Kubernetes Basics
This article was last updated 1119 days ago; the information in it may have evolved or changed since.

Pod

Common commands

View pods: kubectl get pod

Watch in real time: kubectl get pod -w

Show more columns: kubectl get pod -o wide

Describe a pod: kubectl describe pod pod-net

View the logs of one container: kubectl logs pod-net -c pod-net-nginx

Export to a file: kubectl get pods pod-net -o yaml > pod.yaml

Enter the default container: kubectl exec -it pod-net -- sh

Enter a specific container: kubectl exec -it pod-net -c pod-net-busybox -- sh

Sharing a volume between containers

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: pod-net-label
  name: pod-net
  namespace: default
spec:
  containers:
  - image: busybox
    name: pod-net-busybox
    command: ["/bin/sh", "-c", "sleep 3600"]
    volumeMounts:
    - name: log
      mountPath: /data
  - image: nginx
    name: pod-net-nginx
    volumeMounts:
    - name: log
      mountPath: /data
  volumes:
  - name: log
    emptyDir: {}

Verify (the two containers share the network namespace and the emptyDir volume, so busybox can fetch the nginx page and write it into /data):

kubectl exec -it pod-net -c pod-net-busybox -- sh
# wget localhost -O /data/index.html

Environment variables

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: pod-env-label
  name: pod-env
spec:
  containers:
  - image: busybox
    name: pod-env-busybox
    command: ["/bin/sh", "-c", "sleep 3600"]
    env:
    - name: HELLO
      value: "World"
    - name: MY_NODE_NAME
      valueFrom:
        fieldRef:
          fieldPath: spec.nodeName
    - name: MY_POD_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: MY_POD_IP
      valueFrom:
        fieldRef:
          fieldPath: status.podIP

Verify:

kubectl exec -it pod-env -- sh
# echo $HELLO

Restart policy and health checks

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: pod-healthy-label
  name: pod-healthy
spec:
  restartPolicy: Never # restart policy
  containers:
  - image: nginx
    name: pod-healthy-nginx
    # health checks
    startupProbe: # startup probe
      tcpSocket: # succeeds when a TCP connection to the port is established
        port: 80
      initialDelaySeconds: 10 # wait this long after the container starts before the first check
      periodSeconds: 5 # interval between checks, default 10s
      timeoutSeconds: 1 # how long to wait for a response to each check
      failureThreshold: 3 # consecutive failures before the probe is considered failed
      successThreshold: 1 # consecutive successes before the probe is considered passed; must be 1 for startup and liveness probes
    readinessProbe: # readiness probe
      httpGet: # sends an HTTP GET; a status code from 200 up to, but not including, 400 counts as success
        path: /index.html
        port: 80
        httpHeaders:
        - name: Custom-Header
          value: Awesome
    livenessProbe: # liveness probe
      exec: # runs a command in the container; exit status 0 counts as success
        command:
        - cat
        - /tmp/healthy

Restart policy

restartPolicy: Description
Always: always restart the container
OnFailure: restart only when the container exits with a failure (a normal exit has status code 0)
Never: never restart

Health checks

Field: Description
startupProbe: Startup probe. If a startupProbe is configured, the other probes are disabled until it succeeds; once it has succeeded it is not run again.
readinessProbe: Readiness probe, normally used to check whether the program has started correctly. If the check fails, the Pod's Endpoint is removed from the Service.
livenessProbe: Liveness probe, normally used to check whether the program is still running correctly. If the check fails, the kubelet acts according to the restart policy.
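The following is an added example, not code from the original post: a small Python model of how the kubelet turns a stream of individual check results into a pass/fail decision using failureThreshold and successThreshold, plus the validation rule that startup and liveness probes must use successThreshold 1. The Probe class, evaluate() and seconds_until_failed() are assumed names modelled on kubelet behaviour, not Kubernetes code.

```python
# Added example, not code from the original post: a model of kubelet probe bookkeeping.
# A probe flips to Failure after failureThreshold consecutive failed checks and to
# Success after successThreshold consecutive passes; an opposite result resets the count.
from dataclasses import dataclass

@dataclass
class Probe:
    kind: str                       # "startup", "readiness" or "liveness"
    period_seconds: int = 10        # periodSeconds
    initial_delay_seconds: int = 0  # initialDelaySeconds
    failure_threshold: int = 3      # failureThreshold
    success_threshold: int = 1      # successThreshold

    def validate(self) -> list:
        """Return the errors the API server raises for an invalid probe spec."""
        errors = []
        if self.kind in ("startup", "liveness") and self.success_threshold != 1:
            errors.append(f"{self.kind}Probe.successThreshold must be 1")
        for name in ("period_seconds", "failure_threshold", "success_threshold"):
            if getattr(self, name) < 1:
                errors.append(f"{self.kind}Probe.{name} must be >= 1")
        return errors

    def seconds_until_failed(self) -> int:
        """Upper bound on the time before a container that never passes is declared failed."""
        return self.initial_delay_seconds + self.failure_threshold * self.period_seconds

def evaluate(probe: Probe, results: list) -> list:
    """Map raw check results (True = passed) to the probe state after each check."""
    states, good, bad, state = [], 0, 0, "Unknown"
    for ok in results:
        if ok:
            good, bad = good + 1, 0
            if good >= probe.success_threshold:
                state = "Success"
        else:
            bad, good = bad + 1, 0
            if bad >= probe.failure_threshold:
                state = "Failure"
        states.append(state)
    return states

if __name__ == "__main__":
    # A startup probe with successThreshold 2, which the API server rejects.
    print(Probe("startup", 5, 10, 3, 2).validate())           # ['startupProbe.successThreshold must be 1']
    print(Probe("startup", 5, 10, 3).seconds_until_failed())  # 25
    print(evaluate(Probe("liveness"), [True, False, False, True, False, False, False]))
```

The last call shows why an intermittently passing liveness check is not restarted: the single success in the middle resets the failure count, and only the final run of three failures reaches the threshold.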

Init containers

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: pod-init-label
  name: pod-init
spec:
  initContainers: # init containers run to completion, in order, before the app containers start
  - image: busybox
    name: pod-init-busybox
    volumeMounts:
    - name: log
      mountPath: /data
    command:
    - touch
    - /data/index.html
  containers:
  - image: nginx
    name: pod-init-nginx
    volumeMounts:
    - name: log
      mountPath: /usr/share/nginx/html
  volumes:
  - name: log
    emptyDir: {}

Resource quotas (requests and limits)

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: pod-resource-label
  name: pod-resource
spec:
  containers:
  - name: pod-resource-nginx
    image: nginx
    resources: # resource quota
      requests: # minimum resources guaranteed to the container at scheduling time
        memory: "32Mi" # memory
        cpu: "128m" # CPU (128 millicores)
      limits: # maximum resources the container may consume while running
        memory: "64Mi"
        cpu: "256m"

Node selector and node affinity

Setting node labels

Set a label: kubectl label node node-0 disktype=ssd

View labels: kubectl get node --show-labels

Remove a label: kubectl label node node-0 disktype-

Node affinity

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: pod-selector-label
  name: pod-selector
spec:
  # nodeSelector: # node selector
  #   disktype: "ssd"
  affinity: # node affinity
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution: # hard requirement
        nodeSelectorTerms:
        - matchExpressions:
          - key: disktype
            operator: In # In NotIn Exists DoesNotExist Gt Lt
            values:
            - ssd
      preferredDuringSchedulingIgnoredDuringExecution: # soft preference
      - weight: 1 # weight; higher values are preferred more strongly
        preference:
          matchExpressions:
          - key: gpu
            operator: In
            values:
            - nvidia-tesla
  containers:
  - name: pod-selector-nginx
    image: nginx
    imagePullPolicy: IfNotPresent

Taints and tolerations

Setting node taints

Set a taint: kubectl taint node node-0 disktype=ssd:NoSchedule

View taints: kubectl describe node node-0

Remove a taint: kubectl taint node node-0 disktype=ssd:NoSchedule-

Taint effect: Description
NoSchedule: Pods that do not tolerate the taint are never scheduled onto the node
PreferNoSchedule: the scheduler tries to avoid the node but may still use it
NoExecute: Pods already running on the node that do not tolerate the taint are evicted

Tolerations

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: pod-taint-label
  name: pod-taint
spec:
  tolerations: # tolerations; with no effect given, every effect of this taint is tolerated
  - key: gpu
    operator: Equal
    value: nvidia-tesla
    # effect: NoSchedule
  containers:
  - name: pod-taint-nginx
    image: nginx

Bypassing taints with nodeName

apiVersion: v1
kind: Pod
metadata:
  name: pod-taint
spec:
  nodeName: node-0 # binds the Pod directly to the node, bypassing the scheduler, so taints are not checked
  containers:
  - name: pod-taint-nginx
    image: nginx
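The following is an added example, not code from the original post: a small scheduler predicate in Python that applies the nodeAffinity operators listed above (In, NotIn, Exists, DoesNotExist, Gt, Lt) and the taint/toleration matching rules to a constructed two-node cluster labelled and tainted as in the kubectl commands above. The function names and the dict layout are assumptions of this example, not the Kubernetes scheduler's own code.

```python
# Added example, not code from the original post: a small scheduler predicate applying
# the nodeAffinity operators and taint/toleration rules above to constructed nodes.
def match_expression(labels: dict, expr: dict) -> bool:
    """Evaluate one matchExpressions entry against a node's labels."""
    key, op, values = expr["key"], expr["operator"], expr.get("values", [])
    present = key in labels
    if op == "In":
        return present and labels[key] in values
    if op == "NotIn":
        return not present or labels[key] not in values
    if op in ("Exists", "DoesNotExist"):
        return present == (op == "Exists")
    if op == "Gt":  # Gt/Lt compare the label as an integer against the single value
        return present and int(labels[key]) > int(values[0])
    if op == "Lt":
        return present and int(labels[key]) < int(values[0])
    raise ValueError(f"unknown operator {op}")
def tolerates(tol: dict, taint: dict) -> bool:
    """A toleration matches when effect (if set), key and value/operator all agree."""
    if tol.get("effect") and tol["effect"] != taint["effect"]:
        return False
    if not tol.get("key"):  # empty key with operator Exists tolerates every taint
        return tol.get("operator") == "Exists"
    if tol["key"] != taint["key"]:
        return False
    return tol.get("operator", "Equal") == "Exists" or tol.get("value") == taint.get("value")
def can_schedule(pod: dict, node: dict) -> bool:
    """Hard filters only: required affinity terms (terms ORed, expressions within a
    term ANDed) and NoSchedule/NoExecute taints without a matching toleration."""
    terms = pod.get("required", [])
    if terms and not any(all(match_expression(node["labels"], e) for e in t) for t in terms):
        return False
    for taint in node.get("taints", []):
        if taint["effect"] == "PreferNoSchedule":  # soft: changes ranking, not feasibility
            continue
        if not any(tolerates(t, taint) for t in pod.get("tolerations", [])):
            return False
    return True

NODES = {  # constructed sample cluster; node-0 labelled and tainted as in the commands above
    "node-0": {"labels": {"disktype": "ssd"},
               "taints": [{"key": "disktype", "value": "ssd", "effect": "NoSchedule"}]},
    "node-1": {"labels": {"disktype": "hdd", "gpu": "nvidia-tesla"}, "taints": []},
}
POD_SELECTOR = {"required": [[{"key": "disktype", "operator": "In", "values": ["ssd"]}]]}
POD_TAINT = {"tolerations": [{"key": "gpu", "operator": "Equal", "value": "nvidia-tesla"}]}
DAEMONSET_POD = {"tolerations": [{"operator": "Exists", "effect": "NoSchedule"}]}
def feasible_nodes(pod: dict) -> list:
    return sorted(name for name, node in NODES.items() if can_schedule(pod, node))
```

Running feasible_nodes(POD_SELECTOR) returns an empty list: the pod-selector Pod requires disktype=ssd, but node-0 also carries the disktype=ssd:NoSchedule taint and the Pod tolerates nothing, which is exactly the situation the nodeName manifest above sidesteps.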

Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-test
  labels:
    app: deploy-test-label
spec:
  replicas: 2 # number of replicas
  selector:
    matchLabels: # select Pods by label
      app: deploy-test-nginx-label
  template: # Pod template
    metadata:
      labels: # Pod labels
        app: deploy-test-nginx-label
    spec:
      containers:
      - name: deploy-test-nginx
        image: nginx
        ports:
        - containerPort: 80

Common commands

View deployments: kubectl get deployment (short form: kubectl get deploy)

Create the deployment: kubectl apply -f deploy-test.yaml

Delete the deployment: kubectl delete -f deploy-test.yaml, or kubectl delete deploy deploy-test

Rolling upgrade

Edit the yaml file and re-apply it: vi deploy-test.yaml

Edit the live object: kubectl edit deployment/deploy-test

Upgrade via command (the container is named deploy-test-nginx in the manifest): kubectl set image deployment/deploy-test deploy-test-nginx=nginx:1.15

Rollback

View revision history: kubectl rollout history deployment deploy-test

Roll back to the previous revision: kubectl rollout undo deployment/deploy-test

Roll back to a specific revision: kubectl rollout undo deployment/deploy-test --to-revision=2

Horizontal scaling

Edit the yaml file and re-apply it: vi deploy-test.yaml

Scale via command: kubectl scale deployment deploy-test --replicas=5

DaemonSet: one Pod on every node

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: daemonset-test
spec:
  selector:
    matchLabels:
      app: daemonset-test-filebeat-label
  template:
    metadata:
      labels:
        app: daemonset-test-filebeat-label
    spec:
      tolerations: # tolerate every NoSchedule taint, including the control-plane (master) taint
      - effect: NoSchedule
        operator: Exists
      containers:
      - name: daemonset-test-filebeat
        image: elastic/filebeat

View DaemonSets: kubectl get daemonset

Job: run once

apiVersion: batch/v1
kind: Job
metadata:
  name: job-test
spec:
  template:
    spec:
      containers:
      - name: job-test-perl
        image: perl # compute pi to 2000 decimal places
        command: ["perl", "-Mbignum=bpi", "-wle", "print bpi(2000)"]
      restartPolicy: Never # a Job's Pod template must use Never or OnFailure
  backoffLimit: 4 # number of retries before the Job is marked failed

View Jobs: kubectl get job

CronJob: scheduled tasks

apiVersion: batch/v1
kind: CronJob
metadata:
  name: cronjob-test
spec:
  schedule: "*/1 * * * *" # cron schedule: every minute
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: cronjob-test-busybox
            image: busybox
            args:
            - /bin/sh
            - -c
            - date; echo Hello World
          restartPolicy: OnFailure

View CronJobs: kubectl get cronjob

Service

apiVersion: v1
kind: Service
metadata:
  name: service-test
spec:
  selector:
    app: deploy-test-nginx-label # select Pods by label
  ports:
  - port: 80 # port exposed by the Service
    protocol: TCP
    targetPort: 80 # port exposed by the Pod
    # nodePort: 30283 # pin the port exposed on each node
  type: NodePort # exposure type

Common commands

View services: kubectl get service (short form: kubectl get svc)

View endpoints: kubectl get endpoints (short form: kubectl get ep)

Exposure types

type: Description
ClusterIP: reachable only from inside the cluster
NodePort: exposed outside the cluster, reached at http://<nodeIP>:<nodePort>
LoadBalancer: external load balancer provided by a public cloud

Ingress

HTTP

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx # selects the ingress-nginx controller
  name: ingress-http
spec:
  rules:
  - host: my-nginx.tenbeggar.com # hostname
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: service-test # Service name
            port:
              number: 80

HTTPS

Self-signed CA

  1. Download cfssl
   yum -y install wget
   wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
   wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
   wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
   chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
   mv cfssl_linux-amd64 /usr/local/bin/cfssl
   mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
   mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
  2. Build the CA root certificate. JSON does not allow comments and cfssl refuses a file that contains them, so the field notes follow each file instead. CN is the name of the issuing authority.
   cat > ca-csr.json << EOF
   {
     "CN": "kubernetes",
     "key": {
       "algo": "rsa",
       "size": 2048
     },
     "names": [
       {
         "C": "CN",
         "L": "Beijing",
         "ST": "Beijing",
         "O": "k8s",
         "OU": "system"
       }
     ]
   }
   EOF
   cfssl gencert -initca ca-csr.json | cfssljson -bare ca
  3. Set the CA signing configuration
   cat > ca-config.json << EOF
   {
     "signing": {
       "default": {
         "expiry": "87600h"
       },
       "profiles": {
         "server": {
           "expiry": "87600h",
           "usages": [
             "signing",
             "key encipherment",
             "server auth"
           ]
         },
         "client": {
           "expiry": "87600h",
           "usages": [
             "signing",
             "key encipherment",
             "client auth"
           ]
         },
         "peer": {
           "expiry": "87600h",
           "usages": [
             "signing",
             "key encipherment",
             "server auth",
             "client auth"
           ]
         }
       }
     }
   }
   EOF
   Field notes: signing.default.expiry is the default certificate validity and each profile's expiry overrides it (87600h is ten years). The server profile is for server certificates; "server auth" means the client verifies the server. The client profile is for client certificates; "client auth" means the server authenticates the client. The peer profile carries both usages for a certificate that acts as server and client. "signing" indicates the certificate can be used to sign other certificates.
  4. Issue a certificate signed by the CA. CN is the hostname; the hosts list becomes the certificate's Subject Alternative Names, and browsers match on SAN rather than CN, so the hostname is listed there as well.
   cat > my-nginx-csr.json << EOF
   {
     "CN": "my-nginx.tenbeggar.com",
     "hosts": ["my-nginx.tenbeggar.com"],
     "key": {
       "algo": "rsa",
       "size": 2048
     },
     "names": [
       {
         "C": "CN",
         "ST": "Beijing",
         "L": "Beijing",
         "O": "k8s",
         "OU": "system"
       }
     ]
   }
   EOF
   cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer my-nginx-csr.json | cfssljson -bare my-nginx

Store the certificate in a Secret

apiVersion: v1
kind: Secret
metadata:
  name: ingress-https-secret
data:
  tls.crt: MIIC2DCCAcCgAwIBAgIBATANBgkqh ... # base64-encoded certificate (public key)
  tls.key: MIIEpgIBAAKCAQEA7yn3bRHQ5FHMQ ... # base64-encoded private key
type: kubernetes.io/tls # Secret type

Or, equivalently, from the PEM files cfssljson wrote:

kubectl create secret tls ingress-https-secret --cert=my-nginx.pem --key=my-nginx-key.pem

Configure TLS

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
  name: ingress-https
spec:
  tls:
  - hosts:
    - my-nginx.tenbeggar.com # hostname
    secretName: ingress-https-secret # Secret name
  rules:
  - host: my-nginx.tenbeggar.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: service-test
            port:
              number: 80

ConfigMap

Save the configuration

The example below keeps the database password inside the ConfigMap so that the mounted file matches the application's own config layout. ConfigMap data is stored and served in plain text to anyone who can read the namespace, so a credential like this belongs in a Secret, the object type used for the TLS certificate above.

apiVersion: v1
kind: ConfigMap
metadata:
  name: java-application-config
data:
  application-data: |
    server:
      port: 8080
    spring:
      datasource:
        url: jdbc:mysql://localhost:3306/test?characterEncoding=utf8&serverTimezone=Hongkong
        username: root
        password: 76543
        driver-class-name: com.mysql.cj.jdbc.Driver

Mount into the container

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: pod-java-label
  name: pod-java
spec:
  containers:
  - image: demo
    name: pod-java-demo
    volumeMounts:
    - name: application
      # mountPath: /usr/local/tomcat/webapps/ROOT/WEB-INF/classes/ # if only this line is kept and the two below are removed, the mount replaces the whole classes directory and its other files disappear
      mountPath: /usr/local/tomcat/webapps/ROOT/WEB-INF/classes/application.yaml
      subPath: application.yaml # mount only application.yaml so the other files in the container are kept (note: subPath mounts are not refreshed when the ConfigMap changes)
  volumes:
  - name: application
    configMap:
      name: java-application-config
      items:
      - key: application-data # corresponds to data.application-data in the ConfigMap
        path: application.yaml # file name inside the container after mounting