7 kubernets核心实战

7.1 资源创建方式

  • 命令行
  • yaml

7.2 namespace

名称空间来隔离资源

命令行方式

kubectl create ns hello
kubectl delete ns hello

yaml方式

apiVersion: v1
kind: Namespace
metadata:
name: hellp

使用 kubectl apply -f xx.yaml

7.3 pod

运行中的一组容器,pod是kubernetes中应用最小的单位

7.3.1 通过kubectl run 创建容器

kubectl run mynginx --image=nginx

7.3.2 通过yaml的方式创建容器

一个pod一个服务

apiVersion: v1
kind: Pod
metadata:
labels:
run: mynginx
name: mynginx
namespace: default
spec:
containers:
- image: nginx
name: mynginx

一个pod多个服务

apiVersion: v1
kind: Pod
metadata:
labels:
run: apps
name: apps
namespace: default
spec:
containers:
- image: nginx
name: nginx
- image: tomcat:8.5.68
name: tomcat

常用命令

# 查看default命名空间的pod
kubectl get pod # 查看描述
kubectl describe pod 你的pod名字 # 删除
kubectl delete pod 你的pod名字 # 查看日志
kubectl logs 你的pod名字 # 每个pod k8s都会分配一个ip,查看分配的ip
# 集群中的任意一个机器以及任意的应用都能通过pod分配的ip来访问这个pod
kubectl get pod -owide

7.4 deployment

控制pod,使pod拥有多个副本、自愈、扩缩容等能力

# 使用两种方式创建pod,然后再删除pod,对比一下效果
kubectl run mynginx --image=nginx
kubectl create deployment mytomcat --image=tomcat:8.5.68

结论:使用run没有自愈能力,而使用create deployment 有自愈能力

8 多副本、扩缩容

8.1 多副本

命令行方式:

kubectl create deployment my-dep --image=nginx --replicas=3

yaml方式:

vi my-dep.yaml

kubectl apply -f my-dep.yaml

yaml内容:

apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: my-dep
name: my-dep
spec:
replicas: 3
selector:
matchLabels:
app: my-dep
template:
metadata:
labels:
app: my-dep
spec:
containers:
- image: nginx
name: nginx

常用命令

# 查看default命名空间的pod
kubectl get pod # 查看描述
kubectl describe pod 你的pod名字 # 删除
kubectl delete pod 你的pod名字 # 查看日志
kubectl logs 你的pod名字 # 每个pod k8s都会分配一个ip,查看分配的ip
# 集群中的任意一个机器以及任意的应用都能通过pod分配的ip来访问这个pod
kubectl get pod -owide # deployment 方式删除
kubectl delete deploy 你的pod名称

8.2 扩缩容

扩容

# 方式一
kubectl scale --replicas=5 deployment/my-dep # 方式二
kubectl edit deployment my-dep
# 修改 replicas

8.3 自愈&故障转移

自愈:当pod因为某种原因宕机时,k8s会自动重启pod

故障转移:当pod所在服务器宕机时,能在其他节点重新部署对应的pod,所在服务恢复时,所在服务的pod将被删除

8.4 滚动更新

查看当前pod内应用使用的版本

kubectl get deployment my-dep -oyaml

滚动更新

方式一:--record 记录更新版本信息

kubectl set image deployment/my-dep nginx=nginx:1.16.1 --record



方式二:

修改 image 对应的版本号

kubectl edit deployment/my-dep

流程:先创建一个新的pod,当新的running后,删除一个老的pod,依次执行这个流程,知道所有旧版本全部被替换

8.5 版本回退

查看历史版本

kubectl rollout history deployment/my-dep



查看某个历史版本详情

kubectl rollout history deployment/my-dep --revision=2

回滚到上个版本

kubectl rollout undo deployment/my-dep

回滚版本到指定版本

kubectl rollout undo deployment/my-dep --to-revision=1

8.6 更多知识

工作负载:

Deployment:无状态应用部署,类似一些微服务、提供多副本等功能

StatefulSet:有状态应用部署,类似Redis,mysql,提供稳定的存储、网络等功能

DaemonSet:守护进程集,守护型应用部署,比如日志收集组件,在每个机器都有一份

Job/CronJob:任务/定时任务,比如垃圾清理组件,可以指定时间运行

9 Service

9.1 将一组Pods公开为网络服务的抽象方法

9.1.1 不带type 模式type 是 ClusterIP

方式一:

