第一部分
day1,容器基础知识介绍
安装
apt-get install docker-engine
[root@cce-7day-fudonghai-24106 01CNL]# docker -v
Docker version 18.09.0, build f897bb1
[root@cce-7day-fudonghai-24106 01CNL]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
100.125.17.64:20202/hwofficial/storage-driver-linux-amd64 1.0.13 9b1a762c647a 3 weeks ago 749MB
100.125.17.64:20202/op_svc_apm/icagent 5.11.27 797b45c7e959 5 weeks ago 340MB
canal-agent 1.0.RC8.SPC300.B010 4e31d812d31d 2 months ago 505MB
canal-agent latest 4e31d812d31d 2 months ago 505MB
100.125.17.64:20202/hwofficial/cce-coredns-linux-amd64 1.2.6.1 614e71c360a5 3 months ago 328MB
swr.cn-east-2.myhuaweicloud.com/fudonghai/tank v1.0 77c91a2d6c53 5 months ago 112MB
swr.cn-north-1.myhuaweicloud.com/hwstaff_m00402518/tank v1.0 77c91a2d6c53 5 months ago 112MB
redis latest 415381a6cb81 8 months ago 94.9MB
busybox latest 59788edf1f3e 9 months ago 1.15MB
nginx latest 06144b287844 10 months ago 109MB
euleros 2.2.5 b0f6bcd0a2a0 20 months ago 289MB
mirrorgooglecontainers/fluentd-elasticsearch 1.20 c264dff3420b 2 years ago 301MB
k8s.gcr.io/fluentd-elasticsearch 1.20 c264dff3420b 2 years ago 301MB
nginx 1.11.1-alpine 5ad9802b809e 3 years ago 69.3MB
cce-pause 2.0 2b58359142b0 3 years ago 350kB
[root@cce-7day-fudonghai-24106 01CNL]# docker pull tomcat
Using default tag: latest
latest: Pulling from library/tomcat
55cbf04beb70: Pull complete
1607093a898c: Pull complete
9a8ea045c926: Pull complete
1290813abd9d: Pull complete
8a6b982ad6d7: Pull complete
abb029e68402: Pull complete
d068d0a738e5: Pull complete
42ee47bb0c52: Pull complete
ae9c861aed25: Pull complete
60bba9d0dc8d: Pull complete
15222e409530: Pull complete
2dcc81b69024: Pull complete
Digest: sha256:c0f20412acb98efb1af63911d38edca97df76fbf3c0f34de10cc2c56a9f57471
Status: Downloaded newer image for tomcat:latest
[root@cce-7day-fudonghai-24106 01CNL]# docker run -it -d -p 8888:8080 tomcat:latest
ee355280967236ab6eace5f98e5aa53edcb4026dece869f5366a829523beb464
[root@cce-7day-fudonghai-24106 01CNL]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ee3552809672 tomcat:latest "catalina.sh run" 6 seconds ago Up 5 seconds 0.0.0.0:8888->8080/tcp vibrant_burnell
在浏览器里面输入:
http://122.112.252.69:8888/
发现不能访问,到ecs控制台(cce控制台没找到相应设置),-->访问控制菜单,-->安全组菜单,发现有三个安全组,应该都是cce引擎自建的。
cce-7day-fudonghai-cce-node-e77y
Sys-default
cce-7day-fudonghai-cce-control-e77y
点击进入cce-7day-fudonghai-cce-node-e77y条目,添加访问控制规则
TCP : 8000-9000 IPv4 0.0.0.0/0 --
UDP : 8000-9000 IPv4 0.0.0.0/0 --
再刷新浏览器就会出现tomcat页面。最后停掉容器
[root@cce-7day-fudonghai-24106 01CNL]# docker stop ee3552809672
ee3552809672
[root@cce-7day-fudonghai-24106 01CNL]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
实验部分
1,创建,配置,购买CCE集群见作业文档
2,通过容器镜像服务,上传指定公共镜像到自己的私有镜像仓库
0)把之前用过的镜像强制删除
[root@cce-7day-fudonghai-24106 01CNL]# docker rmi -f 77c91a2d6c53
Untagged: swr.cn-east-2.myhuaweicloud.com/fudonghai/tank:v1.0
Untagged: swr.cn-east-2.myhuaweicloud.com/fudonghai/tank@sha256:c4ecb266f091fdf5ed37e78837f358d650be5d2d160aff00941569a0ac148aad
Untagged: swr.cn-north-1.myhuaweicloud.com/hwstaff_m00402518/tank:v1.0
Untagged: swr.cn-north-1.myhuaweicloud.com/hwstaff_m00402518/tank@sha256:c4ecb266f091fdf5ed37e78837f358d650be5d2d160aff00941569a0ac148aad
Deleted: sha256:77c91a2d6c53a8134c6838e5e25973eefaacf62548139043dada9ebe5bce4ef0
Deleted: sha256:17ce620a1c4218b5f6bd02e8b399a2501a9822e99c2efc9b1c54ca849a15f5d5
1)拉取镜像
[root@cce-7day-fudonghai-24106 01CNL]# docker pull swr.cn-north-1.myhuaweicloud.com/hwstaff_m00402518/tank:v1.0
v1.0: Pulling from hwstaff_m00402518/tank
802b00ed6f79: Already exists
e9d0e0ea682b: Already exists
d8b7092b9221: Already exists
d9bf1d47fd56: Pull complete
Digest: sha256:c4ecb266f091fdf5ed37e78837f358d650be5d2d160aff00941569a0ac148aad
Status: Downloaded newer image for swr.cn-north-1.myhuaweicloud.com/hwstaff_m00402518/tank:v1.0
发现再次拉取回来的IMAGE ID和之前一样
2)打成自己仓库的标签
docker tag swr.cn-north-1.myhuaweicloud.com/hwstaff_m00402518/tank:v1.0 swr.cn-east-2.myhuaweicloud.com/fudonghai/tank:v1.0
实际是一份数据,两个tag
swr.cn-east-2.myhuaweicloud.com/fudonghai/tank v1.0 77c91a2d6c53 5 months ago 112MB
swr.cn-north-1.myhuaweicloud.com/hwstaff_m00402518/tank v1.0 77c91a2d6c53 5 months ago 112MB
3)登陆自己的docker仓库。步骤是在cce管理页面,点击镜像仓库,弹出容器镜像服务,点击总览,里面的登录指令,复制出来运行,提示 Login Succeeded表示成功。
docker login -u cn-east-2@AsFCPS2h0jL1JQQ17AHk -p bfd23e9955d00ba3f9953c81d45d4c089b9f88f43f732f36966c7ecd939e0ecf swr.cn-east-2.myhuaweicloud.com
对应下面的格式
docker login -u 账号(在swr获取) -p 密码(在swr获取) swr.cn-east-2.myhuaweicloud.com
(这里面的账号和密码都是华为云自动产生的)
4)推送到自己的镜像,然后就可以在我的镜像页面查看,多了一个镜像名为tank的镜像。
[root@cce-7day-fudonghai-24106 01CNL]# docker push swr.cn-east-2.myhuaweicloud.com/fudonghai/tank
第二部分
day2,Kubernetes基础知识介绍
第1课:CKA考纲与K8S基础概念解读
两者PPT和内容几乎一样
课上实验部分
[root@cce-7day-fudonghai-24106 01CNL]# docker pull swr.cn-south-1.myhuaweicloud.com/kevin-wangzefeng/cce-kubectl:v1
v1: Pulling from kevin-wangzefeng/cce-kubectl
6c3eb4525275: Pull complete
5f70bf18a086: Pull complete
07195e1407cb: Pull complete
91f80218be79: Pull complete
c16157d8ae47: Pull complete
9192f9d33ba2: Pull complete
8cb6c9ac22d1: Pull complete
aa78cd0bc75c: Pull complete
8f7c2c7f8d57: Pull complete
5358690ca7c4: Pull complete
bc72688d8ec4: Pull complete
e5ba68ed6b9e: Pull complete
9a0122677c09: Pull complete
b2faa4a30ed2: Pull complete
2e107f3c2172: Pull complete
ccd7ca8624d3: Pull complete
Digest: sha256:934fe455e44ef10e850979b9f150867db391b2c9a95a9f1ea4a23c3af1922ba7
Status: Downloaded newer image for swr.cn-south-1.myhuaweicloud.com/kevin-wangzefeng/cce-kubectl:v1
在cce页面配置一个无状态Deployment工作负载,建立服务的时候把节点+端口3000暴露出来,进入工作负载里面的无状态查看,并点击访问
通过命令行kubectl建立一个无状态Deployment工作负载
[root@cce-7day-fudonghai-24106 01CNL]# kubectl run nginx --image nginx --port 80
deployment.apps/nginx created
查看
[root@cce-7day-fudonghai-24106 01CNL]# kubectl get deploy
NAME READY UP-TO-DATE AVAILABLE AGE
cka-kubectl 1/1 1 1 15m
nginx 1/1 1 1 6m8s
也可以
[root@cce-7day-fudonghai-24106 01CNL]# kubectl get deploy/nginx
NAME READY UP-TO-DATE AVAILABLE AGE
nginx 1/1 1 1 6m54s
加-owide查看更多的补充信息
[root@cce-7day-fudonghai-24106 01CNL]# kubectl get deploy/nginx -owide
NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
nginx 1/1 1 1 7m59s nginx nginx run=nginx
[root@cce-7day-fudonghai-24106 01CNL]# kubectl get pod -owide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES cka-kubectl-6b4cc7f476-bmt64 1/1 Running 0 18m 172.16.0.24 192.168.0.184 <none> <none> nginx-57867cc648-4qv6k 1/1 Running 0 8m45s 172.16.0.25 192.168.0.184 <none> <none>
[root@cce-7day-fudonghai-24106 01CNL]# kubectl describe deployment nginx Name: nginx Namespace: default CreationTimestamp: Wed, 24 Jul 2019 16:31:15 +0800 Labels: run=nginx Annotations: deployment.kubernetes.io/revision=1 Selector: run=nginx Replicas: 1 desired | 1 updated | 1 total | 1 available | 0 unavailable StrategyType: RollingUpdate MinReadySeconds: 0 RollingUpdateStrategy: 25% max unavailable, 25% max surge Pod Template: Labels: run=nginx Containers: nginx: Image: nginx Port: 80/TCP Host Port: 0/TCP Environment: <none> Mounts: <none> Volumes: <none> Conditions: Type Status Reason ---- ------ ------ Available True MinimumReplicasAvailable Progressing True NewReplicaSetAvailable OldReplicaSets: <none> NewReplicaSet: nginx-57867cc648 (1/1 replicas created) Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal ScalingReplicaSet 10m deployment-controller Scaled up replica set nginx-57867cc648 to 1
扩容到2个POD
[root@cce-7day-fudonghai-24106 01CNL]# kubectl scale deployment nginx --replicas=2
deployment.extensions/nginx scaled
扩容成功
[root@cce-7day-fudonghai-24106 01CNL]# kubectl get deploy/nginx -owide
NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
nginx 2/2 2 2 14m nginx nginx run=nginx
