DaemonSet 守护进程集

什么是 DaemonSet

DaemonSet 确保集群中每个（或部分）节点上都运行一个 Pod 副本。当节点加入集群时自动创建 Pod，节点移除时自动删除 Pod。

典型使用场景

• 日志收集：Fluentd、Filebeat（每个节点收集日志）
• 监控采集：Node Exporter、Datadog Agent
• 网络插件：Calico、Cilium、kube-proxy
• 存储插件：Ceph、GlusterFS 客户端
• 安全扫描：Falco、Sysdig

配置示例

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-exporter
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app: node-exporter

  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1  # 每次最多更新 1 个节点

  template:
    metadata:
      labels:
        app: node-exporter
    spec:
      # 容忍 Control Plane 节点的污点（在所有节点运行）
      tolerations:
      - key: node-role.kubernetes.io/control-plane
        operator: Exists
        effect: NoSchedule
      - key: node.kubernetes.io/not-ready
        operator: Exists
        effect: NoExecute

      # 使用主机网络（监控节点网络指标）
      hostNetwork: true
      hostPID: true

      containers:
      - name: node-exporter
        image: prom/node-exporter:v1.7.0
        args:
        - --path.procfs=/host/proc
        - --path.sysfs=/host/sys
        - --path.rootfs=/host/root
        ports:
        - containerPort: 9100
          hostPort: 9100
        resources:
          requests:
            cpu: "100m"
            memory: "50Mi"
          limits:
            cpu: "200m"
            memory: "100Mi"
        securityContext:
          runAsNonRoot: true
          runAsUser: 65534
        volumeMounts:
        - name: proc
          mountPath: /host/proc
          readOnly: true
        - name: sys
          mountPath: /host/sys
          readOnly: true
        - name: root
          mountPath: /host/root
          readOnly: true
          mountPropagation: HostToContainer

      volumes:
      - name: proc
        hostPath:
          path: /proc
      - name: sys
        hostPath:
          path: /sys
      - name: root
        hostPath:
          path: /

      # 优先级（系统级 DaemonSet 应使用高优先级）
      priorityClassName: system-node-critical

只在部分节点运行

spec:
  template:
    spec:
      # 方式一：nodeSelector
      nodeSelector:
        node-type: gpu

      # 方式二：nodeAffinity（更灵活）
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: node-type
                operator: In
                values: [gpu, high-memory]

常用操作

# 查看 DaemonSet 状态
kubectl get daemonset -n monitoring
kubectl rollout status daemonset/node-exporter -n monitoring

# 查看各节点上的 Pod
kubectl get pods -n monitoring -o wide -l app=node-exporter

# 滚动更新
kubectl set image daemonset/node-exporter node-exporter=prom/node-exporter:v1.8.0 -n monitoring

# 回滚
kubectl rollout undo daemonset/node-exporter -n monitoring