# 暴露deploy --port pod对外暴露的端口,--target-port=80 pod内部的端口 my-dep:pod名 my-dep-service:service名字
kubectl expose deployment my-dep --name=my-dep-service --prot=8000 --target-port=80

方式二:

apiVersion: v1
kind: Service
metadata:
labels:
app: my-dep
name: my-dep-service
spec:
selector:
app: my-dep
ports:
- port: 8000
protocol: TCP
targetPort: 80

使用标签检索pod

kubectl get pod -l app=my-dep

查看使用service 暴露的ip和端口

# 查看所有的service暴露的ip和端口
kubectl get service
# 查看指定的
kubectl get service 你的service名字
# 删除指定的service
kubectl delete service 你的service名字

9.1.2 带type

9.1.2.1 ClusterIP

方式一:

# 暴露deploy --port pod对外暴露的端口,--target-port=80 pod内部的端口 my-dep:pod名 my-dep-service:service名字
kubectl expose deployment my-dep --name=my-dep-service --prot=8000 --target-port=80 --type=ClusterIP

方式二:

apiVersion: v1
kind: Service
metadata:
labels:
app: my-dep
name: my-dep-service
spec:
selector:
app: my-dep
type: ClusterIP
ports:
- port: 8000
protocol: TCP
targetPort: 80

9.1.2.2 NodePort

方式一:

# 暴露deploy --port pod对外暴露的端口,--target-port=80 pod内部的端口 my-dep:pod名 my-dep-service:service名字
kubectl expose deployment my-dep --name=my-dep-service --prot=8000 --target-port=80 --type=NodePort

方式二:

apiVersion: v1
kind: Service
metadata:
labels:
app: my-dep
name: my-dep-service
spec:
selector:
app: my-dep
type: NodePort
ports:
- port: 8000
protocol: TCP
targetPort: 80

NodePort范围在 30000-32767 之间

9 Ingress

9.1.1 安装

wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/baremetal/deploy.yaml

#修改镜像
vi deploy.yaml
#1、将image k8s.gcr.io/ingress-nginx/controller:v0.46.0@sha256:52f0058bed0a17ab0fb35628ba97e8d52b5d32299fbc03cc0f6c7b9ff036b61a的值改为如下值:
registry.cn-hangzhou.aliyuncs.com/lfy_k8s_images/ingress-nginx-controller:v0.46.0
#2、在修改了image的上一层增加 hostNetwork: true,如下图1 #3、找到secretName将ingress-nginx-admission改为ingress-nginx-admission-token # 安装
kubectl apply -f deploy.yaml # 检查安装的结果
kubectl get pod,svc -n ingress-nginx

图1:

如果下载不到这个文件或者不想修改,就用下面的文件(当前文件已经修改了image的值和其他内容)