小技巧
使用run命令建立yaml文件,而不是真正建立对象
[root@cce-7day-fudonghai-24106 ~]# kubectl run --image=nginx my-deploy -o yaml --dry-run > my-deploy.yaml
可以使用下列命令启动自动补全功能
source <(kubectl completion bash) echo "source <(kubectl completion bash)" >> ~/.bashrc
如果报错,升级一下bash-completion软件
yum install bash-completion
查看资源定义
[root@cce-7day-fudonghai-24106 027day]# kubectl explain pod.spec.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution
课下实验部分
day2的课下实验:使用工具(putty,xshell)登录node节点,配置kubectl,需要使用的命令
wget https://cce-storage.obs.cn-north-1.myhwclouds.com/kubectl.zip
unzip kubectl.zip
chmod 750 kubectl/kubectl
mv kubectl/kubectl /usr/local/bin/
mkdir -p $HOME/.kube
mv -f kubeconfig.json $HOME/.kube/config
kubectl config use-context internal
需要注意的问题是kubeconfig.json不同的账户和新建的集群节点会不一样,如果用错则kubectl不能正常工作
使用命令查看集群状态
[root@cce-7day-fudonghai-24106 ~]# kubectl cluster-info Kubernetes master is running at https://192.168.0.252:5443 CoreDNS is running at https://192.168.0.252:5443/api/v1/namespaces/kube-system/services/coredns:dns/proxy To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'. You have new mail in /var/spool/mail/root [root@cce-7day-fudonghai-24106 ~]# kubectl get nodes NAME STATUS ROLES AGE VERSION 192.168.0.184 Ready <none> 24d v1.13.7-r0-CCE2.0.24.B001 [root@cce-7day-fudonghai-24106 ~]# kubectl get pods --all-namespaces NAMESPACE NAME READY STATUS RESTARTS AGE kube-system coredns-646fc859df-29tkg 0/1 Pending 0 24d kube-system coredns-646fc859df-zc6w7 1/1 Running 2 24d kube-system icagent-mlzw2 1/1 Running 46 24d kube-system storage-driver-q9jcz 1/1 Running 2 24d [root@cce-7day-fudonghai-24106 ~]# kubectl get componentstatus NAME STATUS MESSAGE ERROR controller-manager Healthy ok scheduler Healthy ok etcd-4-events Healthy {"health": "true"} etcd-1 Healthy {"health": "true"} etcd-2-events Healthy {"health": "true"} etcd-0 Healthy {"health": "true"} etcd-3-events Healthy {"health": "true"}
第三部分
day3,Kubernetes pod调度原理分析
第2课:调度管理实训
课上实验部分
Node定义,关注allocatable字段,意义是可以分配的系统资源(capacity减去k8s等系统组件占用的资源)
[root@cce-7day-fudonghai-24106 ~]# kubectl get node NAME STATUS ROLES AGE VERSION 192.168.0.184 Ready <none> 24d v1.13.7-r0-CCE2.0.24.B001 [root@cce-7day-fudonghai-24106 ~]# kubectl get node 192.168.0.184 -o yaml apiVersion: v1 kind: Node metadata: annotations: huawei.com/gpu-status: '[]' status: addresses: - address: 192.168.0.184 type: InternalIP - address: 192.168.0.184 type: Hostname allocatable: attachable-volumes-hc-all-mode-disk: "22" attachable-volumes-hc-scsi-mode-disk: "22" attachable-volumes-hc-vbd-mode-disk: "22" cce/eni: "10" cpu: 1930m ephemeral-storage: "9387421271" hugepages-1Gi: "0" hugepages-2Mi: "0" memory: 2151520Ki pods: "110" capacity: attachable-volumes-hc-all-mode-disk: "22" attachable-volumes-hc-scsi-mode-disk: "22" attachable-volumes-hc-vbd-mode-disk: "22" cce/eni: "10" cpu: "2" ephemeral-storage: 10186004Ki hugepages-1Gi: "0" hugepages-2Mi: "0" memory: 3880032Ki pods: "110"
pod定义
apiVersion: v1
kind: Pod
metadata:
name: day3-pod-fudonghai
labels:
app: day3-pod-app
spec:
containers:
- image: nginx
imagePullPolicy: Always
name: my-container
ports:
- containerPort: 80
protocol: TCP
resources:
requests:
memory: "100Mi"
cpu: "100m"
limits:
memory: "200Mi"
cpu: "200m"
#nodeName: 192.168.0.184 #调度结果,系统调度后填入
schedulerName: default-scheduler #执行调度的调度器
restartPolicy: Always
nodeSelector: #匹配node的label,从系统的node复制出来,结果全部匹配,pod正常运行
#disktype: ssd #不符合条件,导致pending
#node-flavor: s3.large.2 #不符合条件,导致pending
beta.kubernetes.io/arch: amd64
beta.kubernetes.io/os: linux
failure-domain.beta.kubernetes.io/is-baremetal: "false"
failure-domain.beta.kubernetes.io/region: cn-east-2
failure-domain.beta.kubernetes.io/zone: cn-east-2a
kubernetes.io/availablezone: cn-east-2a
kubernetes.io/hostname: 192.168.0.184
os.architecture: amd64
os.name: CentOS_Linux_7_Core
os.version: 3.10.0-957.5.1.el7.x86_64
affinity:
nodeAffinity: #引入运算符,可以排除不具备指定label的node
requiredDuringSchedulingIgnoredDuringExecution: #硬性过滤
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In #运算符
values:
- 192.168.0.184
preferredDuringSchedulingIgnoredDuringExecution: #软性评分,不具备指定label打低分,降低node被选中的几率
- weight: 1
preference:
matchExpressions:
- key: node-flavor
operator: In
values:
- s3.large.2
#podAffinity: #根据集群中的pod来选择节点Node
#podAntiAffinity: #避免某些pod分布在同一组Node上,为podAffinity取反
tolerations: #高级调度策略
- effect: NoExecute
key: node.kubernetes.io/not-ready
operator: Exists
tolerationSeconds: 300
- effect: NoExecute
key: node.kubernetes.io/unreachable
operator: Exists
tolerationSeconds: 300
node-affinity
apiVersion: v1
kind: Pod
metadata:
name: node-affinity
labels:
run: node-affinity
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: has-eip
operator: In
values:
- "yes"
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: container-0
使用命令查看node标签,并没有"has-eip"标签
[root@cce-7day-fudonghai-24106 027day]# kubectl get nodes --show-labels NAME STATUS ROLES AGE VERSION LABELS 192.168.0.184 Ready <none> 25d v1.13.7-r0-CCE2.0.24.B001 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,failure-domain.beta.kubernetes.io/is-baremetal=false,failure-domain.beta.kubernetes.io/region=cn-east-2,failure-domain.beta.kubernetes.io/zone=cn-east-2a,has-eip=yes,kubernetes.io/availablezone=cn-east-2a,kubernetes.io/hostname=192.168.0.184,os.architecture=amd64,os.name=CentOS_Linux_7_Core,os.version=3.10.0-957.5.1.el7.x86_64
这个时候pod处于Pending状态
[root@cce-7day-fudonghai-24106 027day]# kubectl get pod
NAME READY STATUS RESTARTS AGE
node-affinity 0/1 Pending 0 5s
在CCE的管理页面,调到“节点管理”,找到唯一一个node,点击“标签管理”,手动添加一个"has-eip"标签,值为yes。再次观察pod状体,为running状态
[root@cce-7day-fudonghai-24106 027day]# kubectl get pod
NAME READY STATUS RESTARTS AGE
node-affinity 1/1 Running 0 7m55s
pod-affinity,选择和label为run:pod-affinity(前面一个pod),在“node”范围内亲和
apiVersion: v1
kind: Pod
metadata:
name: pod-affinity
labels:
run: pod-affinity
spec:
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: run
operator: In
values:
- "node-affinity"
topologyKey: kubernetes.io/hostname
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: container-0
本pod必须在前面的pod建立起来后才能running。适用场景是和一组特定的pod分布在一起,比如前端+后端。这样在同一AZ内流量免费,且网速快。
[root@cce-7day-fudonghai-24106 027day]# kubectl get pod
NAME READY STATUS RESTARTS AGE
node-affinity 0/1 Pending 0 9s
pod-affinity 0/1 Pending 0 41s
[root@cce-7day-fudonghai-24106 027day]# kubectl get pod
NAME READY STATUS RESTARTS AGE
node-affinity 0/1 ContainerCreating 0 53s
pod-affinity 1/1 Running 0 85s
pod-anti-affinity,和前面pod反亲和,避免某些Pod分布在同一组Node上。与podAffinity的差异,1,匹配过程相同,2,最终处理调度结果时取反
apiVersion: v1
kind: Pod
metadata:
name: pod-anti-affinity
labels:
run: pod-anti-affinity
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: run
operator: In
values:
- "node-affinity"
topologyKey: kubernetes.io/hostname
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: container-0
因为只有一个节点,调度失败
[root@cce-7day-fudonghai-24106 027day]# kubectl get pod
NAME READY STATUS RESTARTS AGE
node-affinity 1/1 Running 0 18m
pod-affinity 1/1 Running 0 19m
pod-anti-affinity 0/1 Pending 0 7s
查看失败原因
[root@cce-7day-fudonghai-24106 027day]# kubectl describe pod pod-anti-affinity Name: pod-anti-affinity Namespace: default Priority: 0 PriorityClassName: <none> Node: <none> Labels: run=pod-anti-affinity Annotations: <none> Status: Pending IP: Conditions: Type Status PodScheduled False Volumes: Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s node.kubernetes.io/unreachable:NoExecute for 300s Events: Type Reason Age From Message ---- ------ ---- ---- ------- Warning FailedScheduling 48s (x18 over 12m) default-scheduler 0/1 nodes are available: 1 node(s) didn't match pod affinity/anti-affinity, 1 node(s) didn't match pod anti-affinity rules.
