,
Path: app.Spec.Monitoring.Path,
Interval: "30s", // Could be configurable in the CRD
},
},
}
return controllerutil.SetControllerReference(app, sm, r.Scheme)
})
if err != nil {
return fmt.Errorf("failed to CreateOrUpdate ServiceMonitor: %w", err)
}
if op != controllerutil.OperationResultNone {
log.Info("ServiceMonitor reconciled", "operation", op)
}
return nil
}这个函数同样是幂等的。如果monitoring.enabled为false,它会确保ServiceMonitor被删除。如果为true,它会创建或更新ServiceMonitor,使其与VaultApp的Spec保持一致。
最终成果:一个统一的应用定义
经过以上实现,我们最初那个分散、混乱的部署定义,现在可以被一个单一、内聚的VaultApp资源所取代:
apiVersion: app.techweaver.io/v1alpha1
kind: VaultApp
metadata:
name: billing-service
namespace: default
spec:
# 1. Deployment definition is embedded
deploymentSpec:
replicas: 3
selector:
matchLabels:
app: billing-service
template:
metadata:
labels:
app: billing-service
spec:
containers:
- name: billing-service
image: my-registry/billing-service:1.3.0
ports:
- name: http-metrics
containerPort: 8081
# No secrets in ENV, they will be mounted from the operator-managed volume
# The application now reads secrets from /etc/secrets/vault/db_url
# and /etc/secrets/vault/provider_x_api_key
# 2. Vault integration is declaratively defined
vault:
role: billing-app # Vault role for this app's identity
secrets:
- path: "kv/data/billing/database"
key: "url"
targetKey: "db_url" # Filename in the final K8s Secret
- path: "kv/data/billing/provider-x"
key: "key"
targetKey: "provider_x_api_key"
# 3. Monitoring is part of the same resource
monitoring:
enabled: true
port: http-metrics
path: /actuator/prometheus现在,开发者只需要关心这一个文件。他们声明了应用需要什么,而不是如何获取。密钥轮换、部署更新、监控配置全部由VaultApp Operator在后台自动处理。这正是平台工程的核心价值:通过构建更高层次的抽象,降低认知负荷,提升开发和运维效率。
局限性与未来迭代
这个Operator实现了一个强大的模式,但它并非没有局限性。在真实项目中,它只是一个起点。
- 密钥轮换的优雅程度:当前的滚动更新策略虽然有效,但对某些应用可能过于粗暴。一个更高级的方案是结合Vault Agent Sidecar模式,由Operator注入Sidecar,应用则通过本地文件系统或HTTP API从Sidecar读取密钥,实现无需重启的热加载。我们的Operator可以负责配置这个Sidecar。
- 错误处理与可观测性:生产级的Operator需要更精细的状态报告。
Status字段应该包含更丰富的条件(Conditions),详细说明调谐的每一步状态,如VaultAuthSuccess、SecretsSynced、DeploymentReady等。同时,Operator本身也需要暴露Prometheus指标,用于监控调谐延迟、错误率等。 - 支持更多资源:当前只管理了
Deployment,但真实应用可能还需要Service、Ingress、StatefulSet等。Operator可以被扩展为一个完整的应用生命周期管理器。 - 测试策略:Operator的测试至关重要。除了单元测试,使用如
envtest的集成测试框架在内存控制平面中测试调谐逻辑,是保证其稳定性的关键。
这个模式的适用边界也很清晰。它最适合那些希望为内部开发者提供标准化、自动化平台的团队。对于小型项目或一次性部署,其前期投入可能过高。然而,一旦组织规模扩大,这种通过自定义Kubernetes API来封装操作复杂性的方法,将带来巨大的回报。