apiVersion: v1
kind: Namespace
metadata:
name: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx ---
# Source: ingress-nginx/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
helm.sh/chart: ingress-nginx-3.33.0
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 0.47.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx
namespace: ingress-nginx
automountServiceAccountToken: true
---
# Source: ingress-nginx/templates/controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
labels:
helm.sh/chart: ingress-nginx-3.33.0
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 0.47.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx-controller
namespace: ingress-nginx
data:
---
# Source: ingress-nginx/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
helm.sh/chart: ingress-nginx-3.33.0
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 0.47.0
app.kubernetes.io/managed-by: Helm
name: ingress-nginx
rules:
- apiGroups:
- ''
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
verbs:
- list
- watch
- apiGroups:
- ''
resources:
- nodes
verbs:
- get
- apiGroups:
- ''
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io # k8s 1.14+
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ''
resources:
- events
verbs:
- create
- patch
- apiGroups:
- extensions
- networking.k8s.io # k8s 1.14+
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io # k8s 1.14+
resources:
- ingressclasses
verbs:
- get
- list
- watch
---
# Source: ingress-nginx/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
helm.sh/chart: ingress-nginx-3.33.0
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 0.47.0
app.kubernetes.io/managed-by: Helm
name: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
helm.sh/chart: ingress-nginx-3.33.0
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 0.47.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx
namespace: ingress-nginx
rules:
- apiGroups:
- ''
resources:
- namespaces
verbs:
- get
- apiGroups:
- ''
resources:
- configmaps
- pods
- secrets
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ''
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io # k8s 1.14+
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io # k8s 1.14+
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io # k8s 1.14+
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- ''
resources:
- configmaps
resourceNames:
- ingress-controller-leader-nginx
verbs:
- get
- update
- apiGroups:
- ''
resources:
- configmaps
verbs:
- create
- apiGroups:
- ''
resources:
- events
verbs:
- create
- patch
---
# Source: ingress-nginx/templates/controller-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
helm.sh/chart: ingress-nginx-3.33.0
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 0.47.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-service-webhook.yaml
apiVersion: v1
kind: Service
metadata:
labels:
helm.sh/chart: ingress-nginx-3.33.0
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 0.47.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx-controller-admission
namespace: ingress-nginx
spec:
type: ClusterIP
ports:
- name: https-webhook
port: 443
targetPort: webhook
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
annotations:
labels:
helm.sh/chart: ingress-nginx-3.33.0
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 0.47.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
type: NodePort
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
- name: https
port: 443
protocol: TCP
targetPort: https
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
helm.sh/chart: ingress-nginx-3.33.0
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 0.47.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
selector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/component: controller
revisionHistoryLimit: 10
minReadySeconds: 0
template:
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/component: controller
spec:
hostNetwork: true
dnsPolicy: ClusterFirst
containers:
- name: controller
image: registry.cn-hangzhou.aliyuncs.com/lfy_k8s_images/ingress-nginx-controller:v0.46.0
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
args:
- /nginx-ingress-controller
- --election-id=ingress-controller-leader
- --ingress-class=nginx
- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
securityContext:
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
runAsUser: 101
allowPrivilegeEscalation: true
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
ports:
- name: http
containerPort: 80
protocol: TCP
- name: https
containerPort: 443
protocol: TCP
- name: webhook
containerPort: 8443
protocol: TCP
volumeMounts:
- name: webhook-cert
mountPath: /usr/local/certificates/
readOnly: true
resources:
requests:
cpu: 100m
memory: 90Mi
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: ingress-nginx
terminationGracePeriodSeconds: 300
volumes:
- name: webhook-cert
secret:
secretName: ingress-nginx-admission-token
---
# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
# before changing this value, check the required kubernetes version
# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
helm.sh/chart: ingress-nginx-3.33.0
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 0.47.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
name: ingress-nginx-admission
webhooks:
- name: validate.nginx.ingress.kubernetes.io
matchPolicy: Equivalent
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- ingresses
failurePolicy: Fail
sideEffects: None
admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
namespace: ingress-nginx
name: ingress-nginx-controller-admission
path: /networking/v1beta1/ingresses
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: ingress-nginx-admission
annotations:
helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-3.33.0
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 0.47.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ingress-nginx-admission
annotations:
helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-3.33.0
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 0.47.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- get
- update
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: ingress-nginx-admission
annotations:
helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-3.33.0
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 0.47.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: ingress-nginx-admission
annotations:
helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-3.33.0
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 0.47.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
namespace: ingress-nginx
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- get
- create
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: ingress-nginx-admission
annotations:
helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-3.33.0
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 0.47.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: ingress-nginx-admission-create
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-3.33.0
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 0.47.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
namespace: ingress-nginx
spec:
template:
metadata:
name: ingress-nginx-admission-create
labels:
helm.sh/chart: ingress-nginx-3.33.0
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 0.47.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
spec:
containers:
- name: create
image: docker.io/jettech/kube-webhook-certgen:v1.5.1
imagePullPolicy: IfNotPresent
args:
- create
- --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name=ingress-nginx-admission
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
restartPolicy: OnFailure
serviceAccountName: ingress-nginx-admission
securityContext:
runAsNonRoot: true
runAsUser: 2000
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: ingress-nginx-admission-patch
annotations:
helm.sh/hook: post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-3.33.0
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 0.47.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
namespace: ingress-nginx
spec:
template:
metadata:
name: ingress-nginx-admission-patch
labels:
helm.sh/chart: ingress-nginx-3.33.0
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 0.47.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
spec:
containers:
- name: patch
image: docker.io/jettech/kube-webhook-certgen:v1.5.1
imagePullPolicy: IfNotPresent
args:
- patch
- --webhook-name=ingress-nginx-admission
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --secret-name=ingress-nginx-admission
- --patch-failure-policy=Fail
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
restartPolicy: OnFailure
serviceAccountName: ingress-nginx-admission
securityContext:
runAsNonRoot: true
runAsUser: 2000
kubectl apply -f deploy.yaml