pod-tolerations,
apiVersion: v1
kind: Pod
metadata:
name: pod-tolerations
labels:
run: pod-tolerations
spec:
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: container-0
tolerations:
- key: gpu
operator: Equal
value: "yes"
effect: NoSchedule
先给node打上标签,使调度不成功。taints:避免Pod调度到特定的Node上。带effect的特殊label,对Pod有排斥性
[root@cce-7day-fudonghai-24106 027day]# kubectl taint node 192.168.0.184 gpu=no:NoSchedule
node/192.168.0.184 tainted
[root@cce-7day-fudonghai-24106 027day]# kubectl get pod -owide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES node-affinity 1/1 Running 0 41m 172.16.0.22 192.168.0.184 <none> <none> pod-affinity 1/1 Running 0 42m 172.16.0.21 192.168.0.184 <none> <none> pod-anti-affinity 0/1 Pending 0 22m <none> <none> <none> <none> pod-tolerations 0/1 Pending 0 5s <none> <none> <none> <none>
如果不打这个标签,直接会调度成功。
课下实验部分
1,通过命令行,使用nginx镜像创建一个pod并手动调度到集群中的一个节点。
apiVersion: v1
kind: Pod
metadata:
name: cce7days-fudonghai
labels:
app: nginx
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- 192.168.0.184 #node节点的私网IP地址
containers:
- image: swr.cn-east-2.myhuaweicloud.com/fudonghai/tank:v1.0 #容器镜像地址
imagePullPolicy: IfNotPresent
name: container-0
resources: {}
dnsPolicy: ClusterFirst
imagePullSecrets:
- name: default-secret
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
开始的时候pod并没有运行起来,查看pod状态发现
[root@cce-7day-fudonghai-24106 027day]# kubectl describe pod cce7days-fudonghai Name: cce7days-fudonghai Namespace: default Priority: 0 PriorityClassName: <none> Node: <none> Labels: app=nginx Annotations: <none> Status: Pending IP: Containers: container-0: Image: swr.cn-east-2.myhuaweicloud.com/fudonghai/tank:v1.0 Port: <none> Host Port: <none> Environment: <none> Mounts: /var/run/secrets/kubernetes.io/serviceaccount from default-token-9rk4h (ro) Conditions: Type Status PodScheduled False Volumes: default-token-9rk4h: Type: Secret (a volume populated by a Secret) SecretName: default-token-9rk4h Optional: false QoS Class: BestEffort Node-Selectors: <none> Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s node.kubernetes.io/unreachable:NoExecute for 300s Events: Type Reason Age From Message ---- ------ ---- ---- ------- Warning FailedScheduling 52s (x2 over 52s) default-scheduler 0/1 nodes are available: 1 node(s) had taints that the pod didn't tolerate.
手动删除node的taint,就可以运行起来
[root@cce-7day-fudonghai-24106 027day]# kubectl taint node 192.168.0.184 gpu:NoSchedule- node/192.168.0.184 untainted [root@cce-7day-fudonghai-24106 027day]# kubectl get pod -owide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES cce7days-fudonghai 1/1 Running 0 62m 172.16.0.24 192.168.0.184 <none> <none>
2,通过命令行,创建一个deployment,拥有2个pod,其自身的pod之间在节点级别反亲和
实验开始前需要再购买一个节点,选最低的按需计费0.42/小时,购买后有几分钟创建时间。两个节点并不在一个可用区里面,但在一个集群里面
[root@cce-7day-fudonghai-24106 027day]# kubectl get node -owide NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME 192.168.0.184 Ready <none> 26d v1.13.7-r0-CCE2.0.24.B001 192.168.0.184 <none> CentOS Linux 7 (Core) 3.10.0-957.5.1.el7.x86_64 docker://18.9.0 192.168.0.187 Ready <none> 93s v1.13.4-r0-CCE2.0.23.B001 192.168.0.187 <none> CentOS Linux 7 (Core) 3.10.0-957.5.1.el7.x86_64 docker://18.9.0
deploy的yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: cce7days-app1-fudonghai
namespace: default
spec:
replicas: 2
selector:
matchLabels:
app: cce7days-app1-fudonghai
template:
metadata:
labels:
app: cce7days-app1-fudonghai
spec:
containers:
- image: nginx
name: container-0
imagePullPolicy: IfNotPresent
restartPolicy: Always
dnsPolicy: ClusterFirst
imagePullSecrets:
- name: default-secret
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- cce7days-app1-fudonghai
topologyKey: kubernetes.io/hostname
schedulerName: default-scheduler
创建并查看
[root@cce-7day-fudonghai-24106 027day]# kubectl create -f anti-affinity-deployment.yaml deployment.apps/cce7days-app1-fudonghai created [root@cce-7day-fudonghai-24106 027day]# kubectl get pod -owide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES cce7days-app1-fudonghai-54d59459b9-8lwzb 1/1 Running 0 10s 172.16.0.26 192.168.0.184 <none> <none> cce7days-app1-fudonghai-54d59459b9-9485l 1/1 Running 0 10s 172.16.0.36 192.168.0.187 <none> <none>
3,通过命令行,创建一个deployment,拥有2个pod,并配置该deployment的pod与第1个deployment的pod在节点级别亲和
deploy的yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: cce7days-app2-fudonghai
namespace: default
spec:
replicas: 2
selector:
matchLabels:
app: cce7days-app2-fudonghai
template:
metadata:
labels:
app: cce7days-app2-fudonghai
spec:
containers:
- image: nginx
name: container-0
imagePullSecrets:
- name: default-secret
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- cce7days-app1-fudonghai
topologyKey: kubernetes.io/hostname
创建并查看
[root@cce-7day-fudonghai-24106 027day]# kubectl create -f affinity-deployment.yaml deployment.apps/cce7days-app2-fudonghai created [root@cce-7day-fudonghai-24106 027day]# kubectl get pod -owide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES cce7days-app1-fudonghai-54d59459b9-8lwzb 1/1 Running 0 4m44s 172.16.0.26 192.168.0.184 <none> <none> cce7days-app1-fudonghai-54d59459b9-9485l 1/1 Running 0 4m44s 172.16.0.36 192.168.0.187 <none> <none> cce7days-app2-fudonghai-8fbd78c48-5gr7m 1/1 Running 0 4s 172.16.0.37 192.168.0.187 <none> <none> cce7days-app2-fudonghai-8fbd78c48-645z4 1/1 Running 0 4s 172.16.0.27 192.168.0.184 <none> <none>
第四部分
Day4 Kubernetes应用生命周期原理分析
第3课:K8S日志、监控与应用管理实训
课上实验部分
[root@cce-7day-fudonghai-24106 027day]# kubectl cluster-info
Kubernetes master is running at https://192.168.0.252:5443
CoreDNS is running at https://192.168.0.252:5443/api/v1/namespaces/kube-system/services/coredns:dns/proxy
[root@cce-7day-fudonghai-24106 027day]# kubectl cluster-info dump > a.txt
[root@cce-7day-fudonghai-24106 027day]# kubectl get pod -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-646fc859df-6m5cf 0/1 Pending 0 20h
coredns-646fc859df-zc6w7 1/1 Running 2 27d
icagent-mlzw2 1/1 Running 52 27d
storage-driver-q9jcz 1/1 Running 2 27d
[root@cce-7day-fudonghai-24106 027day]# kubectl describe pod coredns-646fc859df-6m5cf -n kube-system Name: coredns-646fc859df-6m5cf Namespace: kube-system Priority: 0 PriorityClassName: <none> Node: <none> Labels: app=coredns k8s-app=coredns kubernetes.io/evictcritical= pod-template-hash=646fc859df release=cceaddon-coredns Annotations: checksum/config=3095a9b4028195e7e0b8b22c550bf183d0b7a8a7eba20808b36081d0b39f8b81 scheduler.alpha.kubernetes.io/critical-pod= scheduler.alpha.kubernetes.io/tolerations=[{"key":"CriticalAddonsOnly", "operator":"Exists"}] Status: Pending IP: Controlled By: ReplicaSet/coredns-646fc859df Containers: coredns: Image: 100.125.17.64:20202/hwofficial/cce-coredns-linux-amd64:1.2.6.1 Port: 5353/UDP Host Port: 0/UDP Args: -conf /etc/coredns/Corefile -rmem udp#8388608 -wmem udp#1048576 Limits: cpu: 500m memory: 512Mi Requests: cpu: 500m memory: 512Mi Liveness: http-get http://:8080/health delay=60s timeout=5s period=10s #success=1 #failure=5 Readiness: http-get http://:8080/health delay=3s timeout=3s period=5s #success=1 #failure=3 Environment: <none> Mounts: /etc/coredns from config-volume (rw) /var/run/secrets/kubernetes.io/serviceaccount from coredns-token-vrbw4 (ro) Conditions: Type Status PodScheduled False Volumes: config-volume: Type: ConfigMap (a volume populated by a ConfigMap) Name: coredns Optional: false coredns-token-vrbw4: Type: Secret (a volume populated by a Secret) SecretName: coredns-token-vrbw4 Optional: false QoS Class: Guaranteed Node-Selectors: <none> Tolerations: node.kubernetes.io/not-ready:NoExecute for 60s node.kubernetes.io/unreachable:NoExecute for 60s Events: Type Reason Age From Message ---- ------ ---- ---- ------- Warning FailedScheduling 4m (x1567 over 20h) default-scheduler 0/1 nodes are available: 1 node(s) didn't match pod affinity/anti-affinity, 1 node(s) didn't satisfy existing pods anti-affinity rules.
