K8s from Zero to One (6): Cluster Management in Depth

Skills that are best learned from the official documentation and practised until fluent:

Getting started:

https://kubernetes.io/zh/docs/tutorials/

Security:
  •      AppArmor (Many Linux distributions (e.g. Debian, Ubuntu, OpenSUSE) ship with AppArmor.) If you run k8s on a Linux distribution from a different family, there is no need to care about this SELinux-like security tool.

# 1. Make sure the Kubernetes version is 1.4 or later; older versions do not support this feature
kubectl get nodes -o=jsonpath=$'{range .items[*]}{@.metadata.name}: {@.status.nodeInfo.kubeletVersion}\n{end}'
# 2. Confirm the AppArmor kernel module is enabled on the node (prints Y)
cat /sys/module/apparmor/parameters/enabled
Y
# 3. All mainstream container runtimes support AppArmor
# 4. List the profiles AppArmor currently has loaded on this node
sudo cat /sys/kernel/security/apparmor/profiles | sort
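As an added example (not part of the original post), the two node checks above wrapped in a shell function, plus a helper that prints the pod annotation which binds a loaded profile to one container. The sysfs paths default to the real files read above but are parameters so the function can be exercised against constructed files; the profile name k8s-apparmor-example-deny-write in the comment is a sample from the official AppArmor tutorial and is assumed to be loaded on the node.

```shell
# Added example, not from the original post: verify a node can enforce a named AppArmor
# profile, then print the pod annotation that selects it for one container.
# The two file paths default to the sysfs files read above; they are parameters
# so the function can be tested against constructed files.

# Usage: apparmor_ready PROFILE_NAME [ENABLED_FILE] [PROFILES_FILE]
# Returns 0 when the AppArmor module is enabled and PROFILE_NAME is loaded, 1 otherwise.
apparmor_ready() {
    profile="$1"
    enabled_file="${2:-/sys/module/apparmor/parameters/enabled}"
    profiles_file="${3:-/sys/kernel/security/apparmor/profiles}"

    # The kernel reports "Y" in this file when the AppArmor LSM is active
    if [ ! -r "$enabled_file" ] || [ "$(cat "$enabled_file")" != "Y" ]; then
        echo "apparmor: module not enabled (checked $enabled_file)" >&2
        return 1
    fi

    # The profiles file lists one loaded profile per line as "<name> (<mode>)",
    # e.g. "k8s-apparmor-example-deny-write (enforce)"; match on the name column only
    if ! awk -v p="$profile" '$1 == p { found = 1 } END { if (found) exit 0; exit 1 }' "$profiles_file" 2>/dev/null; then
        echo "apparmor: profile '$profile' is not loaded on this node" >&2
        return 1
    fi
    return 0
}

# Usage: apparmor_annotation CONTAINER_NAME PROFILE_NAME
# Prints the pod annotation that confines CONTAINER_NAME with the loaded profile
# (the beta annotation form supported since Kubernetes 1.4). The profile has to be
# loaded on every node the pod may be scheduled to, otherwise the pod is rejected.
apparmor_annotation() {
    printf 'container.apparmor.security.beta.kubernetes.io/%s: localhost/%s\n' "$1" "$2"
}

# Example run on a real node (profile name is a sample from the official AppArmor tutorial):
#   apparmor_ready k8s-apparmor-example-deny-write \
#     && apparmor_annotation hello k8s-apparmor-example-deny-write
```

Run the readiness check on every node in the pool before rolling out a pod that carries the annotation: a pod whose profile is missing on the node it lands on is rejected by the kubelet rather than started unconfined.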


  •  seccomp

# Change the kubelet parameters (enable the SeccompDefault feature gate) and restart kubelet
--feature-gates=SeccompDefault=true --seccomp-default
# Create the seccomp profile files
cd /var/lib/kubelet/seccomp
mkdir -p ./profiles
curl -L -o profiles/audit.json https://k8s.io/examples/pods/security/seccomp/profiles/audit.json
curl -L -o profiles/violation.json https://k8s.io/examples/pods/security/seccomp/profiles/violation.json
curl -L -o profiles/fine-grained.json https://k8s.io/examples/pods/security/seccomp/profiles/fine-grained.json
ls profiles
# Create the pod (it loads profiles/audit.json through securityContext.seccompProfile) and expose it
kubectl apply -f https://k8s.io/examples/pods/security/seccomp/ga/audit-pod.yaml
kubectl expose pod audit-pod --type NodePort --port 5678
root@us-test00:~# kubectl get svc
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
audit-pod    NodePort    172.18.51.138   <none>        5678:30784/TCP   15m

root@us-test00:~# curl 172.17.0.1:30784

just made some syscalls!

# The audit profile logs every syscall the container makes; read the kernel log on the node that runs the pod
# (on non-Ubuntu systems look in /var/log/messages instead)
grep 'http-echo' /var/log/syslog | tail

Mar  9 09:48:24 us-test02 kernel: [76705.078649] audit: type=1326 audit(1646819304.186:1393): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1543 comm="http-echo" exe="/http-echo" sig=0 arch=c000003e syscall=202 compat=0 ip=0x455e53 code=0x7ffc0000
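The grep above only shows raw audit records. As an added example (not from the original post), here is a shell filter that decodes type=1326 seccomp records from the node's kernel log into "process, syscall number, syscall name, action", so the output of the audit profile can be summarised per process and per syscall, and log-only records (code=0x7ffc0000, as in the line above) can be told apart from kills or errno returns. The syscall name table inside the awk program is a constructed, partial x86_64 sample; on a node with the audit userspace package the ausyscall tool resolves the remaining numbers.

```shell
# Added example, not from the original post: decode seccomp audit records (type=1326)
# from the node's kernel log into "comm syscall-number syscall-name action".
# The syscall name table covers only a handful of x86_64 (arch=c000003e) numbers and
# is a constructed, partial sample; unknown numbers are printed as "unknown".

# Usage: seccomp_events < /var/log/syslog
seccomp_events() {
    awk '
    BEGIN {
        # partial x86_64 syscall table (constructed sample)
        names[0] = "read"; names[1] = "write"; names[2] = "open"; names[59] = "execve"
        names[202] = "futex"; names[231] = "exit_group"; names[257] = "openat"
        # the upper 16 bits of the "code" field identify the SECCOMP_RET_* action
        actions["0000"] = "kill_thread"; actions["8000"] = "kill_process"
        actions["0003"] = "trap";        actions["0005"] = "errno"
        actions["7fc0"] = "user_notif";  actions["7ff0"] = "trace"
        actions["7ffc"] = "log";         actions["7fff"] = "allow"
    }
    /type=1326/ {
        comm = ""; nr = ""; arch = ""; code = ""
        # every interesting field has the form key=value; quoted values lose their quotes
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (key == "comm") { gsub(/"/, "", val); comm = val }
            else if (key == "syscall") nr = val
            else if (key == "arch") arch = val
            else if (key == "code") code = val
        }
        name = (arch == "c000003e" && (nr in names)) ? names[nr] : "unknown"
        # the kernel prints code as 0x%x (so a kill shows up as 0x0); left-pad to 8 hex digits
        h = substr(code, 3)
        while (length(h) < 8) h = "0" h
        act = (substr(h, 1, 4) in actions) ? actions[substr(h, 1, 4)] : "unknown"
        print comm, nr, name, act
    }'
}

# Usage: seccomp_summary < /var/log/syslog
# Prints a count per distinct (comm, syscall, name, action) tuple, most frequent first;
# this is the list you review before tightening the profile to the syscalls actually used.
seccomp_summary() {
    seccomp_events | sort | uniq -c | sort -rn
}
```

The action column is the part worth watching in a detection pipeline: "log" records are expected noise while an audit profile is in place, whereas "kill_thread", "kill_process" or "errno" records from a workload that is supposed to run cleanly mean the profile is blocking something the application actually needs.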


Creating the statefulset application
  •    wordpress

# Kubernetes declarative definition: everything below lives in one kustomize directory,
# which must be created and entered before the files are written
mkdir statefuleset
cd statefuleset

cat <<EOF >./kustomization.yaml
secretGenerator:
- name: mysql-pass
  literals:
  - password=YOUR_PASSWORD
resources:
  - mysql-deployment.yaml
  - wordpress-deployment.yaml
  - wordpress-ingress.yaml
EOF

curl -LO https://k8s.io/examples/application/wordpress/mysql-deployment.yaml
curl -LO https://k8s.io/examples/application/wordpress/wordpress-deployment.yaml

# The file name must match the entry in kustomization.yaml exactly (no leading dot)
cat <<EOF >./wordpress-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wordpress
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
    - host: wordpress.song.test
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: wordpress
                port:
                  number: 80
EOF

# Replace YOUR_PASSWORD in kustomization.yaml with a real password, then apply the directory
cd ..
kubectl apply -k ./statefuleset
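As an added example (not part of the original post), a pre-flight function to run before `kubectl apply -k` that catches the two mistakes that are easiest to make in the steps above: a file listed under `resources:` that is missing or was written under a different name, and the YOUR_PASSWORD placeholder still sitting in the secretGenerator. It assumes the simple list layout of kustomization.yaml shown above and a POSIX awk.

```shell
# Added example, not from the original post: pre-flight check for a kustomize directory
# before `kubectl apply -k`. It verifies that every file listed under the top-level
# `resources:` key exists in the directory and that the sample password placeholder
# has been replaced. Assumes the simple list layout of kustomization.yaml shown above.

# Usage: kustomize_preflight DIR
# Returns 0 when all checks pass, 1 otherwise (each problem is reported on stderr).
kustomize_preflight() {
    dir="$1"
    k="$dir/kustomization.yaml"
    [ -f "$k" ] || { echo "preflight: $k not found" >&2; return 1; }
    rc=0

    # Print the "- item" entries that follow the top-level `resources:` key
    # and stop at the next top-level key
    for f in $(awk '
        /^[^ #-]/ { in_res = ($1 == "resources:"); next }
        in_res && /^[ ]*- / { sub(/^[ ]*- */, ""); print }
    ' "$k"); do
        if [ ! -f "$dir/$f" ]; then
            echo "preflight: '$f' is listed in resources but $dir/$f does not exist" >&2
            rc=1
        fi
    done

    # The upstream sample ships with a placeholder; a secretGenerator literal must never keep it
    if grep -q 'YOUR_PASSWORD' "$k"; then
        echo "preflight: secretGenerator still contains the YOUR_PASSWORD placeholder" >&2
        rc=1
    fi
    return "$rc"
}

# Typical use, matching the directory created above:
#   kustomize_preflight ./statefuleset && kubectl apply -k ./statefuleset
```

A missing resource makes kustomize fail loudly, but the placeholder does not: kustomize happily generates a Secret whose password is the literal string YOUR_PASSWORD, and MySQL and WordPress come up with it, which is exactly the kind of default credential a pre-flight check should refuse.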


Going further:

https://kubernetes.io/zh/docs/tasks/

Posted @ 2022-03-09 11:37 by 萱乐庆foreverlove  views (75)  comments (0)