9.1.2 查看状态

kubectl get pod -n ingress-nginx

我们看到ingress-nginx-controller-78965bffd5-qp6k8容器处于ContainerCreating,我们需要修改

也看参考这个issues:https://github.com/kubernetes/ingress-nginx/issues/5932

kubectl get secret -A | grep ingress-nginx

9.1.2.1 命令行修改方式:

# 复制 (自己的)-mh7zg ,将下图对应的位置,加上-mh7zg
kubectl edit deployment ingress-nginx-controller -n ingress-nginx



完成修改后



查看状态已经可以了

kubectl get pod -n ingress-nginx

9.1.2.2 界面修改修改方式:

找到Deployments



编辑



更新

9.1.3 验证

kubectl get svc -A

分别可以使用以下网址,如果能展示下图,就成功了

http://k8s集群任意ip:31483

https://k8s集群任意ip:30893

9.2 使用

ingress的一些高价功能:https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/

9.2.1 测试环境准备

应用如下yaml,准备好测试环境

vi test.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: hello-server
spec:
replicas: 2
selector:
matchLabels:
app: hello-server
template:
metadata:
labels:
app: hello-server
spec:
containers:
- name: hello-server
image: registry.cn-hangzhou.aliyuncs.com/lfy_k8s_images/hello-server
ports:
- containerPort: 9000
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx-demo
name: nginx-demo
spec:
replicas: 2
selector:
matchLabels:
app: nginx-demo
template:
metadata:
labels:
app: nginx-demo
spec:
containers:
- image: nginx
name: nginx
---
apiVersion: v1
kind: Service
metadata:
labels:
app: nginx-demo
name: nginx-demo
spec:
selector:
app: nginx-demo
ports:
- port: 8000
protocol: TCP
targetPort: 80
---
apiVersion: v1
kind: Service
metadata:
labels:
app: hello-server
name: hello-server
spec:
selector:
app: hello-server
ports:
- port: 8000
protocol: TCP
targetPort: 9000

部署

kubectl apply -f test.yaml

查看是否已经部署完成

kubectl get pod

kubectl get svc

访问

9.2.2 域名访问

vi ingress-rule.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-host-bar
spec:
ingressClassName: nginx
rules:
- host: "hello.hg.com"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: hello-server
port:
number: 8000
- host: "demo.hg.com"
http:
paths:
- pathType: Prefix
path: "/" # 把请求会转给下面的服务,下面的服务一定要能处理这个路径,不能处理就是404
backend:
service:
name: nginx-demo ## java,比如使用路径重写,去掉前缀nginx
port:
number: 8000
kubectl apply -f ingress-rule.yaml

如果执行有报错



查看

kubectl get validatingwebhookconfigurations

删除

kubectl delete -A ValidatingWebhookConfiguration ingress-nginx-admission
kubectl delete -A ValidatingWebhookConfiguration ingress-nginx-admission-token

重新部署

kubectl apply -f ingress-rule.yaml

查看ingress状态

kubectl get ingress



访问机器增加hosts域名配置

浏览器访问



修改对应的ingress

kubectl edit ingress ingress名称
kubectl edit ingress ingress-host-bar

9.2.3 路径重写

vi ingress-rule.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$2
name: ingress-host-bar
spec:
ingressClassName: nginx
rules:
- host: "hello.hg.com"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: hello-server
port:
number: 8000
- host: "demo.hg.com"
http:
paths:
- pathType: Prefix
path: "/nginx(/|$)(.*)" # 把请求会转给下面的服务,下面的服务一定要能处理这个路径,不能处理就是404
backend:
service:
name: nginx-demo ## java,比如使用路径重写,去掉前缀nginx
port:
number: 8000

部署

kubectl apply -f ingress-rule.yaml

查看

kubectl get ingress

使用浏览器访问



效果:和之前不加/nginx一致,相当于在ingress处理的时候,将/nginx去掉了

9.2.4 流量限制

vi ingress-limit-rate.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-limit-rate
annotations:
nginx.ingress.kubernetes.io/limit-rps: "1"
spec:
ingressClassName: nginx
rules:
- host: "haha.hg.com"
http:
paths:
- pathType: Exact
path: "/"
backend:
service:
name: nginx-demo
port:
number: 8000

部署

kubectl apply -f ingree-limit-rate.yaml

查看状态

kubectl get ingress



使用浏览器查看,当快速访问时:

10 存储抽象

10.1 环境准备

10.1.1 所有节点

yum install -y nfs-utils

10.1.2 主节点

#nfs主节点
echo "/nfs/data/ *(insecure,rw,sync,no_root_squash)" > /etc/exports mkdir -p /nfs/data
systemctl enable rpcbind --now
systemctl enable nfs-server --now
#配置生效
exportfs -r

10.1.3 从节点

# 查看nfs服务能挂载的信息
showmount -e nfs服务所在ip #执行以下命令挂载 nfs 服务器上的共享目录到本机路径 /nfs/data
mkdir -p /nfs/data mount -t nfs nfs服务所在ip:/nfs/data /nfs/data
# 写入一个测试文件
echo "hello nfs server" > /nfs/data/test.txt

永久挂载方式

vi /etc/fstab
# 新增一行
192.168.68.210:/nfs/data /nfs/data nfs defaults 0 0

nfs服务器端,也能看到新增的文件

10.1.4 原生方式数据挂载

vi mount.yaml
  • 修改对应nfs服务的ip

    server: 192.168.68.204
  • 创建路径

    path: /nfs/data/nginx-pv
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx-pv-demo
name: nginx-pv-demo
spec:
replicas: 2
selector:
matchLabels:
app: nginx-pv-demo
template:
metadata:
labels:
app: nginx-pv-demo
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- name: html
mountPath: /usr/share/nginx/html
volumes:
- name: html
nfs:
server: 192.168.68.204
path: /nfs/data/nginx-pv
kubectl get pod



注意,如果一直在创建中,请使用 kubectl describe pod 对应的pod名字,一般是没有创建对应的文件夹

验证

# 进入pod容器内部
kubectl exec -it nginx-pv-demo-5b74676b65-cb9mh -- /bin/bash # 查看nginx存放页面的信息
ls /usr/share/nginx/html/



发现对应的文件夹下,并没有数据

新建一个连接,在nfs宿主机服务的 /nfs/data/nginx-pv下,或者挂载的服务器下,新建一个index.html文件,并填充内容

echo 111 > /nfs/data/nginx-pv/index.html

然后,在之前的容器中再查看是否有新的文件

ls /usr/share/nginx/html/

cat /usr/share/nginx/html/index.html



更换另一个pod,结果也是一样

10.2 PV&PVC

PV:持久卷(Persistent Volume),将应用需要持久化的数据保存到指定位置

PVC:持久卷申明(Persistent Volume Claim),申明需要使用的持久卷规格

10.2.1 创建PV池

静态供应

mkdir -p /nfs/data/{01,02,03}

创建PV

vi pv.yaml
  • 修改nfs服务ip

    server: 自己的nfs服务ip
apiVersion: v1
kind: PersistentVolume
metadata:
name: pv01-10m
spec:
capacity:
storage: 10M
accessModes:
- ReadWriteMany
storageClassName: nfs
nfs:
path: /nfs/data/01
server: 192.168.68.204
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: pv02-1gi
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: nfs
nfs:
path: /nfs/data/02
server: 192.168.68.204
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: pv03-3gi
spec:
capacity:
storage: 3Gi
accessModes:
- ReadWriteMany
storageClassName: nfs
nfs:
path: /nfs/data/03
server: 192.168.68.204

部署

kubectl apply -f pv.yaml

查看

kubectl get pv

10.2.2 PVC创建与绑定

10.2.2.1 创建PVC

vi pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nginx-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 200Mi
storageClassName: nfs

部署

kubectl apply -f pvc.yaml

查看

kubectl get pvc



测试删除

kubectl delete -f pvc.yaml

查看

kubectl get pvc



再次部署

kubectl apply -f pvc.yaml

查看

kubectl get pvc



结论:会选用大于200M的pv,正在使用的pv会被 Bound,之前使用的,后面删除了,就会释放

10.2.2.2 创建Pod绑定PVC

vi pod-pvc.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx-deploy-pvc
name: nginx-deploy-pvc
spec:
replicas: 2
selector:
matchLabels:
app: nginx-deploy-pvc
template:
metadata:
labels:
app: nginx-deploy-pvc
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- name: html
mountPath: /usr/share/nginx/html
volumes:
- name: html
persistentVolumeClaim:
claimName: nginx-pvc