[root@cce-7day-fudonghai-24106 027day]# kubectl run redis --image=redis
deployment.apps/redis created
[root@cce-7day-fudonghai-24106 027day]# kubectl get pod
NAME READY STATUS RESTARTS AGE
redis-785f9d6bfb-sp5n8 1/1 Running 0 11s
看redis容器日志
[root@cce-7day-fudonghai-24106 027day]# kubectl logs -f redis-785f9d6bfb-sp5n8 -c redis
1:C 28 Jul 2019 03:21:39.454 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
1:C 28 Jul 2019 03:21:39.454 # Redis version=5.0.1, bits=64, commit=00000000, modified=0, pid=1, just started
1:C 28 Jul 2019 03:21:39.454 # Warning: no config file specified, using the default config. In order to specify a config file use redis-server /path/to/redis.conf
1:M 28 Jul 2019 03:21:39.463 * Running mode=standalone, port=6379.
1:M 28 Jul 2019 03:21:39.463 # WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.
1:M 28 Jul 2019 03:21:39.463 # Server initialized
1:M 28 Jul 2019 03:21:39.463 # WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled.
1:M 28 Jul 2019 03:21:39.463 * Ready to accept connections
运行2个副本的deploymnet
[root@cce-7day-fudonghai-24106 027day]# kubectl run nginx --image=nginx --replicas=2
deployment.apps/nginx created
[root@cce-7day-fudonghai-24106 027day]# kubectl get deploy
\NAME READY UP-TO-DATE AVAILABLE AGE
nginx 2/2 2 2 10s
[root@cce-7day-fudonghai-24106 027day]# \kubectl get pod
NAME READY STATUS RESTARTS AGE
nginx-7cdbd8cdc9-6jpwd 1/1 Running 0 21s
nginx-7cdbd8cdc9-q5x6z 1/1 Running 0 21s
进入pod容器
[root@cce-7day-fudonghai-24106 027day]# kubectl exec -it nginx-7cdbd8cdc9-q5x6z /bin/sh
# ls
bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
# exit
升级容器镜像
[root@cce-7day-fudonghai-24106 027day]# kubectl set image deploy nginx nginx=nginx:1.9.1
deployment.extensions/nginx image updated
[root@cce-7day-fudonghai-24106 027day]# kubectl get pod
NAME READY STATUS RESTARTS AGE
nginx-7cdbd8cdc9-6jpwd 1/1 Running 0 8h
nginx-7cdbd8cdc9-q5x6z 1/1 Running 0 8h
nginx-8676fdbb6d-ljwsz 0/1 ContainerCreating 0 19s
[root@cce-7day-fudonghai-24106 027day]# kubectl get pod
NAME READY STATUS RESTARTS AGE
nginx-7cdbd8cdc9-6jpwd 1/1 Running 0 8h
nginx-7cdbd8cdc9-q5x6z 1/1 Running 0 8h
nginx-8676fdbb6d-ljwsz 0/1 ContainerCreating 0 28s
[root@cce-7day-fudonghai-24106 027day]# kubectl get pod
NAME READY STATUS RESTARTS AGE
nginx-7cdbd8cdc9-q5x6z 0/1 Terminating 0 8h
nginx-8676fdbb6d-ljwsz 1/1 Running 0 42s
nginx-8676fdbb6d-zbbx8 1/1 Running 0 10s
[root@cce-7day-fudonghai-24106 027day]# kubectl get pod
NAME READY STATUS RESTARTS AGE
nginx-8676fdbb6d-ljwsz 1/1 Running 0 2m51s
nginx-8676fdbb6d-zbbx8 1/1 Running 0 2m19s
[root@cce-7day-fudonghai-24106 027day]# kubectl rollout status deploy nginx
deployment "nginx" successfully rolled out
查看历史
[root@cce-7day-fudonghai-24106 027day]# kubectl rollout history deploy nginx deployments "nginx" REVISION CHANGE-CAUSE 1 <none> 2 <none> [root@cce-7day-fudonghai-24106 027day]# kubectl rollout history deploy nginx --revision=2 deployments "nginx" with revision #2 Pod Template: Labels: pod-template-hash=8676fdbb6d run=nginx Containers: nginx: Image: nginx:1.9.1 Port: <none> Host Port: <none> Environment: <none> Mounts: <none> Volumes: <none> [root@cce-7day-fudonghai-24106 027day]# kubectl rollout history deploy nginx --revision=1 deployments "nginx" with revision #1 Pod Template: Labels: pod-template-hash=7cdbd8cdc9 run=nginx Containers: nginx: Image: nginx Port: <none> Host Port: <none> Environment: <none> Mounts: <none> Volumes: <none>
把maxSurge和maxUnavailable 都改成2
[root@cce-7day-fudonghai-24106 027day]# kubectl edit deploy nginx
deployment.extensions/nginx edited
strategy:
rollingUpdate:
maxSurge: 2
maxUnavailable: 2
type: RollingUpdate
改变资源升级
[root@cce-7day-fudonghai-24106 027day]# kubectl set resources deploy nginx -c=nginx --limits=cpu=200m,memory=256Mi deployment.extensions/nginx resource requirements updated [root@cce-7day-fudonghai-24106 027day]# kubectl get pod NAME READY STATUS RESTARTS AGE nginx-6bc5c66cdd-dqwdm 1/1 Running 0 14s nginx-6bc5c66cdd-xz85d 1/1 Running 0 14s [root@cce-7day-fudonghai-24106 027day]# kubectl get pod NAME READY STATUS RESTARTS AGE nginx-6bc5c66cdd-dqwdm 1/1 Running 0 19s nginx-6bc5c66cdd-xz85d 1/1 Running 0 19s [root@cce-7day-fudonghai-24106 027day]# kubectl rollout history deploy nginx --revision=3 deployments "nginx" with revision #3 Pod Template: Labels: pod-template-hash=6bc5c66cdd run=nginx Containers: nginx: Image: nginx:1.9.1 Port: <none> Host Port: <none> Limits: cpu: 200m memory: 256Mi Environment: <none> Mounts: <none> Volumes: <none>
回滚到版本2
[root@cce-7day-fudonghai-24106 027day]# kubectl rollout undo deploy nginx --to-revision=2
deployment.extensions/nginx
水平扩容
[root@cce-7day-fudonghai-24106 027day]# kubectl scale deploy nginx --replicas=4 deployment.extensions/nginx scaled [root@cce-7day-fudonghai-24106 027day]# kubectl get pod NAME READY STATUS RESTARTS AGE nginx-8676fdbb6d-2g4np 1/1 Running 0 3m39s nginx-8676fdbb6d-c9k78 0/1 ContainerCreating 0 7s nginx-8676fdbb6d-rj4np 1/1 Running 0 3m39s nginx-8676fdbb6d-vjtln 0/1 ContainerCreating 0 7s [root@cce-7day-fudonghai-24106 027day]# kubectl get pod NAME READY STATUS RESTARTS AGE nginx-8676fdbb6d-2g4np 1/1 Running 0 3m45s nginx-8676fdbb6d-c9k78 0/1 ContainerCreating 0 13s nginx-8676fdbb6d-rj4np 1/1 Running 0 3m45s nginx-8676fdbb6d-vjtln 1/1 Running 0 13s [root@cce-7day-fudonghai-24106 027day]# kubectl rollout history deploy nginx deployments "nginx" REVISION CHANGE-CAUSE 1 <none> 3 <none> 4 <none>
课下实验部分
1,通过Deployment方式,使用redis镜像创建1个Pod。通过kubectl获得redis启动日志。打卡:将所用命令、创建的Deployment完整yaml截图上传
yaml文件
apiVersion: apps/v1
kind: Deployment
metadata:
name: cce7days-app3-fudonghai
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: cce7days-app3-fudonghai
template:
metadata:
labels:
app: cce7days-app3-fudonghai
spec:
containers:
- image: 'redis:latest'
name: container-0
imagePullSecrets:
- name: default-secret
# 此处亲和性设置是为了将pod调度到有EIP的节点,便于下载外网镜像
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- 192.168.0.184
使用命令
[root@cce-7day-fudonghai-24106 027day]# kubectl create -f day4-redis-deployment.yaml deployment.apps/cce7days-app3-fudonghai created [root@cce-7day-fudonghai-24106 027day]# kubectl get pod -owide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES cce7days-app3-fudonghai-b4f5bf6d6-b5xrv 1/1 Running 0 20s 172.16.0.26 192.168.0.184 <none> <none> [root@cce-7day-fudonghai-24106 027day]# kubectl logs -f cce7days-app3-fudonghai-b4f5bf6d6-b5xrv -c container-0 1:C 29 Jul 2019 00:51:04.808 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo 1:C 29 Jul 2019 00:51:04.808 # Redis version=5.0.1, bits=64, commit=00000000, modified=0, pid=1, just started 1:C 29 Jul 2019 00:51:04.808 # Warning: no config file specified, using the default config. In order to specify a config file use redis-server /path/to/redis.conf 1:M 29 Jul 2019 00:51:04.811 * Running mode=standalone, port=6379. 1:M 29 Jul 2019 00:51:04.811 # WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128. 1:M 29 Jul 2019 00:51:04.811 # Server initialized 1:M 29 Jul 2019 00:51:04.811 # WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled. 1:M 29 Jul 2019 00:51:04.811 * Ready to accept connections ^C
2,通过命令行,创建1个deployment,副本数为3,镜像为nginx:latest。然后滚动升级到nginx:1.9.1。
yaml文件
apiVersion: apps/v1
kind: Deployment
metadata:
name: cce7days-app4-fudonghai
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: cce7days-app4-fudonghai
template:
metadata:
labels:
app: cce7days-app4-fudonghai
spec:
containers:
- image: 'nginx:latest'
name: container-0
imagePullSecrets:
- name: default-secret
# 此处亲和性设置是为了将pod调度到有EIP的节点,便于下载外网镜像
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- 192.168.0.184
使用命令
[root@cce-7day-fudonghai-24106 027day]# kubectl create -f day4-nginx-deployment.yaml deployment.apps/cce7days-app4-fudonghai created [root@cce-7day-fudonghai-24106 027day]# kubectl get pod -owide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES cce7days-app4-fudonghai-6c5fb9794-5wl6r 1/1 Running 0 14s 172.16.0.29 192.168.0.184 <none> <none> cce7days-app4-fudonghai-6c5fb9794-9mqfm 1/1 Running 0 14s 172.16.0.28 192.168.0.184 <none> <none> cce7days-app4-fudonghai-6c5fb9794-zgjsk 1/1 Running 0 14s 172.16.0.27 192.168.0.184 <none> <none>
