一. Kubernetes overview
1. Problems Docker faces when run as a cluster
2. A brief history of Kubernetes
3. Kubernetes architecture
二. Kubernetes cluster deployment methods and notes for large clusters
1. Kubernetes cluster deployment methods
2. kubectl, the command-line tool for a Kubernetes cluster
3. Notes for large-scale clusters
三. Deploying a Kubernetes cluster
1. Environment preparation on every K8S node
2. What each package does
3. Install kubeadm, kubelet and kubectl on all nodes
4. Initialize the master node
5. Join all worker nodes to the k8s cluster
6. Initialize the network component
7. Add shell auto-completion
8. Test network connectivity (beginners may skip; reference for the instructor's classroom demo)
9. Easter eggs
10. Highly available etcd cluster [to be updated]
四. Pod basics
1. What is a Pod
2. Example: a Pod running a single container
3. Example: a Pod running multiple containers
4. Hands-on: connecting to a Pod and verifying network sharing
5. Creating, reading, updating and deleting resources
5.1 Query
5.2 Delete
5.3 Update
5.4 Create
5.5 Troubleshooting commands
5.5.1 The describe command
5.5.2 The log command
5.5.3 The cp command
5.5.4 The exec command
5.6 Label management
5.6.1 Declarative [pro: label configuration is persisted; con: you must edit the config file and apply it]
5.6.2 Imperative [pro: no config file to edit, takes effect immediately; con: not persisted, temporary]
6. args and command
7. Resource limits
7.1 limits example
7.2 limits and requests example
7.3 Combined example
8. Image pull policy
9. Passing environment variables
10. Volumes
10.1 Why volumes are needed
10.2 emptyDir examples
10.2.1 emptyDir overview
10.2.2 Mounting a single volume
10.2.3 Mounting multiple volumes
10.3 hostPath examples
10.3.1 hostPath overview
10.3.2 Mounting a file
10.3.3 Mounting a directory
10.4 nfs examples
10.4.1 nfs overview
10.4.2 Deploying an nfs server
10.4.3 Reference example
10.4.4 Reference example
10.5 configmap resources
10.5.1 configmap overview
10.5.2 Creating configmap resources
10.5.2.1 Reference example 1
10.5.2.2 Reference example 2
10.5.3 Using configmap resources
10.5.3.1 Mounting as a volume
10.5.3.2 Injecting as environment variables
10.6 secret resources
10.6.1 secret overview
10.6.2 Creating secret resources
10.6.3 Using secret resources
10.6.3.1 Mounting as a volume
10.6.3.2 Injecting as environment variables
10.7 Using subPath
10.7.1 Isolating multiple containers in one pod that mount the same volume
10.7.2 Mounting a configMap as a file without overwriting the files in the mount directory
10.7.3 Mounting a secret as a file without overwriting the files in the mount directory
11. Pod label management
11.1 Modifying labels through the config file
11.2 Modifying labels from the command line
12. Namespaces
12.1 What is a namespace
12.2 Basic namespace management
12.3 Namespace usage example
13. Pod restart policy
14. Probes
14.1 Common probe methods
14.2 Health check (livenessProbe)
14.2.1 exec method
14.2.2 httpGet method
14.2.3 tcpSocket method
14.3 Readiness check (readinessProbe)
14.3.1 exec method
14.3.2 httpGet method
14.3.3 tcpSocket method
14.4 Combining health and readiness checks
14.5 Effect of readiness checks on a svc's ep list
15. Init containers
16. Static Pods (awareness only)
17. Pod phases and container states (awareness only)
18. Supplementary: ports
19. Pod securityContext
20. Pod creation and deletion flow
21. Pod lifecycle
五. Pod workload scheduling
1. replicationcontrollers (awareness only)
1.1 replicationcontrollers overview
1.2 rc reference example
1.3 Upgrading and rolling back rc resources
2. ReplicaSet controller (new)
2.1 ReplicaSet overview
2.2 rs reference example
3. Deployment controller (key topic)
3.1 Deployment overview
3.2 deploy reference example
3.3 deploy upgrade strategies (interview question)
3.4 Deploying redis
3.5 Deploying wordpress
3.5.1 The problem: all eggs in one basket
3.5.2 Splitting the Pod's containers: a new problem appears
3.5.3 Solving svc IP changes and data persistence
3.6 Blue-green release with a deployment
3.7 Canary release with a deployment
3.8 Managing deployment resources with the imperative API
4. Job controller [new]
4.1 Job overview
4.2 Computing Pi example
5. CronJob [new]
5.1 CronJob overview
5.2 CronJob example: print the current time and a greeting every minute
6. DaemonSet controller [new]
6.1 DaemonSet overview
6.2 DaemonSet example: log collection
7. StatefulSets controller [new; pv, pvc and sc must be covered first]
7.1 StatefulSets overview
7.2 StatefulSets: unique network identity through a headless service
7.3 StatefulSets: dedicated storage
8. Pod scheduling in depth
8.1 Taints
8.1.1 Taint overview
8.1.2 Taint management commands
8.1.3 NoSchedule effect test
8.1.4 PreferNoSchedule effect test
8.1.5 NoExecute effect test
8.2 Taint tolerations
8.3 Affinity
8.3.1 Affinity overview
8.3.2 nodeAffinity example
8.3.3 podAffinity
8.3.4 podAntiAffinity
8.4 Node selector
六. Network service access
1. service
1.1 service overview
1.2 ClusterIP example
1.3 NodePort example
1.4 LoadBalancer example
1.5 ExternalName
2. Using ep resources to map services outside the k8s cluster
2.1 Mapping an external MySQL service into K8S
2.2 wordpress hands-on example
3. kube-proxy working modes
1. kube-proxy working modes
2. Checking kube-proxy's mode
3. Inspecting Service load balancing with iptables (awareness only)
4. Loading the ipvs kernel modules on all worker nodes
5. Switching kube-proxy to ipvs mode
6. Removing the old kube-proxy
7. Verifying that the kube-proxy mode change took effect
4. ingress
4.1 ingress controller overview
4.2 Deploying the traefik ingress controller
4.3 Writing ingress http rules
4.4 Common enterprise ingress architectures (diagrams)
4.5 traefik ingress https configuration
4.6 nginx controller
5. Changing the NodePort range supported by api-server
6. Network policies [new]
七. k8s add-ons
1. coreDNS
1.1 coreDNS overview
1.2 coreDNS IP address
1.3 coreDNS A records
1.4 Using coreDNS to improve the wordpress example
1.5 Using coreDNS to improve the tomcat example
1.6 Testing coreDNS
2. Dashboard
2.1 Dashboard overview
2.2 Deploying the dashboard
2.3 Logging in to the dashboard with the default token gives insufficient permissions [students may skip; awareness only, instructor demo]
2.4 Fixing insufficient permissions: a custom login user
2.5 Logging in with a kubeconfig
2.6 Basic dashboard usage
3. metric-server
3.1 metric-server overview
3.2 Deploying metric-server
3.3 Removing the master node taint to deploy flannel
3.4 Verifying that metric-server was deployed
3.5 Pod horizontal autoscaling (HPA) example
3.5.1 Deploying tomcat
3.5.2 Creating an HPA rule
3.5.3 Load-testing tomcat and watching Pods scale
3.5.4 stress load-test example
3.6 Pitfalls
3.7 VPA
八. Persistent volumes and dynamic storage
1. Why dynamic storage is needed
1.1 Drawbacks of the traditional volume mount approach
1.2 Introducing PV and PVC to decouple backend storage
1.3 Introducing dynamic storage classes to create PVs automatically
2. Persistent Volume ("PV")
3. Persistent Volume Claim ("PVC")
4. Referencing a PVC from a Pod
5. Deleting the pvc to verify the pv reclaim policy
6. Temporarily changing the pv reclaim policy
7. Deploying an nfs dynamic storage class [new]
8. Testing nfs dynamic storage
九. k8s security framework [new]
1. k8s security architecture flow diagram
2. RBAC
3. User-based authorization example
3.1 Issuing a client certificate with the k8s CA
3.2 Generating a kubeconfig authorization file
3.3 Creating an RBAC authorization policy
4. Group-based authorization example
4.1 RBAC authentication by group
4.2 Adding the "jasonyin2020" user to the oldboyedu group
4.3 Modifying RBAC permissions and checking whether the jasonyin2020 and linux84 users are affected
5. Service-account-based authorization example
5.1
5.2
5.3
十. Resource manifest management [new]
1. helm overview
1.1 What is helm
1.2 Why helm is needed
1.3 helm versions
2. Deploying helm
2.1 Downloading the helm package
2.2 Installing helm
2.3 Configuring helm command auto-completion (essential for beginners)
3. Deploying services with helm
3.1 First look at managing a Chart's lifecycle
3.2 Custom Chart without "values.yaml"
3.3 Custom Chart with "values.yaml"
4. Upgrading with helm
4.1 Deploying a chart
4.2 Upgrading through the values.yaml file
4.3 Upgrading from the command line
5. Rolling back with helm
5.1 Without a revision: roll back to the previous version
5.2 With a revision: roll back to a specific version
6. Adding public helm repositories
6.1 Mainstream Chart repositories
6.2 Ways to add a repository
6.3 Searching for the chart you need
6.4 Pulling third-party charts
7. Private helm repositories
十一. Project 1: Jenkins and k8s integration
1. Jenkins k8s continuous-integration flow diagram
2. Quick deployment of jenkins
3. Simulating a developer pushing code to the remote repository
4. jenkins pulling the code
5. Parameterized docker image builds
6. One-click image update from jenkins
7. One-click image rollback from jenkins
十二. Project 2: Log collection [new]
1. Project architecture diagram
2. Deploying es
3. Deploying kibana
4. Deploying filebeat
5. Viewing the data in kibana
十三. Project 3: Monitoring system [new]
1. Project architecture diagram
2. Hands-on example
十四. Project 4: Other open-source products built on k8s, hands-on [new]
十五. Project 5: Deploying a highly available cluster with kubeadm [new]
十六. Project 6: Deploying a k8s cluster from binaries [new]
十七. Project 7: Scaling a K8S cluster
1. kubeadm token maintenance
2. Scaling the cluster out
3. Scaling the cluster in
Closing chapter: today's homework
Homework 2: reference example 1
Homework 3: reference example 1
Homework 3: reference example 2 (awareness only)
Homework 4: reference example
Homework 5: reference example
Homework 6: reference example (awareness only)
Cluster orchestration faces the following problems:
1. Cross-host communication?
2. Deploying multiple containers across hosts?
3. Releasing, upgrading and rolling back containers?
4. Restarting the service automatically when a container dies?
5. Scaling out automatically when the existing containers run short of resources?
6. Health-checking containers, and recovering automatically when one is unhealthy?
7. Scheduling a container onto a specific cluster node?
8. Evicting containers from a node; how is a node taken offline?
9. How is the cluster scaled out?
10. How is the cluster monitored?
11. How are cluster logs collected?
...

Early container orchestration tools: Docker Inc. Swarm, Apache Mesos Marathon, Google Kubernetes (K8S for short).
2014: Docker container orchestration tool, project started
July 2015: Kubernetes 1.0 released; joined the CNCF foundation as an incubating project
2016: Kubernetes defeated its two rivals, Docker Swarm and Mesos Marathon; version 1.2
2017: 1.5 - 1.9
2018: k8s became a graduated CNCF project; 1.10, 1.11, 1.12, 1.13
2019: 1.14, 1.15, 1.16, 1.17
2020: 1.18, 1.19, 1.20, 1.21
2021: 1.22
2022: 1.23, 1.24

CNCF:
Cloud Native Computing Foundation, an incubator

Kubernetes (k8s):
Greek for helmsman or pilot; the container orchestration space.

Google had 15 years of container experience with the Borg container management platform; Kubernetes is a rewrite of Borg in Go.

Recommended reading:
https://kubernetes.io/releases/patch-releases/#1-22
https://github.com/kubernetes/kubernetes
https://kubernetes.io/releases/release/

Tip:
The name "k8s" did not come out of nowhere; search for "i18n" (short for "internationalization").
Scheduler:
kube-scheduler selects a Node for each newly created Pod according to its scheduling algorithm. It can be deployed anywhere: on the same node as the other components or on a different one.

Controller Manager:
kube-controller-manager handles the cluster's routine background tasks. Each resource has its own controller, and the ControllerManager is what manages these controllers.

Cloud Controller Manager:
The kube-controller-manager component used on cloud platforms. If you deploy directly on physical machines you can do without it.

API Server:
kube-apiserver is the single entry point to the cluster and the coordinator of all its components. It exposes a RESTful API; every create, delete, update, read and watch operation on object resources is handled by the API server and then committed to etcd for storage.

Etcd:
A distributed key-value store that holds the cluster's state metadata, such as Pod and Service objects. This database can be deployed separately; the only requirement is that the API server can connect to the distributed database cluster.

kubelet:
Think of it as the Master's agent on a worker node. It manages the lifecycle of the containers running on that machine: creating containers, mounting Pod volumes, downloading secrets, reporting the node's container status, and so on. The kubelet turns each Pod into a set of containers.

kube-proxy:
Implements the Pod network proxy on worker nodes, maintaining network rules and layer-4 load balancing. In other words, it is responsible for routing Pod network traffic and provides the path for external access, so that you can reach the Pod hosting the project you care about.

POD:
The smallest unit in which users group containers; one POD can contain several containers.

docker/rocket (rkt, no longer supported):
Container engines, used to run containers.

Reference:
https://kubernetes.io/zh/docs/concepts/overview/components/

yum install:
Pros:
Installation and configuration are very simple; suitable for beginners.
Cons:
Old version: currently only K8S 1.5.2 is available, and many features are unsupported.

kind:
kind lets you run Kubernetes on your local computer. kind requires Docker to be installed and configured.
Recommended reading:
https://kind.sigs.k8s.io/docs/user/quick-start/

minikube:
minikube is a tool that lets you run Kubernetes locally.
minikube runs a single-node Kubernetes cluster on your personal computer (Windows, macOS or Linux PC) so that you can try Kubernetes or do day-to-day development work; it is therefore well suited to developers who want to get a feel for K8S.
Recommended reading:
https://minikube.sigs.k8s.io/docs/start/

kubeadm:
You can use the kubeadm tool to create and manage Kubernetes clusters; it is suitable for production deployments.
The tool performs the necessary actions and brings up a usable, secure cluster in a user-friendly way.
Recommended reading:
https://kubernetes.io/zh/docs/setup/production-environment/tools/kubeadm/
https://kubernetes.io/zh/docs/setup/production-environment/tools/kubeadm/install-kubeadm/
https://kubernetes.io/zh/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/

Binary deployment:
The installation steps are tedious, but you get a better understanding of the details. Suitable for operations staff in production environments.

Building from source:
The most difficult option; be prepared for every kind of troubleshooting. For people doing secondary development on K8S it should not be that hard.
kubectl lets you run commands against a Kubernetes cluster. You can use kubectl to deploy applications, inspect and manage cluster resources, and view logs.

Recommended reading:
https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands

Recommended reading:
https://kubernetes.io/zh/docs/setup/best-practices/cluster-large/
(1) Prepare the virtual machine operating system
Reference:
https://kubernetes.io/zh/docs/setup/production-environment/tools/kubeadm/install-kubeadm/

(2) Disable the swap partition
1) Disable it for the current boot
swapoff -a && sysctl -w vm.swappiness=0
2) Disable it in the configuration file
sed -ri '/^[^#]*swap/s@^@#@' /etc/fstab

(3) Make sure every node has a unique MAC address and product_uuid
ifconfig eth0 | grep ether | awk '{print $2}'
cat /sys/class/dmi/id/product_uuid

Tip:
Hardware devices normally have unique addresses, but some virtual machines may have duplicates.
Kubernetes uses these values to identify the nodes in the cluster uniquely. If they are not unique on every node, the installation may fail.

(4) Check that the nodes can reach each other
In short, check that all nodes of your k8s cluster can reach each other; the ping command is enough.

(5) Let iptables see bridged traffic
cat <<EOF | tee /etc/modules-load.d/k8s.conf
br_netfilter
EOF

cat <<EOF | tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system

(6) Check that the required ports are free
Reference: https://kubernetes.io/zh/docs/reference/ports-and-protocols/

(7) Check the Docker environment
Reference:
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.15.md#unchanged

1) Configure the Docker repository
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
curl -o /etc/yum.repos.d/docker-ce.repo https://download.docker.com/linux/centos/docker-ce.repo
sed -i 's+download.docker.com+mirrors.tuna.tsinghua.edu.cn/docker-ce+' /etc/yum.repos.d/docker-ce.repo
yum list docker-ce --showduplicates

2) Install the specified Docker version
yum -y install docker-ce-18.09.9 docker-ce-cli-18.09.9
yum -y install bash-completion
source /usr/share/bash-completion/bash_completion

3) Package the rpm files and distribute them to the other nodes to install Docker (this step can be skipped)
mkdir docker-rpm-18-09 && find /var/cache/yum -name "*.rpm" | xargs mv -t docker-rpm-18-09/

4) Tune the Docker configuration
mkdir -pv /etc/docker && cat <<EOF | sudo tee /etc/docker/daemon.json
{
  "insecure-registries": ["k8s151.oldboyedu.com:5000"],
  "registry-mirrors": ["https://tuv7rqqq.mirror.aliyuncs.com"],
  "exec-opts": ["native.cgroupdriver=systemd"]
}
EOF

5) Enable Docker at boot
systemctl enable --now docker
systemctl status docker

(8) Disable the firewall
systemctl disable --now firewalld

(9) Disable selinux
sed -i 's/^SELINUX=enforcing$/SELINUX=disabled/' /etc/selinux/config
grep ^SELINUX= /etc/selinux/config

(10) Configure host name resolution
cat >> /etc/hosts <<'EOF'
10.0.0.151 k8s151.oldboyedu.com
10.0.0.152 k8s152.oldboyedu.com
10.0.0.153 k8s153.oldboyedu.com
EOF
cat /etc/hosts

(11) Start a private Docker registry on the k8s151.oldboyedu.com node
docker run -dp 5000:5000 --restart always --name oldboyedu-registry registry:2
You need to install the following packages on every machine:
kubeadm:
The command used to initialize the cluster.
kubelet:
Runs on every node in the cluster and starts Pods and containers.
kubectl:
The command-line tool used to talk to the cluster.

kubeadm does not install or manage kubelet or kubectl for you, so you must make sure their versions match the control plane (master) installed by kubeadm. If you don't, you risk version skew, which can lead to unexpected errors and problems.

That said, a difference of one minor version between the control plane and the kubelet is supported, but the kubelet version must not be newer than the "API SERVER". For example, a 1.7.0 kubelet is fully compatible with a 1.8.0 "API SERVER", but not the other way round.
(1) Configure the package repository
cat > /etc/yum.repos.d/kubernetes.repo <<EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=0
repo_gpgcheck=0
EOF

(2) Check the available kubeadm versions (when you install K8S, keep all component versions identical!)
yum -y list kubeadm --showduplicates | sort -r

(3) Install the kubeadm, kubelet and kubectl packages
yum -y install kubeadm-1.15.12-0 kubelet-1.15.12-0 kubectl-1.15.12-0

(4) Start the kubelet service (it is normal for the service to fail at this point: it restarts automatically because its configuration file is missing, and it recovers once the cluster is initialized. This step can be skipped!)
systemctl enable --now kubelet
systemctl status kubelet

(5) Tip: you can package the k8s rpm files and install them on the other nodes, provided the rpm cache is enabled.
mkdir k8s-rpm && find /var/cache/yum -name "*.rpm" | xargs mv -t k8s-rpm

Reference:
https://kubernetes.io/zh/docs/tasks/tools/install-kubectl-linux/
(1) Initialize the master node with kubeadm
kubeadm init --kubernetes-version=v1.15.12 --image-repository registry.aliyuncs.com/google_containers --pod-network-cidr=10.244.0.0/16 --service-cidr=10.254.0.0/16 --service-dns-domain=oldboyedu.com

Parameter explanation:
--kubernetes-version:
The version of the K8S master components.

--image-repository:
The image repository from which the k8s master component images are pulled.

--pod-network-cidr:
The Pod network range.

--service-cidr:
The SVC network range.

--service-dns-domain:
The service DNS domain. If not specified, the default is "cluster.local".

While kubeadm initializes the cluster it prints output in the following phases:
[init]
The K8S version used for initialization.

[preflight]
Preparation work for installing the K8S cluster, such as pulling images; how long this takes depends on your network speed.

[certs]
Generates the certificate files, stored by default in the "/etc/kubernetes/pki" directory.

[kubeconfig]
Generates the K8S cluster's default configuration files, stored by default in the "/etc/kubernetes" directory.

[kubelet-start]
Starts the kubelet.
Environment variables are written by default to "/var/lib/kubelet/kubeadm-flags.env".
The configuration file is written by default to "/var/lib/kubelet/config.yaml".

[control-plane]
Uses the static Pod directory; the default manifests are stored in "/etc/kubernetes/manifests".
This step creates the static Pods for "kube-apiserver", "kube-controller-manager" and "kube-scheduler".

[etcd]
Creates the static Pod for etcd; its manifest is stored by default in "/etc/kubernetes/manifests".

[wait-control-plane]
Waits for the kubelet to start the static Pods from the manifest directory "/etc/kubernetes/manifests".

[apiclient]
Waits for all master components to become healthy.

[upload-config]
Creates a ConfigMap named "kubeadm-config" in the "kube-system" namespace.

[kubelet]
Creates a ConfigMap named "kubelet-config-1.22" in the "kube-system" namespace, containing the kubelet configuration for the cluster.

[upload-certs]
Skipped on this node; see "--upload-certs" for details.

[mark-control-plane]
Marks the control plane by adding labels and taints, so that the master node is identified as such.

[bootstrap-token]
Creates the bootstrap token, for example "kbkgsa.fc97518diw8bdqid".
As shown in the figure below, this token is needed when joining nodes to the cluster and is also relevant to RBAC.

[kubelet-finalize]
Updates the kubelet's certificate information.

[addons]
Installs add-ons such as "CoreDNS" and "kube-proxy".

(2) Copy the credentials file used to manage the K8S cluster
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

(3) Check the cluster components
kubectl get cs


(1) Join the worker nodes to the cluster (as shown in the figure above; the token and hash below must be replaced with the values from your own cluster)
kubeadm join 10.0.0.151:6443 --token pg399v.wxo32zunx09ekd6s \
    --discovery-token-ca-cert-hash sha256:3de653e36b5bbe3d34189607f4c11e63bcc675354dd2d47b81496ca96b68db60

(2) List the cluster's worker nodes
kubectl get no
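The hash passed to --discovery-token-ca-cert-hash is what lets a joining node check that the API server at 10.0.0.151:6443 is backed by the cluster's real CA rather than by whatever answers on that port. As an added example, not part of the course notes, the script below computes that value from a CA certificate the way kubeadm defines it (SHA-256 over the DER-encoded public key of ca.crt) and checks a candidate against it. The certificate it hashes is a throwaway self-signed CA generated for the demo, not your cluster's /etc/kubernetes/pki/ca.crt; substitute that path on the master to get the real value.

```shell
#!/bin/sh
# Added example (not from the course notes): compute and verify the
# --discovery-token-ca-cert-hash value used by "kubeadm join".
# Definition used by kubeadm: sha256 of the DER-encoded SubjectPublicKeyInfo
# of the cluster CA certificate (/etc/kubernetes/pki/ca.crt on the master).
set -eu

# ca_pubkey_hash <ca.crt>  -> prints "sha256:<64 hex chars>"
ca_pubkey_hash() {
    hex=$(openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{print $NF}')
    printf 'sha256:%s\n' "$hex"
}

# verify_ca_pubkey_hash <ca.crt> <expected "sha256:...">  -> exit 0 on match
# A mismatch means the certificate presented is not the CA you were told to trust.
verify_ca_pubkey_hash() {
    [ "$(ca_pubkey_hash "$1")" = "$2" ]
}

# Demo input: a throwaway self-signed CA constructed here, NOT the cluster CA.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo-ca' \
    -keyout "$demo_dir/ca.key" -out "$demo_dir/ca.crt" >/dev/null 2>&1

expected=$(ca_pubkey_hash "$demo_dir/ca.crt")
echo "hash for $demo_dir/ca.crt: $expected"
if verify_ca_pubkey_hash "$demo_dir/ca.crt" "$expected"; then
    echo "verification against the recorded hash: ok"
fi
if ! verify_ca_pubkey_hash "$demo_dir/ca.crt" "sha256:0000000000000000000000000000000000000000000000000000000000000000"; then
    echo "a wrong hash is rejected, as a join against a substituted CA would be"
fi
```

Run this on the master against /etc/kubernetes/pki/ca.crt and compare the output with the hash printed at the end of kubeadm init; the two must be identical, and the value should be handed to the worker nodes out of band rather than copied from the API server they are about to trust.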


The official manifests appear to be broken (not recommended!):
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/k8s-manifests/kube-flannel-legacy.yml

kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/k8s-manifests/kube-flannel-rbac.yml

A working link:
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/a70459be0084506e4ec919aa1c114638878db11b/Documentation/kube-flannel.yml

Verify that the flannel plugin was deployed successfully:
kubectl get nodes
kubectl get pods -A -o wide | grep flannel

References:
https://kubernetes.io/zh/docs/concepts/cluster-administration/addons/
https://github.com/flannel-io/flannel/blob/master/Documentation/kubernetes.md

echo "source <(kubectl completion bash)" >> ~/.bashrc && source ~/.bashrc
(1) Test that the network works
kubectl run oldboyedu-linux --image=alpine --replicas=3 -- sleep 300

(2) Check that the Pods reach the Running state:
kubectl get pods

(3) Test that the Pods can reach each other
Using Pods based on the alpine image is enough for this test.

Tip: (do this on all worker nodes)
Problem:
As shown in the figure above, an error such as "network: failed to find plugin "flannel" in path [/opt/cni/bin]]..." appears.
Solution:
wget https://github.com/containernetworking/plugins/releases/download/v0.8.6/cni-plugins-linux-amd64-v0.8.6.tgz

tar xf cni-plugins-linux-amd64-v0.8.6.tgz

cp flannel /opt/cni/bin/

Tip:
The cp step can be skipped by running "tar xf cni-plugins-linux-amd64-v0.8.6.tgz -C /opt/cni/bin/ ./flannel" directly.

(1) Change the terminal prompt colors
cat <<EOF >> ~/.bashrc
PS1='[\[\e[34;1m\]\u@\[\e[0m\]\[\e[32;1m\]\H\[\e[0m\]\[\e[31;1m\] \W\[\e[0m\]]# '
EOF
source ~/.bashrc

(2) A small trick to reclaim memory
echo 3 > /proc/sys/vm/drop_caches
Tip:
drop_caches accepts a value from 0 to 3, each with a different meaning:
0: release nothing (the system default)
1: release the page cache
2: release dentries and inodes
3: release all caches
Coming soon...

References:
https://kubernetes.io/zh-cn/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm/
https://kubernetes.io/zh-cn/docs/setup/production-environment/tools/kubeadm/high-availability/

A Pod is the smallest deployable unit in a Kubernetes cluster. A Pod consists of one or more containers, and these containers can share network, storage and other resources.

Pods have the following characteristics:
(1) A Pod can be thought of as one application instance that provides a service;
(2) The containers in a Pod are always deployed on the same Node;
(3) The containers in a Pod share network and storage resources;
(4) The Kubernetes cluster manages Pods directly, not containers.
(1) Write the manifest
cat > 01-pod-nginx.yaml <<'EOF'
# API version of the resource
apiVersion: v1
# resource type
kind: Pod
# metadata of the resource
metadata:
  # name of the resource
  name: oldboyedu-linux84-web
# the state the user wants for the resource
spec:
  # the containers expected to run
  containers:
    # name of the container
  - name: myweb
    # the image the container runs
    image: nginx:1.14.2-alpine
EOF

(2) Create the resource
kubectl create -f 01-pod-nginx.yaml

(3) View the Pod resource
kubectl get pods
kubectl get pods -o wide    # mainly to see the IP address

Column explanation:
NAME
The name of the resource.
READY
Whether the resource is ready. For example 0/1 means the Pod has one container and that container has not yet started successfully.
STATUS
The running state of the container.
RESTARTS
The number of Pod restarts, i.e. how many times the container has been created.
AGE
How long the Pod resource has been running.
IP
The Pod's IP address.
NODE
The node the Pod was scheduled to.
Other:
"NOMINATED NODE" and "READINESS GATES" can be ignored for now.
(1) Write the manifest
cat > 02-pod-nginx-alpine.yaml <<'EOF'
# API version of the resource
apiVersion: v1
# resource type
kind: Pod
# metadata of the resource
metadata:
  # name of the resource
  name: oldboyedu-linux84-web-alpine
  # labels attached to the Pod
  labels:
    class: linux84
    school: oldboyedu
    # apps: web
# the state the user wants for the resource
spec:
  # the containers expected to run
  containers:
    # name of the container
  - name: myweb
    # the image the container runs
    image: nginx:1.14.2-alpine
  - image: alpine
    # allocate a standard input to the container
    stdin: true
    name: mylinux
EOF

(2) Create the resource
kubectl apply -f 02-pod-nginx-alpine.yaml

(3) View the Pod resource
kubectl get pods
kubectl get pods -o wide    # mainly to see the IP address

(1) Run a command inside the Pod with exec
kubectl exec oldboyedu-linux83-web -- nginx -t
kubectl exec po/oldboyedu-linux83-web -- nginx -t

(2) Attach to a container
kubectl exec po/oldboyedu-linux83-web -it -- bash
kubectl exec oldboyedu-linux83-nginx-alpine -c linux83-alpine -it -- sh    # attach to a specific container

(3) Containers in the same Pod share the network namespace by default
See the video for the test.
Key command: wget 127.0.0.1:80    # run this inside the alpine container

Tip:
"kubectl api-resources" lists all resource types in the cluster; the columns mean:
NAME
The resource name.

SHORTNAMES
The short form of the resource name.

APIGROUP
The API group the resource belongs to.

NAMESPACED
Whether the resource belongs to a namespace.

KIND
The resource type.
kubectl get po,no
Show Pod and node information. (key topic)

kubectl get pods -o wide
Show the node each Pod was scheduled to, its IP address, and so on. (key topic)

kubectl get pods -o yaml
Show the YAML of the Pod resource as created; fields the user did not define show their default values here. (awareness only)

kubectl get pods --show-labels
Show Pods together with their labels. (awareness only)

Custom column output: (awareness only)
Example 1:
kubectl get pod -o custom-columns=CONTAINER:.spec.containers[0].name

Example 2:
kubectl get pod -o custom-columns=CONTAINER:.spec.containers[0].name,IMAGE:.spec.containers[0].image

Example 3:
kubectl get pods oldboyedu-linux80-nginx-alpine -o custom-columns=oldboyedu-container-name:.spec.containers[0].name,oldboyedu-stdin:.spec.containers[1].stdin,oldboyedu-image01:.spec.containers[0].image,oldboyedu-image02:.spec.containers[1].image

References:
https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get
https://kubernetes.io/docs/reference/kubectl/#custom-columns
kubectl delete -f 02-pod-nginx-alpine.yaml
Delete the resources defined in a file. (key topic)

kubectl delete pods oldboyedu-linux80-web
Delete a Pod by name. (key topic)

kubectl delete pods -l apps=myweb
Delete by label, i.e. every Pod whose labels match "apps=myweb". (awareness only)

kubectl delete pod --all
Delete all Pods. (awareness only)
kubectl apply -f 01-pod-nginx.yaml
apply is a higher-level command: if the resource does not exist it is created, and if it already exists apply can update it. (key topic)
kubectl create -f 01-pod-nginx.yaml
Create the resource described in the file; it cannot be run more than once. This command is gradually being replaced by apply. (awareness only)
kubectl describe po/oldboyedu-linux80-env-secret-demo
Show the details of only the Pod named "oldboyedu-linux80-env-secret-demo". (key topic)

kubectl describe po oldboyedu-linux80-volume
Show the details of all Pods whose name starts with "oldboyedu-linux80-volume". (awareness only)

kubectl describe -f 01-pod-nginx.yaml
Show the details of the resources defined in the manifest "01-pod-nginx.yaml". (awareness only)

kubectl describe po -l apps=myweb    (awareness only)
Show the details of all po resources labeled "apps=myweb".

Beginners should pay attention to the "Events:" section; its columns mean:
Type:
The type of the event.
Reason:
The reason for the event.
Age:
How long ago the event occurred.
From:
The node that reported the event.
Message
The detailed message.
kubectl logs -f oldboyedu-linux80-env-secret-demo    (key topic)
Show the logs of the Pod named "oldboyedu-linux80-env-secret-demo".
If a Pod has only one container, the "-c" option is not needed.

kubectl logs -f oldboyedu-linux80-nginx-alpine -c linux80-web    (awareness only)
Show the logs of the container named "linux80-web" inside the Pod "oldboyedu-linux80-nginx-alpine".
The "-c" option is mostly used when a Pod has several containers.

kubectl logs -f oldboyedu-linux80-nginx-alpine -c linux80-web --timestamps --since=10m    (awareness only)
--since=10m
Show only the logs from the last 10 minutes.
--timestamps
Show timestamps.

kubectl logs -f oldboyedu-linux81-web --since-time="2022-07-28T16:22:30+08:00"    (awareness only)
--since-time
Does the same as --since, only written differently: it takes an absolute time in "RFC3339" format.
kubectl cp 01-pod-nginx.yaml oldboyedu-linux81-nginx-alpine:/
Copy the local file 01-pod-nginx.yaml to the "/" path inside oldboyedu-linux81-nginx-alpine.

kubectl cp 01-pod-nginx.yaml oldboyedu-linux81-nginx-alpine:/ -c linux81-alpine
Copy the local file 01-pod-nginx.yaml to the "/" path of the linux81-alpine container inside oldboyedu-linux81-nginx-alpine.

kubectl cp oldboyedu-linux81-nginx-alpine:/etc -c linux81-alpine ./
Copy a directory out of the container into the current directory.

kubectl cp oldboyedu-linux81-nginx-alpine:/os-release -c linux81-alpine ./test
Copy a file out of the container into the current directory.

Tip:
(1) I once tried creating a tar archive by hand inside a Pod and copying it out, and it still failed in the end; the tested version was 1.15.12.
kubectl exec oldboyedu-linux81-web -- cat /etc/hosts
Run a command in a Pod. This form suits a Pod that has only one container.

kubectl exec oldboyedu-linux81-nginx-alpine -c linux81-alpine -- hostname -i
Run a command in the linux81-alpine container of a Pod. This form suits a Pod that has several containers.

kubectl exec oldboyedu-linux81-nginx-alpine -c linux81-alpine -it -- sh
Attach to the specified container.
cat > 01-pod-nginx.yaml <<EOF
# the type of resource to deploy
kind: Pod
# API version
apiVersion: v1
# metadata
metadata:
  # name of the resource
  name: oldboyedu-linux81-web
  # labels for the resource; both KEY and VALUE are user-defined
  labels:
    apps: web
    class: linux81
    school: oldboyedu
    address: shahe
# the Pod's own configuration
spec:
  # container definitions
  containers:
    # name of the container
  - name: linux80-web
    # the image the container starts from
    image: nginx:1.18
EOF
Add labels by resource name:
kubectl label pods oldboyedu-linux81-nginx-alpine school=oldboyedu class=linux81

Add labels to the resources defined in a file:
kubectl label -f 02-pod-nginx-alpine.yaml address=ShaHe

Overwrite the value of an existing KEY:
kubectl label --overwrite pod oldboyedu-linux81-web address=ShaHeJiaoShiWu

Remove an existing label KEY:
kubectl label pods oldboyedu-linux81-web address-
cat > 05-pod-command-args.yaml <<'EOF'
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-command-args
  labels:
    apps: myweb
spec:
  containers:
  - name: linux80-web
    image: nginx:1.18
    # command overrides the image's ENTRYPOINT
    command:
    - "tail"
    # args overrides the image's CMD
    args:
    - "-f"
    - "/etc/hosts"
EOF
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-resources-limits
  labels:
    apps: myweb
spec:
  containers:
  - name: linux80-web
    image: nginx:1.18
    # resource constraints for the container
    resources:
      # upper bounds on resource usage
      limits:
        # memory limit
        memory: "200Mi"
        # CPU limit; conversion: 1 core = 1000m
        cpu: "500m"
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-resources-limits-requests
  labels:
    apps: myweb
spec:
  containers:
  - name: linux80-web
    image: nginx:1.18
    # resource constraints for the container
    resources:
      # upper bounds on resource usage
      limits:
        # memory limit
        memory: "200Mi"
        # CPU limit; conversion: 1 core = 1000m
        cpu: "500m"
      # resources the container expects; if no node can satisfy them, the Pod cannot be scheduled
      requests:
        memory: "100Mi"
        cpu: "500m"

(1) Write the manifest
cat > 07-pods-resources-stress.yaml <<'EOF'
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-stress
  labels:
    apps: myweb
spec:
  containers:
  - name: linux80-web
    image: jasonyin2020/oldboyedu-linux-tools:v0.1
    resources:
      limits:
        memory: "1Gi"
        cpu: "500m"
      requests:
        memory: "100Mi"
        cpu: "200m"
    command:
    - "tail"
    args:
    - "-f"
    - "/etc/hosts"
EOF

(2) Create the Pod
kubectl apply -f 07-pods-resources-stress.yaml

(3) Run the stress test
kubectl exec oldboyedu-linux80-stress -- stress --cpu 8 --io 4 --vm 7 --vm-bytes 128M --timeout 10m --vm-keep

(4) Observe the Pod's resource usage
As shown in the figure above.
(1) Write the manifest
cat > 08-pods-imagePullPolicy.yaml <<'EOF'
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-imagepullpolicy
  labels:
    apps: myweb
spec:
  # schedule the Pod to the node with this name
  # the name must be one that appears in "kubectl get nodes"
  nodeName: k8s202.oldboyedu.com
  containers:
  - name: linux80-web
    image: k8s201.oldboyedu.com:5000/nginx:1.18
    # image pull policy; possible values: Always, Never, IfNotPresent
    # Always:
    #   always try to pull the latest image (this is the default when the tag is :latest or omitted).
    #   If a local image with the same tag exists, its RepoDigests (image digest) is compared with
    #   the remote repository's; if they match the local cached image is used, otherwise the newest
    #   image is pulled from the remote repository.
    # Never:
    #   if the image exists locally, try to start the container;
    #   if it does not exist locally, never try to pull it.
    # IfNotPresent:
    #   if the image exists locally, start the container without pulling;
    #   if it does not exist locally, pull it.
    imagePullPolicy: Always
    stdin: true
EOF

(2) Create the resource
kubectl apply -f 08-pods-imagePullPolicy.yaml

(3) Verify
Omitted; see the video.

Note:
When deploying containers in production you should avoid the :latest tag, because it makes it hard to track which image version is running and hard to roll back correctly.
Instead, specify a meaningful tag such as v1.42.0.

Deleting an image from the registry
1) Delete the metadata
docker exec oldboyedu-registry rm -rf /var/lib/registry/docker/registry/v2/repositories/nginx

2) Reclaim the data
docker exec oldboyedu-registry registry garbage-collect /etc/docker/registry/config.yml

Reference:
https://kubernetes.io/zh/docs/concepts/containers/images/
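The note above says to avoid :latest; the same reasoning applies to an image with no tag at all, which Kubernetes also treats as :latest, and the only reference that cannot silently change underneath a running cluster is a digest (image@sha256:...). As an added example, not from the course notes, the script below classifies every image: reference in a manifest and fails when one is untagged or :latest. The two manifests it checks are constructed for the demo; the registry host k8s201.oldboyedu.com:5000 is taken from the course's own examples, and the digest value is a placeholder.

```shell
#!/bin/sh
# Added example (not from the course notes): flag image references that a
# manifest cannot reproduce reliably. Verdicts:
#   untagged -> no tag at all (Kubernetes treats this as :latest)
#   latest   -> explicit :latest tag
#   tagged   -> a mutable tag such as nginx:1.18
#   digest   -> an immutable reference such as nginx@sha256:<64 hex>
# A registry port (k8s201.oldboyedu.com:5000/nginx) must not be mistaken for
# a tag separator, so only the last path component is inspected.
set -e

classify_image_ref() {
    case "$1" in
        *@sha256:*) echo digest; return ;;
    esac
    last=${1##*/}                 # drop registry/namespace, keeping "name[:tag]"
    case "$last" in
        *:latest) echo latest ;;
        *:*)      echo tagged ;;
        *)        echo untagged ;;
    esac
}

# lint_manifest <file>: prints "<verdict> <image>" per image: line,
# returns 1 if any image is untagged or :latest.
lint_manifest() {
    rc=0
    for img in $(grep -E '^[[:space:]]*(-[[:space:]]*)?image:' "$1" \
                 | sed -E 's/^[^:]*image:[[:space:]]*//' | tr -d "\"'"); do
        v=$(classify_image_ref "$img")
        echo "$v $img"
        case "$v" in untagged|latest) rc=1 ;; esac
    done
    return $rc
}

# Constructed demo manifests (the first mirrors the course's two-container Pod).
DEMO_UNPINNED=$(mktemp)
cat > "$DEMO_UNPINNED" <<'EOF'
spec:
  containers:
  - name: myweb
    image: nginx:1.14.2-alpine
  - image: alpine
    name: mylinux
EOF
DEMO_PINNED=$(mktemp)
cat > "$DEMO_PINNED" <<'EOF'
spec:
  containers:
  - name: linux80-web
    # placeholder digest, not a real image digest
    image: k8s201.oldboyedu.com:5000/nginx@sha256:0000000000000000000000000000000000000000000000000000000000000000
EOF

lint_manifest "$DEMO_UNPINNED" || echo "-> unpinned image found; pin a tag or, better, a digest"
lint_manifest "$DEMO_PINNED" && echo "-> all images pinned"
```

A digest reference also removes the race the page describes for imagePullPolicy: Always (comparing local and remote RepoDigests), because the digest itself is what gets pulled. The real digest for an image in the private registry can be read from "docker images --digests" after a push.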
(1) Write the manifest
cat > 09-pods-env.yaml <<'EOF'
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-env
  labels:
    apps: myweb
spec:
  nodeName: k8s202.oldboyedu.com
  containers:
  - name: linux80-web
    image: k8s201.oldboyedu.com:5000/nginx:1.18
    imagePullPolicy: Always
    stdin: true
    # pass environment variables to the container
    env:
      # name of the environment variable
    - name: OLDBOYEDU_LINUX80_ADMIN
      # value of the environment variable
      value: wanyan
    - name: OLDBOYEDU_linux80_dev
      value: heyingnan
    - name: oldboyedu_linux80_ops
      value: wangdongli
EOF

(2) Create the resource
kubectl apply -f 09-pods-env.yaml

(3) Verify
kubectl exec oldboyedu-linux80-env env

Container deployments generally involve three kinds of data:
(1) Initial data needed at startup, such as configuration files, e.g. wordpress, zabbix and so on;
(2) Temporary data produced while running that must be shared between containers, e.g. nginx + filebeat;
(3) Persistent data produced while the container runs, e.g. mysql.

In short, volumes are the mechanism for persisting the data produced in these three situations.

Reference:
https://kubernetes.io/zh/docs/concepts/storage/volumes/
What emptyDir is:
A temporary volume whose lifetime is tied to the Pod: if the Pod is deleted, its data is deleted with it.

What emptyDir does:
(1) It can provide persistence;
(2) Several containers in the same Pod can share data through it, but different Pods cannot exchange data through it;
(3) It lives as long as the Pod; when we delete the Pod its data is deleted too.

Typical emptyDir use cases:
(1) Temporary scratch space, e.g. a disk-based merge sort;
(2) Checkpoints for long computations, so a task can resume from its pre-crash state;
(3) Storing web access logs, error logs and similar.

emptyDir pros and cons:
Pros:
(1) Data can be shared between containers in the same Pod;
(2) When one container in the Pod is forcibly removed, the data is not lost, because the Pod itself was not deleted.
Cons:
(1) When the Pod is deleted, the data is deleted with it;
(2) Data cannot be shared between different Pods.

Reference:
https://kubernetes.io/docs/concepts/storage/volumes#emptydir

Tip:
1) Once the pod is started, emptyDir data is stored under "/var/lib/kubelet/pods" in the directory named after the POD_ID:
/var/lib/kubelet/pods/${POD_ID}/volumes/kubernetes.io~empty-dir/
2) Try inspecting the directory found in the previous step and work out the real reason the data disappears when the Pod is deleted; see the video.

kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-volume
  labels:
    apps: myweb
spec:
  nodeName: k8s202.oldboyedu.com
  # declare the volume types and names
  volumes:
  - emptyDir: {}
    name: data01
  - name: data02
    emptyDir: {}
  - name: data03
    emptyDir: {}
  containers:
  - name: linux80-web
    image: k8s201.oldboyedu.com:5000/nginx:1.20.1
    # mount the specified volume
    volumeMounts:
      # name of the volume
    - name: data01
      # mount point inside the container
      mountPath: /oldboyedu-linux80-data
  - name: linux80-linux
    image: k8s201.oldboyedu.com:5000/alpine
    stdin: true
    volumeMounts:
    - name: data01
      mountPath: /oldboyedu-linux-data-001
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-volume-001
  labels:
    apps: myweb
spec:
  nodeName: k8s202.oldboyedu.com
  volumes:
  - emptyDir: {}
    name: data01
  - name: data02
    emptyDir: {}
  - name: data03
    emptyDir: {}
  containers:
  - name: linux80-web
    image: k8s201.oldboyedu.com:5000/nginx:1.20.1
    volumeMounts:
    - name: data01
      mountPath: /oldboyedu-linux80-data
    - name: data02
      mountPath: /oldboyedu-linux80-data002
    - name: data03
      mountPath: /oldboyedu-linux80-data003
  - name: linux80-linux
    image: k8s201.oldboyedu.com:5000/alpine
    stdin: true
    volumeMounts:
    - name: data01
      mountPath: /oldboyedu-linux-data-001
    - name: data02
      mountPath: /oldboyedu-linux-data-002
    - name: data03
      mountPath: /oldboyedu-linux-data-003
hostPath volumes:
Mount a file or directory from the Node's file system (the node the Pod runs on) into the Pod's containers. If the Pod is deleted, the data on the host is not deleted.

Use case:
A container in the Pod needs access to files on the host.

hostPath pros and cons:
Pros:
(1) Data can be shared between containers in the same Pod;
(2) Data can be shared between different Pods on the same Node.

Cons:
Data cannot be shared between Pods on different nodes.

Recommended reading:
https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-volume-hostpath-01
  labels:
    apps: myweb
spec:
  nodeName: k8s202.oldboyedu.com
  # declare the volume type and name
  volumes:
  - name: data01
    hostPath:
      # path on the host; here the source is a file
      path: /root/pods/config/nginx.conf
  containers:
  - name: linux80-web
    image: k8s201.oldboyedu.com:5000/nginx:1.20.1
    command: ["sleep","3600"]
    volumeMounts:
    - name: data01
      # the mount point must also be a file
      mountPath: /etc/nginx/nginx.conf
      # mount read-only; the default is false
      # readOnly: true
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-volume-hostpath-03
  labels:
    apps: myweb
spec:
  nodeName: k8s203.oldboyedu.com
  volumes:
  - name: data01
    hostPath:
      # here the source is a directory
      path: /root/pods/config/
  containers:
  - name: linux80-web
    image: k8s201.oldboyedu.com:5000/nginx:1.20.1
    command: ["sleep","3600"]
    volumeMounts:
    - name: data01
      # the corresponding mount point should also be a directory
      mountPath: /etc/nginx/
      # readOnly: true

NFS volumes:
Provide NFS mount support, automatically mounting an NFS share into the Pod.

NFS:
Short for "Network File System", a presentation layer protocol for UNIX developed by Sun, which lets users access files elsewhere on the network as if they were on their own computer.
NFS is a mainstream file sharing server, but it is a single point of failure, so the data must be backed up; use a distributed file system if necessary.

Recommended reading:
https://kubernetes.io/docs/concepts/storage/volumes/#nfs

(1) Install the nfs packages on all nodes
yum -y install nfs-utils

(2) Configure the shared directory on the k8s151 node
mkdir -pv /oldboyedu/data/kubernetes
cat > /etc/exports <<'EOF'
/oldboyedu/data/kubernetes *(rw,no_root_squash)
EOF

(3) Enable the nfs service at boot
systemctl enable --now nfs

(4) Check the export on the server, as shown in the figure above
exportfs

(5) Test a manual mount from a client node
mount -t nfs k8s151.oldboyedu.com:/oldboyedu/data/kubernetes /mnt/
umount /mnt
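The export written in step (2) uses "*" as the client list and no_root_squash, which means any host that can reach the server may mount the share and root on any client acts as root on it. As an added example, not from the course notes, the script below reviews /etc/exports entries and prints a warning for those two settings, next to a tightened entry that restricts clients to the 10.0.0.0/24 subnet the course's node addresses live in (that subnet is an assumption taken from the hosts file above).

```shell
#!/bin/sh
# Added example (not from the course notes): review /etc/exports entries
# before handing the share to the cluster. Warns on "*" (any client may mount)
# and on no_root_squash (client root is not mapped to an unprivileged uid).
set -e

# check_export_line "<path> <clients>(<opts>)" -> prints "ok" or "warn: <reasons>"
check_export_line() {
    clients=$(printf '%s' "$1" | awk '{print $2}' | sed 's/(.*//')
    opts=$(printf '%s' "$1" | sed -n 's/.*(\(.*\)).*/\1/p')
    reasons=""
    [ "$clients" = "*" ] && reasons="${reasons}open-to-all-hosts "
    case ",$opts," in
        *,no_root_squash,*) reasons="${reasons}no_root_squash " ;;
    esac
    case ",$opts," in
        *,insecure,*) reasons="${reasons}insecure-ports " ;;
    esac
    if [ -z "$reasons" ]; then echo ok; else echo "warn: ${reasons% }"; fi
}

# check_exports_file <file>: one verdict per non-comment line,
# returns 1 if any line produced a warning.
check_exports_file() {
    rc=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        verdict=$(check_export_line "$line")
        echo "$verdict  <- $line"
        case "$verdict" in warn*) rc=1 ;; esac
    done < "$1"
    return $rc
}

# Constructed demo: the course's entry next to a tightened one.
DEMO_EXPORTS=$(mktemp)
cat > "$DEMO_EXPORTS" <<'EOF'
# as written in the course notes
/oldboyedu/data/kubernetes *(rw,no_root_squash)
# tightened: node subnet only, client root mapped to nobody, synchronous writes
/oldboyedu/data/kubernetes 10.0.0.0/24(rw,sync,root_squash)
EOF

check_exports_file "$DEMO_EXPORTS" || echo "-> review the warnings above before running exportfs"
```

With root_squash in place, a container that runs as root writes to the share as the anonymous uid, so the exported directory (or the subdirectory the Pod uses) has to be writable by that uid; the course's nginx example only reads from the share, so it is unaffected.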
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-volume-nfs-01
  labels:
    apps: myweb
spec:
  nodeName: k8s203.oldboyedu.com
  volumes:
  - name: myweb
    # NFS mount configuration
    nfs:
      server: 10.0.0.201
      path: /oldboyedu/data/kubernetes
  containers:
  - name: linux80-web
    image: k8s201.oldboyedu.com:5000/nginx:1.20.1
    volumeMounts:
    - name: myweb
      mountPath: /usr/share/nginx/html
cat 15-pod-volume-nfs-02.yaml
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-volume-nfs-02
  labels:
    apps: myweb
spec:
  nodeName: k8s202.oldboyedu.com
  volumes:
  - name: myweb
    # NFS mount configuration
    nfs:
      server: 10.0.0.201
      path: /oldboyedu/data/kubernetes
  containers:
  - name: linux80-web
    image: k8s201.oldboyedu.com:5000/nginx:1.20.1
    volumeMounts:
    - name: myweb
      mountPath: /usr/share/nginx/html
configmap data is stored in the etcd database; its main use is application configuration.

Data types a configMap supports:
(1) Key-value pairs;
(2) Multi-line data.

A Pod commonly consumes a configmap in two ways:
(1) Injection as environment variables;
(2) Mounting as a volume.

Recommended reading:
https://kubernetes.io/docs/concepts/storage/volumes/#configmap
https://kubernetes.io/docs/concepts/configuration/configmap/
apiVersion: v1
kind: ConfigMap
metadata:
  name: oldboyedu-database-config
data:
  # single-line values
  name: "Wang Yan"
  age: "20"

  # multi-line values
  my.cnf: |
    host: 10.0.0.201
    port: 13306
    socket: /tmp/mysql.sock
    username: root
    password: oldboyedu

  redis.conf: |
    host: 10.0.0.293
    port: 6379
    requirepass: oldboyedu
apiVersion: v1
kind: ConfigMap
metadata:
  name: oldboyedu-nginx
data:
  nginx.conf: |
    worker_processes 1;
    events {
        worker_connections 1024;
    }
    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;
        # include /usr/local/nginx/conf/conf.d/*.conf;
        server {
            listen 81;
            root /usr/local/nginx/html/bird/;
            server_name game01.oldboyedu.com;
        }

        server {
            listen 82;
            root /usr/local/nginx/html/pinshu/;
            server_name game02.oldboyedu.com;
        }

        server {
            listen 83;
            root /usr/local/nginx/html/tanke/;
            server_name game03.oldboyedu.com;
        }

        server {
            listen 84;
            root /usr/local/nginx/html/pingtai/;
            server_name game04.oldboyedu.com;
        }

        server {
            listen 85;
            root /usr/local/nginx/html/chengbao/;
            server_name game05.oldboyedu.com;
        }
    }
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-volume-configmap-v2
  labels:
    apps: myweb
spec:
  nodeName: k8s202.oldboyedu.com
  volumes:
  - name: myweb
    # the volume type is configMap
    configMap:
      # name of the referenced configMap
      name: oldboyedu-nginx
      # which keys of the configMap to expose
      items:
        # key name in the configmap; it must exist in the cm resource
      - key: nginx.conf
        # for now, think of this as the file name inside the container
        path: oldboyedu-linux80-nginx.conf
  - name: oldboyedu-db
    configMap:
      name: oldboyedu-database-config
      items:
      - key: my.cnf
        path: oldboyedu-linux80-my.cnf
      - key: name
        path: oldboyedu-linux80-name
      - key: redis.conf
        path: oldboyedu-linux80-redis.conf
  containers:
  - name: linux80-web
    image: k8s201.oldboyedu.com:5000/nginx:1.20.1
    volumeMounts:
    - name: myweb
      mountPath: /oldboyedu-linux80/
    - name: oldboyedu-db
      mountPath: /oldboyedu-linux80-databases-all
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-env-configmap-demo
  labels:
    apps: myweb
spec:
  nodeName: k8s202.oldboyedu.com
  containers:
  - name: linux80-web
    image: k8s201.oldboyedu.com:5000/nginx:1.20.1
    env:
    - name: oldboyedu-linux80-mysql
      # where the value comes from
      valueFrom:
        # take the value from a configMap
        configMapKeyRef:
          # name of the configMap
          name: oldboyedu-database-config
          # key in the configmap, i.e. which entry to reference
          key: my.cnf
    - name: oldboyedu-linux80-redis
      valueFrom:
        configMapKeyRef:
          name: oldboyedu-database-config
          key: redis.conf
    - name: oldboyedu-linux80-nginx
      valueFrom:
        configMapKeyRef:
          name: oldboyedu-nginx
          key: nginx.conf

Similar to a ConfigMap, except that a secret stores sensitive data, and all of its data must be base64-encoded.

Secrets are mainly used to store credentials.

Reference:
https://kubernetes.io/zh/docs/concepts/configuration/secret/#secret-types
apiVersion: v1
kind: Secret
metadata:
  name: db-user-passwd
# Opaque is the user-defined type
type: Opaque
data:
  # two entries; their values must be base64-encoded, otherwise creation fails
  username: YWRtaW4K
  password: b2xkYm95ZWR1Cg==
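Two things about the data: section above are worth seeing rather than reading. First, base64 is an encoding, not encryption: anyone who can read the Secret object gets the plaintext back with base64 -d, so what protects a credential is who may read Secrets (RBAC), not the encoding. Second, the values in the manifest were produced with echo, which appends a newline: YWRtaW4K decodes to "admin" plus a line feed, and an application comparing that against "admin" will fail. The script below, an added example that is not part of the course notes, encodes values without the trailing newline, shows the byte-count difference, and renders a complete Secret manifest; the username and password are the course's own sample values.

```shell
#!/bin/sh
# Added example (not from the course notes): build the data: section of a
# Secret correctly and show why "echo value | base64" is a trap.
set -e

# encode_value <string>: base64 of exactly the given bytes (no trailing newline)
encode_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# decode_value <base64>: the plaintext; base64 is reversible by anyone who can read the Secret
decode_value() {
    printf '%s' "$1" | base64 -d
}

# decoded_length <base64>: number of bytes the value decodes to
decoded_length() {
    printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# render_secret <name> <username> <password>: prints an Opaque Secret manifest
render_secret() {
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  username: $(encode_value "$2")
  password: $(encode_value "$3")
EOF
}

# Demo with the course's sample values: the manifest's YWRtaW4K carries a
# newline; a clean encoding of the same word is one byte shorter.
echo "manifest value YWRtaW4K decodes to $(decoded_length YWRtaW4K) bytes"
echo "clean value $(encode_value admin) decodes to $(decoded_length "$(encode_value admin)") bytes"
echo "and decoding is trivial: $(decode_value YWRtaW4=)"
render_secret db-user-passwd admin oldboyedu
```

If you would rather not encode by hand at all, a Secret manifest also accepts a stringData: section with plaintext values, which the API server base64-encodes on admission; the result is still readable by anyone allowed to get secrets in that namespace.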
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-volume-secret
  labels:
    apps: myweb
spec:
  nodeName: k8s202.oldboyedu.com
  volumes:
  - name: myweb
    # The volume type is secret.
    secret:
      # Name of the Secret being referenced.
      secretName: db-user-passwd
      # Which keys of the Secret to project.
      items:
      # The key must exist in the Secret.
      - key: username
        # File name the key is mounted as.
        path: username.txt
      - key: password
        path: password.txt
  containers:
  - name: linux80-web
    image: k8s201.oldboyedu.com:5000/nginx:1.20.1
    volumeMounts:
    - name: myweb
      mountPath: /oldboyedu-linux80/
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-env-secret-demo
  labels:
    apps: myweb
spec:
  nodeName: k8s202.oldboyedu.com
  containers:
  - name: linux80-web
    image: k8s201.oldboyedu.com:5000/nginx:1.20.1
    env:
    - name: oldboyedu-linux80-username
      # Where the value is taken from.
      valueFrom:
        # Reference an entry of a Secret.
        secretKeyRef:
          # Name of the Secret.
          name: db-user-passwd
          # Key inside the Secret, i.e. which entry is used.
          key: username
    - name: oldboyedu-linux80-password
      valueFrom:
        secretKeyRef:
          name: db-user-passwd
          key: password
subPath is used in two situations:
(1) several containers in one Pod mount the same volume and need isolation from each other;
(2) a ConfigMap or Secret entry is mounted as a single file into a directory without hiding the files already present in that directory.
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-subpath
  labels:
    apps: myweb
spec:
  nodeName: k8s202.oldboyedu.com
  volumes:
  - name: data01
    emptyDir: {}
  containers:
  - name: linux80-web
    image: k8s201.oldboyedu.com:5000/nginx:1.20.1
    volumeMounts:
    - name: data01
      mountPath: /oldboyedu-linux80-data
      # When two containers mount the same volume, equal subPath values share the data;
      # different subPath values give each container its own isolated subdirectory.
      subPath: "oldboyedu-linux80-c1"
  - name: linux80-alpine
    image: k8s201.oldboyedu.com:5000/alpine
    command: ["sleep", "600"]
    volumeMounts:
    - name: data01
      mountPath: /oldboyedu-linux-data-001
      subPath: "oldboyedu-linux80-c2"
Create the ConfigMap:
apiVersion: v1
kind: ConfigMap
metadata:
  name: oldboyedu-linux81
data:
  # Single-line values
  school: oldboyedu
  class: linux81

  # Multi-line value
  student.txt: |
    张宁宁
    乔建伟
    童银浩
    孙 菊
    田祎平

  # nginx configuration file
  nginx.conf: |
    user nginx;
    worker_processes 1;
    error_log /var/log/nginx/error.log warn;
    pid /var/run/nginx.pid;
    events {
        worker_connections 1024;
    }
    http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
        access_log /var/log/nginx/access.log main;
        sendfile on;
        keepalive_timeout 65;
        include /etc/nginx/conf.d/*.conf;
    }


Reference it from a Pod:
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-volumes-subpath
  labels:
    apps: myweb
spec:
  nodeName: k8s152.oldboyedu.com
  volumes:
  - name: data01
    configMap:
      name: oldboyedu-linux81
      items:
      - key: nginx.conf
        path: linux81-nginx.conf
  containers:
  - name: myweb
    image: k8s151.oldboyedu.com:5000/myweb:v0.1
    command: ["tail", "-f", "/etc/hosts"]
    volumeMounts:
    - name: data01
      mountPath: /etc/nginx/nginx.conf
      # When subPath equals the item's path, mountPath is a single file and the
      # rest of /etc/nginx (mime.types, conf.d/...) stays visible.
      subPath: linux81-nginx.conf
Create the Secret:
apiVersion: v1
kind: Secret
metadata:
  name: oldboyedu-linux81-secret
data:
  username: YWRtaW4K
  password: b2xkYm95ZWR1Cg==
  salary: MjAwMDAK


Reference it from a Pod:
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-volumes-secrets-003
  labels:
    apps: myweb
spec:
  nodeName: k8s152.oldboyedu.com
  volumes:
  - name: data01
    # Reference a Secret
    secret:
      # Name of the Secret
      secretName: oldboyedu-linux81-secret
      # Entries of the Secret to project
      items:
      # KEY inside the Secret
      - key: username
        # File name the entry is mounted as
        path: oldboyedu-username.txt
      - key: password
        path: oldboyedu-password.txt
      - key: salary
        path: oldboyedu-salary.txt
  containers:
  - name: myweb
    image: k8s151.oldboyedu.com:5000/myweb:v0.1
    env:
    - name: OLDBOYEDU_SECRET_USERNAME_111111111111111111111
      # Take the value from a reference
      valueFrom:
        # ... of a Secret entry
        secretKeyRef:
          # Name of the Secret
          name: oldboyedu-linux81-secret
          # KEY inside the Secret
          key: username
    - name: OLDBOYEDU_SECRET_PASSWORD_222222222222222222222
      valueFrom:
        secretKeyRef:
          name: oldboyedu-linux81-secret
          key: password
    - name: OLDBOYEDU_SECRET_SALARY_3333333333333333333
      valueFrom:
        secretKeyRef:
          name: oldboyedu-linux81-secret
          key: salary
    volumeMounts:
    - name: data01
      # mountPath: /oldboyedu-linux81-secrets
      mountPath: /etc/nginx/oldboyedu-linux81-admin.log
      # subPath: oldboyedu-password.txt
      subPath: oldboyedu-username.txt
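The mount behaviour described in the subPath sections above is easy to get wrong, so here is an added example (not code from the original page) that models it: given the files an image ships with, the ConfigMap/Secret volumes of a Pod and its volumeMounts, it computes which paths the container will actually see and where each one comes from. The `keys` field inside the volume dicts is a constructed stand-in for the object's data keys; the image file list is constructed too.

```python
def volume_files(volume):
    """File names a configMap/secret volume projects. With `items`, only the listed
    keys appear, each under its `path`; without items every key becomes a file named
    after the key."""
    source = volume.get("configMap") or volume.get("secret")
    items = source.get("items")
    if items:
        return {item["path"]: item["key"] for item in items}
    return {key: key for key in source["keys"]}   # `keys`: constructed stand-in for the data keys


def container_view(image_files, volumes, volume_mounts):
    """Return {path: origin} for what a container sees after its volumeMounts apply.
    origin is 'image' or 'volume:<volume name>/<key>'."""
    view = {path: "image" for path in image_files}
    by_name = {v["name"]: v for v in volumes}
    for mount in volume_mounts:
        files = volume_files(by_name[mount["name"]])
        mount_path = mount["mountPath"].rstrip("/")
        sub_path = mount.get("subPath")
        if sub_path is None:
            # Whole volume mounted on a directory: everything the image had there is hidden.
            for path in list(view):
                if path == mount_path or path.startswith(mount_path + "/"):
                    del view[path]
            for path, key in files.items():
                view[f"{mount_path}/{path}"] = f"volume:{mount['name']}/{key}"
        else:
            # One projected entry mounted on one path: siblings in the image directory stay visible.
            if sub_path not in files:
                raise KeyError(f"subPath {sub_path!r} is not projected by volume {mount['name']}")
            view[mount_path] = f"volume:{mount['name']}/{files[sub_path]}"
    return view


# Constructed file list standing in for the nginx image used on this page.
IMG = ["/etc/nginx/nginx.conf", "/etc/nginx/mime.types",
       "/etc/nginx/conf.d/default.conf", "/usr/share/nginx/html/index.html"]

# The volume from the Pod above, with the ConfigMap's data keys listed explicitly.
CM_VOL = {"name": "data01",
          "configMap": {"name": "oldboyedu-linux81",
                        "keys": ["school", "class", "student.txt", "nginx.conf"],
                        "items": [{"key": "nginx.conf", "path": "linux81-nginx.conf"}]}}


if __name__ == "__main__":
    with_subpath = [{"name": "data01", "mountPath": "/etc/nginx/nginx.conf", "subPath": "linux81-nginx.conf"}]
    without_subpath = [{"name": "data01", "mountPath": "/etc/nginx"}]
    for label, mounts in (("subPath", with_subpath), ("no subPath", without_subpath)):
        print(label)
        for path, origin in sorted(container_view(IMG, [CM_VOL], mounts).items()):
            print(f"  {path}: {origin}")
```

The output makes the page's warning concrete: without subPath the mount on /etc/nginx hides mime.types and conf.d/, and nginx would fail to start; with subPath only nginx.conf is replaced.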
(1) Write the manifest
cat > 21-pod-label.yaml <<'EOF'
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-label
  labels:
    school: oldboyedu
    class: linux80
    address: shahe_oldboyedu
spec:
  containers:
  - name: linux80-web
    image: k8s201.oldboyedu.com:5000/nginx:1.20.1
EOF

(2) Apply the manifest
kubectl apply -f 21-pod-label.yaml


(3) Show the labels
kubectl get -f 21-pod-label.yaml --show-labels
kubectl get po -l school=oldboyedu --show-labels


(4) Change the labels
See the video: edit the labels field in the file and apply it again with kubectl apply.
(1) Add several labels at once
kubectl label -f 21-pod-label.yaml title=linux price=6666 brand=k8s
kubectl label po oldboyedu-linux80-label title=linux price=6666 brand=k8s

(2) Remove several labels at once
kubectl label -f 21-pod-label.yaml title- price- brand-
kubectl label po oldboyedu-linux80-label title- price- brand-

(3) Change an existing label (kubectl refuses to change a value without --overwrite)
kubectl label -f 21-pod-label.yaml --overwrite school=oldboyedu2022
Namespaces partition the resources of a K8S cluster; we usually use them to divide business lines logically.

Everything in K8S is a resource. Resources that do not belong to a namespace are cluster-scoped ("global"); those that do are namespaced ("local").

Use "kubectl api-resources" to see whether a resource type is namespaced.

Note that a namespace alone is a naming and quota boundary, not a security boundary: Pods in different namespaces still share the node and can talk to each other over the network unless RBAC and NetworkPolicy are configured.

Tips:
(1) Within one namespace, two objects of the same resource type cannot have the same name;
(2) In different namespaces, objects of the same resource type may share a name.
kubectl get namespaces
    List the existing namespaces.

kubectl get pods,cm,secret -n kube-system
    List the Pods, ConfigMaps and Secrets of the kube-system namespace.
    When a resource is created or queried without the "-n" option, the "default" namespace is used.

kubectl get pods,cm,secret -A
    List Pods, ConfigMaps and Secrets across all namespaces.

kubectl create namespace oldboyedu-linux80
    Create a namespace from the command line.

kubectl delete namespaces oldboyedu-linux80
    Delete a namespace from the command line.


Tips:
(1) Deleting a namespace deletes every resource inside it as well;
(2) Whether a resource type is namespaced can be read from the NAMESPACED column of "kubectl api-resources".
apiVersion: v1
kind: Namespace
metadata:
  name: oldboyedu-linux80

---

kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-pod-ns
  namespace: oldboyedu-linux80
  labels:
    school: oldboyedu
    class: linux80
spec:
  containers:
  - name: linux80-web
    image: k8s201.oldboyedu.com:5000/nginx:1.20.1

---

apiVersion: v1
kind: ConfigMap
metadata:
  name: oldboyedu-nginx
  namespace: oldboyedu-linux80
data:
  nginx.conf: |
    worker_processes 1;
    events {
        worker_connections 1024;
    }
    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;
        # include /usr/local/nginx/conf/conf.d/*.conf;
        server {
            listen 81;
            root /usr/local/nginx/html/bird/;
            server_name game01.oldboyedu.com;
        }

        server {
            listen 82;
            root /usr/local/nginx/html/pinshu/;
            server_name game02.oldboyedu.com;
        }

        server {
            listen 83;
            root /usr/local/nginx/html/tanke/;
            server_name game03.oldboyedu.com;
        }

        server {
            listen 84;
            root /usr/local/nginx/html/pingtai/;
            server_name game04.oldboyedu.com;
        }

        server {
            listen 85;
            root /usr/local/nginx/html/chengbao/;
            server_name game05.oldboyedu.com;
        }
    }

---

apiVersion: v1
kind: Secret
metadata:
  name: db-user-passwd
  namespace: oldboyedu-linux80
type: Opaque
data:
  username: YWRtaW4K
  password: b2xkYm95ZWR1Cg==
A Pod's spec has a restartPolicy field whose possible values are Always, OnFailure and Never. The default is Always.
    Always
        Whenever a container exits, restart it (i.e. create a new container). This is the default policy.
    Never
        When a container exits, do not restart it (no new container is created).
    OnFailure
        Restart the container (create a new one) only when it exits abnormally, i.e. with a non-zero exit code; a container killed with `kill -9` reports 137 (128 + signal 9).
        When the container exits normally (exit code 0, e.g. a clean shutdown after `docker stop`), do not restart it.

When a container exits, the kubelet delays the restart with exponential back-off (10s, 20s, 40s, ...), capped at five minutes. Once a container has run for 10 minutes without problems, the kubelet resets its back-off timer.


Tips
    (1) Regardless of the restart policy, when we remove the container by hand with docker, K8S recreates it without counting it as a restart;
    (2) When a container exits abnormally (simulate with kill -9), both Always and OnFailure recreate it and the restart count goes up;
    (3) When a container exits normally, only Always restarts it and counts the restart.


Recommended reading
    https://kubernetes.io/zh/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy


Reference examples
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-restartpolicy-onfailure
  labels:
    apps: myweb
spec:
  nodeName: k8s152.oldboyedu.com
  restartPolicy: OnFailure
  containers:
  - name: myweb
    image: k8s151.oldboyedu.com:5000/myweb:v0.1
    imagePullPolicy: Always
    command:
    - "sleep"
    - "10"

---

kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-restartpolicy-never
  labels:
    apps: myweb
spec:
  nodeName: k8s152.oldboyedu.com
  restartPolicy: Never
  containers:
  - name: myweb
    image: k8s151.oldboyedu.com:5000/myweb:v0.1
    imagePullPolicy: Always
    command:
    - "sleep"
    - "10"

---

kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-restartpolicy-always
  labels:
    apps: myweb
spec:
  nodeName: k8s152.oldboyedu.com
  restartPolicy: Always
  containers:
  - name: myweb
    image: k8s151.oldboyedu.com:5000/myweb:v0.1
    imagePullPolicy: Always
    command:
    - "sleep"
    - "10"
Commonly used probes:
livenessProbe:
    Health check. Periodically checks whether the service is alive; on failure the container is "restarted" (the old container is deleted and a new one created).
    If no liveness probe is configured, the result defaults to Success.
readinessProbe:
    Availability check. Periodically checks whether the service can serve traffic, which decides whether the container is ready.
    If the check fails, the Pod is removed from the Service's endpoints list.
    When the check passes again, the Pod is added back to the endpoints list.
    If no readiness probe is configured, the result defaults to Success.
startupProbe: (supported from 1.16 onwards)
    If a startup probe is provided, all other probes are disabled until it succeeds.
    If the startup probe fails, the kubelet kills the container and the restart policy decides whether it is restarted.
    If no startup probe is configured, the result defaults to Success.


Ways a probe can check the service:
exec:
    Runs a command inside the container; exit status 0 is success, anything else is failure (think "echo $?").

httpGet:
    Sends an HTTP GET request; any status code from 200 to 399 counts as success, everything else is failure. Common codes:
    200: OK
    301: permanent redirect
    302: temporary redirect
    401: authentication failed
    403: forbidden
    404: not found
    413: request body too large
    500: internal server error
    502: bad gateway (the upstream returned an invalid response)
    504: gateway timeout (the upstream did not respond in time)
    ...
    Keep in mind that the probe endpoint is requested without authentication; it should be cheap and must not leak internal state.

tcpSocket:
    Tests whether a TCP port accepts a connection, like telnet or nc.


Reference:
https://kubernetes.io/zh/docs/concepts/workloads/pods/pod-lifecycle/#types-of-probe
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux81-exec-001
  labels:
    apps: myweb
spec:
  containers:
  - name: linux81-exec
    image: nginx:1.18
    command:
    - /bin/bash
    - -c
    - touch /tmp/oldboyedu-linux81-healthy; sleep 5; rm -f /tmp/oldboyedu-linux81-healthy; sleep 600
    # Health check: periodically checks whether the service is alive; on failure the container is restarted.
    livenessProbe:
      # Check with an exec command
      exec:
        # The command to run
        command:
        - cat
        - /tmp/oldboyedu-linux81-healthy
      # Consecutive failures before the probe counts as failed; default 3, minimum 1. A success resets the counter.
      failureThreshold: 3
      # Seconds to wait after the container starts before the first probe; failures before this point are not counted.
      initialDelaySeconds: 15
      # Probe interval; default 10s, minimum 1.
      periodSeconds: 1
      # Consecutive successes needed to count as successful after a failure; default 1, minimum 1.
      successThreshold: 1
      # Timeout of a single probe attempt; default 1s, minimum 1.
      timeoutSeconds: 1



Tip:
To verify that a probe is failing, use the describe command and look for events whose Reason is "Unhealthy", as shown below:
Events:
  Type     Reason     Age                    From                            Message
  ----     ------     ----                   ----                            -------
  Normal   Scheduled  6m5s                   default-scheduler               Successfully assigned default/oldboyedu-linux81-exec-001 to k8s153.oldboyedu.com
  ......
  Warning  Unhealthy  3m23s (x10 over 5m47s) kubelet, k8s153.oldboyedu.com   Liveness probe failed: cat: /tmp/oldboyedu-linux81-healthy: No such file or directory


Note:
"(x10 over 5m47s)" means the event has been recorded 10 times, the first 5m47s ago and the latest 3m23s ago. The Pod was scheduled 6m5s ago, so the first failed check happened 18s after scheduling: roughly the 15s initialDelaySeconds plus container start-up, 13 seconds after the marker file was deleted.
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-httpget-001
  labels:
    apps: myweb
spec:
  containers:
  - name: linux80-httpget
    image: nginx:1.18
    # Health check: periodically checks whether the service is alive; on failure the container is restarted.
    livenessProbe:
      # Check with an HTTP GET request
      httpGet:
        # Port to connect to
        port: 80
        # Path to request
        path: /index.html
      # Consecutive failures before the probe counts as failed; default 3, minimum 1. A success resets the counter.
      failureThreshold: 3
      # Seconds to wait after the container starts before the first probe; failures before this point are not counted.
      initialDelaySeconds: 15
      # Probe interval; default 10s, minimum 1.
      periodSeconds: 1
      # Consecutive successes needed to count as successful after a failure; default 1, minimum 1.
      successThreshold: 1
      # Timeout of a single probe attempt; default 1s, minimum 1.
      timeoutSeconds: 1
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-tcpsocket-001
  labels:
    apps: myweb
spec:
  containers:
  - name: linux80-tcpsocket
    image: nginx:1.18
    command:
    - /bin/bash
    - -c
    - nginx ; sleep 10; nginx -s stop ; sleep 600
    # Health check: periodically checks whether the service is alive; on failure the container is restarted.
    livenessProbe:
      # Check by opening a TCP connection
      tcpSocket:
        port: 80
      # Consecutive failures before the probe counts as failed; default 3, minimum 1. A success resets the counter.
      failureThreshold: 3
      # Seconds to wait after the container starts before the first probe; failures before this point are not counted.
      initialDelaySeconds: 15
      # Probe interval; default 10s, minimum 1.
      periodSeconds: 1
      # Consecutive successes needed to count as successful after a failure; default 1, minimum 1.
      successThreshold: 1
      # Timeout of a single probe attempt; default 1s, minimum 1.
      timeoutSeconds: 1
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-readinessprobe-exec-001
  labels:
    apps: myweb
spec:
  containers:
  - name: linux80-exec
    image: nginx:1.18
    command:
    - /bin/bash
    - -c
    - touch /tmp/oldboyedu-linux80-healthy; sleep 5; rm -f /tmp/oldboyedu-linux80-healthy; sleep 600
    # Availability check: periodically checks whether the service can serve traffic, i.e. whether the container is ready.
    readinessProbe:
      # Check with an exec command
      exec:
        # The command to run
        command:
        - cat
        - /tmp/oldboyedu-linux80-healthy
      # Consecutive failures before the probe counts as failed; default 3, minimum 1. A success resets the counter.
      failureThreshold: 3
      # Seconds to wait before the first readiness check; until then the Pod is NotReady.
      initialDelaySeconds: 15
      # Probe interval; default 10s, minimum 1.
      periodSeconds: 1
      # Consecutive successes needed to count as successful after a failure; default 1, minimum 1.
      successThreshold: 1
      # Timeout of a single probe attempt; default 1s, minimum 1.
      timeoutSeconds: 1
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-readinessprobe-httpget-001
  labels:
    apps: myweb
spec:
  containers:
  - name: linux80-exec
    image: nginx:1.18
    # Availability check: periodically checks whether the service can serve traffic, i.e. whether the container is ready.
    readinessProbe:
      # Check with an HTTP GET request
      httpGet:
        # Port to connect to
        port: 80
        # Path to request
        path: /index.html
      # Consecutive failures before the probe counts as failed; default 3, minimum 1. A success resets the counter.
      failureThreshold: 3
      # Seconds to wait before the first readiness check; until then the Pod is NotReady.
      initialDelaySeconds: 15
      # Probe interval; default 10s, minimum 1.
      periodSeconds: 3
      # Consecutive successes needed to count as successful after a failure; default 1, minimum 1.
      successThreshold: 1
      # Timeout of a single probe attempt; default 1s, minimum 1.
      timeoutSeconds: 1
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-readinessprobe-tcpsocket-001
  labels:
    apps: myweb
spec:
  containers:
  - name: linux80-tcpsocket
    image: nginx:1.18
    command:
    - /bin/bash
    - -c
    - sleep 25; nginx -g "daemon off;"
    # Availability check: periodically checks whether the service can serve traffic, i.e. whether the container is ready.
    readinessProbe:
      # Check by opening a TCP connection
      tcpSocket:
        port: 80
      # Consecutive failures before the probe counts as failed; default 3, minimum 1. A success resets the counter.
      failureThreshold: 3
      # Seconds to wait before the first readiness check; until then the Pod is NotReady.
      initialDelaySeconds: 15
      # Probe interval; default 10s, minimum 1.
      periodSeconds: 1
      # Consecutive successes needed to count as successful after a failure; default 1, minimum 1.
      successThreshold: 1
      # Timeout of a single probe attempt; default 1s, minimum 1.
      timeoutSeconds: 1
# apps/v1 is the stable Deployment API; the original used extensions/v1beta1, which was removed in Kubernetes 1.16.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oldboyedu-linux80-deploy-nginx-001
spec:
  replicas: 5
  selector:
    matchLabels:
      apps: oldboyedu-web
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 2
      maxUnavailable: 1
  template:
    metadata:
      name: linux80-pod
      labels:
        apps: oldboyedu-web
    spec:
      containers:
      - name: linux80-web
        image: nginx:1.20.1
        livenessProbe:
          httpGet:
            port: 80
            path: /index.html
          failureThreshold: 3
          initialDelaySeconds: 15
          periodSeconds: 1
          successThreshold: 1
          timeoutSeconds: 1
        readinessProbe:
          httpGet:
            port: 80
            path: /oldboyedu-linux80.html
          failureThreshold: 3
          initialDelaySeconds: 15
          periodSeconds: 3
          successThreshold: 1
          timeoutSeconds: 1
# apps/v1 is the stable Deployment API; the original used extensions/v1beta1, which was removed in Kubernetes 1.16.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-nginx-probe-svc-001
spec:
  replicas: 5
  selector:
    matchLabels:
      apps: oldboyedu-web
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 2
      maxUnavailable: 1
  template:
    metadata:
      name: linux80-pod
      labels:
        apps: oldboyedu-web
    spec:
      containers:
      - name: linux80-web
        image: nginx:1.20.1
        livenessProbe:
          httpGet:
            port: 80
            path: /index.html
          failureThreshold: 3
          initialDelaySeconds: 15
          periodSeconds: 1
          successThreshold: 1
          timeoutSeconds: 1
        readinessProbe:
          httpGet:
            port: 80
            path: /oldboyedu-linux80.html
          failureThreshold: 3
          initialDelaySeconds: 15
          periodSeconds: 3
          successThreshold: 1
          timeoutSeconds: 1

---

apiVersion: v1
kind: Service
metadata:
  name: oldboyedu-linux80-nginx-svc
spec:
  type: ClusterIP
  selector:
    apps: oldboyedu-web
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80



Tips
    (1) Only the readinessProbe decides whether a Pod appears in the Service's endpoints list: a Pod is added once its readiness check passes. A failing livenessProbe restarts the container, and the new container is NotReady until its own readiness check passes;
    (2) When the readinessProbe fails, the Service's endpoints list automatically drops the NotReady Pod;
    (3) A small loop can watch the page status in real time (the "10.254.74.162" below is the Service's VIP):
        for i in `seq 1000`; do curl 10.254.74.162/oldboyedu-linux80.html; sleep 1; done;
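The probe and restart rules spelled out in the preceding sections (restartPolicy, the liveness/readiness probe examples and their effect on Service endpoints) can be replayed offline. The following is an added example, not code from the original page: it models the kubelet's probe bookkeeping (initialDelaySeconds, periodSeconds, failureThreshold, successThreshold), applies restartPolicy to an exit code, and reproduces the crash-loop back-off. The `check(t)` functions are constructed stand-ins for what a real exec/httpGet/tcpSocket attempt would return at second t.

```python
from dataclasses import dataclass


@dataclass
class Probe:
    """The four timing fields shared by every probe type."""
    initial_delay: int = 0      # initialDelaySeconds
    period: int = 10            # periodSeconds
    failure_threshold: int = 3  # failureThreshold
    success_threshold: int = 1  # successThreshold


def probe_transitions(probe, check, horizon, initially_passing):
    """Replay a probe and return [(t, passing)] for each change of its aggregate result.
    check(t) is the raw outcome of the single attempt made at second t. As in the
    kubelet, a success resets the failure counter, a failure resets the success
    counter, and the aggregate result only flips once the matching threshold is hit."""
    passing = initially_passing
    failures = successes = 0
    transitions = []
    t = probe.initial_delay
    while t < horizon:
        if check(t):
            successes, failures = successes + 1, 0
            if not passing and successes >= probe.success_threshold:
                passing = True
                transitions.append((t, True))
        else:
            failures, successes = failures + 1, 0
            if passing and failures >= probe.failure_threshold:
                passing = False
                transitions.append((t, False))
        t += probe.period
    return transitions


def liveness_restart_time(probe, check, horizon=600):
    """Second at which a livenessProbe reaches failureThreshold and the kubelet
    restarts the container, or None. A liveness probe starts out as Success."""
    for t, passing in probe_transitions(probe, check, horizon, initially_passing=True):
        if not passing:
            return t
    return None


def readiness_timeline(probe, check, horizon=600):
    """Ready/NotReady transitions of a readinessProbe. A container starts NotReady,
    and every NotReady stretch is exactly the time the Pod is absent from the
    Service's endpoints."""
    return probe_transitions(probe, check, horizon, initially_passing=False)


def should_restart(restart_policy, exit_code):
    """Apply spec.restartPolicy to a container exit."""
    if restart_policy == "Always":
        return True
    if restart_policy == "Never":
        return False
    if restart_policy == "OnFailure":
        return exit_code != 0
    raise ValueError(f"unknown restartPolicy {restart_policy!r}")


def signal_exit_code(signal_number):
    """Exit code of a process killed by a signal: 128 + signal, so kill -9 gives 137."""
    return 128 + signal_number


def restart_backoff(restart_number):
    """kubelet crash-loop delay before the n-th restart: 10s, 20s, 40s, ... capped at 300s."""
    return min(10 * 2 ** (restart_number - 1), 300)


if __name__ == "__main__":
    probe = Probe(initial_delay=15, period=1, failure_threshold=3, success_threshold=1)
    # Constructed model of the exec example: the marker file exists for the first 5 seconds only.
    marker_present = lambda t: t < 5
    print("liveness restart at second", liveness_restart_time(probe, marker_present))
    # Constructed model of the tcpSocket readiness example: nginx starts listening at second 25.
    port_open = lambda t: t >= 25
    print("readiness transitions:", readiness_timeline(probe, port_open, horizon=60))
    print("OnFailure restart after kill -9:", should_restart("OnFailure", signal_exit_code(9)))
```

With the exec example's settings the three consecutive failures land at seconds 15, 16 and 17, so the restart happens at 17, which matches the "Unhealthy" events you see in `kubectl describe`.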
[root@k8s151.oldboyedu.com po]# cat 23-pods-initContainer.yaml
kind: Pod
apiVersion: v1
metadata:
  labels:
    school: oldboyedu
    class: linux84
  name: oldboyedu-linux84-initcontainers-002
spec:
  nodeName: k8s153.oldboyedu.com
  volumes:
  - name: data
    emptyDir: {}
  initContainers:
  - name: init-data-001
    image: harbor.oldboyedu.com/oldboyedu-linux84-k8s/centos:7
    # command: ['/bin/bash','-c',"for i in `seq 1 5`;do echo '<h1>'$i page access time at $(date +%F_%T) '</h1>' >> /data/index.html;sleep 3;done"]
    command:
    - '/bin/bash'
    - '-c'
    - "for i in `seq 1 5`;do echo '<h1>'$i page access time at $(date +%F_%T) '</h1>' >> /data/index.html;sleep 3;done"
    volumeMounts:
    - mountPath: "/data"
      name: data
  - name: init-data-002
    image: harbor.oldboyedu.com/oldboyedu-linux84-k8s/busybox:1.28
    # command: ['/bin/sh','-c',"/bin/chmod 644 /data/* -R"]
    command:
    - '/bin/sh'
    - '-c'
    - "/bin/chmod 604 /data/* -R"
    volumeMounts:
    - mountPath: "/data"
      name: data
  containers:
  - name: myweb
    image: harbor.oldboyedu.com/oldboyedu-linux84-k8s/nginx:1.16.0-alpine
    volumeMounts:
    - mountPath: "/usr/share/nginx/html"
      name: data
[root@k8s151.oldboyedu.com po]#
vim /var/lib/kubelet/config.yaml
...
staticPodPath: /etc/kubernetes/manifests



Tips:
(1) Static Pods are read by the kubelet at start-up from the directory given by the "staticPodPath" parameter;
(2) The Pod name gets the kubelet's hostname appended, e.g. "-k8s151.oldboyedu.com", and the "nodeName" field is ignored;
(3) Creating a static Pod does not go through the API server: the kubelet on that node starts it directly and only registers a read-only mirror Pod so that it shows up in kubectl;
(4) To delete a static Pod, remove its manifest from the staticPodPath directory;
(5) Only Pod manifests are honoured in that directory; other resource types are not created;
(6) kubeadm deployments run the control plane itself (kube-apiserver, etcd and friends) as static Pods.

Because anything written to staticPodPath runs on the node with no admission control or RBAC involved, write access to that directory is equivalent to root on the node; keep it owned by root and mode 0700, and alert on changes to it.
| Value | Description |
|---|---|
| Pending | The Pod has been accepted by the Kubernetes system, but one or more containers have not been created or started yet. This phase includes the time spent waiting to be scheduled and the time spent downloading images over the network. |
| Running | The Pod has been bound to a node and all of its containers have been created. At least one container is still running, or is starting or restarting. |
| Succeeded | All containers in the Pod have terminated successfully and will not be restarted. |
| Failed | All containers in the Pod have terminated, and at least one of them terminated in failure, i.e. exited with a non-zero status or was killed by the system. |
| Unknown | The state of the Pod could not be obtained for some reason, usually because communication with the node hosting the Pod failed. |
The Pod phases are listed in the table above. A Pod follows a predefined lifecycle: it starts in Pending, moves to Running once at least one of its main containers has started, and then ends in Succeeded or Failed depending on whether any container finished in a failed state.


A container inside a Pod is in one of three states:
Waiting
    A container that is neither Running nor Terminated is Waiting. It is still doing what it needs to start up: pulling the image from a registry, or having Secret data applied, for example. When you query a Pod with a Waiting container via kubectl, a Reason field tells you why it is waiting.

Running
    The container is executing without problems. If a postStart hook is configured, it has already run and completed. kubectl shows when the container entered the Running state.

Terminated
    The container has started and then either finished normally or failed for some reason. kubectl shows the reason, the exit code and the start and finish times of the container.
    If a preStop hook is configured, it runs before the container enters the Terminated state.


Recommended reading:
https://kubernetes.io/zh/docs/concepts/workloads/pods/pod-lifecycle/
https://kubernetes.io/zh/docs/concepts/containers/container-lifecycle-hooks/
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux82-ports-001
spec:
  nodeName: k8s152.oldboyedu.com
  containers:
  - name: linux82-web
    image: k8s151.oldboyedu.com:5000/oldboyedu-web/nginx:1.20.1
    # Port mapping of the container
    ports:
    # Port the service listens on inside the container
    - containerPort: 80
      # Node IP address to bind; 0.0.0.0 exposes the port on every interface of the node
      hostIP: 0.0.0.0
      # Port on the node. On k8s 1.5.2 a listening socket shows up on the node; on k8s 1.15.12
      # nothing is listed by ss/netstat because the CNI portmap plugin forwards the port with
      # iptables DNAT rules, yet the port is reachable just the same.
      hostPort: 18888
      # Name of the port; must be unique within the Pod
      name: myweb
      # Protocol: UDP, TCP or SCTP
      protocol: TCP

A hostPort pins the Pod to a node port and bypasses the Service layer, so it is exposed even where no Service or NodePort was intended; prefer a Service unless the node port is really required.
Pod security context (securityContext)
kubectl explain po.spec.containers.securityContext
kubectl explain po.spec.securityContext



Reference example:
(1) Write the Dockerfile
[root@docker101.oldboyedu.com securityContext]# cat Dockerfile
FROM centos:7

LABEL school=oldboyedu \
      class=linux84

# RUN sed -e 's|^mirrorlist=|#mirrorlist=|g' \
#         -e 's|^#baseurl=http://mirror.centos.org|baseurl=https://mirrors.tuna.tsinghua.edu.cn|g' \
#         -i.bak \
#         /etc/yum.repos.d/CentOS-*.repo

RUN curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo

RUN yum -y install iptables-services net-tools && rm -rf /var/cache/yum

RUN useradd -u 666 oldboyedu

CMD ["tail","-f","/etc/hosts"]
[root@docker101.oldboyedu.com securityContext]#
[root@docker101.oldboyedu.com securityContext]# cat build.sh
#!/bin/bash


docker image build -t harbor.oldboyedu.com/oldboyedu-linux84-k8s/centos7-iptabls:v0.1 .
# Passing the registry password with -p puts it in the shell history and process list;
# prefer `docker login -u admin --password-stdin harbor.oldboyedu.com` fed from a file or a secret store.
docker login -u admin -p 1 harbor.oldboyedu.com
docker image push harbor.oldboyedu.com/oldboyedu-linux84-k8s/centos7-iptabls:v0.1
docker logout harbor.oldboyedu.com
[root@docker101.oldboyedu.com securityContext]#



(2) Deploy a Pod to test
[root@k8s151.oldboyedu.com po]# cat 12-pod-securityContext.yaml
apiVersion: v1
kind: Pod
metadata:
  name: oldboyedu-linux84-securitycontext-p1-007
  labels:
    apps: p1
spec:
  nodeName: k8s153.oldboyedu.com
  containers:
  - name: c1
    image: harbor.oldboyedu.com/oldboyedu-linux84-k8s/centos7-iptabls:v0.1
    # args:
    # - tail
    # - -f
    # - /etc/hosts
    # Security-related settings of the container
    securityContext:
      # Run as a privileged container. A privileged container gets every capability, which would mask the capabilities test below.
      # privileged: true
      # Adjust the Linux capabilities of the container
      # Recommended reading:
      #   https://man7.org/linux/man-pages/man7/capabilities.7.html
      #   https://docs.docker.com/compose/compose-file/compose-file-v3/#cap_add-cap_drop
      capabilities:
        # Add every capability. Drops are applied afterwards, so the three entries below are
        # removed but everything else (SYS_ADMIN, SYS_PTRACE, ...) stays; a safer baseline is
        # `drop: [ALL]` followed by adding only what the workload needs.
        add:
        - ALL
        # Remove specific capabilities
        drop:
        # Disables network administration (iptables, interface changes, ...)
        - NET_ADMIN
        # Disables changing file ownership, i.e. chown no longer works. For example
        # "useradd oldboyedu" creates "/home/oldboyedu" and then chowns it to the new user;
        # the user is created, but the owner and group of "/home/oldboyedu" cannot be changed.
        - CHOWN
        # Disables the chroot command
        - SYS_CHROOT
      # Refuse to start the container if its process would run as root
      runAsNonRoot: true
      # UID the process runs as; the UID must exist in the image
      runAsUser: 666
[root@k8s151.oldboyedu.com po]#
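To make the capability arithmetic and the other securityContext knobs concrete, here is an added example, not code from the original page: an admission-style check that reviews a Pod manifest (modelled here as a Python dict, which is what a YAML loader would give you) and computes the effective capability set from `add`/`drop` the way the container runtime does. `PAGE_POD` mirrors the manifest above; `HARDENED_POD`, the capability lists and the credential keyword list are the example's own constructions, and the capability list is abbreviated rather than the kernel's full set.

```python
# Constructed Pod manifests as dicts (the shape a YAML loader produces).
PAGE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "oldboyedu-linux84-securitycontext-p1-007"},
    "spec": {"containers": [{
        "name": "c1",
        "image": "harbor.oldboyedu.com/oldboyedu-linux84-k8s/centos7-iptabls:v0.1",
        "securityContext": {
            "capabilities": {"add": ["ALL"], "drop": ["NET_ADMIN", "CHOWN", "SYS_CHROOT"]},
            "runAsNonRoot": True,
            "runAsUser": 666,
        },
    }]},
}

HARDENED_POD = {   # hypothetical hardened variant of the same container
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "hardened-example"},
    "spec": {"containers": [{
        "name": "c1",
        "image": "harbor.oldboyedu.com/oldboyedu-linux84-k8s/centos7-iptabls:v0.1",
        "securityContext": {
            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            "runAsNonRoot": True,
            "runAsUser": 666,
            "allowPrivilegeEscalation": False,
        },
    }]},
}

# Docker's default capability set plus a few privileged ones; the kernel's full list is longer.
DOCKER_DEFAULT_CAPS = ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
                       "NET_BIND_SERVICE", "NET_RAW", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"]
EXTRA_CAPS = ["NET_ADMIN", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_TIME"]
ALL_CAPS = sorted(DOCKER_DEFAULT_CAPS + EXTRA_CAPS)
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_MODULE", "SYS_PTRACE"}
CREDENTIAL_WORDS = ("PASSWORD", "PASSWD", "SECRET", "TOKEN")


def effective_capabilities(add, drop, privileged=False):
    """Capability set a container ends up with: privileged -> everything; add ALL ->
    everything; drop ALL -> only the adds; otherwise the default set plus the adds.
    Named drops are removed last, which is why `add: [ALL]` with three drops still
    keeps SYS_ADMIN."""
    if privileged or "ALL" in add:
        caps = set(ALL_CAPS)
    elif "ALL" in drop:
        caps = set(add)
    else:
        caps = set(DOCKER_DEFAULT_CAPS) | set(add)
    if not privileged and "ALL" not in drop:
        caps -= set(drop)
    return sorted(caps)


def check_pod_security(pod):
    """Admission-style review of a Pod manifest; returns a list of findings (empty = clean)."""
    findings = []
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag} shares a node namespace")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"volume {vol['name']}: hostPath {vol['hostPath'].get('path')}")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        add, drop = caps.get("add", []), caps.get("drop", [])
        privileged = bool(sc.get("privileged"))
        if privileged:
            findings.append(f"{name}: privileged container")
        if "ALL" in add:
            findings.append(f"{name}: capabilities.add ALL; drop list only removes {sorted(drop)}")
        elif "ALL" not in drop:
            findings.append(f"{name}: does not drop ALL capabilities")
        for cap in sorted(set(effective_capabilities(add, drop, privileged)) & DANGEROUS_CAPS):
            findings.append(f"{name}: effective capability {cap}")
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if non_root and uid == 0:
            findings.append(f"{name}: runAsNonRoot with runAsUser 0 can never start")
        if not non_root and uid in (None, 0):
            findings.append(f"{name}: may run as root (set runAsNonRoot or a non-zero runAsUser)")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not disabled")
        for env in c.get("env", []):
            if "value" in env and any(w in env["name"].upper() for w in CREDENTIAL_WORDS):
                findings.append(f"{name}: env {env['name']} holds a plaintext credential; use secretKeyRef")
        for port in c.get("ports", []):
            if "hostPort" in port:
                findings.append(f"{name}: hostPort {port['hostPort']} binds on the node")
    return findings


if __name__ == "__main__":
    for pod in (PAGE_POD, HARDENED_POD):
        print(pod["metadata"]["name"], check_pod_security(pod) or ["clean"])
```

Against the page's manifest the check reports the `add: [ALL]` pattern and the dangerous capabilities that survive the three drops; the hardened variant passes. The same `check_pod_security` function also flags the plaintext MYSQL_ROOT_PASSWORD-style environment values used by the WordPress examples later on this page.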

- Create the Pod
- The scheduling flow completes
- initContainers run
- The containers start and postStart runs
- livenessProbe
- The Pod enters Running
- readinessProbe
- The Service associates the Pod (endpoints)
- Client requests are served


- Delete the Pod
- The Pod is set to Terminating, removed from the Service's endpoints list and receives no new client requests
- The preStop hook runs
- K8S sends SIGTERM (the normal termination signal) to the main process of each container, telling it that it is about to be shut down
- The optional terminationGracePeriodSeconds sets the grace period; if unset, at most 30 seconds are allowed
- The grace period starts when the Pod enters Terminating, so the preStop hook consumes part of it. SIGTERM is sent only after preStop has returned; if preStop is still running when the grace period expires, the kubelet aborts it and gives the process only a short extra grace (2 seconds) after SIGTERM
- When the grace period ends, SIGKILL is sent to any process still running and the Pod object is deleted

[root@k8s151.oldboyedu.com po]# cat 24-pods-postStart-preStop.yaml
apiVersion: v1
kind: Pod
metadata:
  name: oldboyedu-linux84-lifecycle-004
spec:
  nodeName: k8s152.oldboyedu.com
  volumes:
  - name: data
    hostPath:
      path: /oldboyedu-linux84
  # Grace period of the Pod: how long to wait before the kill signal during graceful termination,
  # which gives the Pod time to finish in-flight requests. Seconds; defaults to 30s when unset.
  terminationGracePeriodSeconds: 60
  containers:
  - name: myweb
    image: harbor.oldboyedu.com/oldboyedu-linux84-k8s/centos:7
    stdin: true
    volumeMounts:
    - name: data
      mountPath: /data
    # Lifecycle hooks of the container
    lifecycle:
      # Runs right after the container starts
      postStart:
        exec:
          command:
          - "/bin/bash"
          - "-c"
          - "echo \"postStart at $(date +%F_%T)\" >> /data/postStart.log"
      # Runs before the container is stopped
      preStop:
        exec:
          command:
          - "/bin/bash"
          - "-c"
          - "echo \"preStop at $(date +%F_%T)\" >> /data/preStop.log"
[root@k8s151.oldboyedu.com po]#

A ReplicationController ("rc" for short) keeps a specified number of Pods alive; it finds its Pods through a label selector.
[root@k8s151.oldboyedu.com rc]# cat 01-replicationcontrollers.yaml
apiVersion: v1
kind: ReplicationController
metadata:
  name: oldboyedu-linux84-rc-002
  labels:
    school: oldboyedu
    class: linux84
spec:
  # Number of Pod replicas to run
  replicas: 5
  # Label selector used to find the Pods; it normally matches the template's labels
  selector:
    address: oldboyedu
  # Template every replica is created from
  template:
    # Metadata of the Pods
    metadata:
      labels:
        address: oldboyedu
    # Desired state of the Pods
    spec:
      containers:
      - name: c1
        image: harbor.oldboyedu.com/oldboyedu-linux84-k8s/nginx:1.18
        # Note: this command replaces the image's nginx entrypoint, so nothing listens on port 80
        # and the readiness probe below never passes; the Pods stay NotReady. Drop the command to get Ready Pods.
        command:
        - tail
        - -f
        - /etc/hosts
        readinessProbe:
          failureThreshold: 3
          initialDelaySeconds: 15
          periodSeconds: 1
          successThreshold: 1
          timeoutSeconds: 1
          httpGet:
            scheme: HTTP
            port: 80
            path: /

[root@k8s151.oldboyedu.com rc]#
rc has two major shortcomings:
(1) It does not support declarative image updates;
(2) During an upgrade an operator sometimes has to step in because the Service no longer matches the Pods.
To avoid the second problem, give the rc's selector and the Service's selector different keys so they are not coupled. See the video.

Note that `kubectl rolling-update` only works with rc and was removed from kubectl in version 1.18; on current clusters use a Deployment instead.


Upgrade and roll back with rc:
1. Create the original version
kubectl apply -f 01-rc-svc.yaml -f 02-rc-nginx-old.yaml

2. Test the service
curl -I 10.0.0.53:30088


3. Upgrade
kubectl rolling-update oldboyedu-linux84-rc-web-old -f 03-rc-nginx-update-new.yaml --update-period=1s
    oldboyedu-linux84-rc-web-old:
        Name of the existing (old) rc.
    -f 03-rc-nginx-update-new.yaml
        File that defines the version to upgrade (or roll back) to.
    --update-period=1s
        Interval between Pod replacements.

4. After the upgrade, fix the fact that users can no longer reach the Pods
Option 1:
    Keep the old Service and label the new Pods so its selector matches again.
    kubectl label pods --all class=linux84
    # kubectl label pods --all class-   # remove the label

Option 2:
    Switch to a new Service.
    kubectl delete -f 01-rc-svc.yaml
    kubectl apply -f 04-rc-svc-new.yaml


5. Roll back
kubectl rolling-update oldboyedu-linux84-rc-web-new -f 02-rc-nginx-old.yaml --update-period=1s
kubectl delete -f 04-rc-svc-new.yaml
kubectl apply -f 01-rc-svc.yaml



Manifests:
[root@k8s151.oldboyedu.com update-rollback]# cat 01-rc-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: linux84-svc-web-nodeport-002
spec:
  type: NodePort
  ports:
  - port: 9999
    targetPort: 80
    nodePort: 30088
  selector:
    class: linux84
[root@k8s151.oldboyedu.com update-rollback]#
[root@k8s151.oldboyedu.com update-rollback]# cat 02-rc-nginx-old.yaml
kind: ReplicationController
apiVersion: v1
metadata:
  name: oldboyedu-linux84-rc-web-old
spec:
  replicas: 3
  selector:
    school: oldboyedu
  template:
    metadata:
      name: linux84-web
      labels:
        school: oldboyedu
        class: linux84
    spec:
      containers:
      - name: web
        image: harbor.oldboyedu.com/oldboyedu-linux84-k8s/nginx:1.14.2-alpine
[root@k8s151.oldboyedu.com update-rollback]#
[root@k8s151.oldboyedu.com update-rollback]#
[root@k8s151.oldboyedu.com update-rollback]# cat 03-rc-nginx-update-new.yaml
kind: ReplicationController
apiVersion: v1
metadata:
  name: oldboyedu-linux84-rc-web-new
spec:
  replicas: 3
  selector:
    school: oldboyedu-new
  template:
    metadata:
      name: linux84-web
      labels:
        school: oldboyedu-new
        address: beijing-linux84
    spec:
      containers:
      - name: web
        image: harbor.oldboyedu.com/oldboyedu-linux84-k8s/nginx:1.16.0-alpine
[root@k8s151.oldboyedu.com update-rollback]#
[root@k8s151.oldboyedu.com update-rollback]#
[root@k8s151.oldboyedu.com update-rollback]# cat 04-rc-svc-new.yaml
apiVersion: v1
kind: Service
metadata:
  name: linux84-svc-web-nodeport-002-new
spec:
  type: NodePort
  ports:
  - port: 9999
    targetPort: 80
    nodePort: 30088
  selector:
    school: oldboyedu-new
    address: beijing-linux84
[root@k8s151.oldboyedu.com update-rollback]#

A ReplicaSet ("rs" for short) likewise controls the number of Pod replicas; the Deployment resource covered next is built on top of it.
# apps/v1 is the stable ReplicaSet API; the original used extensions/v1beta1, which was removed in Kubernetes 1.16.
apiVersion: apps/v1
kind: ReplicaSet
metadata:
  name: oldboyedu-linux84-rs
  labels:
    school: oldboyedu
    class: linux84
spec:
  # Number of Pod replicas; defaults to 1
  replicas: 1
  # Label selector the rs uses to find its Pods
  selector:
    matchLabels:
      apps: oldboyedu-web
  # Template the Pods are created from
  template:
    metadata:
      name: linux84-pod
      labels:
        apps: oldboyedu-web
    spec:
      containers:
      - name: linux84-web
        image: harbor.oldboyedu.com/oldboyedu-linux84-k8s/nginx:1.18

A Deployment is the resource used to deploy services and is the most commonly used controller. It:
(1) manages ReplicaSets and creates Pods through them;
(2) provides rollout, replica scaling, rolling upgrade and rollback;
(3) supports declarative updates, i.e. you change the image version and apply the manifest again.

Typical use: deploying services such as web sites, APIs and microservices.
# apps/v1 is the stable Deployment API; the original used extensions/v1beta1, which was removed in Kubernetes 1.16.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oldboyedu-linux81-deploy-web
  labels:
    school: oldboyedu
    class: linux81
spec:
  # Number of Pod replicas; defaults to 1
  replicas: 3
  # Label selector the underlying rs uses to find its Pods
  selector:
    matchLabels:
      apps: oldboyedu-web
  # Template the Pods are created from
  template:
    metadata:
      name: linux80-pod
      labels:
        apps: oldboyedu-web
        address: ChangPing-ShaHe
    spec:
      containers:
      - name: linux80-web
        image: nginx:1.18
        # image: nginx:1.20.1

| Step | old | new | Condition |
|---|---|---|---|
| First round | 4 | 3 | maxSurge=2, maxUnavailable=1, replicas=5 |
| Second round | 4 - 3 = 1 | 3 + 2 = 5 | |
| Third round (cleanup) | 0 | 5 | |

The table is the simplified view: at no point are more than replicas + maxSurge Pods running, and never fewer than replicas - maxUnavailable available.
# apps/v1 is the stable Deployment API; the original used extensions/v1beta1, which was removed in Kubernetes 1.16.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oldboyedu-linux81-deploy-web-strategy
  labels:
    school: oldboyedu
    class: linux81
spec:
  # Number of Pod replicas; defaults to 1
  replicas: 5
  # Label selector the underlying rs uses to find its Pods
  selector:
    matchLabels:
      apps: oldboyedu-web
  # Upgrade strategy
  strategy:
    # Type of upgrade: "Recreate" or "RollingUpdate"
    # Recreate:
    #   Stop all Pods first, then create the new ones in one batch.
    #   Not recommended in production, because the service is unreachable during the upgrade.
    # RollingUpdate:
    #   Replace the Pods gradually, a few at a time. This is the default.
    type: RollingUpdate
    # Tuning of the rolling update
    rollingUpdate:
      # How many Pods may exist above the desired replica count during the update
      maxSurge: 2
      # How many Pods may be unavailable during the update
      maxUnavailable: 1
  # Template the Pods are created from
  template:
    metadata:
      name: linux80-pod
      labels:
        apps: oldboyedu-web
    spec:
      containers:
      - name: linux80-web
        image: nginx:1.16
        # image: nginx:1.14
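To see what maxSurge and maxUnavailable actually permit step by step, here is an added example, not code from the original page: it simulates the Deployment controller's RollingUpdate reconcile loop (scale the new ReplicaSet up within the surge budget, then scale the old one down without dropping below the availability floor), resolves percentage values the way the controller does, and checks the two invariants every safe rollout keeps. The modelling assumption, stated in the docstring, is that Pods created in one pass are Ready by the next one.

```python
import math


def resolve_rollout_value(value, replicas, round_up):
    """Turn maxSurge / maxUnavailable into an absolute count. Percentages round up
    for maxSurge and down for maxUnavailable, as the controller does."""
    if isinstance(value, str) and value.endswith("%"):
        fraction = int(value[:-1]) / 100
        return math.ceil(replicas * fraction) if round_up else math.floor(replicas * fraction)
    return int(value)


def rolling_update_steps(replicas, max_surge, max_unavailable):
    """Simulate the RollingUpdate loop and return the (old, new) Pod counts after
    each reconcile pass. Each pass scales the new ReplicaSet up as far as
    replicas + maxSurge allows, then scales the old one down as far as
    replicas - maxUnavailable available Pods allow. Modelling assumption: Pods
    created in one pass are Ready by the next pass."""
    surge = resolve_rollout_value(max_surge, replicas, round_up=True)
    unavailable = resolve_rollout_value(max_unavailable, replicas, round_up=False)
    if surge == 0 and unavailable == 0:
        raise ValueError("maxSurge and maxUnavailable cannot both be 0")
    max_total = replicas + surge
    min_available = replicas - unavailable
    old, new = replicas, 0
    steps = [(old, new)]
    while old > 0 or new < replicas:
        new_available = new                                         # last pass's Pods are Ready now
        new = min(replicas, new + max(0, max_total - (old + new)))  # scale up within the surge budget
        available = old + new_available
        old -= min(old, max(0, available - min_available))         # scale down, keeping minAvailable
        steps.append((old, new))
    return steps


def rollout_respects_limits(steps, replicas, max_surge, max_unavailable):
    """Check the invariants a safe rollout keeps at every pass: never more than
    replicas + maxSurge Pods, never fewer than replicas - maxUnavailable available."""
    surge = resolve_rollout_value(max_surge, replicas, round_up=True)
    unavailable = resolve_rollout_value(max_unavailable, replicas, round_up=False)
    for i in range(1, len(steps)):
        old, new = steps[i]
        available_new = steps[i - 1][1]
        if old + new > replicas + surge:
            return False
        if old + available_new < replicas - unavailable:
            return False
    return True


if __name__ == "__main__":
    steps = rolling_update_steps(5, 2, 1)       # the manifest above
    print("old/new per pass:", steps)
    print("limits respected:", rollout_respects_limits(steps, 5, 2, 1))
    print("25% of 5 -> surge", resolve_rollout_value("25%", 5, True),
          "unavailable", resolve_rollout_value("25%", 5, False))
```

For replicas=5, maxSurge=2, maxUnavailable=1 the model yields (5,0) → (4,2) → (2,3) → (1,5) → (0,5): the controller interleaves smaller scale-up and scale-down moves than the three-row table suggests, but it stays within the same 7-Pod ceiling and 4-available floor. Setting maxSurge=0 with maxUnavailable=1 on a single replica reproduces the (0,0) gap where the service is briefly down.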
cat > 01-deploy-redis.yaml <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-leader
  labels:
    app: redis
    role: leader
    tier: backend
spec:
  replicas: 1
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
        role: leader
        tier: backend
    spec:
      containers:
      - name: leader
        image: "docker.io/redis:6.0.5"
        resources:
          requests:
            cpu: 100m
            memory: 100Mi
        ports:
        - containerPort: 6379


---

apiVersion: v1
kind: Service
metadata:
  name: redis-leader
  labels:
    app: redis
    role: leader
    tier: backend
spec:
  type: NodePort
  ports:
  - port: 6379
    targetPort: 6379
    nodePort: 30080
  selector:
    app: redis
    role: leader
    tier: backend
EOF

(1) Write the manifest
cat > 01-deploy-wordpresss.yaml <<'EOF'
# apps/v1 is the stable Deployment API; the original used extensions/v1beta1, which was removed in Kubernetes 1.16.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wordpress
spec:
  replicas: 2
  selector:
    matchLabels:
      app: wordpress
  template:
    metadata:
      labels:
        app: wordpress
    spec:
      containers:
      - name: mysql
        image: k8s201.oldboyedu.com:5000/mysql:5.7
        ports:
        - containerPort: 3306
        # Plaintext passwords in env are fine for a classroom demo; in practice put them in a Secret
        # and reference them with secretKeyRef, otherwise anyone who can read the Deployment has them.
        env:
        - name: MYSQL_ROOT_PASSWORD
          value: somewordpress
        - name: MYSQL_DATABASE
          value: wordpress
        - name: MYSQL_USER
          value: wordpress
        - name: MYSQL_PASSWORD
          value: wordpress
      - name: wordpress
        image: k8s201.oldboyedu.com:5000/wordpress:latest
        ports:
        - containerPort: 80
        env:
        - name: WORDPRESS_DB_HOST
          # Both containers share the Pod's network namespace, so MySQL is reachable on localhost.
          value: 127.0.0.1
        - name: WORDPRESS_DB_USER
          value: wordpress
        - name: WORDPRESS_DB_PASSWORD
          value: wordpress
EOF


(2) Expose the service
kubectl expose -f 01-deploy-wordpresss.yaml --type=NodePort


(3) Test
Scale to 2 replicas and open the web UI: every replica carries its own MySQL, so the two copies hold different data. That is the problem the next section solves.

(1) Split MySQL out
cat > deploy-mysql.yaml <<'EOF'
# apps/v1 is the stable Deployment API; the original used extensions/v1beta1, which was removed in Kubernetes 1.16.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oldboyedu-mysql
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oldboyedu-mysql
  template:
    metadata:
      labels:
        app: oldboyedu-mysql
    spec:
      containers:
      - name: oldboyedu-mysql
        image: k8s201.oldboyedu.com:5000/mysql:5.7
        ports:
        - containerPort: 3306
        env:
        - name: MYSQL_ROOT_PASSWORD
          value: somewordpress
        - name: MYSQL_DATABASE
          value: wordpress
        - name: MYSQL_USER
          value: wordpress
        - name: MYSQL_PASSWORD
          value: wordpress
EOF

(2) Split WordPress out
cat > deploy-wordpresss.yaml <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oldboyedu-wordpress
spec:
  replicas: 3
  selector:
    matchLabels:
      app: oldboyedu-wordpress
  template:
    metadata:
      labels:
        app: oldboyedu-wordpress
    spec:
      containers:
      - name: oldboyedu-wordpress
        image: k8s201.oldboyedu.com:5000/wordpress:latest
        ports:
        - containerPort: 80
        env:
        - name: WORDPRESS_DB_HOST
          # The IP address of the MySQL Pod. It changes whenever the Pod is recreated,
          # which is the new problem this step introduces.
          value: 10.244.1.163
        - name: WORDPRESS_DB_USER
          value: wordpress
        - name: WORDPRESS_DB_PASSWORD
          value: wordpress
EOF

(3) Expose the WordPress service
kubectl expose deployment oldboyedu-wordpress --type=NodePort

(1) Deploy the MySQL service
cat > 01-deploy-mysql.yaml <<'EOF'
# apps/v1 is the stable Deployment API; the original used extensions/v1beta1, which was removed in Kubernetes 1.16.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oldboyedu-mysql
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oldboyedu-mysql
  template:
    metadata:
      labels:
        app: oldboyedu-mysql
    spec:
      volumes:
      - name: data
        # NFS trusts the client's UIDs, so restrict the export to the node subnet and
        # avoid no_root_squash where you can.
        nfs:
          server: 10.0.0.201
          path: /oldboyedu/data/kubernetes
      containers:
      - name: oldboyedu-mysql
        image: k8s201.oldboyedu.com:5000/mysql:5.7
        volumeMounts:
        - name: data
          mountPath: /var/lib/mysql
        ports:
        - containerPort: 3306
        env:
        - name: MYSQL_ROOT_PASSWORD
          value: somewordpress
        - name: MYSQL_DATABASE
          value: wordpress
        - name: MYSQL_USER
          value: wordpress
        - name: MYSQL_PASSWORD
          value: wordpress

---

apiVersion: v1
kind: Service
metadata:
  name: oldboyedu-mysql
spec:
  # A fixed ClusterIP gives WordPress a stable address; the Service name (oldboyedu-mysql)
  # resolved through cluster DNS works just as well and needs no IP bookkeeping.
  clusterIP: 10.254.131.222
  selector:
    app: oldboyedu-mysql
  ports:
  - port: 3306
    targetPort: 3306
EOF


(2) Deploy the WordPress service
cat > 02-deploy-wordpresss.yaml <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oldboyedu-wordpress
spec:
  replicas: 3
  selector:
    matchLabels:
      apps: oldboyedu-wordpress
  template:
    metadata:
      labels:
        apps: oldboyedu-wordpress
    spec:
      containers:
      - name: oldboyedu-wordpress
        image: k8s201.oldboyedu.com:5000/wordpress:latest
        ports:
        - containerPort: 80
        env:
        - name: WORDPRESS_DB_HOST
          value: 10.254.131.222
        - name: WORDPRESS_DB_USER
          value: wordpress
        - name: WORDPRESS_DB_PASSWORD
          value: wordpress

---

apiVersion: v1
kind: Service
metadata:
  name: oldboyedu-wordpress
spec:
  type: NodePort
  selector:
    apps: oldboyedu-wordpress
  ports:
  - port: 80
    targetPort: 80
    nodePort: 30088
EOF


(3) Create the services
kubectl apply -f .

(4) Verify that no data is lost
kubectl delete pod --all

(5) Clean up
kubectl delete -f .
Blue/green deployment overview:
Characteristics of blue/green deployment:
The old version is not stopped (access to the previous version is unaffected); instead the new version is deployed into a separate environment and tested there.
Once testing passes, user traffic is switched to the new version. The service is never interrupted and the upgrade risk is relatively low.


- Implementation:
  1. Deploy the current version
  2. Deploy the Service
  3. Deploy the new version (with a new Deployment name and a new label)
  4. Switch the Service selector to the new Pods' label


Blue/green deployment example:
(1) Deploy the blue environment
[root@k8s151.oldboyedu.com blue-green]# cat blue.yaml
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: oldboyedu-blue
spec:
  replicas: 3
  selector:
    matchLabels:
      app: blue
  template:
    metadata:
      labels:
        app: blue
    spec:
      containers:
      - name: myweb
        image: harbor.oldboyedu.com/oldboyedu-linux84-k8s/nginx:1.14.2-alpine

---

kind: Service
apiVersion: v1
metadata:
  name: oldboyedu-app-svc
spec:
  type: NodePort
  ports:
  - port: 80
    targetPort: 80
    nodePort: 30080
  selector:
    app: blue
    #app: green
[root@k8s151.oldboyedu.com blue-green]#


(2) Deploy the green environment
[root@k8s151.oldboyedu.com blue-green]# cat green.yaml
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: oldboyedu-green
spec:
  replicas: 3
  selector:
    matchLabels:
      app: green
  template:
    metadata:
      labels:
        app: green
    spec:
      containers:
      - name: myweb
        image: harbor.oldboyedu.com/oldboyedu-linux84-k8s/nginx:1.16.0-alpine
[root@k8s151.oldboyedu.com blue-green]#


(3) Switch the Service selector label, as shown below:
kind: Service
apiVersion: v1
metadata:
  name: oldboyedu-app-svc
spec:
  type: NodePort
  ports:
  - port: 80
    targetPort: 80
    nodePort: 30080
  selector:
    #app: blue
    app: green


(4) Test access
while true ; do sleep 0.5;curl -I 10.0.0.153:30080; done
Canary deployment overview:
A canary release, also called a gray release, is a release method that moves smoothly between "black" and "white". It is a type of incremental release: while the existing version stays available, a new version is deployed alongside it as the "canary" (the guinea pig) to test the new version's performance and behaviour, so that problems are discovered and corrected early while the system as a whole remains stable.
Origin of the term "canary": in the 17th century, British miners found that canaries are extremely sensitive to mine gas. Even a trace of gas in the air makes a canary stop singing, and once the gas exceeds a certain level the canary has already died of poisoning while the humans have noticed nothing. With the crude mining equipment of the time, miners took a canary down with them on every shift as a "gas detector", so they could evacuate in an emergency.


- Implementation:
  1. Deploy the current version with multiple replicas (3 replicas at the start);
  2. Deploy a Service that matches one label;
  3. Deploy the new version (under a different Deployment name but with the same label as before); once the new version is Running, the Service matches the label automatically and adds the Pods to its endpoints, so they start receiving client requests;
  4. Once the canary version tests clean, gradually scale its Pod replicas up to the production count;
  5. Gradually scale the old version's Pods down to 0; all traffic is then forwarded to the new version.


Canary release example:
(1) Deploy the old version (start with 3 replicas; as the new version is created, scale it down to 0)
[root@k8s151.oldboyedu.com canary]# cat old.yaml
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: oldboyedu-old
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: myweb
        image: harbor.oldboyedu.com/oldboyedu-linux84-k8s/nginx:1.14.2-alpine

---

kind: Service
apiVersion: v1
metadata:
  name: oldboyedu-web-svc
spec:
  type: NodePort
  ports:
  - port: 80
    targetPort: 80
    nodePort: 30081
  selector:
    app: web
[root@k8s151.oldboyedu.com canary]#


(2) Deploy the new version (start with 1 replica; as the new version proves stable, scale it up to 3)
[root@k8s151.oldboyedu.com canary]# cat new.yaml
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: oldboyedu-new
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: myweb
        image: harbor.oldboyedu.com/oldboyedu-linux84-k8s/nginx:1.16.0-alpine
[root@k8s151.oldboyedu.com canary]#


(3) Adjust the replica counts
Manually scale the old Deployment from 3 down to 0 while scaling the new one from 1 up to 3.


(4) Test access
while true ; do sleep 0.5;curl -I 10.0.0.153:30081; done
Create a Deployment:
kubectl create deployment oldboyedu-linux --image=harbor.oldboyedu.com/oldboyedu-linux84-k8s/nginx:1.14.2-alpine


Delete a Deployment:
kubectl delete deployment oldboyedu-linux

Modify a Deployment:
1) Edit the resource manifest [interactive]
kubectl edit deployments oldboyedu-linux

2) Change the container image [non-interactive]
kubectl set image deploy oldboyedu-linux nginx=harbor.oldboyedu.com/oldboyedu-linux84-k8s/nginx:1.18
A Job is a one-off task: once the Pod has finished its work the container is not restarted. Its restart policy is "restartPolicy: Never".

cat > job.yaml <<'EOF'
apiVersion: batch/v1
kind: Job
metadata:
  name: oldboyedu-linux81-pi
spec:
  template:
    spec:
      containers:
      - name: pi
        image: perl:5.34
        # Computes π to 2000 digits and prints it; takes about 10 seconds.
        command: ["perl", "-Mbignum=bpi", "-wle", "print bpi(2000)"]
      restartPolicy: Never
  # Number of retries before the Job is marked as failed. Default: 6
  backoffLimit: 4
EOF


Reference:
https://kubernetes.io/zh-cn/docs/concepts/workloads/controllers/job/
A CronJob is a periodic task: under the hood a CronJob creates Job controllers on a schedule to run the task periodically.
cat > cronjob.yaml <<'EOF'
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: oldboyedu-hello
spec:
  # Schedule format; see https://en.wikipedia.org/wiki/Cron
  # ┌───────────── minute (0 - 59)
  # │ ┌───────────── hour (0 - 23)
  # │ │ ┌───────────── day of the month (1 - 31)
  # │ │ │ ┌───────────── month (1 - 12)
  # │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday; on some systems 7 is also Sunday)
  # │ │ │ │ │                                   or sun,mon,tue,wed,thu,fri,sat
  # │ │ │ │ │
  # │ │ │ │ │
  # * * * * *
  schedule: "* * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: hello
            image: busybox:1.28
            imagePullPolicy: IfNotPresent
            command:
            - /bin/sh
            - -c
            - date; echo Hello from the oldboyedu linux81 Kubernetes cluster
          restartPolicy: OnFailure
EOF


Reference:
https://kubernetes.io/zh-cn/docs/concepts/workloads/controllers/cron-jobs/
A DaemonSet ensures that every worker node runs one replica of a Pod.

Typical uses of a DaemonSet:
(1) Run a cluster daemon on every node (flannel, etc.)
(2) Run a log-collection daemon on every node (flume, filebeat, fluentd, etc.)
(3) Run a monitoring daemon on every node (zabbix agent, node_exporter, etc.)


Notes:
(1) When a new node joins the cluster, a Pod is created on the new node as well;
(2) When a node is removed from the cluster, its Pod is garbage-collected;
(3) Deleting the DaemonSet deletes every Pod it created;
(4) If a node carries a taint and the DaemonSet defines no matching toleration, the Pod is not scheduled onto that node (see the "flannel" example)
cat > daemonset.yaml <<'EOF'
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: oldboyedu-linux80-fluentd-elasticsearch
  labels:
    k8s-app: fluentd-logging
spec:
  selector:
    matchLabels:
      name: fluentd-elasticsearch
  template:
    metadata:
      labels:
        name: fluentd-elasticsearch
    spec:
      containers:
      - name: fluentd-elasticsearch
        # image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2
        image: k8s201.oldboyedu.com:5000/fluentd_elasticsearch/fluentd:v2.5.2
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 200Mi
        volumeMounts:
        - name: varlog
          mountPath: /var/log
        - name: varlibdockercontainers
          mountPath: /var/lib/docker/containers
          readOnly: true
      terminationGracePeriodSeconds: 30
      volumes:
      - name: varlog
        hostPath:
          path: /var/log
      - name: varlibdockercontainers
        hostPath:
          path: /var/lib/docker/containers
EOF


Reference:
https://kubernetes.io/zh-cn/docs/concepts/workloads/controllers/daemonset/
Take Nginx as an example: when any Nginx instance dies, the recovery logic is identical, i.e. simply create another Pod replica. Such services are called stateless services.

Take MySQL master/slave replication as an example: if either the master or the slave database dies, the recovery logic is different. Such services are called stateful services.

Challenges of stateful services:
(1) start/stop ordering;
(2) each Pod instance stores its data independently;
(3) a fixed IP address or hostname is required;


StatefulSet is generally used for stateful services. StatefulSets are valuable for applications that need one or more of the following:
(1) Stable, unique network identifiers.
(2) Stable, independent, persistent storage.
(3) Ordered, graceful deployment and scaling.
(4) Ordered, automated rolling updates.


Stable network identity:
Underneath this is a Service resource that defines no VIP, which we call a headless service.
The "headless service" maintains each Pod's network identity: every Pod is assigned a numeric ordinal and Pods are deployed in ordinal order.
In summary, a headless service requires two things:
(1) set the Service's clusterIP field to None, i.e. "clusterIP: None";
(2) set the StatefulSet's serviceName field to the name of the headless service;


Dedicated storage:
A StatefulSet's volumes are created from a VolumeClaimTemplate, the "volume claim template".
When the StatefulSet creates a PVC from the VolumeClaimTemplate, each Pod gets its own uniquely numbered PVC, and each PVC binds its own PV, so every Pod has independent storage.

StatefulSet controller: unique network identity via a headless Service:
(1) Write the resource manifest
cat > 01-statefulset-headless-network.yaml <<'EOF'
apiVersion: v1
kind: Service
metadata:
  name: linux84-headless
spec:
  ports:
  - port: 80
    name: web
  # clusterIP: None makes this a headless service; the svc gets no VIP.
  clusterIP: None
  selector:
    app: nginx


---

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: linux84-web
spec:
  selector:
    matchLabels:
      app: nginx
  # Declare the headless service
  serviceName: linux84-headless
  replicas: 3
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: harbor.oldboyedu.com/oldboyedu-linux84-k8s/nginx:1.14.2-alpine
EOF


(2) Create a test Pod with the imperative API
# kubectl run -it dns-test --rm --image=harbor.oldboyedu.com/oldboyedu-linux84-k8s/busybox:1.28 -- sh
#
# for i in `seq 0 2`;do ping linux84-web-${i}.linux84-headless.default.svc.oldboyedu.com -c 3;done
StatefulSet controller: dedicated storage:
(1) Write the resource manifest
cat > 02-statefulset-headless-volumeClaimTemplates.yaml <<'EOF'
apiVersion: v1
kind: Service
metadata:
  name: linux84-headless
spec:
  ports:
  - port: 80
    name: web
  clusterIP: None
  selector:
    app: nginx
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: linux84-web
spec:
  selector:
    matchLabels:
      app: nginx
  serviceName: linux84-headless
  replicas: 3
  # Volume claim template: creates a unique PVC for each Pod and binds it to that Pod
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes: [ "ReadWriteOnce" ]
      # Our custom dynamic storage class, i.e. the sc resource
      storageClassName: "managed-nfs-storage"
      resources:
        requests:
          storage: 2Gi
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: harbor.oldboyedu.com/oldboyedu-linux84-k8s/nginx:1.16.0-alpine
        volumeMounts:
        - name: data
          mountPath: /usr/share/nginx/html
---
apiVersion: v1
kind: Service
metadata:
  name: oldboyedu-linux84-sts-svc
spec:
  selector:
    app: nginx
  ports:
  - port: 80
    targetPort: 80
EOF


(2) Connect to each Pod and change its nginx index page
# kubectl exec -it linux84-web-0 -- bash
echo AAAAAAAAAAAA > /usr/share/nginx/html/index.html

# kubectl exec -it linux84-web-1 -- bash
echo BBBBBBBBBBBB > /usr/share/nginx/html/index.html

# kubectl exec -it linux84-web-2 -- bash
echo CCCCCCCCCCCC > /usr/share/nginx/html/index.html


(3) Test access through the Service
# vim /etc/resolv.conf   # If you prefer not to change the host's resolver, just start a Pod and test from there.
nameserver 10.254.0.10
# curl oldboyedu-linux84-sts-svc.default.svc.oldboyedu.com

Taints normally apply to worker nodes and influence Pod scheduling.

Taint syntax:
key[=value]:effect

Field descriptions:
key:
  Begins with a letter or digit; may contain letters, digits, hyphens (-), dots (.) and underscores (_); at most 253 characters.
  May also begin with a DNS subdomain prefix followed by a single "/".

value:
  Optional. If given, it must begin with a letter or digit, may contain letters, digits, hyphens, dots and underscores, and is at most 63 characters.

effect: [ɪˈfekt]
  effect must be one of NoSchedule, PreferNoSchedule or NoExecute.
  NoSchedule: [noʊ,ˈskedʒuːl]
    The node no longer accepts new Pods, but Pods already scheduled on it are not evicted.
  PreferNoSchedule: [prɪˈfɜːr,noʊ,ˈskedʒuː]
    The node can still accept Pods, but the scheduler prefers other nodes where possible; in other words, the node's scheduling priority is lowered.
  NoExecute: [ˈnoʊ,eksɪkjuːt]
    The node no longer accepts new Pods, and Pods already scheduled on it are evicted immediately.
Taint management commands:
Query:
[root@k8s151.oldboyedu.com taints]# kubectl describe nodes | grep -i taint
Taints:             node-role.kubernetes.io/master:NoSchedule
Taints:             <none>
Taints:             <none>
[root@k8s151.oldboyedu.com taints]#
[root@k8s151.oldboyedu.com taints]# kubectl describe nodes | grep -i taint -A 3   # If a node has several taints, show a few more lines

Add:
[root@k8s151.oldboyedu.com taints]# kubectl taint node k8s152.oldboyedu.com school=oldboyedu:PreferNoSchedule
node/k8s152.oldboyedu.com tainted
[root@k8s151.oldboyedu.com taints]#
[root@k8s151.oldboyedu.com taints]# kubectl taint node k8s152.oldboyedu.com school=oldboyedu:NoSchedule   # Note: unlike the command above, this creates a second, distinct taint.


Modify:
[root@k8s151.oldboyedu.com taints]# kubectl taint node k8s152.oldboyedu.com school=oldboyedu2023:PreferNoSchedule --overwrite   # If a taint with the same key and effect exists, it is overwritten
node/k8s152.oldboyedu.com modified
[root@k8s151.oldboyedu.com taints]#


Delete:
[root@k8s151.oldboyedu.com taints]# kubectl taint node k8s152.oldboyedu.com school:PreferNoSchedule-   # Remove the taint with this key and effect, regardless of its value.
node/k8s152.oldboyedu.com untainted
[root@k8s151.oldboyedu.com taints]#
[root@k8s151.oldboyedu.com taints]# kubectl taint node k8s152.oldboyedu.com school=oldboyedu:NoSchedule-   # Remove the taint school=oldboyedu with effect NoSchedule
node/k8s152.oldboyedu.com untainted
[root@k8s151.oldboyedu.com taints]#
[root@k8s151.oldboyedu.com taints]# kubectl taint node k8s152.oldboyedu.com school-   # Remove every taint whose key is school, regardless of value and effect
node/k8s152.oldboyedu.com untainted
[root@k8s151.oldboyedu.com taints]#
(1) Create the taint
kubectl taint node k8s152.oldboyedu.com school=oldboyedu:NoSchedule


(2) Check the taint
kubectl describe nodes k8s152.oldboyedu.com | grep Taints


(3) Test the taint
[root@k8s151.oldboyedu.com taints]# cat 01-deploy-nginx.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oldboyedu-linux84-taint
spec:
  replicas: 10
  template:
    metadata:
      name: oldboyedu-linux84-pod
      labels:
        apps: nginx
    spec:
      containers:
      - name: web
        image: harbor.oldboyedu.com/oldboyedu-linux84-k8s/nginx:1.18
[root@k8s151.oldboyedu.com taints]#


(4) Count the Pods per node
kubectl get pods -o wide | awk 'NR>=2{print $7}' | sort | uniq -c


(5) Remove the taint
kubectl taint node --all school-
(1) Create the taint
kubectl taint node k8s152.oldboyedu.com school=oldboyedu:PreferNoSchedule


(2) Check the taint
kubectl describe nodes k8s152.oldboyedu.com | grep Taints


(3) Test the taint
[root@k8s151.oldboyedu.com taints]# cat 01-deploy-nginx.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oldboyedu-linux84-taint
spec:
  replicas: 15
  template:
    metadata:
      name: oldboyedu-linux84-pod
      labels:
        apps: nginx
    spec:
      containers:
      - name: web
        image: harbor.oldboyedu.com/oldboyedu-linux84-k8s/nginx:1.18
[root@k8s151.oldboyedu.com taints]#


(4) Count the Pods per node
kubectl get pods -o wide | awk 'NR>=2{print $7}' | sort | uniq -c

(5) Remove the taint
kubectl taint node k8s152.oldboyedu.com school-
(1) Create Pods first for the test
[root@k8s151.oldboyedu.com taints]# cat 01-deploy-nginx.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oldboyedu-linux84-taint
spec:
  replicas: 5
  template:
    metadata:
      name: oldboyedu-linux84-pod
      labels:
        apps: nginx
    spec:
      containers:
      - name: web
        image: harbor.oldboyedu.com/oldboyedu-linux84-k8s/nginx:1.18
[root@k8s151.oldboyedu.com taints]#
[root@k8s151.oldboyedu.com taints]# kubectl get pods -o wide | awk 'NR>=2{print $7}' | sort | uniq -c


(2) Create the taint
kubectl taint node k8s152.oldboyedu.com school=oldboyedu:NoExecute


(3) Check the taint
kubectl describe nodes k8s152.oldboyedu.com | grep Taints


(4) Test the taint
[root@k8s151.oldboyedu.com taints]# cat 01-deploy-nginx.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oldboyedu-linux84-taint
spec:
  replicas: 15
  template:
    metadata:
      name: oldboyedu-linux84-pod
      labels:
        apps: nginx
    spec:
      containers:
      - name: web
        image: harbor.oldboyedu.com/oldboyedu-linux84-k8s/nginx:1.18
[root@k8s151.oldboyedu.com taints]#


(5) Count the Pods per node
kubectl get pods -o wide | awk 'NR>=2{print $7}' | sort | uniq -c


(6) Remove the taint
kubectl taint node k8s152.oldboyedu.com school-
(1) Create a taint on every node
kubectl taint node k8s151.oldboyedu.com school=oldboyedu:NoSchedule
kubectl taint node k8s152.oldboyedu.com school=oldboyedu:PreferNoSchedule
kubectl taint node k8s153.oldboyedu.com school=oldboyedu:NoExecute


(2) Tolerate the taints
cat > 07-deploy-nginx-tolerations.yaml << 'EOF'
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oldboyedu-linux80-tolerations
spec:
  replicas: 10
  selector:
    matchLabels:
      apps: oldboyedu-web
  template:
    metadata:
      name: linux80-pod
      labels:
        apps: oldboyedu-web
    spec:
      nodeName: k8s203.oldboyedu.com
      # school=oldboyedu:NoSchedule
      tolerations:
      # Key of the taint being tolerated
      - key: school

        # Value of the taint being tolerated, i.e. the concrete value for the key. When operator is Exists, value must be empty (the default is empty).
        value: oldboyedu

        # operator describes the relationship between key and value. Valid values are Exists and Equal; the default is Equal.
        # Equal:
        #   key=value must match.
        # Exists:
        #   the key must exist; any value matches. value must be empty in this case.
        # operator: Exists

        # effect is the taint effect being tolerated. If omitted, every effect is tolerated.
        # If set, the allowed values are: NoSchedule, PreferNoSchedule, NoExecute.
        # In tests on k8s 1.15.12 the NoExecute effect did not take effect: even with it configured, such taints were not tolerated.
        effect: NoSchedule
        # effect: NoExecute

        # tolerationSeconds only applies to "effect: NoExecute"; it sets how long before the Pod is evicted. By default the Pod is never evicted.
        # In tests on k8s 1.15.12, when nodeName was used to place the Pod on a node with "effect: NoExecute", the Pod was scheduled there but stayed in "Pending".
        # tolerationSeconds: 15
      containers:
      - name: linux80-web
        image: k8s201.oldboyedu.com:5000/nginx:1.20.1
EOF
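The taint syntax and the Equal/Exists toleration rules described above, as an added example that is not part of the course notes: it parses `key[=value]:effect` specs (including the trailing `-` removal forms of `kubectl taint`) and classifies the three tainted nodes from step (1) for a given toleration. The node list and the two tolerations are constructed from the manifest above.

```python
"""Taint-spec parsing and toleration matching (added example, not course code)."""
import re

# A name segment starts with a letter or digit and may contain letters, digits,
# '-', '.' and '_', which is the rule the notes give for both key and value.
_SEGMENT = r"[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?"
# A key may carry a DNS-subdomain prefix followed by a single '/'.
_DNS_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_KEY_RE = re.compile(rf"^(?:{_DNS_LABEL}(?:\.{_DNS_LABEL})*/)?{_SEGMENT}$")
_VALUE_RE = re.compile(rf"^{_SEGMENT}$")
EFFECTS = ("NoSchedule", "PreferNoSchedule", "NoExecute")


def parse_taint(spec: str) -> dict:
    """Parse `key[=value]:effect`, or the removal forms `key-`, `key:effect-`
    and `key=value:effect-`. Raises ValueError for anything kubectl rejects."""
    remove = spec.endswith("-")
    body = spec[:-1] if remove else spec
    key_value, sep, effect = body.rpartition(":")
    if not sep:                       # no ':' at all: only valid for removal
        key_value, effect = body, None
    key, sep, value = key_value.partition("=")
    if not sep:
        value = None
    if not remove and effect is None:
        raise ValueError(f"{spec!r}: adding a taint requires an effect")
    if effect is not None and effect not in EFFECTS:
        raise ValueError(f"{spec!r}: effect must be one of {EFFECTS}")
    if len(key) > 253 or not _KEY_RE.match(key):
        raise ValueError(f"{spec!r}: invalid key {key!r}")
    if value is not None and (len(value) > 63 or not _VALUE_RE.match(value)):
        raise ValueError(f"{spec!r}: invalid value {value!r}")
    return {"key": key, "value": value, "effect": effect, "remove": remove}


def is_valid_taint(spec: str) -> bool:
    try:
        parse_taint(spec)
        return True
    except ValueError:
        return False


def tolerates(toleration: dict, taint: dict) -> bool:
    """Does one Pod toleration cover one taint? Mirrors the manifest comments:
    an empty effect tolerates every effect; Exists ignores the value; Equal
    needs key and value to match."""
    if toleration.get("effect") and toleration["effect"] != taint["effect"]:
        return False
    op = toleration.get("operator", "Equal")
    if op == "Exists":
        return not toleration.get("key") or toleration["key"] == taint["key"]
    if op == "Equal":
        return (toleration.get("key") == taint["key"]
                and (toleration.get("value") or None) == taint["value"])
    raise ValueError(f"unknown operator {op!r}")


def schedule_verdict(node_taints: list, tolerations: list) -> str:
    """'ok' if every taint is tolerated, 'avoid' if only PreferNoSchedule taints
    remain untolerated, 'reject' if an untolerated NoSchedule/NoExecute remains."""
    untolerated = [t for t in node_taints
                   if not any(tolerates(tol, t) for tol in tolerations)]
    if any(t["effect"] in ("NoSchedule", "NoExecute") for t in untolerated):
        return "reject"
    return "avoid" if untolerated else "ok"


# Constructed from step (1) above: one taint per node.
NODE_TAINTS = {
    "k8s151.oldboyedu.com": [parse_taint("school=oldboyedu:NoSchedule")],
    "k8s152.oldboyedu.com": [parse_taint("school=oldboyedu:PreferNoSchedule")],
    "k8s153.oldboyedu.com": [parse_taint("school=oldboyedu:NoExecute")],
}
# The toleration as written in the manifest, and the commented-out Exists variant.
TOLERATION_EQUAL = {"key": "school", "operator": "Equal",
                    "value": "oldboyedu", "effect": "NoSchedule"}
TOLERATION_EXISTS = {"key": "school", "operator": "Exists"}


def verdicts(tolerations: list) -> dict:
    return {node: schedule_verdict(taints, tolerations)
            for node, taints in NODE_TAINTS.items()}


if __name__ == "__main__":
    for name, tol in (("Equal/NoSchedule", TOLERATION_EQUAL), ("Exists", TOLERATION_EXISTS)):
        print(name, verdicts([tol]))
```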

Node affinity (nodeAffinity):
Controls which worker nodes a Pod may be scheduled onto, and which nodes it must not be placed on.

Pod affinity (podAffinity):
Which Pods this Pod should share a topology domain with.

Pod anti-affinity (podAntiAffinity):
Which Pods this Pod must be placed in a different topology domain from.

(1) Label the worker nodes
kubectl label nodes k8s151.oldboyedu.com school=oldboyedu class=linux84
kubectl label nodes k8s152.oldboyedu.com school=yitiantian class=jiaoshi05


(2) Create the resource manifest
[root@k8s151.oldboyedu.com nodeAffinity]# cat 01-nodeAffinity-demo.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oldboyedu-linux-nodeaffinity
spec:
  replicas: 10
  template:
    metadata:
      labels:
        apps: web
    spec:
      # Tolerate taints
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
        operator: Exists
      # Affinity
      affinity:
        # Node affinity
        nodeAffinity:
          # Hard requirement: must be satisfied
          requiredDuringSchedulingIgnoredDuringExecution:
            # List of node selector terms
            nodeSelectorTerms:
            # Match on node labels
            - matchExpressions:
              - key: class
                values:
                - linux84
                - jiaoshi05
                # operator: NotIn
                operator: In
          # Soft preference: not mandatory, but satisfied first when possible, i.e. it raises the scheduling priority
          preferredDuringSchedulingIgnoredDuringExecution:
          # Weight
          - weight: 10
            # Preference
            preference:
              # Match on node labels
              matchExpressions:
              # Name of the node label
              - key: school
                # Relationship between key and values
                # In
                #   contained in values; values must be non-empty.
                # NotIn
                #   not contained in values; values must be non-empty.
                # Exists
                #   the key exists; values must be empty.
                # DoesNotExist
                #   the key does not exist; values must be empty.
                # Gt
                #   greater than; values must be a single element, interpreted as an integer.
                # Lt
                #   less than; values must be a single element, interpreted as an integer.
                operator: In
                # Label values
                values:
                - "oldboyedu"
                - "yitiantian"
                - "laonanhai"
      containers:
      - name: c1
        image: harbor.oldboyedu.com/oldboyedu-linux84-k8s/nginx:1.18
[root@k8s151.oldboyedu.com nodeAffinity]#
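The matchExpressions operators listed in the manifest comments above, as an added example that is not part of the course notes: it evaluates the required term (OR across nodeSelectorTerms, AND within a term) and the weighted preferred term against node labels. The k8s151/k8s152 labels are the ones set in step (1); the k8s153 labels are constructed here.

```python
"""nodeAffinity matchExpressions evaluation (added example, not course code)."""


def match_expression(labels: dict, expr: dict) -> bool:
    """Evaluate one matchExpression against a node's label map.
    NotIn and DoesNotExist also match when the key is absent, as in Kubernetes."""
    key, op = expr["key"], expr["operator"]
    values = expr.get("values", [])
    present = key in labels
    if op == "In":
        return present and labels[key] in values
    if op == "NotIn":
        return not present or labels[key] not in values
    if op == "Exists":
        return present
    if op == "DoesNotExist":
        return not present
    if op in ("Gt", "Lt"):
        # Gt/Lt take exactly one value and compare the label as an integer.
        if len(values) != 1 or not present:
            return False
        try:
            lhs, rhs = int(labels[key]), int(values[0])
        except ValueError:
            return False
        return lhs > rhs if op == "Gt" else lhs < rhs
    raise ValueError(f"unknown operator {op!r}")


def term_matches(labels: dict, term: dict) -> bool:
    """Every matchExpression inside one term must hold (AND)."""
    return all(match_expression(labels, e) for e in term.get("matchExpressions", []))


def required_ok(labels: dict, required: dict) -> bool:
    """Any single nodeSelectorTerm is enough (OR across terms)."""
    return any(term_matches(labels, t) for t in required["nodeSelectorTerms"])


def preferred_score(labels: dict, preferred: list) -> int:
    """Sum the weights of all preferred terms the node satisfies."""
    return sum(p["weight"] for p in preferred if term_matches(labels, p["preference"]))


def rank_nodes(nodes: dict, node_affinity: dict) -> list:
    """Return (node, score) for nodes passing the hard requirement,
    highest preferred score first, name as tie-breaker."""
    required = node_affinity["requiredDuringSchedulingIgnoredDuringExecution"]
    preferred = node_affinity.get("preferredDuringSchedulingIgnoredDuringExecution", [])
    scored = [(name, preferred_score(labels, preferred))
              for name, labels in nodes.items() if required_ok(labels, required)]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


# Node labels: k8s151/k8s152 from step (1) above, k8s153 constructed for contrast.
NODES = {
    "k8s151.oldboyedu.com": {"school": "oldboyedu", "class": "linux84"},
    "k8s152.oldboyedu.com": {"school": "yitiantian", "class": "jiaoshi05"},
    "k8s153.oldboyedu.com": {"school": "laonanhai", "class": "linux80"},
}

# The nodeAffinity block of the manifest above, as a Python structure.
AFFINITY = {
    "requiredDuringSchedulingIgnoredDuringExecution": {
        "nodeSelectorTerms": [
            {"matchExpressions": [
                {"key": "class", "operator": "In", "values": ["linux84", "jiaoshi05"]}]}
        ]
    },
    "preferredDuringSchedulingIgnoredDuringExecution": [
        {"weight": 10, "preference": {"matchExpressions": [
            {"key": "school", "operator": "In",
             "values": ["oldboyedu", "yitiantian", "laonanhai"]}]}}
    ],
}

if __name__ == "__main__":
    for node, score in rank_nodes(NODES, AFFINITY):
        print(f"{node}: preferred score {score}")
```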

(1) Label the nodes
kubectl label nodes k8s151.oldboyedu.com school=oldboyedu
kubectl label nodes k8s153.oldboyedu.com school=oldboyedu


(2) Create the resource manifest
[root@k8s151.oldboyedu.com podAffinity]# cat 01-pods-podAffinity.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oldboyedu-linux-podaffinity
spec:
  replicas: 10
  selector:
    matchLabels:
      apps: oldboyedu-web
  template:
    metadata:
      labels:
        apps: oldboyedu-web
    spec:
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
        operator: Exists
      affinity:
        # Pod affinity
        podAffinity:
          # Hard requirement
          requiredDuringSchedulingIgnoredDuringExecution:
          # With the topology domain "kubernetes.io/hostname":
          #   all Pods end up on the same node, because every node has a different value for that key.
          # With the topology domain "beta.kubernetes.io/os":
          #   the Pods are spread across different nodes, because every node has the same value for that key.
          # - topologyKey: kubernetes.io/hostname
          # - topologyKey: beta.kubernetes.io/os
          - topologyKey: school

            # Note: the topologyKey alone does not determine which node the Pod lands on,
            # since several nodes may share the key with different values; the Pod label selector narrows it down.
            labelSelector:
              matchExpressions:
              # This KEY is a Pod label, not a node label
              - key: apps
                # Note: if Pods share this key but carry different values, Exists is not recommended;
                # use an allow-list with "operator: In" instead, in which case values must be non-empty.
                operator: Exists
      containers:
      - name: c1
        image: harbor.oldboyedu.com/oldboyedu-linux84-k8s/nginx:1.18
[root@k8s151.oldboyedu.com podAffinity]#

cat > 26-podAntiAffinity <<'EOF'
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oldboyedu-linux81-affinity-podantiaffinity
spec:
  replicas: 10
  selector:
    matchLabels:
      apps: oldboyedu-web
  template:
    metadata:
      name: linux81-pod
      labels:
        apps: oldboyedu-web
    spec:
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
        operator: Exists
      affinity:
        # Pod anti-affinity
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - topologyKey: kubernetes.io/hostname
            labelSelector:
              matchExpressions:
              - key: apps
                values:
                - oldboyedu-web
                operator: In
      containers:
      - name: linux81-web
        image: nginx:1.20.1
EOF
(1) Label the nodes
kubectl label nodes --all school=oldboyedu
kubectl label nodes k8s152.oldboyedu.com school-


(2) Create the resource manifest
cat > pods-nodeSelector.yaml <<'EOF'
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: oldboyedu-linux81-nodeselector
  labels:
    school: oldboyedue
    class: linux81
spec:
  template:
    metadata:
      name: linux81-ds
      labels:
        apps: ds-web
    spec:
      # Tolerate taints
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
        operator: Exists
      # Schedule the Pod onto nodes that carry this label
      nodeSelector:
        school: oldboyedu
      containers:
      - name: ds-web-linux81
        image: nginx:1.20.1
EOF


(3) Test
kubectl apply -f pods-nodeSelector.yaml

A Service addresses the problem of Pods changing dynamically by providing a single, stable access entry point.

A Service does two things:
(1) Associates a group of Pods through labels, providing service discovery;
(2) Implements load balancing through iptables or ipvs;


Service types:
- ClusterIP
  Used for in-cluster access to a service by its Service name; this relies on the coreDNS component working properly.
- NodePort
  Used when clients outside the Kubernetes cluster need to reach services running inside it.
- LoadBalancer:
  Used to expose services in public-cloud environments.
- ExternalName:
  Used to map a service outside the K8S cluster into the cluster, so that Pods can reach the external service through a fixed Service name.
  Sometimes also used so that Pods in different namespaces can reach each other through an ExternalName.

apiVersion: v1
kind: Service
metadata:
  name: oldboyedu-linux80-nginx-svc
spec:
  # Service type: mainly ClusterIP, NodePort or LoadBalancer.
  # ClusterIP:
  #   Cluster-internal type; reachable only from inside the K8S cluster, not from outside. The default.
  # NodePort:
  #   On top of ClusterIP, listens on a port on every Node so the service is reachable from outside the cluster.
  # LoadBalancer:
  #   Suited to exposing an application outside the k8s cluster on a public cloud.
  type: ClusterIP
  # Label selector: which Pods this svc fronts; matching Pods are added to its ep list.
  selector:
    apps: oldboyedu-web
  # Port mapping between the svc and the Pods
  ports:
    # Port the svc listens on
  - port: 8888
    # Protocol: only "TCP", "UDP" and "SCTP" are supported; default "TCP"
    protocol: TCP
    # Port on the Pod that traffic is forwarded to
    targetPort: 80

apiVersion: v1
kind: Service
metadata:
  name: oldboyedu-linux80-nginx-svc-nodeport
spec:
  # Service type: mainly ClusterIP, NodePort or LoadBalancer.
  # ClusterIP:
  #   Cluster-internal type; reachable only from inside the K8S cluster, not from outside. The default.
  # NodePort:
  #   On top of ClusterIP, listens on a port on every Node so the service is reachable from outside the cluster.
  # LoadBalancer:
  #   Suited to exposing an application outside the k8s cluster on a public cloud.
  type: NodePort
  # Label selector: which Pods this svc fronts; matching Pods are added to its ep list.
  selector:
    apps: oldboyedu-web
  # Port mapping between the svc and the Pods
  ports:
    # Port the svc listens on
  - port: 8888
    # Protocol: only "TCP", "UDP" and "SCTP" are supported; default "TCP"
    protocol: TCP
    # Port on the Pod that traffic is forwarded to
    targetPort: 80
    # Port to listen on on every node
    nodePort: 30080
- LoadBalancer example:
(1) Prerequisite
The K8S cluster runs on a cloud platform, e.g. Tencent Cloud, Alibaba Cloud or JD Cloud.


(2) Create the svc
[root@k8s151.oldboyedu.com svc]# cat 03-services-LoadBalance.yaml
kind: Service
apiVersion: v1
metadata:
  name: svc-loadbalancer
spec:
  # Service type LoadBalancer; note that this is normally only meaningful in a cloud environment
  type: LoadBalancer
  selector:
    app: web
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    nodePort: 30080
[root@k8s151.oldboyedu.com svc]#


(3) Configure the cloud provider's application load balancer
Add a listener rule, e.g. requests to port 80 of the load balancer are reverse-proxied to port 30080.
In short, whichever port of the cloud application load balancer is accessed, reverse-proxy it to node port 30080 of the K8S cluster.


(4) Users access the load balancer's port
Users simply access port 80 of the cloud load balancer; the request is forwarded automatically to nodePort 30080.
[root@k8s151.oldboyedu.com ~]# cat svc-ExternalName.yaml
apiVersion: v1
kind: Service
metadata:
  name: svc-externalname
spec:
  # svc type
  type: ExternalName
  # The external domain name
  externalName: www.baidu.com
[root@k8s151.oldboyedu.com ~]#


Note:
Once a container is running, a lookup of the svc named "svc-externalname" returns a CNAME to the A record of "www.baidu.com".
This approach is rarely used, since for name resolution people mostly configure DNS directly; it is enough to know that it exists.
(1) Create a MySQL 8.0 service on an external node
# docker run --name oldboyedu-mysql -de MYSQL_ROOT_PASSWORD=yinzhengjie --network host k8s151.oldboyedu.com:5000/mysql:8.0 --default-authentication-plugin=mysql_native_password --character-set-server=utf8 --collation-server=utf8_bin

# docker run --name=oldboyedu-mysql -p 13306:3306 -d \
  -e MYSQL_ALLOW_EMPTY_PASSWORD=yes \
  -e MYSQL_DATABASE=wordpress \
  -e MYSQL_USER=linux84 \
  -e MYSQL_PASSWORD=oldboyedu \
  mysql:8.0.32-oracle


(2) Create the user and some test data
# docker exec -it oldboyedu-mysql bash
mysql -pyinzhengjie
CREATE DATABASE oldboyedu;
CREATE USER linux81 IDENTIFIED WITH mysql_native_password BY 'oldboyedu';
GRANT ALL ON oldboyedu.* TO linux81;
SHOW GRANTS FOR linux81;
USE oldboyedu;
CREATE TABLE student (id INT PRIMARY KEY AUTO_INCREMENT, name VARCHAR(255) NOT NULL, hobby VARCHAR(255) DEFAULT 'linux');
INSERT INTO student (name,hobby) VALUES ('ZhangNingNing','OuMei'),('TongYinHao','RiHan');


(3) Create the ep resource
# cat > 01-mysql-endpoints.yaml <<'EOF'
apiVersion: v1
kind: Endpoints
metadata:
  name: oldboyedu-mysql80
subsets:
- addresses:
  - ip: 10.0.0.154
  ports:
  - port: 3306
EOF


(4) Create the svc resource
# cat > 02-mysql-service.yaml <<'EOF'
apiVersion: v1
kind: Service
metadata:
  name: oldboyedu-mysql80
spec:
  clusterIP: 10.254.100.100
  ports:
  - port: 3306
EOF


(5) Create a test Pod
# cat > 03-deploy-mysql80.yaml <<'EOF'
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oldboyedu-linux81-deploy-db
  labels:
    school: oldboyedu
    class: linux81
spec:
  replicas: 1
  selector:
    matchLabels:
      apps: db
  template:
    metadata:
      name: linux80-pod
      labels:
        apps: db
    spec:
      containers:
      - name: linux81-db
        image: k8s151.oldboyedu.com:5000/mysql:8.0
        env:
        - name: MYSQL_ROOT_PASSWORD
          value: "123"
EOF


(6) Connection test
# kubectl exec oldboyedu-linux81-deploy-db-6746964874-vqvn4 -it -- bash
mysql -h 10.254.100.100 -u linux81 -poldboyedu
mysql -h oldboyedu-mysql80 -u linux81 -poldboyedu
SELECT * FROM oldboyedu.student;
(1) Deploy a MySQL service outside the k8s cluster; here Docker is used for a quick deployment
docker run --name oldboyedu-mysql -e MYSQL_ROOT_PASSWORD=yinzhengjie -dp 3306:3306 mysql:8.0 --default-authentication-plugin=mysql_native_password --character-set-server=utf8 --collation-server=utf8_bin


(2) Create the user; you can skip granting privileges for now and see whether access works. (This step can be skipped.)
CREATE DATABASE wordpress;
CREATE USER wordpress IDENTIFIED [WITH mysql_native_password] BY 'wordpress';


(3) Create the ep resource
cat > 01-mysql-endpoints.yaml <<'EOF'
apiVersion: v1
kind: Endpoints
metadata:
  name: oldboyedu-mysql57
subsets:
- addresses:
  - ip: 10.0.0.201
  ports:
  - port: 3306
EOF


(4) Create the svc resource
cat > 02-mysql-service.yaml <<'EOF'
apiVersion: v1
kind: Service
metadata:
  name: oldboyedu-mysql57
spec:
  ports:
  - port: 3306
EOF


(5) Create wordpress
cat > 03-deploy-wordpress.yaml <<'EOF'
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oldboyedu-wordpress
spec:
  replicas: 3
  selector:
    matchLabels:
      apps: oldboyedu-wordpress
  template:
    metadata:
      labels:
        apps: oldboyedu-wordpress
    spec:
      containers:
      - name: oldboyedu-wordpress
        image: k8s201.oldboyedu.com:5000/wordpress:latest
        ports:
        - containerPort: 80
        env:
        - name: WORDPRESS_DB_HOST
          value: oldboyedu-mysql57
        - name: WORDPRESS_DB_USER
          value: root
        - name: WORDPRESS_DB_PASSWORD
          value: yinzhengjie

---

apiVersion: v1
kind: Service
metadata:
  name: oldboyedu-wordpress
spec:
  type: NodePort
  selector:
    apps: oldboyedu-wordpress
  ports:
  - port: 80
    targetPort: 80
    nodePort: 30088
EOF
The role of the kube-proxy component is to provide the routing through which users outside the k8s cluster reach services.

kube-proxy watches the K8S APIServer; whenever a Service resource changes, kube-proxy adjusts the corresponding load-balancing rules, so the Service's latest state is always reflected.

kube-proxy has three proxy modes:
- userspace:
  before k8s 1.1.
- iptables:
  k8s 1.2 up to k8s 1.11.
- ipvs:
  K8S 1.11 and later; if ipvs is not enabled it automatically falls back to iptables.

(1) Inspect the kube-proxy Pod's manifest, as shown in the figure above; pay attention to the volumes and volumeMounts fields (the Pod name differs in your environment!)
kubectl -n kube-system get pods kube-proxy-ttrms -o yaml

(2) Inspect kube-proxy's configuration: mode is empty, so no proxy mode is specified, as shown in the figure below.
kubectl -n kube-system describe cm kube-proxy


(3) As shown in the figure below, look at the logs of any kube-proxy Pod: because mode is unset, the iptables proxy is used by default!
kubectl -n kube-system logs -f kube-proxy-ttrms


[root@k8s151.oldboyedu.com ~]# kubectl get svc oldboyedu-linux84-wordpress
NAME                          TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE
oldboyedu-linux84-wordpress   NodePort   10.254.88.44   <none>        80:30080/TCP   17m
[root@k8s151.oldboyedu.com ~]#
[root@k8s151.oldboyedu.com ~]# kubectl describe ep oldboyedu-linux84-wordpress
Name:         oldboyedu-linux84-wordpress
Namespace:    default
Labels:       <none>
Annotations:  endpoints.kubernetes.io/last-change-trigger-time: 2023-03-08T08:49:20Z
Subsets:
  Addresses:          10.244.1.135,10.244.1.136,10.244.2.175
  NotReadyAddresses:  <none>
  Ports:
    Name     Port  Protocol
    ----     ----  --------
    <unset>  80    TCP

Events:  <none>
[root@k8s151.oldboyedu.com ~]#
[root@k8s151.oldboyedu.com ~]# iptables-save | grep 10.254.88.44
-A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.254.88.44/32 -p tcp -m comment --comment "default/oldboyedu-linux84-wordpress: cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.254.88.44/32 -p tcp -m comment --comment "default/oldboyedu-linux84-wordpress: cluster IP" -m tcp --dport 80 -j KUBE-SVC-2UKVNFWLMQN7APRS
[root@k8s151.oldboyedu.com ~]#
[root@k8s151.oldboyedu.com ~]#
[root@k8s151.oldboyedu.com ~]# iptables-save | grep KUBE-SVC-2UKVNFWLMQN7APRS
:KUBE-SVC-2UKVNFWLMQN7APRS - [0:0]
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/oldboyedu-linux84-wordpress:" -m tcp --dport 30080 -j KUBE-SVC-2UKVNFWLMQN7APRS
-A KUBE-SERVICES -d 10.254.88.44/32 -p tcp -m comment --comment "default/oldboyedu-linux84-wordpress: cluster IP" -m tcp --dport 80 -j KUBE-SVC-2UKVNFWLMQN7APRS
-A KUBE-SVC-2UKVNFWLMQN7APRS -m statistic --mode random --probability 0.33332999982 -j KUBE-SEP-LDPMHC2MPS3SGMRZ
-A KUBE-SVC-2UKVNFWLMQN7APRS -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-5QZ3F4TQUOIK2LHQ
-A KUBE-SVC-2UKVNFWLMQN7APRS -j KUBE-SEP-2ES4GIVW2RE4KHN3
[root@k8s151.oldboyedu.com ~]#
[root@k8s151.oldboyedu.com ~]#
[root@k8s151.oldboyedu.com ~]# iptables-save | grep KUBE-SEP-LDPMHC2MPS3SGMRZ
:KUBE-SEP-LDPMHC2MPS3SGMRZ - [0:0]
-A KUBE-SEP-LDPMHC2MPS3SGMRZ -s 10.244.1.135/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-LDPMHC2MPS3SGMRZ -p tcp -m tcp -j DNAT --to-destination 10.244.1.135:80
-A KUBE-SVC-2UKVNFWLMQN7APRS -m statistic --mode random --probability 0.33332999982 -j KUBE-SEP-LDPMHC2MPS3SGMRZ
[root@k8s151.oldboyedu.com ~]#
[root@k8s151.oldboyedu.com ~]# iptables-save | grep KUBE-SEP-5QZ3F4TQUOIK2LHQ
:KUBE-SEP-5QZ3F4TQUOIK2LHQ - [0:0]
-A KUBE-SEP-5QZ3F4TQUOIK2LHQ -s 10.244.1.136/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-5QZ3F4TQUOIK2LHQ -p tcp -m tcp -j DNAT --to-destination 10.244.1.136:80
-A KUBE-SVC-2UKVNFWLMQN7APRS -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-5QZ3F4TQUOIK2LHQ
[root@k8s151.oldboyedu.com ~]#
[root@k8s151.oldboyedu.com ~]# iptables-save | grep KUBE-SEP-2ES4GIVW2RE4KHN3
:KUBE-SEP-2ES4GIVW2RE4KHN3 - [0:0]
-A KUBE-SEP-2ES4GIVW2RE4KHN3 -s 10.244.2.175/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-2ES4GIVW2RE4KHN3 -p tcp -m tcp -j DNAT --to-destination 10.244.2.175:80
-A KUBE-SVC-2UKVNFWLMQN7APRS -j KUBE-SEP-2ES4GIVW2RE4KHN3
[root@k8s151.oldboyedu.com ~]#
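How the KUBE-SVC chain above spreads traffic across the three endpoints, as an added example that is not part of the course notes: the rules are walked in order, each `--probability` rule takes that fraction of the traffic that reached it, and the last rule takes the remainder. The sample is a constructed excerpt in the shape of the `iptables-save` listing above (chain names and Pod IPs copied from it).

```python
"""Trace a kube-proxy iptables Service chain to its endpoints (added example)."""
import re

# Constructed excerpt modelled on the iptables-save output above.
SAMPLE = """\
-A KUBE-SERVICES -d 10.254.88.44/32 -p tcp -m comment --comment "default/oldboyedu-linux84-wordpress: cluster IP" -m tcp --dport 80 -j KUBE-SVC-2UKVNFWLMQN7APRS
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/oldboyedu-linux84-wordpress:" -m tcp --dport 30080 -j KUBE-SVC-2UKVNFWLMQN7APRS
-A KUBE-SVC-2UKVNFWLMQN7APRS -m statistic --mode random --probability 0.33332999982 -j KUBE-SEP-LDPMHC2MPS3SGMRZ
-A KUBE-SVC-2UKVNFWLMQN7APRS -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-5QZ3F4TQUOIK2LHQ
-A KUBE-SVC-2UKVNFWLMQN7APRS -j KUBE-SEP-2ES4GIVW2RE4KHN3
-A KUBE-SEP-LDPMHC2MPS3SGMRZ -s 10.244.1.135/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-LDPMHC2MPS3SGMRZ -p tcp -m tcp -j DNAT --to-destination 10.244.1.135:80
-A KUBE-SEP-5QZ3F4TQUOIK2LHQ -s 10.244.1.136/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-5QZ3F4TQUOIK2LHQ -p tcp -m tcp -j DNAT --to-destination 10.244.1.136:80
-A KUBE-SEP-2ES4GIVW2RE4KHN3 -s 10.244.2.175/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-2ES4GIVW2RE4KHN3 -p tcp -m tcp -j DNAT --to-destination 10.244.2.175:80
"""

# "-A <chain> <options> -j <target> [--to-destination <dest>]"
_RULE = re.compile(r"^-A (\S+)(.*?) -j (\S+)(?: --to-destination (\S+))?$")
_PROB = re.compile(r"--probability (\d+\.\d+)")


def parse_rules(text: str) -> dict:
    """Return {chain: [(probability or None, target, dnat_dest or None, options), ...]},
    keeping rule order, which is what the statistic module depends on."""
    chains = {}
    for line in text.splitlines():
        m = _RULE.match(line.strip())
        if not m:
            continue
        chain, opts, target, dest = m.groups()
        p = _PROB.search(opts)
        chains.setdefault(chain, []).append(
            (float(p.group(1)) if p else None, target, dest, opts))
    return chains


def service_chain(chains: dict, cluster_ip: str) -> str:
    """Find the KUBE-SVC chain that KUBE-SERVICES jumps to for a ClusterIP."""
    for _, target, _, opts in chains.get("KUBE-SERVICES", []):
        if f"-d {cluster_ip}/32" in opts and target.startswith("KUBE-SVC-"):
            return target
    raise KeyError(f"no KUBE-SERVICES rule for {cluster_ip}")


def endpoint_shares(chains: dict, svc_chain: str) -> dict:
    """Walk the KUBE-SVC chain: a --probability rule takes that fraction of
    the traffic still unassigned; the final unconditional rule takes the rest.
    Returns {dnat_destination: share_of_traffic}."""
    shares, remaining = {}, 1.0
    for prob, target, _, _ in chains[svc_chain]:
        taken = remaining * prob if prob is not None else remaining
        dest = next(d for _, t, d, _ in chains[target] if t == "DNAT")
        shares[dest] = shares.get(dest, 0.0) + taken
        remaining -= taken
    return shares


def kube_proxy_probabilities(n: int) -> list:
    """Probabilities kube-proxy emits for n endpoints: 1/n, 1/(n-1), ..., 1/2,
    then None for the unconditional last rule. This yields equal shares."""
    return [round(1.0 / (n - i), 5) for i in range(n - 1)] + [None]


if __name__ == "__main__":
    chains = parse_rules(SAMPLE)
    svc = service_chain(chains, "10.254.88.44")
    for dest, share in endpoint_shares(chains, svc).items():
        print(f"{svc} -> {dest}: {share:.4f}")
```

Comparing the DNAT destinations found here with the Endpoints object's Addresses is a quick way to confirm kube-proxy has programmed the rules for every ready Pod.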

(1) Install the ipvs components on every worker node
yum -y install conntrack-tools ipvsadm.x86_64


(2) Write the script that loads the ipvs modules
cat > /etc/sysconfig/modules/ipvs.modules <<EOF
#!/bin/bash

modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
EOF

(3) As shown in the figure above, load the ipvs modules and check them
chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules && lsmod | grep -e ip_vs -e nf_conntrack_ipv4

(1) As shown in the figure above, just change the proxy mode to ipvs. Remember to save and exit!
kubectl -n kube-system edit cm kube-proxy

(2) Verify that the change was applied
kubectl -n kube-system describe cm kube-proxy | grep mode
kubectl get pods -A | grep kube-proxy | awk '{print $2}' | xargs kubectl -n kube-system delete pods


Note:
In production, after changing the kube-proxy configuration, delete the Pods one at a time rather than all at once!

(1) Check the logs
kubectl -n kube-system logs -f kube-proxy-mldjc

(2) Test that the service is still reachable
Omitted; see the video.

(3) Verify the ipvs mode, as shown in the figure below.
kubectl -n oldboyedu-homework get svc   # This is homework 6 from earlier.
ipvsadm -ln | grep 10.254.183.82 -A 5


Exposing ports with a NodePort Service has the following problems:
(1) As the number of services grows, more and more ports are consumed;
(2) It cannot cope when one port must serve several services; for example, mapping the domains below to port 80 or 443 exposes the problem (a NodePort cannot distinguish layer-7 protocols);
game01.oldboyedu.com
game02.oldboyedu.com
game03.oldboyedu.com

ingress:
An abstract resource in k8s that gives administrators a way to define how services are exposed; in other words, it is where the rules are written.

Ingress Controller:
Generates concrete routing rules from the Ingress objects and uses svc resources to load-balance across Pods.
(1) Create the RBAC objects
cat > 01-rabc.yaml <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
- apiGroups:
  - ""
  resources:
  - services
  - endpoints
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system
EOF


(2) Deploy the traefik ingress controller
cat > 02-traefik.yaml <<'EOF'
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
        operator: Exists
      serviceAccountName: traefik-ingress-controller
      hostNetwork: true
      containers:
      - image: k8s151.oldboyedu.com:5000/traefik:v1.7.2
        imagePullPolicy: IfNotPresent
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: admin
          containerPort: 8080
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
EOF


(3) Apply the manifests
kubectl apply -f .

(1) Deploy the homework applications
cat > 01-deploy-nginx.yaml <<'EOF'
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oldboyedu-homework-kod
  labels:
    school: oldboyedu
    homework: kod
spec:
  replicas: 3
  selector:
    matchLabels:
      apps: kod
  template:
    metadata:
      name: games-pod
      labels:
        apps: kod
    spec:
      containers:
      - name: linux81-kod
        image: k8s151.oldboyedu.com:5000/hoemwork/kod:v5.0

---

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oldboyedu-homework-pingtai
  labels:
    school: oldboyedu
    homework: pingtai
spec:
  replicas: 3
  selector:
    matchLabels:
      apps: pingtai
  template:
    metadata:
      name: games-pingtai
      labels:
        apps: pingtai
    spec:
      containers:
      - name: linux81-pingtaiu
        image: k8s151.oldboyedu.com:5000/hoemwork/pingtai:v5.0

---

apiVersion: v1
kind: Service
metadata:
  name: games-kod
spec:
  type: ClusterIP
  selector:
    apps: kod
  ports:
  - port: 80
    protocol: TCP
    targetPort: 85


---

apiVersion: v1
kind: Service
metadata:
  name: games-pingtai
spec:
  type: ClusterIP
  selector:
    apps: pingtai
  ports:
  - port: 80
    protocol: TCP
    targetPort: 82
EOF


(2) Write the Ingress rules
cat > 02-ingress.yaml <<'EOF'
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-myweb
  annotations:
    kubernetes.io/ingress.class: traefik   # Use the "traefik" Ingress controller
spec:
  # Ingress rules
  rules:
  # Host name being accessed
  - host: kod.oldboyedu.com
    # HTTP rules for this host
    http:
      paths:
      - backend:
          serviceName: games-kod
          servicePort: 80
  - host: pingtai.oldboyedu.com
    http:
      paths:
      - backend:
          serviceName: games-pingtai
          servicePort: 80
EOF

```
(1) Create the namespace
cat > 01-oldboyedu-traefik-ns.yaml <<'EOF'
apiVersion: v1
kind: Namespace
metadata:
  name: oldboyedu-traefik
EOF


(2) Create the ConfigMap
cat > traefik.toml <<'EOF'
insecureSkipVerify = true
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      # default paths, do not change
      certFile = "/ssl/tls.crt"
      keyFile = "/ssl/tls.key"
EOF

cat > create-cm.sh <<'EOF'
#!/bin/bash

kubectl create configmap traefik-conf --from-file=./traefik.toml -n oldboyedu-traefik
EOF


(3) Create the Secret holding the certificate
cat > create-secret.sh <<'EOF'
#!/bin/bash

# The secret keys must be tls.crt and tls.key: the secret is mounted at /ssl and
# traefik.toml reads /ssl/tls.crt and /ssl/tls.key, so the key names become the file names.
kubectl create secret generic traefik-cert --from-file=tls.crt=./5920030_aliyun.oldboyedu.com.crt --from-file=tls.key=./5920030_aliyun.oldboyedu.com.key -n oldboyedu-traefik

kubectl -n oldboyedu-traefik create secret tls aliyun.oldboyedu.com --key ./5920030_aliyun.oldboyedu.com.key --cert ./5920030_aliyun.oldboyedu.com.crt
EOF


(4) Create the Traefik controller
cat > 04-Ingress-Controller.yaml <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: oldboyedu-traefik

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch

---

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: oldboyedu-traefik

---

kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: oldboyedu-traefik
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
        operator: Exists
      serviceAccountName: traefik-ingress-controller
      hostNetwork: true
      # volumes backed by the "secret" and "configmap" resources
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
      containers:
      - image: k8s151.oldboyedu.com:5000/traefik:v1.7.2
        imagePullPolicy: IfNotPresent
        name: traefik-ingress-lb
        # mount points
        volumeMounts:
        - mountPath: "/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
        ports:
        - name: https
          containerPort: 443
          # hostPort: 443
        - name: http
          containerPort: 80
          # hostPort: 80
        - name: admin
          containerPort: 8080
        args:
        # add the startup argument "--configfile=/config/traefik.toml"; the path and file name must match the "configmap"
        - --configfile=/config/traefik.toml
        - --api
        - --kubernetes
        - --logLevel=INFO
EOF


(5) Create an Ingress rule that serves HTTPS
cat > 05-ing-ns-aliyun.oldboyedu.com.yaml <<'EOF'
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-myweb
  namespace: oldboyedu-traefik
  annotations:
    kubernetes.io/ingress.class: traefik   # select "traefik" as the Ingress controller
spec:
  tls:
  - hosts:
    - aliyun.oldboyedu.com
    secretName: aliyun.oldboyedu.com
  rules:
  - host: aliyun.oldboyedu.com
    http:
      paths:
      - backend:
          serviceName: linux81-web
          servicePort: 80

---

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oldboyedu-homework-kod
  namespace: oldboyedu-traefik
  labels:
    school: oldboyedu
spec:
  replicas: 3
  selector:
    matchLabels:
      apps: web
  template:
    metadata:
      name: myweb
      labels:
        apps: web
    spec:
      containers:
      - name: linux81-web
        image: nginx:1.18

---

apiVersion: v1
kind: Service
metadata:
  name: linux81-web
  namespace: oldboyedu-traefik
spec:
  type: ClusterIP
  selector:
    apps: web
  ports:
  - port: 80
    targetPort: 80
EOF
```
```
(1) Deploy the nginx ingress controller
cat > 01-nginx-ingress-controller.yaml <<'EOF'
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx

---

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: default-http-backend
  labels:
    app.kubernetes.io/name: default-http-backend
    app.kubernetes.io/part-of: ingress-nginx
  namespace: ingress-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: default-http-backend
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: default-http-backend
        app.kubernetes.io/part-of: ingress-nginx
    spec:
      terminationGracePeriodSeconds: 60
      containers:
        - name: default-http-backend
          # Any image is permissible as long as:
          # 1. It serves a 404 page at /
          # 2. It serves 200 on a /healthz endpoint
          # image: netonline/defaultbackend:1.4
          image: k8s151.oldboyedu.com:5000/defaultbackend:1.4
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 30
            timeoutSeconds: 5
          ports:
            - containerPort: 8080
          resources:
            limits:
              cpu: 10m
              memory: 20Mi
            requests:
              cpu: 10m
              memory: 20Mi

---

apiVersion: v1
kind: Service
metadata:
  name: default-http-backend
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: default-http-backend
    app.kubernetes.io/part-of: ingress-nginx
spec:
  ports:
    - port: 80
      targetPort: 8080
  selector:
    app.kubernetes.io/name: default-http-backend
    app.kubernetes.io/part-of: ingress-nginx

---

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---

kind: ConfigMap
apiVersion: v1
metadata:
  name: tcp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---

kind: ConfigMap
apiVersion: v1
metadata:
  name: udp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses/status
    verbs:
      - update

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx

---

apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
        operator: Exists
      serviceAccountName: nginx-ingress-serviceaccount
      hostNetwork: true
      containers:
        - name: nginx-ingress-controller
          # image: quay.mirrors.ustc.edu.cn/kubernetes-ingress-controller/nginx-ingress-controller:0.20.0
          image: k8s151.oldboyedu.com:5000/nginx-ingress-controller:0.20.0
          args:
            - /nginx-ingress-controller
            - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
            - --annotations-prefix=nginx.ingress.kubernetes.io
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            # www-data -> 33
            runAsUser: 33
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
EOF


(2) Test the Ingress resource
cat > 02-deploy-ing.yaml <<'EOF'
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oldboyedu-homework-kod
  labels:
    school: oldboyedu
    homework: kod
spec:
  replicas: 3
  selector:
    matchLabels:
      apps: kod
  template:
    metadata:
      name: games-pod
      labels:
        apps: kod
    spec:
      containers:
      - name: linux81-kod
        image: k8s151.oldboyedu.com:5000/hoemwork/kod:v5.0

---

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oldboyedu-homework-pingtai
  labels:
    school: oldboyedu
    homework: pingtai
spec:
  replicas: 3
  selector:
    matchLabels:
      apps: pingtai
  template:
    metadata:
      name: games-pingtai
      labels:
        apps: pingtai
    spec:
      containers:
      - name: linux81-pingtaiu
        image: k8s151.oldboyedu.com:5000/hoemwork/pingtai:v5.0

---

apiVersion: v1
kind: Service
metadata:
  name: games-kod
spec:
  type: ClusterIP
  selector:
    apps: kod
  ports:
  - port: 80
    protocol: TCP
    targetPort: 85

---

apiVersion: v1
kind: Service
metadata:
  name: games-pingtai
spec:
  type: ClusterIP
  selector:
    apps: pingtai
  ports:
  - port: 80
    protocol: TCP
    targetPort: 82

---

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-myweb
spec:
  rules:
  - host: kod.oldboyedu.com
    http:
      paths:
      - backend:
          serviceName: games-kod
          servicePort: 80
  - host: pingtai.oldboyedu.com
    http:
      paths:
      - backend:
          serviceName: games-pingtai
          servicePort: 80
EOF
```
```
(1) Edit the static Pod manifest of the API server
vim /etc/kubernetes/manifests/kube-apiserver.yaml
...
spec:
  containers:
  - command:
    - kube-apiserver
    - --service-node-port-range=3000-50000   # adding this one line is enough
...


(2) Create a NodePort Service and verify that nodePort can now be set to 8080
apiVersion: v1
kind: Service
metadata:
  name: oldboyedu-linux80-nginx-svc-nodeport
spec:
  type: NodePort
  selector:
    apps: oldboyedu-web
  ports:
  - port: 8888
    protocol: TCP
    targetPort: 80
    nodePort: 8080
```
To be updated...
CoreDNS resolves Service names to their ClusterIPs.

Early clusters used the SkyDNS component, which had to be deployed separately; from Kubernetes 1.9 the CoreDNS component can be installed directly with kubeadm.

Starting with Kubernetes 1.12, CoreDNS is the default DNS server of Kubernetes, although kubeadm supported CoreDNS earlier than that.

Recommended reading:
https://github.com/kubernetes/kubernetes/tree/master/cluster/addons/dns/coredns
```
vim /var/lib/kubelet/config.yaml
...
clusterDNS:
- 10.254.0.10
clusterDomain: cluster.local
```
Format of a Kubernetes Service A record:
```
<service name>.<namespace name>.svc.cluster.local
```

Examples:
```
kube-dns.kube-system.svc.cluster.local
oldboyedu-mysql.default.svc.cluster.local
```

Tips:
(1) If a manifest refers to a Service by bare name, without a namespace, the namespace defaults to that of the resource making the reference;
(2) With a kubeadm deployment there is no need to configure CoreDNS manually (it is created in kube-system by default); with a binary deployment the component has to be installed by hand.
```
cat > deploy-wordpress.yaml <<'EOF'
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oldboyedu-mysql
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oldboyedu-mysql
  template:
    metadata:
      labels:
        app: oldboyedu-mysql
    spec:
      volumes:
      - name: data
        nfs:
          server: 10.0.0.201
          path: /oldboyedu/data/kubernetes
      containers:
      - name: oldboyedu-mysql
        image: k8s201.oldboyedu.com:5000/mysql:5.7
        volumeMounts:
        - name: data
          mountPath: /var/lib/mysql
        ports:
        - containerPort: 3306
        env:
        - name: MYSQL_ROOT_PASSWORD
          value: somewordpress
        - name: MYSQL_DATABASE
          value: wordpress
        - name: MYSQL_USER
          value: wordpress
        - name: MYSQL_PASSWORD
          value: wordpress

---

apiVersion: v1
kind: Service
metadata:
  name: oldboyedu-mysql
spec:
  clusterIP: 10.254.131.222
  selector:
    app: oldboyedu-mysql
  ports:
  - port: 3306
    targetPort: 3306

---

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oldboyedu-wordpress
spec:
  replicas: 3
  selector:
    matchLabels:
      apps: oldboyedu-wordpress
  template:
    metadata:
      labels:
        apps: oldboyedu-wordpress
    spec:
      containers:
      - name: oldboyedu-wordpress
        image: k8s201.oldboyedu.com:5000/wordpress:latest
        ports:
        - containerPort: 80
        env:
        - name: WORDPRESS_DB_HOST
          # Note: the host name used here is the Service name of the MySQL service.
          # Resolving it relies on the CoreDNS add-on, so make sure CoreDNS is working.
          value: oldboyedu-mysql
        - name: WORDPRESS_DB_USER
          value: wordpress
        - name: WORDPRESS_DB_PASSWORD
          value: wordpress

---

apiVersion: v1
kind: Service
metadata:
  name: oldboyedu-wordpress
spec:
  type: NodePort
  selector:
    apps: oldboyedu-wordpress
  ports:
  - port: 80
    targetPort: 80
    nodePort: 30088
EOF
```
```
cat > deploy-tomcat.yaml <<'EOF'
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: oldboyedu-linux81-tomcat
spec:
  storageClassName: linux81-sc
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 10Gi

---

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: mysql
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: oldboyedu-mysql
    spec:
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: oldboyedu-linux81-tomcat
      containers:
      - name: mysql
        image: k8s151.oldboyedu.com:5000/mysql:5.7
        ports:
        - containerPort: 3306
        env:
        - name: MYSQL_ROOT_PASSWORD
          value: '123456'
        volumeMounts:
        - name: data
          mountPath: /var/lib/mysql

---

apiVersion: v1
kind: Service
metadata:
  name: oldboyedu-mysql
spec:
  selector:
    app: oldboyedu-mysql
  ports:
  - port: 3306
    targetPort: 3306

---

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oldboyedu-tomcat-app
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: oldboyedu-tomcat-app
    spec:
      containers:
      - name: myweb
        # image: jasonyin2020/tomcat-app:v1
        image: k8s151.oldboyedu.com:5000/tomcat-app:v1
        ports:
        - containerPort: 8080
        env:
        - name: MYSQL_SERVICE_HOST
          value: oldboyedu-mysql
        - name: MYSQL_SERVICE_PORT
          value: '3306'

---

apiVersion: v1
kind: Service
metadata:
  name: oldboyedu-tomcat-app
spec:
  selector:
    app: oldboyedu-tomcat-app
  ports:
  - port: 8080
    targetPort: 8080

---

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: linux81-tomcat
spec:
  rules:
  - host: tomcat.oldboyedu.com
    http:
      paths:
      - backend:
          serviceName: oldboyedu-tomcat-app
          servicePort: 8080
EOF
```
Method 1:
From an alpine container, ping the Service name you want to test and check whether it resolves to the corresponding VIP.

Method 2:
```
yum -y install bind-utils
dig @10.254.0.10 oldboyedu-tomcat-app.default.svc.cluster.local +short
```
Dashboard is a graphical WebUI for managing a K8S cluster. It is a Kubernetes add-on, so it has to be deployed separately.

With it we can create Kubernetes resources graphically.

GitHub:
https://github.com/kubernetes/dashboard#kubernetes-dashboard

```
(1) Check which dashboard version k8s 1.15 depends on (this lookup only works for k8s 1.17 and earlier)
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.15.md#unchanged

(2) Download the dashboard version that k8s 1.15 depends on
wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml

(3) Change the image in kubernetes-dashboard.yaml
vim kubernetes-dashboard.yaml
...
spec:
  ...
  template:
    ...
    spec:
      containers:
      - name: kubernetes-dashboard
        # switch to our own image
        image: k8s201.oldboyedu.com:5000/kubernetes-dashboard-amd64:v1.10.1


(4) Change the Service in kubernetes-dashboard.yaml
kind: Service
...
spec:
  # change the type to NodePort
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      # pin the NodePort
      nodePort: 8443
  selector:
    k8s-app: kubernetes-dashboard


(5) Deploy the dashboard component
kubectl apply -f kubernetes-dashboard.yaml


(6) Open the dashboard WebUI (shown below)
https://10.0.0.203:8443/



Tip:
If the page does not load, click on an empty area of the page and type "thisisunsafe".
```


```
(1) Get the token name
kubectl describe sa -n kube-system | grep kubernetes-dashboard | grep Tokens

(2) Read the token value
kubectl describe secrets kubernetes-dashboard-token-ls4zt -n kube-system

(3) Logging in to the dashboard with this token shows that its permissions are insufficient
As shown below.
```


```
(1) Write the K8S yaml manifest
cat > oldboyedu-dashboard-rbac.yaml <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  # create an account named "oldboyedu"
  name: oldboyedu
  namespace: kube-system

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  # since a cluster role is bound, the kind must be "ClusterRole", not "Role"
  kind: ClusterRole
  # the available cluster roles can be listed with "kubectl get clusterrole | grep admin"
  name: cluster-admin
subjects:
- kind: ServiceAccount
  # must match the service account created above
  name: oldboyedu
  namespace: kube-system
EOF

(2) Create the resources
kubectl apply -f oldboyedu-dashboard-rbac.yaml


(3) Look up the Tokens name of the sa
kubectl describe serviceaccounts -n kube-system oldboyedu | grep Tokens

(4) Read the token value using the name from the previous step
kubectl -n kube-system describe secrets oldboyedu-token-gns4h

(5) Log in to the dashboard WebUI with that token (make sure the copied value contains no line break)
As shown above.


Tip:
As shown below, because the ServiceAccount we created is bound to the "cluster-admin" role, the oldboyedu user's token can access every resource in the cluster.
```
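A way to see, from the RBAC objects themselves, which ServiceAccounts end up with cluster-admin rights (as the oldboyedu account above does) or with cluster-wide read access to Secrets (as the traefik controller account does). This is an added example, not part of the course material; the objects are embedded as constructed Python dicts mirroring the bindings on this page rather than read from a live cluster.

```python
"""Audit ClusterRoleBindings for ServiceAccounts that receive cluster-admin
(or an equivalent wildcard role) or cluster-wide Secret read access.
Added example, not from the course material; objects below are constructed
dicts mirroring the bindings on this page."""

# cluster-admin is a built-in ClusterRole; its rules are a full wildcard.
CLUSTER_ROLES = {
    "cluster-admin": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]},
    ],
    # The traefik role from this page: read-only, but it can read every Secret.
    "traefik-ingress-controller": [
        {"apiGroups": [""], "resources": ["services", "endpoints", "secrets"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["extensions"], "resources": ["ingresses"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# Constructed: the dashboard binding above plus the traefik binding from this page.
CLUSTER_ROLE_BINDINGS = [
    {"metadata": {"name": "kubernetes-dashboard"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "oldboyedu",
                   "namespace": "kube-system"}]},
    {"metadata": {"name": "traefik-ingress-controller"},
     "roleRef": {"kind": "ClusterRole", "name": "traefik-ingress-controller"},
     "subjects": [{"kind": "ServiceAccount", "name": "traefik-ingress-controller",
                   "namespace": "kube-system"}]},
]

READ_VERBS = {"get", "list", "watch", "*"}


def rule_is_full_wildcard(rule):
    """'*' verbs on '*' resources in '*' API groups: equivalent to cluster-admin."""
    return all("*" in rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))


def rule_reads_secrets(rule):
    """Any read verb on core-group Secrets (or on all resources of the core group)."""
    groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
    in_core = "" in groups or "*" in groups
    on_secrets = "secrets" in resources or "*" in resources
    return in_core and on_secrets and bool(READ_VERBS & set(rule.get("verbs", [])))


def classify_role(rules):
    """Return the most severe finding for a rule set, or None if nothing stands out."""
    if any(rule_is_full_wildcard(r) for r in rules):
        return "cluster-admin-equivalent"
    if any(rule_reads_secrets(r) for r in rules):
        return "reads-all-secrets"
    return None


def audit(bindings, roles):
    """Return (binding name, namespace/serviceaccount, finding) for each risky grant."""
    findings = []
    for b in bindings:
        ref = b["roleRef"]
        if ref["kind"] != "ClusterRole":
            continue  # a ClusterRoleBinding may only reference a ClusterRole
        finding = classify_role(roles.get(ref["name"], []))
        if finding is None:
            continue
        for s in b.get("subjects", []):
            if s.get("kind") != "ServiceAccount":
                continue
            sa = f'{s["namespace"]}/{s["name"]}'
            findings.append((b["metadata"]["name"], sa, finding))
    return findings


if __name__ == "__main__":
    for row in audit(CLUSTER_ROLE_BINDINGS, CLUSTER_ROLES):
        print(*row)
```

On a live cluster the same logic can be fed from `kubectl get clusterrolebindings,clusterroles -o json` instead of the embedded dicts.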

```
(1) Write the script that generates the kubeconfig file
cat > oldboyedu-generate-context-conf.sh <<'EOF'
#!/bin/bash
# author: Jason Yin


# name of the secret
SECRET_NAME=`kubectl get secrets -n kube-system | grep oldboyedu | awk '{print $1}'`

# address of the API server (the kubeconfig server field is a URL, so it needs the scheme)
API_SERVER=https://k8s151.oldboyedu.com:6443

# path of the kubeconfig file to generate
KUBECONFIG_NAME=/root/oldboyedu-k8s-dashboard-admin.conf

# token of the oldboyedu user
OLDBOYEDU_TOKEN=`kubectl get secrets -n kube-system $SECRET_NAME -o jsonpath='{.data.token}' | base64 -d`

# set the cluster entry in the kubeconfig
kubectl config set-cluster oldboyedu-k8s-dashboard-cluster --server=$API_SERVER --kubeconfig=$KUBECONFIG_NAME

# set the user entry in the kubeconfig
kubectl config set-credentials oldboyedu-k8s-dashboard-user --token=$OLDBOYEDU_TOKEN --kubeconfig=$KUBECONFIG_NAME

# set the context, i.e. bind a user to a cluster; several clusters and users can be bound this way
kubectl config set-context oldboyedu-admin --cluster=oldboyedu-k8s-dashboard-cluster --user=oldboyedu-k8s-dashboard-user --kubeconfig=$KUBECONFIG_NAME

# select the current context
kubectl config use-context oldboyedu-admin --kubeconfig=$KUBECONFIG_NAME
EOF


(2) Run the script and download the generated file to your desktop; as shown above, pick that file to log in
sz oldboyedu-k8s-dashboard-admin.conf


(3) Enter the dashboard WebUI
As shown below, we can reach any Pod and even open a terminal directly into a container.
```
See the video.

Metrics Server collects resource metrics from the kubelets and exposes them in the Kubernetes apiserver through the Metrics API, for use by the HPA (Horizontal Pod Autoscaler) and VPA (Vertical Pod Autoscaler).

The Metrics API is also reachable through kubectl top, which makes debugging the autoscaling pipeline easier.

References:
https://github.com/kubernetes/kubernetes/tree/master/cluster/addons/metrics-server
https://kubernetes.io/docs/tasks/debug/debug-cluster/resource-metrics-pipeline/
https://github.com/kubernetes-sigs/metrics-server
```
cat > deoloyment-metric-server.yaml <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metrics-server:system:auth-delegator
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: metrics-server-auth-reader
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: apiregistration.k8s.io/v1beta1
kind: APIService
metadata:
  name: v1beta1.metrics.k8s.io
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  service:
    name: metrics-server
    namespace: kube-system
  group: metrics.k8s.io
  version: v1beta1
  insecureSkipTLSVerify: true
  groupPriorityMinimum: 100
  versionPriority: 100
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metrics-server
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: metrics-server-config
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: EnsureExists
data:
  NannyConfiguration: |-
    apiVersion: nannyconfig/v1alpha1
    kind: NannyConfiguration
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: metrics-server-v0.3.3
  namespace: kube-system
  labels:
    k8s-app: metrics-server
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
    version: v0.3.3
spec:
  selector:
    matchLabels:
      k8s-app: metrics-server
      version: v0.3.3
  template:
    metadata:
      name: metrics-server
      labels:
        k8s-app: metrics-server
        version: v0.3.3
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
    spec:
      priorityClassName: system-cluster-critical
      serviceAccountName: metrics-server
      tolerations:
      - operator: Exists
      containers:
      - name: metrics-server
        # image: registry.aliyuncs.com/google_containers/metrics-server-amd64:v0.3.3
        image: k8s151.oldboyedu.com:5000/metrics-server-amd64:v0.3.3
        command:
        - /metrics-server
        - --metric-resolution=30s
        # These are needed for GKE, which doesn't support secure communication yet.
        # Remove these lines for non-GKE clusters, and when GKE supports token-based auth.
        #- --kubelet-port=10255
        #- --deprecated-kubelet-completely-insecure=true
        - --kubelet-insecure-tls
        - --kubelet-preferred-address-types=InternalIP,Hostname,InternalDNS,ExternalDNS,ExternalIP
        ports:
        - containerPort: 443
          name: https
          protocol: TCP
      - name: metrics-server-nanny
        # image: registry.aliyuncs.com/google_containers/addon-resizer:1.8.5
        image: k8s151.oldboyedu.com:5000/addon-resizer:1.8.5
        resources:
          limits:
            cpu: 100m
            memory: 300Mi
          requests:
            cpu: 5m
            memory: 50Mi
        env:
          - name: MY_POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: MY_POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
        volumeMounts:
        - name: metrics-server-config-volume
          mountPath: /etc/config
        command:
          - /pod_nanny
          - --config-dir=/etc/config
          #- --cpu=80m
          - --extra-cpu=0.5m
          #- --memory=80Mi
          #- --extra-memory=8Mi
          - --threshold=5
          - --deployment=metrics-server-v0.3.3
          - --container=metrics-server
          - --poll-period=300000
          - --estimator=exponential
          - --minClusterSize=2
          # Specifies the smallest cluster (defined in number of nodes)
          # resources will be scaled to.
          #- --minClusterSize={{ metrics_server_min_cluster_size }}
      volumes:
        - name: metrics-server-config-volume
          configMap:
            name: metrics-server-config
---
apiVersion: v1
kind: Service
metadata:
  name: metrics-server
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
    kubernetes.io/cluster-service: "true"
    kubernetes.io/name: "Metrics-server"
spec:
  selector:
    k8s-app: metrics-server
  ports:
  - port: 443
    protocol: TCP
    targetPort: https
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:metrics-server
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  - nodes/stats
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - "extensions"
  resources:
  - deployments
  verbs:
  - get
  - list
  - update
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:metrics-server
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:metrics-server
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
EOF
```

```
(1) Deploy metrics-server, as shown above.
cd /root/manifests/add-on/metrics-server/deploy && kubectl apply -f .

(2) Verify that the Pod is running, as shown below.
kubectl get pods -n kube-system -o wide | grep metrics
```


```
kubectl taint node k8s201.oldboyedu.com node-role.kubernetes.io/master-
```

```
kubectl top nodes

kubectl top pods -A
```
```
cat > deploy-tomcat.yaml <<'EOF'
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: mysql
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: oldboyedu-mysql
    spec:
      volumes:
      - name: data
        nfs:
          server: 10.0.0.201
          path: /oldboyedu/data/kubernetes/mysql/tomcat
      containers:
      - name: mysql
        image: k8s201.oldboyedu.com:5000/mysql:5.7
        ports:
        - containerPort: 3306
        env:
        - name: MYSQL_ROOT_PASSWORD
          value: '123456'
        volumeMounts:
        - name: data
          mountPath: /var/lib/mysql

---

apiVersion: v1
kind: Service
metadata:
  name: oldboyedu-mysql
spec:
  selector:
    app: oldboyedu-mysql
  ports:
  - port: 3306
    targetPort: 3306

---

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oldboyedu-tomcat-app
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: oldboyedu-tomcat-app
    spec:
      containers:
      - name: myweb
        # image: jasonyin2020/tomcat-app:v1
        image: k8s201.oldboyedu.com:5000/tomcat-app:v1
        resources:
          limits:
            cpu: "100m"
          requests:
            cpu: "100m"
        ports:
        - containerPort: 8080
        env:
        - name: MYSQL_SERVICE_HOST
          value: oldboyedu-mysql
        - name: MYSQL_SERVICE_PORT
          value: '3306'

---

apiVersion: v1
kind: Service
metadata:
  name: oldboyedu-tomcat-app
spec:
  type: NodePort
  selector:
    app: oldboyedu-tomcat-app
  ports:
  - port: 8080
    targetPort: 8080
    nodePort: 30888
EOF
```

```
kubectl autoscale deployment oldboyedu-tomcat-app --max=10 --min=2 --cpu-percent=75
```

Parameters:
- `--max`: maximum number of Pods. The larger it is, the more resources autoscaling may create, at the cost of the servers' resources.
- `--min`: minimum number of Pods.
- `--cpu-percent`: target CPU utilization percentage.

Tips:
(1) For testing, set the CPU percentage to 5%; for production 75% is recommended.
(2) For testing, a maximum of 5 Pods is enough; in production it depends on requirements, and 10 is usually a reasonable choice.

```
(1) Install the load-testing tool
yum -y install httpd-tools

(2) Generate load with ab
ab -c 1000 -n 2000000 http://10.0.0.203:30888/
```

Parameters:
- `-n`: total number of requests to send.
- `-c`: number of concurrent requests.
```
[root@k8s151.oldboyedu.com hpa]# cat stress/01-deploy-stress.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oldboyedu-linux84-stress
spec:
  replicas: 1
  template:
    metadata:
      labels:
        apps: stress
    spec:
      containers:
      - name: web
        image: jasonyin2020/oldboyedu-linux-tools:v0.1
        command:
        - tail
        - -f
        - /etc/hosts
        resources:
          requests:
            cpu: "50m"
          limits:
            cpu: "150m"


---

apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: oldboyedu-linux-tools-stress
spec:
  # maximum number of Pods
  maxReplicas: 10
  # minimum number of Pods
  minReplicas: 2
  # workload the autoscaler scales
  scaleTargetRef:
    # API version of the target
    apiVersion: extensions/v1beta1
    # kind of the target
    kind: Deployment
    # name of the target
    name: oldboyedu-linux84-stress
  # CPU utilization threshold
  targetCPUUtilizationPercentage: 95
[root@k8s151.oldboyedu.com hpa]#
```
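The core of the HPA replica computation, applied to the settings on this page (stress Deployment: CPU request 50m, minReplicas 2, maxReplicas 10, target 95%; the earlier `kubectl autoscale` used 75%). Added example, not part of the course material; the per-pod CPU usage figures are constructed, and the model is simplified to the scaling formula, tolerance and clamping (no stabilization window, readiness delay or missing-metric handling).

```python
"""Simplified HPA arithmetic for the autoscalers on this page.
Added example, not from the course material; usage figures are constructed."""
import math

# Default of the kube-controller-manager flag --horizontal-pod-autoscaler-tolerance
TOLERANCE = 0.10


def average_utilization(usage_millicores, request_millicores):
    """Average CPU utilization in percent across the pods of the target.

    Utilization is usage divided by the container's CPU *request*; the limit
    (150m on this page) never enters the calculation, which is why an HPA on
    CPU utilization needs a request on every container of the pod."""
    if request_millicores <= 0:
        raise ValueError("CPU utilization autoscaling requires a CPU request")
    if not usage_millicores:
        raise ValueError("no pod metrics available")
    ratios = [usage / request_millicores for usage in usage_millicores]
    return 100.0 * sum(ratios) / len(ratios)


def desired_replicas(current, utilization, target, min_replicas, max_replicas):
    """desired = ceil(current * utilization / target), unless the ratio is within
    TOLERANCE of 1.0 (then nothing changes), finally clamped to [min, max]."""
    ratio = utilization / target
    if abs(ratio - 1.0) <= TOLERANCE:
        desired = current
    else:
        desired = math.ceil(current * ratio)
    return max(min_replicas, min(max_replicas, desired))


def stress_hpa(usage_millicores, current=2):
    """The page's HPA for oldboyedu-linux84-stress: request 50m, target 95%, 2..10 replicas."""
    utilization = average_utilization(usage_millicores, request_millicores=50)
    return desired_replicas(current, utilization, target=95,
                            min_replicas=2, max_replicas=10)


if __name__ == "__main__":
    print(stress_hpa([120, 100]))   # under ab load: 220% of request -> 5 replicas
    print(stress_hpa([5, 5]))       # idle: 10% -> formula gives 1, clamped to min 2
    print(stress_hpa([46, 48]))     # 94% vs target 95%: inside tolerance, stays at 2
    print(desired_replicas(5, 40.0, 75, 2, 10))  # scale-down at the 75% target -> 3
```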
If you want to use the "kubectl top" command, make sure the CNI plugin is deployed on the master node as well.

Fix:
```
kubectl taint node k8s201.oldboyedu.com node-role.kubernetes.io/master-
```
To be updated...



| Volume Plugin | ReadWriteOnce | ReadOnlyMany | ReadWriteMany | ReadWriteOncePod |
|---|---|---|---|---|
| AWSElasticBlockStore | ✓ | - | - | - |
| AzureFile | ✓ | ✓ | ✓ | - |
| AzureDisk | ✓ | - | - | - |
| CephFS | ✓ | ✓ | ✓ | - |
| Cinder | ✓ | - | - | - |
| CSI | depends on the driver | depends on the driver | depends on the driver | depends on the driver |
| FC | ✓ | ✓ | - | - |
| FlexVolume | ✓ | ✓ | depends on the driver | - |
| Flocker | ✓ | - | - | - |
| GCEPersistentDisk | ✓ | ✓ | - | - |
| Glusterfs | ✓ | ✓ | ✓ | - |
| HostPath | ✓ | - | - | - |
| iSCSI | ✓ | ✓ | - | - |
| Quobyte | ✓ | ✓ | ✓ | - |
| NFS | ✓ | ✓ | ✓ | - |
| RBD | ✓ | ✓ | - | - |
| VsphereVolume | ✓ | - | - (works when Pods are collocated) | - |
| PortworxVolume | ✓ | - | ✓ | - |
| StorageOS | ✓ | - | - | - |
```
(1) Write the PV manifest
cat > manual-pv.yaml <<'EOF'
apiVersion: v1
kind: PersistentVolume
metadata:
  name: oldboyedu-linux84-pv01
  labels:
    school: oldboyedu
spec:
  # Access modes of the PV. The common ones are "ReadWriteOnce", "ReadOnlyMany" and "ReadWriteMany":
  #   ReadWriteOnce ("RWO"):
  #     only a single worker node may mount the volume read-write, but several Pods on that node may use it at the same time.
  #   ReadOnlyMany ("ROX"):
  #     several worker nodes may mount the volume read-only.
  #   ReadWriteMany ("RWX"):
  #     several worker nodes may mount the volume read-write.
  #   ReadWriteOncePod ("RWOP"):
  #     the volume may be mounted read-write by a single Pod.
  #     Use ReadWriteOncePod when exactly one Pod in the whole cluster should be able to read or write the PVC.
  #     Only supported for CSI volumes on Kubernetes 1.22+.
  accessModes:
  - ReadWriteMany
  # the volume is backed by nfs
  nfs:
    path: /oldboyedu/data/kubernetes/pv/linux84/pv001
    server: 10.0.0.151
  # Reclaim policy of the volume. The common ones are "Retain" and "Delete":
  #   Retain:
  #     allows manual reclamation of the resource.
  #     When the PersistentVolumeClaim is deleted, the PersistentVolume still exists and the volume is considered "released".
  #     Until an administrator reclaims it manually, other Pods cannot use it directly.
  #   Delete:
  #     for volume plugins that support it, k8s deletes the PV together with the data on the backing volume.
  #   Recycle:
  #     deprecated upstream; dynamic provisioning is the recommended approach instead.
  #     If the underlying volume plugin supports it, Recycle performs a basic scrub (rm -rf /thevolume/*) and makes the volume available for a new claim.
  persistentVolumeReclaimPolicy: Retain
  # storage capacity
  capacity:
    storage: 2Gi

---

apiVersion: v1
kind: PersistentVolume
metadata:
  name: oldboyedu-linux84-pv02
  labels:
    school: oldboyedu
spec:
  accessModes:
  - ReadWriteMany
  nfs:
    path: /oldboyedu/data/kubernetes/pv/linux84/pv002
    server: 10.0.0.151
  persistentVolumeReclaimPolicy: Retain
  capacity:
    storage: 5Gi

---

apiVersion: v1
kind: PersistentVolume
metadata:
  name: oldboyedu-linux84-pv03
  labels:
    school: oldboyedu
spec:
  accessModes:
  - ReadWriteMany
  nfs:
    path: /oldboyedu/data/kubernetes/pv/linux84/pv003
    server: 10.0.0.151
  persistentVolumeReclaimPolicy: Retain
  capacity:
    storage: 10Gi
EOF


(2) Create the PVs
kubectl apply -f manual-pv.yaml


(3) Inspect the PV resources
kubectl get pv
  NAME:            name of the PV
  CAPACITY:        capacity of the PV
  ACCESS MODES:    access modes of the PV
  RECLAIM POLICY:  reclaim policy of the PV
  STATUS:          status of the PV
  CLAIM:           the PVC that uses this PV
  STORAGECLASS:    name of the sc
  REASON:          reason, when the PV is in an error state
  AGE:             time since creation

(4) Create the NFS directories referenced by the PVs (as shown below)
mkdir -pv /oldboyedu/data/kubernetes/pv/linux84/pv00{1..3}
ll -R /oldboyedu/data/kubernetes/pv/linux84


References:
https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes
https://kubernetes.io/docs/concepts/storage/persistent-volumes/#reclaiming
```



(1) Write the PVC manifest

```bash
cat > manual-pvc.yaml <<'EOF'
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: oldboyedu-linux84-pvc
spec:
  # Requested access modes; every mode listed here must be offered by the PV
  accessModes:
  - ReadWriteMany
  # Requested size. Only requests.storage drives binding: the controller picks the
  # smallest Available PV whose capacity is >= this value. A limits block is accepted
  # by the API server but not enforced for PVCs.
  resources:
    limits:
      storage: 4Gi
    requests:
      storage: 3Gi
EOF
```

(2) Create it
kubectl apply -f manual-pvc.yaml

(3) Inspect the PVC
kubectl get pvc
With the three PVs above, this claim binds oldboyedu-linux84-pv02 (5Gi): pv01 (2Gi) is too small and pv03 (10Gi) is larger than necessary.

Tip: the claim has no storageClassName and the PVs have none either, which is what makes them match. If the cluster has a default StorageClass, the DefaultStorageClass admission plugin fills that class into the claim and it will never bind these static PVs; in that case set `storageClassName: ""` explicitly.
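How the controller chooses between the three PVs above, as an added example that is not part of the original notes. The objects are hand-built dicts mirroring manual-pv.yaml and manual-pvc.yaml (constructed, no cluster needed); the rules follow the volume binder in kube-controller-manager: same storageClassName, every requested access mode present on the PV, capacity at least the request, and the smallest such Available PV wins. The names `make_pv`, `make_pvc` and `select_pv` are this example's own.

```python
"""Model of how the PV controller picks a PersistentVolume for a claim.

Added example, not code from the original notes. PV/PVC objects are constructed
dicts mirroring the manifests above.
"""
import re

_UNITS = {"": 1, "Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4,
          "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3, "T": 1000 ** 4}


def parse_quantity(q):
    """'3Gi' -> bytes. Only the integer binary/decimal suffixes used for storage."""
    m = re.fullmatch(r"(\d+)([KMGT]i?)?", str(q))
    if not m:
        raise ValueError("unsupported quantity: %r" % q)
    return int(m.group(1)) * _UNITS[m.group(2) or ""]


def make_pv(name, size, modes=("ReadWriteMany",), sc="", phase="Available"):
    """Constructed PV object shaped like the NFS PVs in manual-pv.yaml."""
    return {"metadata": {"name": name},
            "spec": {"capacity": {"storage": size}, "accessModes": list(modes),
                     "storageClassName": sc, "persistentVolumeReclaimPolicy": "Retain"},
            "status": {"phase": phase}}


def make_pvc(request, modes=("ReadWriteMany",), sc="", limit=None):
    """Constructed PVC; a limits block is kept only to show that it is never read."""
    resources = {"requests": {"storage": request}}
    if limit:
        resources["limits"] = {"storage": limit}
    return {"spec": {"accessModes": list(modes), "storageClassName": sc,
                     "resources": resources}}


def select_pv(pvc, pvs):
    """Name of the PV the binder would pick, or None (the claim stays Pending)."""
    spec = pvc["spec"]
    want = parse_quantity(spec["resources"]["requests"]["storage"])
    modes = set(spec["accessModes"])
    candidates = []
    for pv in pvs:
        s = pv["spec"]
        if pv.get("status", {}).get("phase") != "Available":
            continue  # Bound/Released PVs are never handed to a new claim
        if s.get("storageClassName", "") != spec.get("storageClassName", ""):
            continue  # "" (no class) only matches a claim that also has no class
        if not modes <= set(s["accessModes"]):
            continue  # the PV must offer every mode the claim asks for
        cap = parse_quantity(s["capacity"]["storage"])
        if cap < want:
            continue
        candidates.append((cap, pv["metadata"]["name"]))
    return min(candidates)[1] if candidates else None


# Constructed inventory: the three NFS PVs from manual-pv.yaml.
PVS = [make_pv("oldboyedu-linux84-pv01", "2Gi"),
       make_pv("oldboyedu-linux84-pv02", "5Gi"),
       make_pv("oldboyedu-linux84-pv03", "10Gi")]

# manual-pvc.yaml: RWX, requests 3Gi, limits 4Gi (the limit is ignored).
PAGE_PVC = make_pvc("3Gi", limit="4Gi")

if __name__ == "__main__":
    print(select_pv(PAGE_PVC, PVS))
    print(select_pv(make_pvc("1Gi", modes=("ReadWriteOnce",)), PVS))
```

The second call returns None: a PV that only lists ReadWriteMany does not satisfy a claim for ReadWriteOnce, even though the NFS share could technically serve it, which is the most common reason a hand-made PVC sits in Pending next to a perfectly good PV.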

```yaml
[root@k8s151.oldboyedu.com pvc]# cat deploy-nginx-pvc.yaml
# extensions/v1beta1 Deployments were removed in Kubernetes 1.16; on newer clusters
# use apps/v1 and add spec.selector.matchLabels (apps: nginx).
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oldboyedu-linux84-deploy-nginx-pvc
spec:
  replicas: 2
  template:
    metadata:
      name: oldboyedu-linux84-pod
      labels:
        apps: nginx
    spec:
      volumes:
      - name: data
        # The volume is backed by a PVC ...
        persistentVolumeClaim:
          # ... and this is the claim it refers to. Both replicas mount the same RWX share.
          claimName: oldboyedu-linux84-pvc
      containers:
      - name: web
        image: harbor.oldboyedu.com/oldboyedu-linux84-k8s/nginx:1.18
        volumeMounts:
        - name: data
          mountPath: /usr/share/nginx/html

---

apiVersion: v1
kind: Service
metadata:
  name: oldboyedu-linux84-nginx
spec:
  type: NodePort
  selector:
    apps: nginx
  ports:
  - port: 80
    targetPort: 80
    nodePort: 30080
[root@k8s151.oldboyedu.com pvc]#
```
Retain:
    Reclamation is left to an administrator. Deleting the PVC keeps the PV, which moves to the "Released" phase; no other Pod can claim it until an administrator reclaims it by hand.
    Tip:
    (1) Tested on Kubernetes 1.15.12: deleting the PVC removes neither the data on the NFS export nor the PV.
    (2) A Released PV still carries the old claim in spec.claimRef and the old data on disk. To reuse it, delete and recreate the PV object, or clear the reference with `kubectl patch pv <pv-name> -p '{"spec":{"claimRef":null}}'`. Wipe the export first if the next claimant must not be able to read the previous tenant's files.

Delete:
    For volume plugins that support it, Kubernetes deletes the PV together with the backing data. Use a dynamic StorageClass (sc) to see this in action.
    Cloud volumes such as AWS EBS, GCE PD, Azure Disk or OpenStack Cinder are deleted by the provider.
    Tip:
    (1) Tested on 1.15.12 without an sc: deleting the PVC does not remove the NFS data (the in-tree NFS plugin has no deleter);
    (2) Tested on 1.15.12 with an sc: the deletion is visible.

Recycle:
    Deprecated upstream; dynamic provisioning is the recommended replacement, and dynamic StorageClasses no longer support this policy at all.
    Where the volume plugin supports it, Recycle performs a basic scrub (rm -rf /thevolume/*) and makes the PV available for a new claim. The scrub is an unlink, not a secure erase.
    Tip: tested on 1.15.12, deleting the PVC removed the data from the NFS export.
kubectl patch pv oldboyedu-linux84-pv03 -p '{"spec":{"persistentVolumeReclaimPolicy":"Recycle"}}'

Reference:
https://kubernetes.io/docs/tasks/administer-cluster/change-pv-reclaim-policy/

Tip:
A change made with kubectl patch (or kubectl edit) is stored in the live object and persists until that object is deleted, but it is not reflected in your manifest. The next `kubectl apply -f manual-pv.yaml`, or deleting and recreating the PV from the file, puts the policy from the file back. Keep the manifest as the source of truth and change it as well.
| Volume Plugin | Internal Provisioner | Config Example |
|---|---|---|
| AWSElasticBlockStore | ✓ | AWS EBS |
| AzureFile | ✓ | Azure File |
| AzureDisk | ✓ | Azure Disk |
| CephFS | - | - |
| Cinder | ✓ | OpenStack Cinder |
| FC | - | - |
| FlexVolume | - | - |
| Flocker | ✓ | - |
| GCEPersistentDisk | ✓ | GCE PD |
| Glusterfs | ✓ | Glusterfs |
| iSCSI | - | - |
| Quobyte | ✓ | Quobyte |
| NFS | - | NFS |
| RBD | ✓ | Ceph RBD |
| VsphereVolume | ✓ | vSphere |
| PortworxVolume | ✓ | Portworx Volume |
| ScaleIO | ✓ | ScaleIO |
| StorageOS | ✓ | StorageOS |
| Local | - | Local |
(1) As the table shows, Kubernetes has no internal provisioner for NFS
https://kubernetes.io/docs/concepts/storage/storage-classes/#provisioner

(2) NFS therefore cannot provision dynamically on its own, but an external provisioner can do it.
git clone https://gitee.com/yinzhengjie/k8s-external-storage.git

(3) Edit the provisioner Deployment
cd k8s-external-storage/nfs-client/deploy
vim deployment.yaml

```yaml
...
spec:
  ...
  template:
    ...
    spec:
      ...
      containers:
      - name: nfs-client-provisioner
        ...
        env:
        # Provisioner name. The StorageClass "provisioner" field must carry exactly this string.
        - name: PROVISIONER_NAME
          value: fuseim.pri/ifs
        # NFS server address
        - name: NFS_SERVER
          value: 10.0.0.201
        # NFS export path
        - name: NFS_PATH
          value: /oldboyedu/data/kubernetes/sc
      volumes:
      - name: nfs-client-root
        # The same export, mounted into the provisioner Pod
        nfs:
          server: 10.0.0.201
          path: /oldboyedu/data/kubernetes/sc
```

(4) On the NFS server, create the export directory used by the sc
mkdir -pv /oldboyedu/data/kubernetes/sc

(5) Create the StorageClass
kubectl apply -f class.yaml && kubectl get sc

(6) Create the RBAC objects. The provisioner's ServiceAccount gets cluster-wide rights on persistentvolumes, persistentvolumeclaims, storageclasses and events; read rbac.yaml before applying it.
kubectl apply -f rbac.yaml

(7) Deploy the NFS provisioner
kubectl apply -f deployment.yaml

(8) Verify (see the figure)
kubectl get sc,po

Tip:
Use reclaimPolicy Retain in production.
In the original class.yaml of these notes the provisioner was "oldboyedu/linux" while the Deployment's PROVISIONER_NAME was "fuseim.pri/ifs". The two must be identical, otherwise no provisioner ever picks up PVCs for the class and they stay Pending; the class below therefore uses the Deployment's value.

```bash
cat > class.yaml <<'EOF'
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: managed-nfs-storage
# Must match the PROVISIONER_NAME env of the nfs-client-provisioner Deployment
provisioner: fuseim.pri/ifs
parameters:
  # Only consulted when reclaimPolicy is Delete; ignored for Retain.
  # "false": the PV's directory on the export is removed on delete.
  # "true":  the PV's directory is renamed to an "archived-*" directory instead.
  # archiveOnDelete: "false"
  archiveOnDelete: "true"
# Reclaim policy for PVs created by this class; the default is Delete
reclaimPolicy: Retain
EOF
```

```yaml
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: test-claim
  annotations:
    # Legacy (beta) way of naming the StorageClass, kept for old clusters.
    volume.beta.kubernetes.io/storage-class: "managed-nfs-storage"
spec:
  # The supported field. The class must exist, or the claim stays Pending.
  storageClassName: managed-nfs-storage
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      # The nfs-client provisioner just creates a subdirectory on the export; this
      # number is not a quota and nothing stops the Pod from filling the share.
      storage: 1Mi

---

kind: Pod
apiVersion: v1
metadata:
  name: test-pod
spec:
  containers:
  - name: test-pod
    image: k8s201.oldboyedu.com:5000/nginx:1.20.1
    volumeMounts:
    - name: nfs-pvc
      mountPath: "/mnt"
  restartPolicy: "Never"
  volumes:
  - name: nfs-pvc
    persistentVolumeClaim:
      claimName: test-claim
```


Built-in cluster roles:
cluster-admin:
    Superuser: every permission on every resource, cluster-wide.
admin:
    Meant to be granted inside a namespace with a RoleBinding. Read/write on most namespaced objects, and it may create Roles and RoleBindings in that namespace, so a holder can delegate its own rights.
edit:
    Read/write on most objects, but cannot view or modify Roles or RoleBindings. It can read Secrets and run Pods as any ServiceAccount in the namespace, so it is effectively as strong as the strongest ServiceAccount there.
view:
    Read-only on most namespaced objects; cannot see Roles, RoleBindings or Secrets.

Kubernetes ships these four roles for users. `kubectl get clusterrole` lists them together with the "system:" roles, which are reserved for cluster components.
(1) Unpack the certificate tooling
tar xf oldboyedu-cfssl.tar.gz -C /usr/bin/ && chmod +x /usr/bin/cfssl*

(2) Write the signing configuration and the certificate request

```bash
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF

cat > oldboyedu-csr.json <<EOF
{
  "CN": "oldboyedu",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
```

(3) Sign it with the cluster CA
cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -config=ca-config.json -profile=kubernetes oldboyedu-csr.json | cfssljson -bare oldboyedu

Tip:
Inspect the result with `cfssl-certinfo --cert oldboyedu.pem`.
What the API server reads from this certificate: CN ("oldboyedu") becomes the user name and each O ("k8s") becomes a group; RBAC bindings address exactly those strings. Two points to keep in mind: Kubernetes does not check certificate revocation, so a client certificate is usable until it expires, and 87600h is ten years; choose something far shorter for a human user. And never put O=system:masters into a request unless you mean it: that group is hard-wired to cluster-admin and bypasses every RBAC check.
(1) Write the script that generates the kubeconfig file

```bash
cat > kubeconfig.sh <<'EOF'
# Cluster entry
# --certificate-authority
#     path to the cluster CA certificate
# --embed-certs
#     true: copy the certificate contents into the kubeconfig, so the file is self-contained
#     false: store only the path and reference the file on disk
# --server
#     API server address
# --kubeconfig
#     name of the kubeconfig file to write
kubectl config set-cluster oldboyedu-linux81 \
  --certificate-authority=/etc/kubernetes/pki/ca.crt \
  --embed-certs=true \
  --server=https://10.0.0.151:6443 \
  --kubeconfig=oldboyedu-linux81.kubeconfig

# Client credentials. With --embed-certs the private key is copied in too,
# so protect the kubeconfig like the key itself.
kubectl config set-credentials oldboyedu \
  --client-key=oldboyedu-key.pem \
  --client-certificate=oldboyedu.pem \
  --embed-certs=true \
  --kubeconfig=oldboyedu-linux81.kubeconfig

# Context tying the cluster and the user together
kubectl config set-context linux81 \
  --cluster=oldboyedu-linux81 \
  --user=oldboyedu \
  --kubeconfig=oldboyedu-linux81.kubeconfig

# Make it the current context
kubectl config use-context linux81 --kubeconfig=oldboyedu-linux81.kubeconfig
EOF
```

(2) Generate the kubeconfig file
bash kubeconfig.sh
(1) Create the RBAC manifest
vi rbac.yaml (press i for insert mode, then paste the following)

```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: linux81-role
rules:
# apiGroups: "" is the core group (configmaps, nodes, pods, services, ...).
# Before Kubernetes 1.16 deployments were also served from "extensions"; from 1.16 on
# they live only in "apps". `kubectl api-resources` shows the group of every resource.
- apiGroups: ["","extensions"]
  # Resource names must be the full plural form; short names such as "po" are not accepted.
  # "nodes" is cluster-scoped: a Role bound with a RoleBinding can never grant it, only a
  # ClusterRole bound with a ClusterRoleBinding can.
  resources: ["pods","nodes","services","deployments","ingresses","configmaps","secrets"]
  # Allowed verbs
  verbs: ["get", "watch", "list", "delete"]

---

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: oldboyedu-linux81-resources-reader
  namespace: default
subjects:
# Subject kind
- kind: User
  # User name, i.e. the certificate CN
  name: oldboyedu
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # Role kind
  kind: Role
  # Role name
  name: linux81-role
  apiGroup: rbac.authorization.k8s.io
```

(2) Apply the RBAC objects
kubectl apply -f rbac.yaml

(3) Test with the kubeconfig generated above
kubectl get po,svc,deploy,ing --kubeconfig=oldboyedu-linux81.kubeconfig

Supplementary example: one rule per API group, because a verb is granted per (group, resource) pair. Here deployments can be listed through "extensions" but only created through "apps".

```yaml
[root@k8s151.oldboyedu.com rbac]# cat 02-rbac-pods-get.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: linux82-role-002
rules:
# "" is the core group (configmaps, nodes, pods, services, ...); see `kubectl api-resources`.
- apiGroups: [""]
  # Full plural resource names only
  resources: ["pods","configmaps"]
  verbs: ["list","delete"]
- apiGroups: ["extensions"]
  resources: ["deployments"]
  verbs: ["list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["create"]

---

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: oldboyedu-linux82-resources-reader-002
  namespace: default
subjects:
# Subject kind
- kind: User
  # User name
  name: oldboyedu
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # Role kind
  kind: Role
  # Role name
  name: linux82-role-002
  apiGroup: rbac.authorization.k8s.io
[root@k8s151.oldboyedu.com rbac]#
```
- Granting access to a group (Group)
  A group saves creating a binding per user: bind the group once, and every certificate that carries the group gets the same rights.

  Requirements:
  - in certs.sh, change the O field of yinzhengjie-crs.json to dev and regenerate the certificate and the kubeconfig;
  - bind the dev group to the Role pod-reader;
  - verify: as long as O is dev, the CN may be any user name, and every kubeconfig built from such a certificate has identical permissions.

  Example:

  ```yaml
  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: read-pods
    namespace: default
  subjects:
  - kind: Group
    name: oldboyedu
    apiGroup: rbac.authorization.k8s.io
  roleRef:
    kind: Role
    name: pod-reader
    apiGroup: rbac.authorization.k8s.io
  ```

  Tip:
  (1) The API server does not check the user "first" and the group "second". A request is allowed if any binding whose subjects include the user name (CN) or any of the user's groups (O) references a rule that permits it. The effective permissions are the union of everything bound to the user and to its groups; there is no deny rule and no ordering.
      CN: the user name, e.g. "yinzhengjie".
      O: a group, e.g. "dev". A certificate may carry several O values; each becomes a group.
  (2) Users and groups are read out of the certificate; they are not objects in the cluster. There is nothing to list or delete, so revoking a user means taking the certificate out of circulation (or waiting for it to expire) and removing the bindings.

  Group-based RBAC:
  CN: the user
  O: the group

- 1. Sign a client certificate with the cluster CA
  1.1 Write the certificate request

  ```bash
  cat > ca-config.json <<EOF
  {
    "signing": {
      "default": {
        "expiry": "87600h"
      },
      "profiles": {
        "kubernetes": {
          "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
          ],
          "expiry": "87600h"
        }
      }
    }
  }
  EOF
  cat > oldboyedu-csr.json <<EOF
  {
    "CN": "linux84",
    "hosts": [],
    "key": {
      "algo": "rsa",
      "size": 2048
    },
    "names": [
      {
        "C": "CN",
        "ST": "BeiJing",
        "L": "BeiJing",
        "O": "oldboyedu",
        "OU": "System"
      }
    ]
  }
  EOF
  ```

  1.2 Generate the certificate (user "linux84", group "oldboyedu")
  cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -config=ca-config.json -profile=kubernetes oldboyedu-csr.json | cfssljson -bare oldboyedu-groups

- 2. Generate the kubeconfig file
  2.1 Write the generator script

  ```bash
  cat > kubeconfig.sh <<'EOF'
  kubectl config set-cluster oldboyedu-linux84-groups \
    --certificate-authority=/etc/kubernetes/pki/ca.crt \
    --embed-certs=true \
    --server=https://10.0.0.151:6443 \
    --kubeconfig=oldboyedu-linux84.kubeconfig

  # Client credentials
  kubectl config set-credentials oldboyedu \
    --client-key=oldboyedu-groups-key.pem \
    --client-certificate=oldboyedu-groups.pem \
    --embed-certs=true \
    --kubeconfig=oldboyedu-linux84.kubeconfig

  # Default context
  kubectl config set-context linux84-groups \
    --cluster=oldboyedu-linux84-groups \
    --user=oldboyedu \
    --kubeconfig=oldboyedu-linux84.kubeconfig

  # Current context
  kubectl config use-context linux84-groups --kubeconfig=oldboyedu-linux84.kubeconfig
  EOF
  ```

  2.2 Generate the kubeconfig file
  bash kubeconfig.sh

- 3. Create the RBAC policy

  ```yaml
  [root@k8s151.oldboyedu.com rbac-group]# cat rbac.yaml
  kind: Role
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    namespace: default
    name: linux84-role-reader
  rules:
  # "" is the core group (configmaps, nodes, pods, services, ...). Before Kubernetes 1.16
  # deployments were also in "extensions"; from 1.16 only in "apps". See `kubectl api-resources`.
  - apiGroups: ["","extensions"]
    # Full plural resource names only. "nodes" is cluster-scoped and is not granted by a RoleBinding.
    resources: ["pods","nodes","services","deployments"]
    verbs: ["get", "watch", "list"]

  ---

  kind: RoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: oldboyedu-to-linux84-role-reader
    namespace: default
  subjects:
  # Subject kind
  - kind: Group
    # Group name, i.e. the certificate O field
    name: oldboyedu
    apiGroup: rbac.authorization.k8s.io
  roleRef:
    # Role kind
    kind: Role
    # Role name
    name: linux84-role-reader
    apiGroup: rbac.authorization.k8s.io
  [root@k8s151.oldboyedu.com rbac-group]#
  ```

- 4. Verify the permissions

  ```
  [root@k8s151.oldboyedu.com rbac-group-2]# kubectl --kubeconfig=oldboyedu-linux84.kubeconfig get pods
  NAME                                   READY   STATUS    RESTARTS   AGE
  oldboyedu-mysql-6759c89c75-jcsvv       1/1     Running   0          16h
  oldboyedu-wordpress-76fb9db769-nsdsj   1/1     Running   0          16h
  oldboyedu-wordpress-76fb9db769-w4cjz   1/1     Running   0          16h
  oldboyedu-wordpress-76fb9db769-zftn9   1/1     Running   0          16h
  [root@k8s151.oldboyedu.com rbac-group-2]#
  [root@k8s151.oldboyedu.com rbac-group-2]#
  [root@k8s151.oldboyedu.com rbac-group-2]# kubectl --kubeconfig=oldboyedu-linux84.kubeconfig delete pods --all
  Error from server (Forbidden): pods "oldboyedu-mysql-6759c89c75-jcsvv" is forbidden: User "linux84" cannot delete resource "pods" in API group "" in the namespace "default"
  Error from server (Forbidden): pods "oldboyedu-wordpress-76fb9db769-nsdsj" is forbidden: User "linux84" cannot delete resource "pods" in API group "" in the namespace "default"
  Error from server (Forbidden): pods "oldboyedu-wordpress-76fb9db769-w4cjz" is forbidden: User "linux84" cannot delete resource "pods" in API group "" in the namespace "default"
  Error from server (Forbidden): pods "oldboyedu-wordpress-76fb9db769-zftn9" is forbidden: User "linux84" cannot delete resource "pods" in API group "" in the namespace "default"
  [root@k8s151.oldboyedu.com rbac-group-2]#
  ```
- 1. Sign a second client certificate with the cluster CA. This user has no binding of its own; everything it can do comes from the O=oldboyedu group.
  1.1 Write the certificate request

  ```bash
  cat > ca-config.json <<EOF
  {
    "signing": {
      "default": {
        "expiry": "87600h"
      },
      "profiles": {
        "kubernetes": {
          "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
          ],
          "expiry": "87600h"
        }
      }
    }
  }
  EOF
  cat > oldboyedu-csr.json <<EOF
  {
    "CN": "jasonyin2020",
    "hosts": [],
    "key": {
      "algo": "rsa",
      "size": 2048
    },
    "names": [
      {
        "C": "CN",
        "ST": "BeiJing",
        "L": "BeiJing",
        "O": "oldboyedu",
        "OU": "System"
      }
    ]
  }
  EOF
  ```

  1.2 Generate the certificate
  cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -config=ca-config.json -profile=kubernetes oldboyedu-csr.json | cfssljson -bare jasonyin2020

- 2. Generate the kubeconfig file
  2.1 Write the generator script

  ```bash
  cat > kubeconfig.sh <<'EOF'
  kubectl config set-cluster jasonyin2020-cluster \
    --certificate-authority=/etc/kubernetes/pki/ca.crt \
    --embed-certs=true \
    --server=https://10.0.0.151:6443 \
    --kubeconfig=jasonyin2020.kubeconfig

  # Client credentials
  kubectl config set-credentials jasonyin2020 \
    --client-key=jasonyin2020-key.pem \
    --client-certificate=jasonyin2020.pem \
    --embed-certs=true \
    --kubeconfig=jasonyin2020.kubeconfig

  # Default context
  kubectl config set-context jasonyin2020-oldboyedu \
    --cluster=jasonyin2020-cluster \
    --user=jasonyin2020 \
    --kubeconfig=jasonyin2020.kubeconfig

  # Current context
  kubectl config use-context jasonyin2020-oldboyedu --kubeconfig=jasonyin2020.kubeconfig
  EOF
  ```

  2.2 Generate the kubeconfig file
  bash kubeconfig.sh

- 3. Access test as jasonyin2020

  ```
  [root@k8s151.oldboyedu.com test]# kubectl --kubeconfig=jasonyin2020.kubeconfig get pods
  NAME                                   READY   STATUS    RESTARTS   AGE
  oldboyedu-mysql-6759c89c75-jcsvv       1/1     Running   0          16h
  oldboyedu-wordpress-76fb9db769-nsdsj   1/1     Running   0          16h
  oldboyedu-wordpress-76fb9db769-w4cjz   1/1     Running   0          16h
  oldboyedu-wordpress-76fb9db769-zftn9   1/1     Running   0          16h
  [root@k8s151.oldboyedu.com test]#
  [root@k8s151.oldboyedu.com test]#
  [root@k8s151.oldboyedu.com test]# kubectl --kubeconfig=jasonyin2020.kubeconfig delete pods --all
  Error from server (Forbidden): pods "oldboyedu-mysql-6759c89c75-jcsvv" is forbidden: User "jasonyin2020" cannot delete resource "pods" in API group "" in the namespace "default"
  Error from server (Forbidden): pods "oldboyedu-wordpress-76fb9db769-nsdsj" is forbidden: User "jasonyin2020" cannot delete resource "pods" in API group "" in the namespace "default"
  Error from server (Forbidden): pods "oldboyedu-wordpress-76fb9db769-w4cjz" is forbidden: User "jasonyin2020" cannot delete resource "pods" in API group "" in the namespace "default"
  Error from server (Forbidden): pods "oldboyedu-wordpress-76fb9db769-zftn9" is forbidden: User "jasonyin2020" cannot delete resource "pods" in API group "" in the namespace "default"
  [root@k8s151.oldboyedu.com test]#
  ```
(1) Before the change

```
[root@k8s151.oldboyedu.com rbac-group-2]# kubectl --kubeconfig=oldboyedu-linux84.kubeconfig get secret
Error from server (Forbidden): secrets is forbidden: User "linux84" cannot list resource "secrets" in API group "" in the namespace "default"
[root@k8s151.oldboyedu.com rbac-group-2]#


[root@k8s151.oldboyedu.com test]# kubectl --kubeconfig=jasonyin2020.kubeconfig get secret
Error from server (Forbidden): secrets is forbidden: User "jasonyin2020" cannot list resource "secrets" in API group "" in the namespace "default"
[root@k8s151.oldboyedu.com test]#
```

(2) Extend the Role. Adding "secrets" with "list" hands every member of the group the full contents of every Secret in the namespace (a list response carries the data, not just the names), including the registry credentials and the service-account tokens shown below; grant it only to groups that really need it.

```yaml
[root@k8s151.oldboyedu.com rbac-group-2]# cat rbac.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: linux84-role-reader
rules:
# "" is the core group (configmaps, nodes, pods, services, ...). Before Kubernetes 1.16
# deployments were also in "extensions"; from 1.16 only in "apps". See `kubectl api-resources`.
- apiGroups: ["","extensions"]
  # Full plural resource names only
  resources: ["pods","nodes","services","deployments","configmaps","secrets"]
  verbs: ["get", "watch", "list"]

---

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: oldboyedu-to-linux84-role-reader
  namespace: default
subjects:
# Subject kind
- kind: Group
  # Group name
  name: oldboyedu
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # Role kind
  kind: Role
  # Role name
  name: linux84-role-reader
  apiGroup: rbac.authorization.k8s.io
[root@k8s151.oldboyedu.com rbac-group-2]#
```

(3) Verify after the change

```
[root@k8s151.oldboyedu.com rbac-group-2]# kubectl --kubeconfig=oldboyedu-linux84.kubeconfig get secret
NAME                  TYPE                                  DATA   AGE
default-token-snlh2   kubernetes.io/service-account-token   3      8d
harbor-linux84        kubernetes.io/dockerconfigjson        1      5d17h
linux84               kubernetes.io/dockerconfigjson        1      6d15h
oldboyedu-passwd      Opaque                                4      6d16h
[root@k8s151.oldboyedu.com rbac-group-2]#


[root@k8s151.oldboyedu.com test]# kubectl --kubeconfig=jasonyin2020.kubeconfig get secret
NAME                  TYPE                                  DATA   AGE
default-token-snlh2   kubernetes.io/service-account-token   3      8d
harbor-linux84        kubernetes.io/dockerconfigjson        1      5d17h
linux84               kubernetes.io/dockerconfigjson        1      6d15h
oldboyedu-passwd      Opaque                                4      6d16h
[root@k8s151.oldboyedu.com test]#
```
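The RBAC behaviour seen in the certificate, user, group and secrets sections above, modelled as an added example that is not part of the original notes. It reproduces three things: CN becomes the user name and every O a group; a RoleBinding grants by user or by group and the result is a union with no user-before-group order; and a rule only applies when apiGroup, resource and verb all match, in the binding's namespace, for namespaced kinds only. The Role, binding and certificate subjects are transcribed from the manifests above as dicts; `CLUSTER_SCOPED`, the "dev-user" subject and the function names are this example's own.

```python
"""Model of Kubernetes RBAC for client-certificate users and groups.

Added example, not code from the original notes. Objects are dicts transcribed
from the manifests in this section.
"""

# Constructed: a few cluster-scoped kinds. A RoleBinding can never grant these,
# however the Role's rules read, which is why "nodes" in a Role is dead weight.
CLUSTER_SCOPED = {"nodes", "persistentvolumes", "namespaces", "storageclasses"}


def identity_from_subject(subject):
    """x509 subject (shaped like the cfssl CSR fields) -> (user, groups)."""
    orgs = subject.get("O", [])
    groups = [orgs] if isinstance(orgs, str) else list(orgs)
    return subject["CN"], ["system:authenticated", *groups]


def _allows(allowed, value):
    return "*" in allowed or value in allowed


def rule_matches(rule, api_group, resource, verb):
    return (_allows(rule["apiGroups"], api_group)
            and _allows(rule["resources"], resource)
            and _allows(rule["verbs"], verb))


def subject_matches(subjects, user, groups):
    return any((s["kind"] == "User" and s["name"] == user)
               or (s["kind"] == "Group" and s["name"] in groups)
               for s in subjects)


def authorize(user, groups, namespace, api_group, resource, verb, roles, bindings):
    """True if any binding whose subjects include the user or one of its groups
    references a role with a matching rule. Order is irrelevant: RBAC is
    allow-only, so the first match wins and nothing can take it back."""
    for b in bindings:
        if b["kind"] == "RoleBinding":
            if b["namespace"] != namespace or resource in CLUSTER_SCOPED:
                continue
        if not subject_matches(b["subjects"], user, groups):
            continue
        role = roles[(b["roleRef"]["kind"], b["roleRef"]["name"])]
        if any(rule_matches(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False


# --- transcribed from the section, after secrets were added to the Role ---
ROLES = {("Role", "linux84-role-reader"): {"rules": [
    {"apiGroups": ["", "extensions"],
     "resources": ["pods", "nodes", "services", "deployments", "configmaps", "secrets"],
     "verbs": ["get", "watch", "list"]}]}}

BINDINGS = [{"kind": "RoleBinding", "namespace": "default",
             "subjects": [{"kind": "Group", "name": "oldboyedu"}],
             "roleRef": {"kind": "Role", "name": "linux84-role-reader"}}]

LINUX84 = identity_from_subject({"CN": "linux84", "O": "oldboyedu"})
JASONYIN = identity_from_subject({"CN": "jasonyin2020", "O": "oldboyedu"})
OUTSIDER = identity_from_subject({"CN": "dev-user", "O": "dev"})  # constructed


def can(identity, namespace, api_group, resource, verb):
    user, groups = identity
    return authorize(user, groups, namespace, api_group, resource, verb, ROLES, BINDINGS)


if __name__ == "__main__":
    for who in (LINUX84, JASONYIN, OUTSIDER):
        print(who[0], "list pods:", can(who, "default", "", "pods", "list"),
              "delete pods:", can(who, "default", "", "pods", "delete"))
```

Two of the checks are worth running in your head against the manifests: `can(LINUX84, "default", "apps", "deployments", "list")` is False although "deployments" is in the rule, because the rule names the "extensions" group only; and `can(LINUX84, "default", "", "nodes", "list")` is False although "nodes" is in the rule, because a RoleBinding cannot reach a cluster-scoped kind.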
See the class notes.
Helm manages Kubernetes manifests the way a package manager manages software on Linux (yum on CentOS, apt on Ubuntu).

Helm terminology:
helm:
    The command-line tool used to create, package, publish and manage charts.
chart:
    The application description: a set of files that describe the Kubernetes resources of one application.
release:
    A deployed instance of a chart. Running a chart with helm produces a release, and the release creates the corresponding resources in the cluster.
Deploying a service raises several practical problems:
(1) Many manifests are hard to manage. How do you treat them as one service?
    - deploy, ds, rs, ...
    - cm, secret
    - pv, pvc, sc
    - ...
(2) How do you version an application, i.e. publish it and roll back to a given version?
(3) How do you reuse manifest files efficiently?
...

As the figure shows, Helm has two major versions, v2 and v3.

The Helm team released v3 in November 2019. The biggest change was removing Tiller, together with a large rewrite of the code base. Tiller was an in-cluster component that applied manifests with its own, usually very broad, ServiceAccount; in v3 the helm client talks to the API server with the caller's own kubeconfig, so what a release may create is bounded by the caller's RBAC rights.

Helm v3 also relaxed a number of v2 restrictions, for example releases with the same name in different namespaces are now allowed. Use v3 in production: it has more features and is the actively maintained line.

Official site:
https://helm.sh/docs/intro/install/

GitHub releases:
https://github.com/helm/helm/releases
wget https://get.helm.sh/helm-v3.9.0-linux-amd64.tar.gz
get.helm.sh publishes a .sha256sum file next to every tarball; compare it against the downloaded archive before unpacking.

(1) Unpack the archive
tar xf helm-v3.9.0-linux-amd64.tar.gz

(2) Move the binary onto the PATH
mv linux-amd64/helm /usr/local/sbin/

(3) Clean up
rm -rf linux-amd64/

(4) Confirm the install worked (see the figure)
helm -h

(5) Available commands
completion:
    Generate shell completion; use with "source <(helm completion bash)".

create:
    Create a new chart with the given name.

dependency:
    Manage a chart's dependencies.

env:
    Show the helm client's environment variables.

get:
    Download extended information about a named release.

help:
    Show help.

history:
    Show the revision history of a release.

install:
    Install a chart.

lint:
    Check a chart for possible problems.

list:
    List releases.

package:
    Package a chart directory into a chart archive.

plugin:
    Install, list or uninstall Helm plugins.

pull:
    Download a chart from a repository and (optionally) unpack it locally.

repo:
    Add, list, remove, update and index chart repositories.

rollback:
    Roll a release back to a previous revision.

search:
    Search charts for a keyword.

show:
    Show information about a chart.

status:
    Show the status of the named release.

template:
    Render the templates locally.

test:
    Run a release's tests.

uninstall:
    Uninstall a release.

upgrade:
    Upgrade a release.

verify:
    Verify that the chart at the given path has been signed and is valid.

version:
    Show the client version.
(1) Enable helm completion in the current shell
source <(helm completion bash)

(2) Enable it for new sessions on Linux
helm completion bash > /etc/bash_completion.d/helm

(3) Enable it for new sessions on macOS
helm completion bash > /usr/local/etc/bash_completion.d/helm
(1) Create a chart
helm create oldboyedu-linux80

(2) Create a namespace imperatively
kubectl create ns oldboyedu-helm

(3) Install the chart
helm install linux80-web01 oldboyedu-linux80 -n oldboyedu-helm

(4) Look at the release and at the cluster resources it created (helm 3.9's default chart installs nginx:1.16)
helm list -n oldboyedu-helm
kubectl get all -n oldboyedu-helm

(5) Change the values to use a custom image, then install again
vim oldboyedu-linux80/values.yaml
...
image:
  repository: k8s201.oldboyedu.com:5000/jasonyin2020/oldboyedu-games
  ...
  tag: v0.2

(6) Install the chart a second time. The release name must differ; the chart name can stay the same.
helm install linux80-web02 oldboyedu-linux80 -n oldboyedu-helm

(7) Uninstall the releases
helm uninstall linux80-web01 -n oldboyedu-helm
helm uninstall linux80-web02 -n oldboyedu-helm

(1) Empty the chart's templates so they can be replaced with our own
rm -f oldboyedu-linux80/templates/*
rm -f oldboyedu-linux80/templates/tests/*

(2) Empty the values file
> oldboyedu-linux80/values.yaml

(3) Describe the chart

```bash
cat > oldboyedu-linux80/Chart.yaml <<'EOF'
apiVersion: v2
name: oldboyedu-linux80
description: oldboyedu linux80 k8s tomcat demo deploy
type: application
version: "v0.1"
appVersion: "1.0"
EOF
```

(4) Write the manifests. Two things to watch in this lab manifest: the MySQL root password is a literal in the Deployment (it ends up in every `kubectl get deploy -o yaml`; use a Secret and `valueFrom.secretKeyRef` outside a lab), and nodePort 8080 is outside the default NodePort range 30000-32767, so the Service is rejected unless the API server runs with a widened --service-node-port-range.

```bash
cat > oldboyedu-linux80/templates/deploy-tomcat.yaml <<'EOF'
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: mysql
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: oldboyedu-mysql
    spec:
      volumes:
      - name: data
        nfs:
          server: 10.0.0.201
          path: /oldboyedu/data/kubernetes/mysql/tomcat
      containers:
      - name: mysql
        image: k8s201.oldboyedu.com:5000/mysql:5.7
        ports:
        - containerPort: 3306
        env:
        - name: MYSQL_ROOT_PASSWORD
          value: '123456'
        volumeMounts:
        - name: data
          mountPath: /var/lib/mysql
---
apiVersion: v1
kind: Service
metadata:
  name: oldboyedu-mysql
spec:
  selector:
    app: oldboyedu-mysql
  ports:
  - port: 3306
    targetPort: 3306
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oldboyedu-tomcat-app
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: oldboyedu-tomcat-app
    spec:
      containers:
      - name: myweb
        # image: jasonyin2020/tomcat-app:v1
        image: k8s201.oldboyedu.com:5000/tomcat-app:v1
        ports:
        - containerPort: 8080
        env:
        - name: MYSQL_SERVICE_HOST
          value: oldboyedu-mysql
        - name: MYSQL_SERVICE_PORT
          value: '3306'
---
apiVersion: v1
kind: Service
metadata:
  name: oldboyedu-tomcat-app
spec:
  type: NodePort
  selector:
    app: oldboyedu-tomcat-app
  ports:
  - port: 8080
    targetPort: 8080
    nodePort: 8080
EOF
```

(5) Install the custom chart
helm install linux80-tomcat oldboyedu-linux80 -n oldboyedu-helm

(6) Custom post-install message (see the figure)
helm -n oldboyedu-helm uninstall linux80-tomcat   # uninstall first
echo "welcome to use oldboyedu tomcat apps ..." > oldboyedu-linux80/templates/NOTES.txt
helm install linux80-tomcat oldboyedu-linux80 -n oldboyedu-helm

(7) Uninstall the release
helm -n oldboyedu-helm uninstall linux80-tomcat

(1) Write values.yaml

```bash
cat > oldboyedu-linux80/values.yaml <<'EOF'
image:
  repository: k8s201.oldboyedu.com:5000/tomcat-app
  tag: v1

storage:
  pvc: oldboyedu-tomcat-pvc
  sc: managed-nfs-storage

apps:
  school: oldboyedu
  class: linux80

name: tomcat
version: v0.1
EOF
```

(2) Post-install message that reads the values

```bash
cat > oldboyedu-linux80/templates/NOTES.txt <<'EOF'
welcome to use oldboyedu tomcat apps ...

Welcome to oldboyedu, website: https://www.oldboyedu.com/


The service you deployed is [{{ .Values.image.repository }}:{{ .Values.image.tag }}]

Your school --->【{{ .Values.apps.school }}】
Your class  --->【{{ .Values.apps.class }}】


Successful deploy {{ .Values.name }}:{{ .Values.version }} !!!
EOF
```

(3) Manifests that reference the values. The same two caveats as before apply: the MySQL root password is a plain literal, and nodePort 8080 is outside the default 30000-32767 range.

```bash
cat > oldboyedu-linux80/templates/oldboyedu-deploy-mysql.yaml <<'EOF'
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: mysql
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: oldboyedu-mysql
    spec:
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: {{ .Values.storage.pvc }}
      containers:
      - name: mysql
        image: k8s201.oldboyedu.com:5000/mysql:5.7
        ports:
        - containerPort: 3306
        env:
        - name: MYSQL_ROOT_PASSWORD
          value: '123456'
        volumeMounts:
        - name: data
          mountPath: /var/lib/mysql
EOF

cat > oldboyedu-linux80/templates/oldboyedu-deploy-tomcat.yaml <<'EOF'
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oldboyedu-tomcat-app
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: oldboyedu-tomcat-app
    spec:
      containers:
      - name: myweb
        # image: jasonyin2020/tomcat-app:v1
        image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
        ports:
        - containerPort: 8080
        env:
        - name: MYSQL_SERVICE_HOST
          value: oldboyedu-mysql
        - name: MYSQL_SERVICE_PORT
          value: '3306'
EOF

cat > oldboyedu-linux80/templates/oldboyedu-mysql-svc.yaml <<'EOF'
apiVersion: v1
kind: Service
metadata:
  name: oldboyedu-mysql
spec:
  selector:
    app: oldboyedu-mysql
  ports:
  - port: 3306
    targetPort: 3306
EOF

cat > oldboyedu-linux80/templates/oldboyedu-sc-pvc.yaml <<'EOF'
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: {{ .Values.storage.pvc }}
  annotations:
    # Legacy (beta) annotation; storageClassName below is the supported field. The sc must exist.
    volume.beta.kubernetes.io/storage-class: {{ .Values.storage.sc }}
spec:
  storageClassName: {{ .Values.storage.sc }}
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 100Mi
EOF

cat > oldboyedu-linux80/templates/oldboyedu-tomcat-svc.yaml <<'EOF'
apiVersion: v1
kind: Service
metadata:
  name: oldboyedu-tomcat-app
spec:
  type: NodePort
  selector:
    app: oldboyedu-tomcat-app
  ports:
  - port: 8080
    targetPort: 8080
    nodePort: 8080
EOF
```

(4) Install the chart
helm -n oldboyedu-helm install linux80-tomcat oldboyedu-linux80

(5) Verify in the cluster (see the figure). PVs are cluster-scoped, so the -n flag only filters the PVC part of the second command.
kubectl get all -n oldboyedu-helm
kubectl get pv,pvc -n oldboyedu-helm

(6) Clean up
helm -n oldboyedu-helm uninstall linux80-tomcat


(1) Create a chart
helm create oldboyedu-web

(2) Edit values.yaml to install nginx 1.14. Quote the tag: an unquoted YAML value like 1.20 or 1.10 is parsed as the float 1.2 or 1.1, and the rendered image tag silently changes.
vim oldboyedu-web/values.yaml
...
image:
  ...
  tag: "1.14"

(3) Install the chart
helm install linux80-web oldboyedu-web

(4) Check the deployed nginx version
Omitted.

(5) List the release (see the figure)
helm list

(1) Edit the values file
vim oldboyedu-web/values.yaml
...
image:
  ...
  tag: "1.16"

(2) Upgrade from the file
helm upgrade -f oldboyedu-web/values.yaml linux80-web oldboyedu-web

(3) Look at the release (see the figure)
helm list
helm history linux80-web   # revision history of one release

(4) Edit the file again
vim oldboyedu-web/values.yaml
...
image:
  ...
  tag: "1.18"

(5) Upgrade from the file again
helm upgrade -f oldboyedu-web/values.yaml linux80-web oldboyedu-web

(1) Upgrade from the command line. The keys are the ones defined in values.yaml; a value given with --set is typed (3 becomes an integer, 1.20 stays the string "1.20"), and it is layered on top of the file's values.
helm upgrade --set image.tag=1.20,replicaCount=3 linux80-web oldboyedu-web

(2) Look at the revision history of the release (see the figure)
helm history linux80-web
helm list

(3) Upgrade once more; the image version may be lower than the current one
helm upgrade --set image.tag=1.14,replicaCount=5 linux80-web oldboyedu-web
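What `--set image.tag=1.20,replicaCount=3` turns into before the templates see it, as an added example that is not Helm's code or part of the original notes. It mirrors the relevant part of Helm's strvals parser (dotted keys become nested maps; true/false become booleans, "0" or an integer without a leading zero becomes an int, anything else, including "1.20", stays a string; `\,` escapes a comma), layers the result over the chart's values, and renders the `{{ .Values.x.y }}` references used in NOTES.txt and the templates above. Only that subset of the template language is implemented, and `DEFAULT_VALUES` is a constructed copy of what `helm create` writes.

```python
"""Model of helm --set parsing, value merging and .Values rendering.

Added example, not Helm's code. Covers the subset of the syntax used in the
notes above.
"""
import re


def typed(raw):
    """Helm's --set scalar typing (no float parsing: "1.20" stays a string)."""
    low = raw.lower()
    if low == "true":
        return True
    if low == "false":
        return False
    if low == "null":
        return None
    if raw == "0":
        return 0
    if raw and raw[0] != "0":
        try:
            return int(raw)
        except ValueError:
            pass
    return raw


def parse_set(expr):
    """'image.tag=1.20,replicaCount=3' -> nested dict. A comma escaped as '\\,' is literal."""
    out = {}
    for pair in re.split(r"(?<!\\),", expr):
        key, _, value = pair.replace("\\,", ",").partition("=")
        node = out
        parts = key.strip().split(".")
        for p in parts[:-1]:
            node = node.setdefault(p, {})
        node[parts[-1]] = typed(value)
    return out


def merge(base, override):
    """Deep-merge override into a copy of base: maps merge, scalars replace."""
    result = dict(base)
    for k, v in override.items():
        if isinstance(v, dict) and isinstance(result.get(k), dict):
            result[k] = merge(result[k], v)
        else:
            result[k] = v
    return result


def render(template, values):
    """Substitute {{ .Values.a.b }} references (the only form used in NOTES.txt above)."""
    def lookup(m):
        node = values
        for part in m.group(1).split("."):
            node = node[part]
        return str(node)
    return re.sub(r"\{\{\s*\.Values\.([\w.]+)\s*\}\}", lookup, template)


# Constructed defaults, as `helm create` writes them into values.yaml.
DEFAULT_VALUES = {"replicaCount": 1,
                  "image": {"repository": "nginx", "pullPolicy": "IfNotPresent", "tag": ""}}


def upgrade_values(set_expr, base=DEFAULT_VALUES):
    """Values a `helm upgrade --set <set_expr>` would hand to the templates."""
    return merge(base, parse_set(set_expr))


if __name__ == "__main__":
    v = upgrade_values("image.tag=1.20,replicaCount=3")
    print(render("{{ .Values.image.repository }}:{{ .Values.image.tag }} "
                 "x{{ .Values.replicaCount }}", v))
```

The same tag written unquoted in values.yaml goes through the YAML parser instead of this typing, which is why `tag: 1.20` in the file renders as nginx:1.2 while `--set image.tag=1.20` renders as nginx:1.20.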



helm rollback linux80-web   # no revision given: roll back to the previous revision

helm rollback linux80-web 2   # roll back to revision 2 (see `helm history linux80-web`)
Public chart repositories whose packaged charts can be used directly:
Microsoft mirror:
http://mirror.azure.cn/kubernetes/charts/

Alibaba Cloud mirror:
https://kubernetes.oss-cn-hangzhou.aliyuncs.com/charts
helm repo list
    Show the configured repositories; by default there are none.

helm repo add azure http://mirror.azure.cn/kubernetes/charts/
    Add the Microsoft mirror to the helm client under the name "azure". The URL is plain HTTP, so the index and the charts arrive unauthenticated; prefer the https form of a mirror where one exists.

helm repo update
    Refresh the repository indexes.

helm search repo mysql

(1) Download the chart (this assumes the Alibaba Cloud mirror was added under the repository name oldboyedu-aliyun)
helm pull oldboyedu-aliyun/elasticsearch-exporter

(2) Unpack it
tar xf elasticsearch-exporter-0.1.2.tgz

(3) Install it
helm install oldboyedu-es-exporter elasticsearch-exporter

(4) Check that the service answers
curl `kubectl get svc/oldboyedu-es-exporter-elasticsearch-exporter -o custom-columns=clusterIP:.spec.clusterIP | tail -1`:9108/metrics

To be written. Hint: the chartmuseum project is a good fit for a private repository.

Recommended reading:
https://github.com/helm/chartmuseum
https://hub.docker.com/r/chartmuseum/chartmuseum
Project background:
At management's request, move the test environment onto a Kubernetes cluster and integrate Jenkins for automated code releases and rollbacks.

Responsibilities:
(1) Cluster planning, deployment, documentation, cross-team coordination and other tasks assigned by management;
(2) GitLab high-availability deployment, backup and restore, documentation and day-to-day troubleshooting;
(3) Jenkins set-up, high-availability deployment, documentation and day-to-day troubleshooting;
(4) Harbor high-availability deployment and account management, migration from docker-registry, writing Dockerfiles and docker-compose files;
(5) Kubernetes high-availability deployment, cluster maintenance, monitoring, documentation, and the Jenkins integration for automated releases.

Outcome:
Production experience with Jenkins, Kubernetes, GitLab and Harbor, in particular with day-to-day Kubernetes operations.


(1) Unpack the bundle
yum -y install unzip
unzip jenkins-k8s.zip

(2) Install the JDK (see the figure)
cd jenkins-k8s && rpm -ivh jdk-8u102-linux-x64.rpm && java -version

(3) Unpack Tomcat
mkdir -pv /oldboyedu/softwares && tar xf apache-tomcat-8.0.27.tar.gz -C /oldboyedu/softwares

(4) Remove Tomcat's default web applications
rm -rf /oldboyedu/softwares/apache-tomcat-8.0.27/webapps/*

(5) Copy the Jenkins war into Tomcat's application directory. The name ROOT.war matters: it serves Jenkins at / instead of /jenkins.
cp jenkins.war /oldboyedu/softwares/apache-tomcat-8.0.27/webapps/ROOT.war

(6) Unpack the Jenkins data into /root; this creates the hidden directory /root/.jenkins
tar xf jenkins-data.tar.gz -C /root/

(7) Start Tomcat
/oldboyedu/softwares/apache-tomcat-8.0.27/bin/startup.sh

(8) Check that the port is listening
ss -ntl | grep 8080

(9) Open the Jenkins web UI
See the figure.

(10) Install git on the Jenkins server
yum -y install git

Tip: started this way Jenkins runs as root, and every build step in every job runs with that privilege. Fine for the lab; in production run Tomcat as a dedicated user.


(1) Create the remote repository
Omitted.

(2) Install packages
yum -y install unzip git

(3) Configure git
git config --global user.name "jasonyin2020"
git config --global user.email "y1053419035@qq.com"

(4) Unpack the sample code and push it to the remote (git may prompt for your user name and password)
unzip yiliaoqixie.zip && cd yiliaoqixie
git init
git add .
git commit -m 'oldboyedu linux80 first commit'
git remote add origin https://gitee.com/jasonyin2020/linux80-yiliao.git
git push -u origin "master"

(5) Confirm the code arrived in the remote repository
See the figure.

(1) Create the job, clicking through in this order:
    1) "New Item";
    2) enter the name "oldboyedu-yiliao", choose "Freestyle project", click "OK";
    3) "Source Code Management" ---> "Git";
    4) paste the repository URL "https://gitee.com/jasonyin2020/linux80-yiliao";
    5) click "Add" to create the credential used to log in to gitee, as in the figure;

(2) Build steps
    1) "Build Triggers" ---> "Build" ---> "Add build step";
    2) add a shell step with
       ls -lh
       pwd
    3) save, as in the figure.

(3) Build
    1) click "Build Now";


(1) Write the Dockerfile

```bash
cat > Dockerfile <<'EOF'
FROM k8s201.oldboyedu.com:5000/nginx:1.20.1

LABEL school=oldboyedu \
      class=linux80 \
      address=BeiJing

COPY . /usr/share/nginx/html
EOF
```

(2) Push it to the remote repository
git add .
git config --global user.name "jasonyin2020"
git config --global user.email "y1053419035@qq.com"
git commit -m "add dockerfile"
git push -u origin "master"

(3) Parameterise the build, clicking through in this order:
    1) edit the job, open "General";
    2) tick "This project is parameterized";
    3) "Add Parameter";
    4) "String Parameter";
    5) name the variable "version", as in the figure;

(4) Replace the job's shell step with
docker build -t k8s201.oldboyedu.com:5000/yiliao:$version .
docker push k8s201.oldboyedu.com:5000/yiliao:$version

(5) Save
See the figure.

(6) Build
Click "Build with Parameters" and enter a version.

Tip: $version is expanded by the shell unquoted, so anyone allowed to trigger the job can inject commands through it. Quote it ("$version") and reject anything that is not a plain tag, e.g. `[[ "$version" =~ ^[A-Za-z0-9._-]+$ ]] || exit 1`, as the first line of the step. The step also needs access to the Docker daemon on the Jenkins host, which is equivalent to root there; keep that host dedicated to builds.


(1) Deploy the service

```bash
cat > deploy-yiliao-project.yaml <<'EOF'
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oldboyedu-linux80-deploy-yiliao-project
spec:
  replicas: 3
  selector:
    matchLabels:
      apps: oldboyedu-web
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 2
      maxUnavailable: 1
  template:
    metadata:
      name: linux80-pod
      labels:
        apps: oldboyedu-web
    spec:
      containers:
      - name: linux80-web
        image: k8s201.oldboyedu.com:5000/yiliao:v0.2
---
apiVersion: v1
kind: Service
metadata:
  name: oldboyedu-linux80-yiliao
spec:
  type: NodePort
  selector:
    apps: oldboyedu-web
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
    nodePort: 30080
EOF
```

(2) Automatic image update: add the following line to the job's shell step (see the figure)
kubectl set image deployments oldboyedu-linux80-deploy-yiliao-project linux80-web=k8s201.oldboyedu.com:5000/yiliao:$version

Tip: this gives the Jenkins host a kubeconfig. Do not hand it the admin one; issue a certificate or ServiceAccount bound to a Role that allows only get/patch on deployments in the target namespace (see the RBAC section), so a compromised build server cannot do more than roll out images.
(1) Create a new item named "oldboyedu-yiliao-undo"
Omitted; follow the notes above.

(2) Its shell step is the same single line, given the version to go back to
kubectl set image deployments oldboyedu-linux80-deploy-yiliao-project linux80-web=k8s201.oldboyedu.com:5000/yiliao:$version

(3) Test the rollback
Omitted; see the video. (`kubectl rollout undo deployment/oldboyedu-linux80-deploy-yiliao-project` is the built-in alternative that returns to the previous revision without naming a tag.)
Project background:
At management's request, build a log collection platform to analyse blacklist logs, authentication logs, user-reported logs, anti-fraud logs, SDK and web logs, and Kubernetes logs.

Responsibilities:
(1) Early cross-team requirements gathering, architecture and hardware selection, project follow-up;
(2) Building the Elastic Stack: the ES cluster, logstash, filebeat, kibana, zookeeper, kafka and so on;
(3) Collecting user-reported, authentication, blacklist and anti-fraud logs: 1.5 TB of new data per day, 2.7 TB at peak;
(4) Automation scripts, monitoring, tuning, troubleshooting and documentation;
(5) Coordination with other departments and other tasks assigned by management.

Outcome:
A deep understanding of the Elastic Stack and production experience with it.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: oldboyedu-elk

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: elasticsearch
  namespace: oldboyedu-elk
  labels:
    k8s-app: elasticsearch
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: elasticsearch
  template:
    metadata:
      labels:
        k8s-app: elasticsearch
    spec:
      containers:
      # Elasticsearch version to run
      - image: k8s151.oldboyedu.com:5000/elasticsearch:7.17.2
        name: elasticsearch
        resources:
          limits:
            cpu: 2
            memory: 3Gi
          requests:
            cpu: 0.5
            memory: 500Mi
        env:
        # Single-node discovery, because this is a lab deployment
        - name: "discovery.type"
          value: "single-node"
        - name: ES_JAVA_OPTS
          value: "-Xms512m -Xmx512m"
        ports:
        - containerPort: 9200
          name: db
          protocol: TCP
        volumeMounts:
        - name: elasticsearch-data
          mountPath: /usr/share/elasticsearch/data
      volumes:
      - name: elasticsearch-data
        persistentVolumeClaim:
          claimName: es-pvc

---

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: es-pvc
  namespace: oldboyedu-elk
spec:
  storageClassName: "linux81-sc"
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 10Gi

---

apiVersion: v1
kind: Service
metadata:
  name: elasticsearch
  namespace: oldboyedu-elk
spec:
  ports:
  - port: 9200
    protocol: TCP
    targetPort: 9200
  selector:
    k8s-app: elasticsearch
```

Note: with no xpack.security settings, Elasticsearch 7.17 starts without authentication, so every workload that can reach the elasticsearch Service can read, write and delete any index. Acceptable in a lab; in anything shared, enable security or at least fence the namespace with a NetworkPolicy.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kibana
  namespace: oldboyedu-elk
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: kibana
  template:
    metadata:
      labels:
        k8s-app: kibana
    spec:
      containers:
      - name: kibana
        image: k8s151.oldboyedu.com:5000/kibana:7.17.2
        resources:
          limits:
            cpu: 2
            memory: 2Gi
          requests:
            cpu: 0.5
            memory: 500Mi
        env:
        - name: ELASTICSEARCH_HOSTS
          value: http://elasticsearch.oldboyedu-elk:9200
        - name: I18N_LOCALE
          value: zh-CN
        ports:
        - containerPort: 5601
          name: ui
          protocol: TCP

---
apiVersion: v1
kind: Service
metadata:
  name: kibana
  namespace: oldboyedu-elk
spec:
  type: NodePort
  ports:
  - port: 5601
    protocol: TCP
    targetPort: ui
    nodePort: 35601
  selector:
    k8s-app: kibana
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-config
  namespace: oldboyedu-elk
  labels:
    k8s-app: filebeat
data:
  filebeat.yml: |-
    filebeat.config:
      inputs:
        # Mounted `filebeat-inputs` configmap:
        path: ${path.config}/inputs.d/*.yml
        # Reload inputs configs as they change:
        reload.enabled: false
      modules:
        path: ${path.config}/modules.d/*.yml
        # Reload module configs as they change:
        reload.enabled: false

    output.elasticsearch:
      hosts: ['elasticsearch.oldboyedu-elk:9200']
      # Changing the index is not recommended: once the index name is changed, Pod logs will no longer be collected!
      # Only uncomment the line below if you are sure you do not collect Pod logs and need a custom index name.
      # index: 'oldboyedu-linux-elk-%{+yyyy.MM.dd}'

    # Index template settings
    # setup.ilm.enabled: false
    # setup.template.name: "oldboyedu-linux-elk"
    # setup.template.pattern: "oldboyedu-linux-elk*"
    # setup.template.overwrite: true
    # setup.template.settings:
    #   index.number_of_shards: 3
    #   index.number_of_replicas: 0

---

# Note: upstream deprecated the docker input type in Filebeat 7.2; switch to the container type later.
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-inputs
  namespace: oldboyedu-elk
  labels:
    k8s-app: filebeat
data:
  kubernetes.yml: |-
    - type: docker
      containers.ids:
      - "*"
      processors:
        - add_kubernetes_metadata:
            in_cluster: true

---

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: filebeat
  namespace: oldboyedu-elk
  labels:
    k8s-app: filebeat
spec:
  selector:
    matchLabels:
      k8s-app: filebeat
  template:
    metadata:
      labels:
        k8s-app: filebeat
    spec:
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
        operator: Exists
      serviceAccountName: filebeat
      terminationGracePeriodSeconds: 30
      containers:
      - name: filebeat
        # Note: the recommended upstream Filebeat image is "elastic/filebeat:7.10.2";
        # versions above it ("elastic/filebeat:7.10.2") may fail to collect Pod logs and metrics from the K8s cluster.
        # In my testing, the 7.12.2 release (open-sourced 2022-04-01) still had this problem!
        # Filebeat and ES versions do not need to match; the ES version I tested with is 7.17.2
        #
        # TODO: try a newer image later and switch the input type to container, since upstream deprecated the docker input type in Filebeat 7.2!
        image: k8s151.oldboyedu.com:5000/filebeat:7.10.2
        args: [
          "-c", "/etc/filebeat.yml",
          "-e",
        ]
        # For temporary debugging when something goes wrong; remember to comment out args
        # command: ["sleep","3600"]
        securityContext:
          runAsUser: 0
          # If using Red Hat OpenShift uncomment this:
          #privileged: true
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 100Mi
        volumeMounts:
        - name: config
          mountPath: /etc/filebeat.yml
          readOnly: true
          subPath: filebeat.yml
        - name: inputs
          mountPath: /usr/share/filebeat/inputs.d
          readOnly: true
        - name: data
          mountPath: /usr/share/filebeat/data
        - name: varlibdockercontainers
          mountPath: /var/lib/docker/containers
          readOnly: true
      volumes:
      - name: config
        configMap:
          defaultMode: 0600
          name: filebeat-config
      - name: varlibdockercontainers
        hostPath:
          path: /var/lib/docker/containers
      - name: inputs
        configMap:
          defaultMode: 0600
          name: filebeat-inputs
      # data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart
      - name: data
        hostPath:
          path: /var/lib/filebeat-data
          type: DirectoryOrCreate

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: filebeat
subjects:
- kind: ServiceAccount
  name: filebeat
  namespace: oldboyedu-elk
roleRef:
  kind: ClusterRole
  name: filebeat
  apiGroup: rbac.authorization.k8s.io

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: filebeat
  labels:
    k8s-app: filebeat
rules:
- apiGroups: [""] # "" indicates the core API group
  resources:
  - namespaces
  - pods
  verbs:
  - get
  - watch
  - list

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: filebeat
  namespace: oldboyedu-elk
  labels:
    k8s-app: filebeat

Project background:
At management's request, the test k8s cluster needed monitoring; since Zabbix is not particularly container-friendly, Prometheus was chosen for monitoring.

Project responsibilities:
(1) Responsible for researching the Prometheus monitoring system, deploying its components and writing technical documentation;
(2) Responsible for deploying the Prometheus monitoring system, including but not limited to prometheus server, pushgateway, alertmanager, grafana, etc.;
(3) Monitored the k8s master and worker nodes with node_exporter;
(4) Monitored k8s cluster resources such as namespaces and Pods, and visualized them with grafana;
(5) Collected certain custom monitoring metrics separately via pushgateway;

Project takeaways:
Gained an in-depth understanding of the Prometheus stack and some production experience with it.


(1) Configure dynamic storage
Omitted; refer to the earlier notes on deploying the NFS StorageClass.

(1) Adjust the ep resource configuration to match your cluster, as shown in the figure above
cd serviceMonitor/ && ls | xargs grep ip

(2) Create the custom resources
cd /root/project/prometheus && kubectl apply -f setup

(3) Create the alertmanager service
kubectl apply -f alertmanager

(4) Create the node-exporter service
kubectl apply -f node-exporter

(5) Create the grafana service
kubectl apply -f grafana

(6) Create the prometheus service
kubectl apply -f prometheus

(7) Create the serviceMonitor resources
kubectl apply -f serviceMonitor

(8) Open grafana to check the monitoring data
kubectl get svc -A | grep grafana

(9) Import a dashboard to display the data
Omitted; see the figure below.


Tip:
I have already provided several dashboard templates; the figure below imports the "node-exporter_rev17.json" file.

Coming soon...
Coming soon...
Coming soon...
kubeadm token create oldboy.1234567890abcdef --ttl 0 --print-join-command
Create a token. "--ttl" sets the token's lifetime (0 means it never expires); "--print-join-command" prints the command for joining the cluster.

kubeadm token delete oldboy.1234567890abcdef
Delete a token.

kubeadm token list
List tokens.

kubeadm token generate
Generate a token and print it to the terminal without creating it.
kubeadm join 10.0.0.151:6443 --token oldboy.1234567890abcdef --discovery-token-ca-cert-hash sha256:43aaeeea521e9132e98355fd591577135773f609efd80e463db8d94696b23388
(1) Taint the node that is being decommissioned to evict every Pod scheduled on it
kubectl taint node k8s154.oldboyedu.com school=oldboyedu:NoExecute


(2) Delete the node
kubectl delete nodes k8s154.oldboyedu.com


(3) The node is now offline
Simply reinstall the operating system.




Tip:
(1) When a node is taken offline directly, its Pods are not detected as failed immediately; it takes roughly 5 minutes before the broken Pods are recreated on other nodes, but before that the node's status will already show as "NotReady";
(2) So in production we should monitor node status, and of course also keep an eye on pod restart counts;
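As an added example (not from the course notes), the check the tip above recommends, written over the JSON that `kubectl get nodes -o json` and `kubectl get pods -A -o json` print: it lists nodes whose Ready condition is not True and pods whose containers have restarted more than a threshold. The sample JSON is constructed inline and trimmed to the fields the check reads.

```python
from __future__ import annotations
import json

# Constructed sample output, not real cluster data: one healthy node, one NotReady node
# (Ready = Unknown is what a node that went offline reports), and two pods.
NODES_JSON = json.dumps({"items": [
    {"metadata": {"name": "k8s153.oldboyedu.com"},
     "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
    {"metadata": {"name": "k8s154.oldboyedu.com"},
     "status": {"conditions": [{"type": "Ready", "status": "Unknown"}]}},
]})
PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "filebeat-abc12", "namespace": "oldboyedu-elk"},
     "status": {"containerStatuses": [{"name": "filebeat", "restartCount": 7}]}},
    {"metadata": {"name": "kibana-5d9f8", "namespace": "oldboyedu-elk"},
     "status": {"containerStatuses": [{"name": "kibana", "restartCount": 0}]}},
]})


def not_ready_nodes(nodes_json: str) -> list[str]:
    """Names of nodes whose Ready condition is anything other than "True" (False or Unknown)."""
    bad = []
    for node in json.loads(nodes_json)["items"]:
        conds = {c["type"]: c["status"] for c in node["status"].get("conditions", [])}
        if conds.get("Ready") != "True":
            bad.append(node["metadata"]["name"])
    return bad


def restarting_pods(pods_json: str, threshold: int = 3) -> list[tuple[str, str, int]]:
    """(namespace, pod, total restarts) for pods whose containers restarted more than `threshold` times."""
    out = []
    for pod in json.loads(pods_json)["items"]:
        restarts = sum(c.get("restartCount", 0)
                       for c in pod["status"].get("containerStatuses", []))
        if restarts > threshold:
            out.append((pod["metadata"]["namespace"], pod["metadata"]["name"], restarts))
    return out


if __name__ == "__main__":
    print("NotReady nodes:", not_ready_nodes(NODES_JSON))
    print("Restarting pods:", restarting_pods(PODS_JSON))
```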
(1) Complete all the in-class exercises.

(2) Change the root password of "jasonyin2020/oldboyedu-games:v0.2" and similar images to "oldboyedu-linux80", using an environment variable.

(3) Deploy the "jasonyin2020/oldboyedu-games:v0.1" game image to the K8S cluster and make it reachable from a browser.

(4) Rebuild the jasonyin2020/oldboyedu-games:v0.2 image with a Dockerfile, with the following requirements:
1) listen on the port range [81-85];
2) use a configMap resource;
3) use NFS shared storage for the source code;
4) use the oldboyedu-homework namespace;

(5) Deploy wordpress on the k8s cluster;

(6) Use the ingress controller over HTTP to expose 5 different services of the "homework 4" image;

(7) Split the 5 games in the "jasonyin2020/oldboyedu-games:v0.2" image into 5 separate images, with the following requirements:
1) listen on the port range [81-85];
2) use a configMap resource;
3) use NFS shared storage for the source code;
4) use the oldboyedu-homework namespace;
5) expose them via ingress over HTTP;


Extension:
Move zabbix-5.4 from docker-compose to batch startup on the k8s cluster.
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-game-env
  labels:
    apps: games
spec:
  nodeName: k8s202.oldboyedu.com
  containers:
  - name: linux80-game
    image: k8s201.oldboyedu.com:5000/jasonyin2020/oldboyedu-games:v0.2
    imagePullPolicy: Always
    env:
    - name: OLDBOYEDU_ADMIN
      value: oldboyedu-linux80
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-game
  labels:
    apps: games
spec:
  nodeName: k8s202.oldboyedu.com
  # All containers in the Pod share the host's network namespace.
  hostNetwork: true
  containers:
  - name: linux80-game
    image: k8s201.oldboyedu.com:5000/jasonyin2020/oldboyedu-games:v0.1
    imagePullPolicy: Always
    env:
    - name: OLDBOYEDU_ADMIN
      value: oldboyedu-linux80
kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-game-ports
  labels:
    apps: games
spec:
  nodeName: k8s202.oldboyedu.com
  containers:
  - name: linux80-game
    image: k8s201.oldboyedu.com:5000/jasonyin2020/oldboyedu-games:v0.1
    imagePullPolicy: Always
    env:
    - name: OLDBOYEDU_ADMIN
      value: oldboyedu-linux80
    # Container port mapping
    ports:
    # The container's port
    - containerPort: 80
      # Host IP address to bind
      hostIP: "0.0.0.0"
      # Host port to bind
      hostPort: 8888
      # Port protocol
      protocol: "TCP"
      # Port name, used to tell ports apart
      name: "mygame"



Tip:
Tested on k8s 1.15.12, hostPort did not actually listen on the host port; you can ignore it for now, it is enough to know it exists.
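As an added example (not from the course notes), a small audit over PodSpecs that reports the host-exposure settings used on this page: hostNetwork and hostPort in the two game Pods above, and runAsUser 0 plus hostPath volumes in the earlier filebeat DaemonSet. The inputs are hand-built dicts abridged from those manifests, so it runs without a cluster or a YAML library.

```python
from __future__ import annotations

# Constructed inputs abridged from the manifests on this page (only the audited fields kept).
GAME_HOSTNET = {"kind": "Pod", "metadata": {"name": "oldboyedu-linux80-game"},
                "spec": {"hostNetwork": True,
                         "containers": [{"name": "linux80-game"}]}}
GAME_PORTS = {"kind": "Pod", "metadata": {"name": "oldboyedu-linux80-game-ports"},
              "spec": {"containers": [{"name": "linux80-game",
                                       "ports": [{"containerPort": 80, "hostPort": 8888}]}]}}
FILEBEAT = {"kind": "DaemonSet", "metadata": {"name": "filebeat"},
            "spec": {"template": {"spec": {
                "containers": [{"name": "filebeat",
                                "securityContext": {"runAsUser": 0}}],
                "volumes": [{"name": "varlibdockercontainers",
                             "hostPath": {"path": "/var/lib/docker/containers"}}]}}}}


def pod_spec(obj: dict) -> dict:
    """Return the PodSpec for a bare Pod or for a templated workload (Deployment, DaemonSet, ...)."""
    if obj["kind"] == "Pod":
        return obj["spec"]
    return obj["spec"]["template"]["spec"]


def audit(obj: dict) -> list[str]:
    """One finding string per host-exposure setting present in the object."""
    name, spec, findings = obj["metadata"]["name"], pod_spec(obj), []
    if spec.get("hostNetwork"):
        findings.append(f"{name}: hostNetwork shares the node network namespace")
    if spec.get("securityContext", {}).get("runAsUser") == 0:
        findings.append(f"{name}: pod runs as root")
    for c in spec.get("containers", []):
        if c.get("securityContext", {}).get("runAsUser") == 0:
            findings.append(f"{name}/{c['name']}: container runs as root")
        for p in c.get("ports", []):
            if "hostPort" in p:
                findings.append(f"{name}/{c['name']}: hostPort {p['hostPort']} binds a node port")
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            findings.append(f"{name}: hostPath volume {v['hostPath']['path']}")
    return findings


if __name__ == "__main__":
    for obj in (GAME_HOSTNET, GAME_PORTS, FILEBEAT):
        print("\n".join(audit(obj)) or f"{obj['metadata']['name']}: no findings")
```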
apiVersion: v1
kind: Namespace
metadata:
  name: oldboyedu-homework
  labels:
    class: linux80
    school: oldboyedu

---

kind: Pod
apiVersion: v1
metadata:
  name: oldboyedu-linux80-game
  namespace: oldboyedu-homework
  labels:
    school: oldboyedu
    class: linux80
spec:
  volumes:
  - name: game
    configMap:
      name: oldboyedu-nginx-game
      items:
      - key: game.conf
        path: nginx.conf
  - name: data
    nfs:
      server: 10.0.0.201
      path: /oldboyedu/data/kubernetes/html
  containers:
  - name: linux80-game
    image: k8s201.oldboyedu.com:5000/jasonyin2020/oldboyedu-games:v0.2
    volumeMounts:
    - name: game
      # When mounting a ConfigMap, use an absolute file path as the mount point; mounting a directory may overwrite everything in it.
      # mountPath: /etc/nginx
      mountPath: /etc/nginx/nginx.conf
      # Mount "nginx.conf" without overwriting the rest of the "/etc/nginx" directory.
      # subPath: nginx.conf
      subPath: nginx.conf
    - name: data
      mountPath: /usr/local/nginx/html

---

apiVersion: v1
kind: ConfigMap
metadata:
  name: oldboyedu-nginx-game
  namespace: oldboyedu-homework
data:
  game.conf: |
    worker_processes 1;
    events {
        worker_connections 1024;
    }
    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;
        # include /usr/local/nginx/conf/conf.d/*.conf;
        server {
            listen 81;
            root /usr/local/nginx/html/bird/;
            server_name game01.oldboyedu.com;
        }

        server {
            listen 82;
            root /usr/local/nginx/html/pinshu/;
            server_name game02.oldboyedu.com;
        }

        server {
            listen 83;
            root /usr/local/nginx/html/tanke/;
            server_name game03.oldboyedu.com;
        }

        server {
            listen 84;
            root /usr/local/nginx/html/pingtai/;
            server_name game04.oldboyedu.com;
        }

        server {
            listen 85;
            root /usr/local/nginx/html/chengbao/;
            server_name game05.oldboyedu.com;
        }
    }
See the fourth CoreDNS example.

apiVersion: v1
kind: Namespace
metadata:
  name: oldboyedu-homework
  labels:
    class: linux80
    school: oldboyedu

---

apiVersion: v1
kind: ConfigMap
metadata:
  name: oldboyedu-nginx-game
  namespace: oldboyedu-homework
data:
  game.conf: |
    worker_processes 1;
    events {
        worker_connections 1024;
    }
    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;
        # include /usr/local/nginx/conf/conf.d/*.conf;
        server {
            listen 81;
            root /usr/local/nginx/html/bird/;
            server_name game01.oldboyedu.com;
        }

        server {
            listen 82;
            root /usr/local/nginx/html/pinshu/;
            server_name game02.oldboyedu.com;
        }

        server {
            listen 83;
            root /usr/local/nginx/html/tanke/;
            server_name game03.oldboyedu.com;
        }

        server {
            listen 84;
            root /usr/local/nginx/html/pingtai/;
            server_name game04.oldboyedu.com;
        }

        server {
            listen 85;
            root /usr/local/nginx/html/chengbao/;
            server_name game05.oldboyedu.com;
        }
    }


---

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oldboyedu-linux80-game
  namespace: oldboyedu-homework
spec:
  replicas: 5
  selector:
    matchLabels:
      school: oldboyedu
      class: linux80
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 2
      maxUnavailable: 1
  template:
    metadata:
      name: linux80-pod
      labels:
        school: oldboyedu
        class: linux80
    spec:
      volumes:
      - name: game
        configMap:
          name: oldboyedu-nginx-game
          items:
          - key: game.conf
            path: nginx.conf
      - name: data
        nfs:
          server: 10.0.0.201
          path: /oldboyedu/data/kubernetes/html
      restartPolicy: Always
      containers:
      - name: linux80-game
        image: k8s201.oldboyedu.com:5000/jasonyin2020/oldboyedu-games:v0.2
        imagePullPolicy: Always
        env:
        - name: OLDBOYEDU_ADMIN
          value: oldboyedu-linux80
        resources:
          limits:
            memory: "500Mi"
            cpu: "1000m"
          requests:
            memory: "200Mi"
            cpu: "500m"
        # command:
        # - "tail"
        # args:
        # - "-f"
        # - "/etc/hosts"
        livenessProbe:
          httpGet:
            port: 81
            path: /index.html
          failureThreshold: 3
          initialDelaySeconds: 15
          periodSeconds: 1
          successThreshold: 1
          timeoutSeconds: 1
        readinessProbe:
          httpGet:
            port: 82
            path: /index.html
          failureThreshold: 3
          initialDelaySeconds: 15
          periodSeconds: 3
          successThreshold: 1
          timeoutSeconds: 1
        volumeMounts:
        - name: game
          mountPath: /etc/nginx/nginx.conf
          subPath: nginx.conf
        - name: data
          mountPath: /usr/local/nginx/html

---

apiVersion: v1
kind: Service
metadata:
  name: oldboyedu-linux80-homework
  namespace: oldboyedu-homework
spec:
  type: ClusterIP
  selector:
    school: oldboyedu
    class: linux80
  ports:
  - port: 81
    targetPort: 81
    name: game01
  - port: 82
    targetPort: 82
    name: game02
  - port: 83
    targetPort: 83
    name: game03
  - port: 84
    targetPort: 84
    name: game04
  - port: 85
    targetPort: 85
    name: game05

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-myweb
  namespace: oldboyedu-homework
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: game01.oldboyedu.com
    http:
      paths:
      - backend:
          serviceName: oldboyedu-linux80-homework
          servicePort: 81
  - host: game02.oldboyedu.com
    http:
      paths:
      - backend:
          serviceName: oldboyedu-linux80-homework
          servicePort: 82
  - host: game03.oldboyedu.com
    http:
      paths:
      - backend:
          serviceName: oldboyedu-linux80-homework
          servicePort: 83
  - host: game04.oldboyedu.com
    http:
      paths:
      - backend:
          serviceName: oldboyedu-linux80-homework
          servicePort: 84
  - host: game05.oldboyedu.com
    http:
      paths:
      - backend:
          serviceName: oldboyedu-linux80-homework
          servicePort: 85