部署

kubectl apply -f pod-pvc.yaml

查看pod

kubectl get pod

查看pvc和pv绑定关系

kubectl get pvc,pv



验证

进入启动一个pod容器内

# 进入容器,对应的pod名字修改为自己的
kubectl exec -it nginx-deploy-pvc-79fc8558c7-c8mh7 -- /bin/bash ## 展示容器内文件夹下的内容
ls /usr/share/nginx/html/



我们发现,文件夹下,还没有文件

从绑定关系中得知,使用的pv03-3gi在nfs服务对应的 /nfs/data/03文件夹或者挂载了nfs的服务器上,我们这03文件夹中创建文件 index.html文件

echo 333 > /nfs/data/03/index.html

再次查看,已经有了index.html文件



查看另外一个pod,也是如此

10.3 ConfigMap

抽取应用配置,并且可以自动更新

10.3.1 redis示例

10.3.1.1 创建redis.conf配置文件

vi redis.conf

内容

appendonly yes

10.3.1.2 把配置文件创建为配置集

方式一:命令行方式

# 创建配置,redis保存到k8s的etcd;
kubectl create cm redis-conf --from-file=redis.conf



删除cm配置

# kubectl delete cm cm名称
kubectl delete cm redis-conf

方式二:yaml方式

vi cm.yaml
apiVersion: v1
data: #data是所有真正的数据,key:默认是文件名 value:配置文件的内容
redis.conf: |
appendonly yes
kind: ConfigMap
metadata:
name: redis-conf
namespace: default

部署

kubectl apply -f cm.yaml

10.3.1.3 创建pod

vi redis-pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: redis
spec:
containers:
- name: redis
image: redis
command:
- redis-server
- "/redis-master/redis.conf" #指的是redis容器内部的位置
ports:
- containerPort: 6379
volumeMounts:
- mountPath: /data
name: data
- mountPath: /redis-master
name: config
volumes:
- name: data
emptyDir: {}
- name: config
configMap:
name: redis-conf
items:
- key: redis.conf
path: redis.conf

查看

kubectl get pod

10.3.1.3 检查默认配置

kubectl exec -it redis -- redis-cli

10.3.1.4 修改ConfigMap

kubectl edit cm redis-conf
    maxmemory 2mb
maxmemory-policy allkeys-lru

10.3.1.5 检查配置是否更新

kubectl exec -it redis -- redis-cli



检查指定文件内容是否已经更新

修改了CM。Pod里面的配置文件会跟着变

配置值未更改,因为需要重新启动 Pod 才能从关联的 ConfigMap 中获取更新的值。

原因:我们的Pod部署的中间件自己本身没有热更新能力

重启pod

kubectl replace --force -f redis-pod.yaml

检查配置是否更新

kubectl exec -it redis -- redis-cli

10.4 Secret

Secret 对象类型用来保存敏感信息,例如密码、OAuth 令牌和 SSH 密钥。 将这些信息放在 secret 中比放在 Pod 的定义或者 容器镜像 中来说更加安全和灵活。

10.4.1 命令方式

kubectl create secret docker-registry 密钥名 \
--docker-server=<你的镜像仓库服务器> \
--docker-username=<你的用户名> \
--docker-password=<你的密码> \
--docker-email=<你的邮箱地址>

10.4.2 创建容器

apiVersion: v1
kind: Pod
metadata:
name: private-nginx
spec:
containers:
- name: private-nginx
image: xx/xx:v1.0
imagePullSecrets:
- name: 密钥名

3、k8s 核心实战的更多相关文章

  1. k8s经典实战—搭建WordPress

    k8s经典实战—搭建WordPress说明:需要在k8s上部署lnmp环境,建议跟着步骤来端口最好不要改,希望你也能搭建成功,完成这个搭建后你对Kubernetes的技术基本上是入门了.首先看下效果图 ...

  2. k8s核心资源之Pod概念&入门使用讲解(三)

    目录 1. k8s核心资源之Pod 1.1 什么是Pod? 1.2 Pod如何管理多个容器? 1.3 Pod网络 1.4 Pod存储 1.5 Pod工作方式 1.5.1 自主式Pod 1.5.2 控制 ...

  3. 图解 K8s 核心概念和术语

    我第一次接触容器编排调度工具是 Docker 自家的 Docker Swarm,主要解决当时公司内部业务项目部署繁琐的问题,我记得当时项目实现容器化之后,花在项目部署运维的时间大大减少了,当时觉得这玩 ...