[root@cce-7day-fudonghai-24106 027day]# kubectl set image deploy cce7days-app4-fudonghai container-0=nginx:1.9.1 deployment.extensions/cce7days-app4-fudonghai image updated [root@cce-7day-fudonghai-24106 027day]# kubectl get pod -o yaml apiVersion: v1 items: - apiVersion: v1 kind: Pod metadata: creationTimestamp: 2019-07-29T01:10:31Z generateName: cce7days-app4-fudonghai-7b4bd886f4- labels: app: cce7days-app4-fudonghai pod-template-hash: 7b4bd886f4 name: cce7days-app4-fudonghai-7b4bd886f4-5j2pn namespace: default ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: ReplicaSet name: cce7days-app4-fudonghai-7b4bd886f4 uid: a13fbe25-b19d-11e9-8bbd-fa163eb87d99 resourceVersion: "6554233" selfLink: /api/v1/namespaces/default/pods/cce7days-app4-fudonghai-7b4bd886f4-5j2pn uid: a8cc08d2-b19d-11e9-8bbd-fa163eb87d99 spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/hostname operator: In values: - 192.168.0.184 containers: - image: nginx:1.9.1 imagePullPolicy: Always name: container-0 resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: default-token-9rk4h readOnly: true dnsConfig: options: - name: single-request-reopen value: "" - name: timeout value: "2" dnsPolicy: ClusterFirst enableServiceLinks: true imagePullSecrets: - name: default-secret nodeName: 192.168.0.184 priority: 0 restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: default serviceAccountName: default terminationGracePeriodSeconds: 30 tolerations: - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists tolerationSeconds: 300 - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists tolerationSeconds: 300 volumes: - name: default-token-9rk4h secret: defaultMode: 420 secretName: default-token-9rk4h status: conditions: - lastProbeTime: null lastTransitionTime: 2019-07-29T01:10:31Z status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: 2019-07-29T01:10:36Z status: "True" type: Ready - lastProbeTime: null lastTransitionTime: 2019-07-29T01:10:36Z status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: 2019-07-29T01:10:31Z status: "True" type: PodScheduled containerStatuses: - containerID: docker://41faea96f702417e1b76fd1b6462c40eb8399564c7da1e15844222946d5877fd image: nginx:1.9.1 imageID: docker-pullable://nginx@sha256:2f68b99bc0d6d25d0c56876b924ec20418544ff28e1fb89a4c27679a40da811b lastState: {} name: container-0 ready: true restartCount: 0 state: running: startedAt: 2019-07-29T01:10:36Z hostIP: 192.168.0.184 phase: Running podIP: 172.16.0.19 qosClass: BestEffort startTime: 2019-07-29T01:10:31Z - apiVersion: v1 kind: Pod metadata: creationTimestamp: 2019-07-29T01:10:18Z generateName: cce7days-app4-fudonghai-7b4bd886f4- labels: app: cce7days-app4-fudonghai pod-template-hash: 7b4bd886f4 name: cce7days-app4-fudonghai-7b4bd886f4-k62fv namespace: default ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: ReplicaSet name: cce7days-app4-fudonghai-7b4bd886f4 uid: a13fbe25-b19d-11e9-8bbd-fa163eb87d99 resourceVersion: "6554165" selfLink: /api/v1/namespaces/default/pods/cce7days-app4-fudonghai-7b4bd886f4-k62fv uid: a1411f99-b19d-11e9-8bbd-fa163eb87d99 spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/hostname operator: In values: - 192.168.0.184 containers: - image: nginx:1.9.1 imagePullPolicy: Always name: container-0 resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: default-token-9rk4h readOnly: true dnsConfig: options: - name: single-request-reopen value: "" - name: timeout value: "2" dnsPolicy: ClusterFirst enableServiceLinks: true imagePullSecrets: - name: default-secret nodeName: 192.168.0.184 priority: 0 restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: default serviceAccountName: default terminationGracePeriodSeconds: 30 tolerations: - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists tolerationSeconds: 300 - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists tolerationSeconds: 300 volumes: - name: default-token-9rk4h secret: defaultMode: 420 secretName: default-token-9rk4h status: conditions: - lastProbeTime: null lastTransitionTime: 2019-07-29T01:10:18Z status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: 2019-07-29T01:10:24Z status: "True" type: Ready - lastProbeTime: null lastTransitionTime: 2019-07-29T01:10:24Z status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: 2019-07-29T01:10:18Z status: "True" type: PodScheduled containerStatuses: - containerID: docker://c7fa6320cfb4ad5bc6e0a31392bfd2ded5b5168647478a09386b63c69ef96b45 image: nginx:1.9.1 imageID: docker-pullable://nginx@sha256:2f68b99bc0d6d25d0c56876b924ec20418544ff28e1fb89a4c27679a40da811b lastState: {} name: container-0 ready: true restartCount: 0 state: running: startedAt: 2019-07-29T01:10:23Z hostIP: 192.168.0.184 phase: Running podIP: 172.16.0.30 qosClass: BestEffort startTime: 2019-07-29T01:10:18Z - apiVersion: v1 kind: Pod metadata: creationTimestamp: 2019-07-29T01:10:24Z generateName: cce7days-app4-fudonghai-7b4bd886f4- labels: app: cce7days-app4-fudonghai pod-template-hash: 7b4bd886f4 name: cce7days-app4-fudonghai-7b4bd886f4-rqfh4 namespace: default ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: ReplicaSet name: cce7days-app4-fudonghai-7b4bd886f4 uid: a13fbe25-b19d-11e9-8bbd-fa163eb87d99 resourceVersion: "6554200" selfLink: /api/v1/namespaces/default/pods/cce7days-app4-fudonghai-7b4bd886f4-rqfh4 uid: a509133c-b19d-11e9-8bbd-fa163eb87d99 spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/hostname operator: In values: - 192.168.0.184 containers: - image: nginx:1.9.1 imagePullPolicy: Always name: container-0 resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: default-token-9rk4h readOnly: true dnsConfig: options: - name: single-request-reopen value: "" - name: timeout value: "2" dnsPolicy: ClusterFirst enableServiceLinks: true imagePullSecrets: - name: default-secret nodeName: 192.168.0.184 priority: 0 restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: default serviceAccountName: default terminationGracePeriodSeconds: 30 tolerations: - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists tolerationSeconds: 300 - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists tolerationSeconds: 300 volumes: - name: default-token-9rk4h secret: defaultMode: 420 secretName: default-token-9rk4h status: conditions: - lastProbeTime: null lastTransitionTime: 2019-07-29T01:10:24Z status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: 2019-07-29T01:10:31Z status: "True" type: Ready - lastProbeTime: null lastTransitionTime: 2019-07-29T01:10:31Z status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: 2019-07-29T01:10:24Z status: "True" type: PodScheduled containerStatuses: - containerID: docker://4bd5450bd4516da0710ddcf4e1be29823c535f88fb3149c266d2240ceb475fc4 image: nginx:1.9.1 imageID: docker-pullable://nginx@sha256:2f68b99bc0d6d25d0c56876b924ec20418544ff28e1fb89a4c27679a40da811b lastState: {} name: container-0 ready: true restartCount: 0 state: running: startedAt: 2019-07-29T01:10:30Z hostIP: 192.168.0.184 phase: Running podIP: 172.16.0.31 qosClass: BestEffort startTime: 2019-07-29T01:10:24Z kind: List metadata: resourceVersion: "" selfLink: "" [root@cce-7day-fudonghai-24106 027day]# kubectl rollout history deploy cce7days-app4-fudonghai deployments "cce7days-app4-fudonghai" REVISION CHANGE-CAUSE 1 <none> 2 <none> [root@cce-7day-fudonghai-24106 027day]# kubectl rollout history deployment cce7days-app4-fudonghai --revision=2 deployments "cce7days-app4-fudonghai" with revision #2 Pod Template: Labels: app=cce7days-app4-fudonghai pod-template-hash=7b4bd886f4 Containers: container-0: Image: nginx:1.9.1 Port: <none> Host Port: <none> Environment: <none> Mounts: <none> Volumes: <none>
第五部分
Day5 Kubernetes网络管理原理分析
第4课:K8S网络管理实训
课上实验部分
(一)svc
建立类型为clusterip的service,名称为my-svc-cp
[root@cce-7day-fudonghai-24106 027day]# kubectl create service clusterip my-svc-cp --tcp=80:8080 service/my-svc-cp created [root@cce-7day-fudonghai-24106 027day]# kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE cka-kubectl NodePort 10.247.1.217 <none> 3000:30078/TCP 4d22h kubernetes ClusterIP 10.247.0.1 <none> 443/TCP 28d my-svc-cp ClusterIP 10.247.100.116 <none> 80/TCP 31s [root@cce-7day-fudonghai-24106 027day]# curl 10.247.100.116:80 curl: (7) Failed connect to 10.247.100.116:80; Connection refused
k8s会产生同名的endpoint,此时endpoint还没有指定IP,所以看到为none
[root@cce-7day-fudonghai-24106 027day]# kubectl get endpoints NAME ENDPOINTS AGE cka-kubectl <none> 4d22h kubernetes 192.168.0.252:5444 28d my-svc-cp <none> 6m2s
查看这个service
[root@cce-7day-fudonghai-24106 027day]# kubectl describe service my-svc-cp Name: my-svc-cp Namespace: default Labels: app=my-svc-cp Annotations: <none> Selector: app=my-svc-cp Type: ClusterIP IP: 10.247.100.116 Port: 80-8080 80/TCP TargetPort: 8080/TCP Endpoints: <none> Session Affinity: None Events: <none>
建立类型为nodeport的service,名称为my-svc-np
[root@cce-7day-fudonghai-24106 027day]# kubectl create service nodeport my-svc-np --tcp=1234:80 service/my-svc-np created [root@cce-7day-fudonghai-24106 027day]# kubectl describe service my-svc-np Name: my-svc-np Namespace: default Labels: app=my-svc-np Annotations: <none> Selector: app=my-svc-np Type: NodePort IP: 10.247.109.121 Port: 1234-80 1234/TCP TargetPort: 80/TCP NodePort: 1234-80 31263/TCP Endpoints: <none> Session Affinity: None External Traffic Policy: Cluster Events: <none>
nodeport的svc与clusterip的svc相同之处在于也有clusterip,不同之处是还有一个主机的端口号(个人认为node端口号,可以从外网访问),这里是31263
也就是说nodeport 涵盖了 clusterip
[root@cce-7day-fudonghai-24106 027day]# curl 10.247.109.121:1234
curl: (7) Failed connect to 10.247.109.121:1234; Connection refused
You have new mail in /var/spool/mail/root
[root@cce-7day-fudonghai-24106 027day]# curl http://122.112.252.69:31263
curl: (7) Failed connect to 122.112.252.69:31263; Connection refused
建立类型为headless的svc,指定clusterip为None
[root@cce-7day-fudonghai-24106 027day]# kubectl create svc clusterip my-svc-headless --clusterip="None" service/my-svc-headless created [root@cce-7day-fudonghai-24106 027day]# kubectl describe svc my-svc-headless Name: my-svc-headless Namespace: default Labels: app=my-svc-headless Annotations: <none> Selector: app=my-svc-headless Type: ClusterIP IP: None Session Affinity: None Events: <none>
上面建立的3个svc都是没有后端的,下面建立一个名为hello-nginx的后端,为svc提供支撑
[root@cce-7day-fudonghai-24106 027day]# kubectl run hello-nginx --image=nginx
deployment.apps/hello-nginx created
You have new mail in /var/spool/mail/root
[root@cce-7day-fudonghai-24106 027day]# kubectl get pod
NAME READY STATUS RESTARTS AGE
hello-nginx-79c6778c6f-pdqzl 1/1 Running 0 6s
使用expose命令建立svc,把这个deploy和这个svc连接起来,svc类型clusterip,端口8090
[root@cce-7day-fudonghai-24106 027day]# kubectl expose deploy hello-nginx --type=ClusterIP --name=my-svc-nginx --port=8090 --target-port=80 service/my-svc-nginx exposed You have new mail in /var/spool/mail/root [root@cce-7day-fudonghai-24106 027day]# kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE cka-kubectl NodePort 10.247.1.217 <none> 3000:30078/TCP 4d23h kubernetes ClusterIP 10.247.0.1 <none> 443/TCP 28d my-svc-cp ClusterIP 10.247.100.116 <none> 80/TCP 80m my-svc-headless ClusterIP None <none> <none> 36m my-svc-nginx ClusterIP 10.247.205.107 <none> 8090/TCP 7s my-svc-np NodePort 10.247.109.121 <none> 1234:31263/TCP 68m
测试一下,成功
[root@cce-7day-fudonghai-24106 027day]# curl 10.247.205.107:8090 <!DOCTYPE html> <html> <head> <title>Welcome to nginx!</title> <style> body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; } </style> </head> <body> <h1>Welcome to nginx!</h1> <p>If you see this page, the nginx web server is successfully installed and working. Further configuration is required.</p> <p>For online documentation and support please refer to <a href="http://nginx.org/">nginx.org</a>.<br/> Commercial support is available at <a href="http://nginx.com/">nginx.com</a>.</p> <p><em>Thank you for using nginx.</em></p> </body> </html>
k8s会产生同名的endpoint,其IP就是刚才那个nginx pod的IP:172.16.0.20
[root@cce-7day-fudonghai-24106 027day]# kubectl get endpoints NAME ENDPOINTS AGE cka-kubectl <none> 4d23h kubernetes 192.168.0.252:5444 28d my-svc-cp <none> 84m my-svc-headless <none> 41m my-svc-nginx 172.16.0.20:80 4m41s my-svc-np <none> 72m [root@cce-7day-fudonghai-24106 027day]# kubectl describe pod hello-nginx-79c6778c6f-pdqzl Name: hello-nginx-79c6778c6f-pdqzl Namespace: default Priority: 0 PriorityClassName: <none> Node: 192.168.0.184/192.168.0.184 Start Time: Mon, 29 Jul 2019 15:47:31 +0800 Labels: pod-template-hash=79c6778c6f run=hello-nginx Annotations: <none> Status: Running IP: 172.16.0.20 Controlled By: ReplicaSet/hello-nginx-79c6778c6f
也可以用pod IP测试
[root@cce-7day-fudonghai-24106 027day]# curl 172.16.0.20 <!DOCTYPE html> <html> <head> <title>Welcome to nginx!</title> <style> body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; } </style> </head> <body> <h1>Welcome to nginx!</h1> <p>If you see this page, the nginx web server is successfully installed and working. Further configuration is required.</p> <p>For online documentation and support please refer to <a href="http://nginx.org/">nginx.org</a>.<br/> Commercial support is available at <a href="http://nginx.com/">nginx.com</a>.</p> <p><em>Thank you for using nginx.</em></p> </body> </html>
(二)查域名
查域名需要有工具nslookup,而实际考试环境没有,需要找到一个有的docker镜像run起来
[root@cce-7day-fudonghai-24106 027day]# wget https://kubernetes.io/examples/admin/dns/busybox.yaml
--2019-07-29 16:17:12-- https://kubernetes.io/examples/admin/dns/busybox.yaml
Resolving kubernetes.io (kubernetes.io)... 45.54.44.102
Connecting to kubernetes.io (kubernetes.io)|45.54.44.102|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 234 [application/x-yaml]
Saving to: ‘busybox.yaml’
100%[========================================================================================>] 234 --.-K/s in 0s
2019-07-29 16:17:14 (7.26 MB/s) - ‘busybox.yaml’ saved [234/234]
busybox1.28的镜像带nslookup
apiVersion: v1
kind: Pod
metadata:
name: busybox
namespace: default
spec:
containers:
- name: busybox
image: busybox:1.28
command:
- sleep #需要睡眠阻塞住,不然一下就运行完了
- "3600"
imagePullPolicy: IfNotPresent
restartPolicy: Always
运行这个busybox镜像
[root@cce-7day-fudonghai-24106 027day]# kubectl create -f busybox.yaml
pod/busybox created
[root@cce-7day-fudonghai-24106 027day]# kubectl get pod
NAME READY STATUS RESTARTS AGE
busybox 1/1 Running 0 22s
hello-nginx-79c6778c6f-pdqzl 1/1 Running 0 46m
使用nslookup命令 查看 kubernetes服务的IP
[root@cce-7day-fudonghai-24106 027day]# kubectl exec -it busybox -- nslookup kubernetes.default
Server: 10.247.3.10
Address 1: 10.247.3.10 coredns.kube-system.svc.cluster.local
Name: kubernetes.default
Address 1: 10.247.0.1 kubernetes.default.svc.cluster.local
10.247.3.10 是DNS server的IP,在kube-system的namespace里面
[root@cce-7day-fudonghai-24106 027day]# kubectl get svc -n kube-system NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE coredns ClusterIP 10.247.3.10 <none> 53/UDP,53/TCP,8080/TCP 28d
kubernetes服务的IP是 10.247.0.1,它后端的pod是API Server
[root@cce-7day-fudonghai-24106 027day]# kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE cka-kubectl NodePort 10.247.1.217 <none> 3000:30078/TCP 5d kubernetes ClusterIP 10.247.0.1 <none> 443/TCP 28d
解析my-svc-nginx域名
[root@cce-7day-fudonghai-24106 027day]# kubectl exec -it busybox -- nslookup my-svc-nginx
Server: 10.247.3.10
Address 1: 10.247.3.10 coredns.kube-system.svc.cluster.local
Name: my-svc-nginx
Address 1: 10.247.205.107 my-svc-nginx.default.svc.cluster.local
解析hello-nginx-79c6778c6f-pdqzl 这个pod的IP,失败,原因未明
[root@cce-7day-fudonghai-24106 027day]# kubectl exec -it busybox -- nslookup hello-nginx-79c6778c6f-pdqzl
Server: 10.247.3.10
Address 1: 10.247.3.10 coredns.kube-system.svc.cluster.local
nslookup: can't resolve 'hello-nginx-79c6778c6f-pdqzl'
换busybox这个pod,成功
[root@cce-7day-fudonghai-24106 027day]# kubectl exec -it busybox -- nslookup busybox
Server: 10.247.3.10
Address 1: 10.247.3.10 coredns.kube-system.svc.cluster.local
Name: busybox
Address 1: 172.16.0.21 busybox
课下实验部分
1,创建1个Service和1个Pod作为其后端。通过kubectl describe获得该Service和对应Endpoints信息。
pod的yaml
apiVersion: v1
kind: Pod
metadata:
name: cce7days-app5-pod-fudonghai
labels:
app: cce7days-app5-pod-fudonghai
spec:
#此处亲和性设置是为了将pod调度到有EIP的节点,便于下载外网镜像
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- 192.168.0.184
containers:
- image: nginx:latest
imagePullPolicy: IfNotPresent
name: container-0
restartPolicy: Always
schedulerName: default-scheduler
svc的yaml
apiVersion: v1
kind: Service
metadata:
labels:
app: cce7days-app5-svc-fudonghai
name: cce7days-app5-svc-fudonghai
spec:
ports:
- name: service0
port: 80
protocol: TCP
targetPort: 80
selector: #选中对应的pod
app: cce7days-app5-pod-fudonghai
type: NodePort
建立
[root@cce-7day-fudonghai-24106 027day]# kubectl create -f day5-pod.yaml
pod/cce7days-app5-pod-fudonghai created
[root@cce-7day-fudonghai-24106 027day]# kubectl create -f day5-service.yaml
service/cce7days-app5-svc-fudonghai created
[root@cce-7day-fudonghai-24106 027day]# kubectl get pod