  4. k8s 核心功能 - 每天5分钟玩转 Docker 容器技术(116)

    本节带领大家快速体验 k8s 的核心功能:应用部署.访问.Scale Up/Down 以及滚动更新. 部署应用 执行命令: kubectl run kubernetes-bootcamp \ --im ...

  5. [转]k8s核心概念

    转载自 https://blog.csdn.net/real_myth/article/details/78719244 什么是kubernetes 首先,他是一个全新的基于容器技术的分布式架构领先方 ...

  6. 从零开始入门 K8s| 阿里技术专家详解 K8s 核心概念

    作者| 阿里巴巴资深技术专家.CNCF 9个 TCO 之一 李响 一.什么是 Kubernetes Kubernetes,从官方网站上可以看到,它是一个工业级的容器编排平台.Kubernetes 这个 ...

  7. 3.k8s核心概念

    k8s的核心概念 一. Pod pod,中文翻译过来叫豆荚,如下图.我们都知道豆荚,一个豆荚里面有很多豆子.豆荚就可以理解为pod,一个个的豆子就可以理解为容器.pod和容器的关系是一个pod里面可以 ...

  8. K8s核心概念详解

    kubernetes(通常简称为K8S),是一个用于管理在容器中运行的应用的容器编排工具. Kubernetes不仅有你所需要的用来支持复杂容器应用的所有东西,它还是市面上最方便开发和运维的框架. K ...

  9. k8s 核心功能[转]

    部署应用 执行命令: kubectl run kubernetes-bootcamp \ --image=docker.io/jocatalin/kubernetes-bootcamp:v1 \ -- ...

  10. k8s核心资源之namespace与pod污点容忍度生命周期进阶篇(四)

    目录 1.命名空间namespace 1.1 什么是命名空间? 1.2 namespace应用场景 1.3 namespacs常用指令 1.4 namespace资源限额 2.标签 2.1 什么是标签 ...

随机推荐

  1. 使用ProPerties集合存储数据-Properties集合中的方法store

    使用ProPerties集合存储数据 java.util.Properties`继承于Hashtable,来表示一个持久的属性集.它使用键值结构存储数据每个键及其对应值都是一个字符串.该类也被许多Ja ...

  2. 前端知识点(js部分)

    目录 一.JS简介 简介 ECMAScript的历史 二.JS基础 1.注释语法 2.引入js的多种方式 3.结束符号 三.变量与常量 编写和运行js代码的两种方式 变量声明 四.基本数据类型 1.数 ...

  3. Vue35 路由

    1 简介 vue-router是vue的一个插件,专门用来实现SPA应用.SPA也就是单页Web应用,特点是:整个应用只有一个完整的页面,点击页面中的导航链接不会刷新页面,只会做页面的局部更新,数据需 ...

  4. 线程基础知识02-CompletableFuture

    1 简介 Futrue可以监视目标线程调用call的情况,当你调用Future的get()方法以获得结果时,调用方的线程就被阻塞,直到目标线程的call方法结束并返回结果. 线程的实现方式有几种方式, ...

  5. .net core 上传文件到本地服务器

    1.本文是上传文件到本地服务器,主要以作者做的业务上传apk为例子,下面直接上代码 [HttpGet, HttpPost, HttpOptions] [Consumes("applicati ...

  6. vim之YouCompleteMe插件问题:The ycmd server SHUT DOWN (restart with ...low the instructions in the documen

    cd ~/.vim/plugged/YouCompleteMe 然后运行./install.py 1.因为我是单独下载的Youcompleteme,所以要将整个文件夹拷贝到上述目录下,再运行

  7. video多视频轮播Swiper 播放视频不轮播不循环

    在实际工作中经常会遇到swiper轮播多个视频,播放视频不轮播不循环 loop:true下问题: (1)slides前后会复制若干个slide,成一个环路,不会复制绑定在dom上@click事件, 解 ...

  8. CSS 定位position

    .link span { position: absolute; top: 0; left: 50%; transform: translateX(-50%); }

  9. 三天吃透Java并发八股文!

    本文已经收录到Github仓库,该仓库包含计算机基础.Java基础.多线程.JVM.数据库.Redis.Spring.Mybatis.SpringMVC.SpringBoot.分布式.微服务.设计模式 ...

  10. IntelliJ IDEA 程序运行的控制台乱码

    参考:https://blog.csdn.net/zp357252539/article/details/124614007 上方导航栏"Run→Edit Configurations-&q ...