NAME READY STATUS RESTARTS AGE
cce7days-app5-pod-fudonghai 1/1 Running 0 32s
查看
[root@cce-7day-fudonghai-24106 027day]# kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE cce7days-app5-svc-fudonghai NodePort 10.247.103.223 <none> 80:31367/TCP 6m19s kubernetes ClusterIP 10.247.0.1 <none> 443/TCP 29d
[root@cce-7day-fudonghai-24106 027day]# kubectl get endpoints
NAME ENDPOINTS AGE
cce7days-app5-svc-fudonghai 172.16.0.22:80 6s
kubernetes 192.168.0.252:5444 29d
[root@cce-7day-fudonghai-24106 027day]# kubectl describe svc cce7days-app5-svc-fudonghai Name: cce7days-app5-svc-fudonghai Namespace: default Labels: app=cce7days-app5-svc-fudonghai Annotations: <none> Selector: app=cce7days-app5-pod-fudonghai Type: NodePort IP: 10.247.103.223 Port: service0 80/TCP TargetPort: 80/TCP NodePort: service0 31367/TCP Endpoints: 172.16.0.22:80 Session Affinity: None External Traffic Policy: Cluster Events: <none> [root@cce-7day-fudonghai-24106 027day]# kubectl describe endpoints cce7days-app5-svc-fudonghai Name: cce7days-app5-svc-fudonghai Namespace: default Labels: app=cce7days-app5-svc-fudonghai Annotations: <none> Subsets: Addresses: 172.16.0.22 NotReadyAddresses: <none> Ports: Name Port Protocol ---- ---- -------- service0 80 TCP Events: <none>
因为是svc是nodeport类型的,可以从外网使用http://122.112.252.69:31367/ 访问
第六部分
Day6 Kubernetes存储管理原理分析
第5课:K8S存储管理实训
课上实验部分
把configMap挂在到容器指定的目录里面
ConfigMap的yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: special-config
namespace: default
data:
special.how: very
special.type: charm
deploy的yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: cce7days-configmap-fudonghai
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: cce7days-configmap-fudonghai
template:
metadata:
labels:
app: cce7days-configmap-fudonghai
spec:
containers:
- image: 'nginx:latest'
name: container-0
volumeMounts:
- name: test
mountPath: /tmp
volumes:
- name: test
configMap:
name: special-config
defaultMode: 420
items:
- key: special.how
path: welcome/how
# 此处亲和性设置是为了将pod调度到有EIP的节点,便于下载外网镜像
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- 192.168.0.184
如果pod没有找到对应的configMap,会一直处于 ContainerCreating状态,直到建立起这个configMap后,pod才会Running
[root@cce-7day-fudonghai-24106 027day]# kubectl create -f day6-configmap-deployment.yaml
deployment.apps/cce7days-configmap-fudonghai created
[root@cce-7day-fudonghai-24106 027day]# kubectl get pod
NAME READY STATUS RESTARTS AGE
cce7days-configmap-fudonghai-79c5584d67-cmd9f 0/1 ContainerCreating 0 2s
[root@cce-7day-fudonghai-24106 027day]# kubectl create -f day6-configmap.yaml
configmap/special-config created
[root@cce-7day-fudonghai-24106 027day]# kubectl get pod
NAME READY STATUS RESTARTS AGE
cce7days-configmap-fudonghai-79c5584d67-cmd9f 0/1 ContainerCreating 0 33s
[root@cce-7day-fudonghai-24106 027day]# kubectl get pod
NAME READY STATUS RESTARTS AGE
cce7days-configmap-fudonghai-79c5584d67-cmd9f 0/1 ContainerCreating 0 34s
[root@cce-7day-fudonghai-24106 027day]# kubectl get pod
NAME READY STATUS RESTARTS AGE
cce7days-configmap-fudonghai-79c5584d67-cmd9f 1/1 Running 0 41s
进入容器查看,键值是文件内容,path是文件名,path可以带多级路径的,如welcome/how,welcome是目录,how是最终文件
[root@cce-7day-fudonghai-24106 027day]# kubectl exec -it cce7days-configmap-fudonghai-57bf99985d-bjd4w /bin/sh
# cd /tmp
# ls
welcome
# cd welcome
# ls
how
# cat how
very#
PVC方式测试详见课后实验
云硬盘类型
[root@cce-7day-fudonghai-24106 027day]# kubectl get storageclass
NAME PROVISIONER AGE
efs-performance flexvolume-huawei.com/fuxiefs 29d
efs-standard flexvolume-huawei.com/fuxiefs 29d
nfs-rw flexvolume-huawei.com/fuxinfs 29d
obs-standard flexvolume-huawei.com/fuxiobs 29d
obs-standard-ia flexvolume-huawei.com/fuxiobs 29d
sas flexvolume-huawei.com/fuxivol 29d
sata flexvolume-huawei.com/fuxivol 29d
ssd flexvolume-huawei.com/fuxivol 29d
课下实验部分
1、部署一个statefulset应用,使用持久化卷,通过pvc声明所需的存储大小1G及访问模式为RWX。
建立pvc
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: pvc-evs-auto
namespace: default
annotations:
volume.beta.kubernetes.io/storage-class: sata #云硬盘类型
volume.beta.kubernetes.io/storage-provisioner: flexvolume-huawei.com/fuxivol
labels:
failure-domain.beta.kubernetes.io/region: cn-east-2
failure-domain.beta.kubernetes.io/zone: cn-east-2a
spec:
accessModes: #访问模式
- ReadWriteMany
resources:
requests:
storage: 1Gi
create并查看
[root@cce-7day-fudonghai-24106 027day]# kubectl create -f day6-pvc.yaml
persistentvolumeclaim/pvc-evs-auto created
[root@cce-7day-fudonghai-24106 027day]# kubectl get pvc
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
pvc-evs-auto Bound pvc-927bc7a9-b29c-11e9-8bbd-fa163eb87d99 1Gi RWX sata 15s
statefulset的yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: cce7days-app11-fudonghai
namespace: default
spec:
podManagementPolicy: OrderedReady
serviceName: cce7days-app11-fudonghai-headless
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: cce7days-app11-fudonghai
failure-domain.beta.kubernetes.io/region: cn-east-2
failure-domain.beta.kubernetes.io/zone: cn-east-2a
template:
metadata:
labels:
app: cce7days-app11-fudonghai
failure-domain.beta.kubernetes.io/region: cn-east-2
failure-domain.beta.kubernetes.io/zone: cn-east-2a
spec:
affinity: {}
containers:
- image: swr.cn-east-2.myhuaweicloud.com/fudonghai/tank:v1.0
imagePullPolicy: IfNotPresent
name: container-0
resources: {}
volumeMounts:
- mountPath: /tmp
name: pvc-evs-example
dnsPolicy: ClusterFirst
imagePullSecrets:
- name: default-secret
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
volumes:
- name: pvc-evs-example
persistentVolumeClaim:
claimName: pvc-evs-auto #对应PVC的名字
updateStrategy:
type: RollingUpdate
建立并查看
[root@cce-7day-fudonghai-24106 027day]# kubectl create -f day6-statefulset.yaml
statefulset.apps/cce7days-app11-fudonghai created
[root@cce-7day-fudonghai-24106 027day]# kubectl get pod -owide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES cce7days-app11-fudonghai-0 1/1 Running 0 43s 172.16.0.26 192.168.0.184 <none> <none>
进入容器内操作
[root@cce-7day-fudonghai-24106 027day]# kubectl exec -ti cce7days-app11-fudonghai-0 /bin/sh
# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/docker-253:1-788010-e5d376529d38bb6e9fa8e5a2fc33894198c53f52d559787ae67cdf0259fad6de 10475520 152016 10323504 2% /
tmpfs 65536 0 65536 0% /dev
tmpfs 1940016 0 1940016 0% /sys/fs/cgroup
/dev/sda 999320 2564 927944 1% /tmp
# echo "this is a test" > /tmp/test.txt
# cat /tmp/test.txt
this is a test
# exit
退出容器并删除pod
[root@cce-7day-fudonghai-24106 027day]# kubectl delete pod cce7days-app11-fudonghai-0
pod "cce7days-app11-fudonghai-0" deleted
[root@cce-7day-fudonghai-24106 027day]# kubectl get pod
NAME READY STATUS RESTARTS AGE
cce7days-app11-fudonghai-0 0/1 ContainerCreating 0 3s
[root@cce-7day-fudonghai-24106 027day]# kubectl get pod
NAME READY STATUS RESTARTS AGE
cce7days-app11-fudonghai-0 1/1 Running 0 64s
再次进入pod,看看之前建立的文件是否还在
[root@cce-7day-fudonghai-24106 027day]# kubectl exec -ti cce7days-app11-fudonghai-0 /bin/sh
# cat /tmp/test.txt
this is a test
完成任务后及时删除pvc和statefulset
[root@cce-7day-fudonghai-24106 027day]# kubectl delete -f day6-statefulset.yaml
statefulset.apps "cce7days-app11-fudonghai" deleted
[root@cce-7day-fudonghai-24106 027day]# kubectl delete -f day6-pvc.yaml
persistentvolumeclaim "pvc-evs-auto" deleted
第七部分
Day7 Kubernetes安全原理分析
第6课:K8S安全管理实训
课上实验部分
1,networkpolicy
networkpolicy的yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: wangbo
namespace: default
spec:
podSelector:
matchLabels: #nginx使用这个role: db加入 NetworkPolicy
role: db
policyTypes:
- Ingress
ingress:
- from:
- podSelector: #只接受远端带有role: frontend标签的pod访问
matchLabels:
role: frontend
ports:
- protocol: TCP
port: 80 #nginx的端口是80
通过cce控制台创建无状态工作负载:nginx,查看
[root@cce-7day-fudonghai-24106 027day]# kubectl get deploy NAME READY UP-TO-DATE AVAILABLE AGE nginx 1/1 1 1 6s [root@cce-7day-fudonghai-24106 027day]# kubectl get pod NAME READY STATUS RESTARTS AGE nginx-656f6bf4f8-zmf52 1/1 Running 0 13s [root@cce-7day-fudonghai-24106 027day]# kubectl get pod -owide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES nginx-656f6bf4f8-zmf52 1/1 Running 0 37s 172.16.0.28 192.168.0.184 <none> <none>
建立一个pod:fudongahi,不带什么特殊标签,从pod里可以正常访问nginx
apiVersion: v1
kind: Pod
metadata:
name: fudonghai
labels:
run: normal
spec:
containers:
- name: euleros
image: euleros:2.2.5
command:
- "/bin/sh"
- "-c"
- "sleep 3600"
[root@cce-7day-fudonghai-24106 027day]# kubectl create -f normal-pod.yaml pod/fudonghai created [root@cce-7day-fudonghai-24106 027day]# kubectl exec -it fudonghai /bin/sh sh-4.2# curl 172.16.0.28:80 <!DOCTYPE html> <html> <head> <title>Welcome to nginx!</title> <style> body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; } </style> </head> <body> <h1>Welcome to nginx!</h1> <p>If you see this page, the nginx web server is successfully installed and working. Further configuration is required.</p> <p>For online documentation and support please refer to <a href="http://nginx.org/">nginx.org</a>.<br/> Commercial support is available at <a href="http://nginx.com/">nginx.com</a>.</p> <p><em>Thank you for using nginx.</em></p> </body> </html>
给nginx那个pod打上标签,关联networkpolicy
[root@cce-7day-fudonghai-24106 027day]# kubectl edit pod nginx-656f6bf4f8-zmf52
pod/nginx-656f6bf4f8-zmf52 edited
新增标签内容
labels:
role: db
这个时候我们再从pod:fudonghai里面访问nginx,失败
[root@cce-7day-fudonghai-24106 027day]# kubectl exec -it fudonghai sh
sh-4.2# curl 172.16.0.28:80
^C
继续修改pod:fudonghai的标签,加上role: frontend就可以正常访问了
[root@cce-7day-fudonghai-24106 027day]# kubectl edit pod fudonghai pod/fudonghai edited [root@cce-7day-fudonghai-24106 027day]# kubectl exec -it fudonghai sh sh-4.2# curl 172.16.0.28:80 <!DOCTYPE html> <html> <head> <title>Welcome to nginx!</title> <style> body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; } </style> </head> <body> <h1>Welcome to nginx!</h1> <p>If you see this page, the nginx web server is successfully installed and working. Further configuration is required.</p> <p>For online documentation and support please refer to <a href="http://nginx.org/">nginx.org</a>.<br/> Commercial support is available at <a href="http://nginx.com/">nginx.com</a>.</p> <p><em>Thank you for using nginx.</em></p> </body> </html> sh-4.2# exit
课下实验部分
1,serviceaccount认证方式,使用kubectl为CCE集群创建一个pod只读用户,该用户只能查询指定namespace下的pod权限。
建立namespace:cce
[root@cce-7day-fudonghai-24106 027day]# kubectl create namespace cce
namespace/cce created
[root@cce-7day-fudonghai-24106 027day]# kubectl get ns
NAME STATUS AGE
cce Active 4s
default Active 30d
kube-public Active 30d
kube-system Active 30d
在cce namespace下创建一个serviceAccount(sa)并获取对应的secret下的token
[root@cce-7day-fudonghai-24106 027day]# kubectl create sa cce-service-account -ncce
serviceaccount/cce-service-account created
[root@cce-7day-fudonghai-24106 027day]# kubectl get sa -ncce
NAME SECRETS AGE
cce-service-account 1 14s
default 1 5m1s
获取sa对应的secret名字:
[root@cce-7day-fudonghai-24106 027day]# kubectl get sa cce-service-account -ncce -oyaml
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: 2019-07-31T06:58:21Z
name: cce-service-account
namespace: cce
resourceVersion: "7070120"
selfLink: /api/v1/namespaces/cce/serviceaccounts/cce-service-account
uid: 950cea18-b360-11e9-8bbd-fa163eb87d99
secrets:
- name: cce-service-account-token-8hgjd
获取secret下的token,并base64解码获取token明文:
[root@cce-7day-fudonghai-24106 027day]# token=`kubectl get secret cce-service-account-token-8hgjd -ncce -oyaml |grep token: | awk '{print $2}' | xargs echo -n | base64 -d`
[root@cce-7day-fudonghai-24106 027day]# echo $token
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJjY2UiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiY2NlLXNlcnZpY2UtYWNjb3VudC10b2tlbi04aGdqZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJjY2Utc2VydmljZS1hY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiOTUwY2VhMTgtYjM2MC0xMWU5LThiYmQtZmExNjNlYjg3ZDk5Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmNjZTpjY2Utc2VydmljZS1hY2NvdW50In0.H_6utsk_IqTzutOmjUCDvaIMUQ0F4W7PlyH41cO7JC2M6H4-ZS5AnRIwbP4E-5-b5lvof4d6UZv6MsvqgHWUUQwDRe5Ju21eBsED_pz7nltKNWgJhDKx50gxMytdelf0mDfznccSs66Sly_JJ48yF8636Q4XuNwaO1qPfnOvqWRUCDlDnJkza73l8qYUotQMZ9zjLXjOMnAo1DM7RPI2zGlv3c8KCSqqj6UYU2Jg_u8dz9nzOnWjZCkg5dRs5DBtKdkhnlCNnlC7fH8I7OkS-URq_rvxrAqWkPIWD2H3qKzZks6Q4Ydp-zdCnD_f4Va-ICxqjHBPGThKX_Xt1wSwYQ
新增cce-user用户
[root@cce-7day-fudonghai-24106 027day]# kubectl config set-cluster cce-viewer --server=https://192.168.0.252:5443 --certificate-authority=/var/paas/srv/kubernetes/ca.crt
Cluster "cce-viewer" set.
[root@cce-7day-fudonghai-24106 027day]# kubectl config set-context cce-viewer --cluster=cce-7days-fudonghai
Context "cce-viewer" created.
[root@cce-7day-fudonghai-24106 027day]# kubectl set-credentials cce-user --token=$token
Error: unknown command "set-credentials" for "kubectl"
Run 'kubectl --help' for usage.
unknown command "set-credentials" for "kubectl"
[root@cce-7day-fudonghai-24106 027day]# kubectl config set-credentials cce-user --token=$token
User "cce-user" set.
[root@cce-7day-fudonghai-24106 027day]# kubectl config set-context cce-viewer --user=cce-user
Context "cce-viewer" modified.
通过如下命令可以看到已经有新建的context:
[root@cce-7day-fudonghai-24106 027day]# kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
cce-viewer cce-7days-fudonghai cce-user
* internal internalCluster user
授予cce-user只读权限的role并通过rolebinding绑定对应的serviceAccount
[root@cce-7day-fudonghai-24106 027day]# kubectl create -f day7-role.yaml
role.rbac.authorization.k8s.io/pod-reader created
[root@cce-7day-fudonghai-24106 027day]# kubectl create -f day7-rolebinding.yaml
rolebinding.rbac.authorization.k8s.io/pod-reader-binding created
role.yaml,role文件规定了,资源和对资源的权限。鉴权方式:RBAC(基于角色的访问控制)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: pod-reader
namespace: cce
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["get", "watch", "list"]
rolebinding.yaml,rolebinding文件规定了role和serviceAccount的绑定
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: pod-reader-binding
namespace: cce
subjects:
- kind: ServiceAccount
name: cce-service-account #步骤2中创建的serviceAccount名称
namespace: cce
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
切换context到cce-viewer用户下,验证权限设置结果:
[root@cce-7day-fudonghai-24106 027day]# kubectl config use-context cce-viewer
Switched to context "cce-viewer".
查看default namespace下的pod,应该会返回403无权限的错误
[root@cce-7day-fudonghai-24106 027day]# kubectl get pod
但是提示错误:
The connection to the server localhost:8080 was refused - did you specify the right host or port?
使用下面命令解决:
export KUBERNETES_MASTER=https://192.168.0.252:5443
继续kubectl get pods出现新错误
No resources found.
Unable to connect to the server: x509: certificate signed by unknown authority
最后使用这句跳过了509,终于提示没有权限
[root@cce-7day-fudonghai-24106 027day]# kubectl get pods --insecure-skip-tls-verify=true
No resources found.
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:cce:cce-service-account" cannot list resource "pods" in API group "" in the namespace "default"
继续查看namespace:cce里面的pod,权限正常
[root@cce-7day-fudonghai-24106 027day]# kubectl get pods -ncce --insecure-skip-tls-verify=true
No resources found.
使用如下命令即可切换回admin管理员权限的context:
[root@cce-7day-fudonghai-24106 027day]# kubectl config use-context internal
Switched to context "internal".
[root@cce-7day-fudonghai-24106 027day]# kubectl get pod
No resources found.
[root@cce-7day-fudonghai-24106 027day]# kubectl get pod -ncce
No resources found.
查看之前所有操作所作的配置
[root@cce-7day-fudonghai-24106 027day]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority: /var/paas/srv/kubernetes/ca.crt
server: https://192.168.0.252:5443
name: cce-viewer
- cluster:
certificate-authority-data: REDACTED
server: https://192.168.0.252:5443
name: internalCluster
contexts:
- context:
cluster: cce-7days-fudonghai
user: cce-user
name: cce-viewer
- context:
cluster: internalCluster
user: user
name: internal
current-context: internal
kind: Config
preferences: {}
users:
- name: cce-user
user:
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJjY2UiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiY2NlLXNlcnZpY2UtYWNjb3VudC10b2tlbi04aGdqZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJjY2Utc2VydmljZS1hY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiOTUwY2VhMTgtYjM2MC0xMWU5LThiYmQtZmExNjNlYjg3ZDk5Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmNjZTpjY2Utc2VydmljZS1hY2NvdW50In0.H_6utsk_IqTzutOmjUCDvaIMUQ0F4W7PlyH41cO7JC2M6H4-ZS5AnRIwbP4E-5-b5lvof4d6UZv6MsvqgHWUUQwDRe5Ju21eBsED_pz7nltKNWgJhDKx50gxMytdelf0mDfznccSs66Sly_JJ48yF8636Q4XuNwaO1qPfnOvqWRUCDlDnJkza73l8qYUotQMZ9zjLXjOMnAo1DM7RPI2zGlv3c8KCSqqj6UYU2Jg_u8dz9nzOnWjZCkg5dRs5DBtKdkhnlCNnlC7fH8I7OkS-URq_rvxrAqWkPIWD2H3qKzZks6Q4Ydp-zdCnD_f4Va-ICxqjHBPGThKX_Xt1wSwYQ
- name: user
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
第八部分
第7课:K8S集群运维与安装配置实训
第8课:K8S问题排查实训
课上实验部分
课下实验部分
