k8s day03

Yesterday's review:

  • resource limits
  • namespaces
  • volumes
  • Pod restart policy
  • container image pull policy
  • environment variables

Resource manifest (Pod skeleton; the field names are `volumes`, `limits` and `requests`, plural):

```yaml
kind: Pod
apiVersion: v1
metadata:
  name:
  labels:
  namespace:
spec:
  nodeName:
  hostNetwork:
  restartPolicy:
  volumes:                # plural: volumes, not volume
  - name: data01
    emptyDir: {}
  - name: data02
    hostPath:
      path:
  - name: data03
    nfs:
      server:
      path:
  containers:
  - name:
    image:
    env:
    - name:
      value:
    - name:
      valueFrom:
    imagePullPolicy:
    stdin:
    command:
    args:
    resources:
      limits:             # plural: limits, not limit
      requests:           # plural: requests, not request
    volumeMounts:
    - name: data01
      mountPath:
    - name: data02
      mountPath:
```

ConfigMap overview:

ConfigMap data is stored in the etcd database; its main use is application configuration.

Data types a ConfigMap supports:
(1) key-value pairs;
(2) multi-line data.

A Pod commonly consumes a ConfigMap in two ways:
(1) injection as environment variables;
(2) mounting as a volume.

Recommended reading:

https://kubernetes.io/docs/concepts/storage/volumes/#configmap

https://kubernetes.io/docs/concepts/configuration/configmap/

Reference cases:
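Before the reference manifests, an added illustration (my own code, not from these notes or from Kubernetes itself) of the two consumption modes: it resolves `configMapKeyRef` entries in a container `env` list and simulates what a configMap volume leaves in the container filesystem with and without `items` and `subPath`, including the case where a mount onto a directory hides the files already there. The function names, the `GAME_DEMO` data and the sample filesystem are constructed for the example.

```python
"""Simulate how a Pod sees ConfigMap keys through env injection and volume mounts.

Added illustration, not code from the original notes: it models the rules the
notes describe (items filtering, subPath, directory overlay) on plain dicts.
No Kubernetes API is involved; a container filesystem is a dict path -> content.
"""
from typing import Dict, List, Optional

# Constructed ConfigMap data shaped like the game-demo example.
GAME_DEMO: Dict[str, str] = {
    "player_initial_lives": "3",
    "ui_properties_file_name": "user-interface.properties",
    "game.properties": "enemy.types=aliens,monsters\nplayer.maximum-lives=5\n",
}


def env_from_configmap(env_spec: List[dict], configmaps: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Resolve a container env list: literal `value` or `configMapKeyRef`."""
    resolved = {}
    for entry in env_spec:
        if "value" in entry:
            resolved[entry["name"]] = entry["value"]
            continue
        ref = entry["valueFrom"]["configMapKeyRef"]
        cm = configmaps[ref["name"]]
        if ref["key"] not in cm:
            # kubelet refuses to start the container when a referenced key is missing
            raise KeyError(f"key {ref['key']!r} not found in ConfigMap {ref['name']!r}")
        resolved[entry["name"]] = cm[ref["key"]]
    return resolved


def projected_files(cm_data: Dict[str, str], items: Optional[List[dict]] = None) -> Dict[str, str]:
    """Files inside a configMap volume: every key, or only the listed items (key -> path)."""
    if items is None:
        return dict(cm_data)
    return {item["path"]: cm_data[item["key"]] for item in items}


def mount(fs: Dict[str, Optional[str]], volume_files: Dict[str, str],
          mount_path: str, sub_path: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Apply one volumeMount to a container filesystem and return the new view.

    - No subPath: mount_path is a directory; everything that existed below it is
      hidden and replaced by the projected files.
    - subPath naming a projected file: only that file is placed at mount_path,
      so sibling files in the same directory survive.
    - subPath naming nothing in the volume: mount_path becomes an empty
      directory (recorded as a trailing-slash key with content None).
    """
    result = dict(fs)
    prefix = mount_path.rstrip("/") + "/"
    if sub_path is None:
        for path in list(result):
            if path == mount_path or path.startswith(prefix):
                del result[path]
        for name, content in volume_files.items():
            result[prefix + name] = content
        return result
    if sub_path not in volume_files:
        result.pop(mount_path, None)
        result[prefix] = None
        return result
    result[mount_path] = volume_files[sub_path]
    return result


def nginx_demo():
    """The nginx.conf case from the notes: whole-directory mount versus subPath."""
    # Constructed container filesystem of the image before any mount.
    fs = {"/etc/nginx/nginx.conf": "<image default>", "/etc/nginx/mime.types": "<mime>"}
    cm = {"nginx.conf": "worker_processes 1;"}
    whole_dir = mount(fs, projected_files(cm), "/etc/nginx")
    single_file = mount(fs, projected_files(cm, [{"key": "nginx.conf", "path": "nginx.conf"}]),
                        "/etc/nginx/nginx.conf", sub_path="nginx.conf")
    return whole_dir, single_file


if __name__ == "__main__":
    whole, single = nginx_demo()
    print("mount on /etc/nginx   ->", sorted(whole))
    print("subPath on nginx.conf ->", sorted(single))
```

Running it shows that the whole-directory mount drops `mime.types` from the view, while the `subPath` mount keeps it and only replaces `nginx.conf`; a `subPath` that matches none of the projected `path` values leaves an empty directory where the file should be.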

[root@k8s151.oldboyedu.com cm]# cat 01-cm-demo.yaml

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: game-demo
data:
  # key-value pairs, single-line values
  player_initial_lives: "3"
  ui_properties_file_name: "user-interface.properties"
  # key-value pairs, multi-line values
  game.properties: |
    enemy.types=aliens,monsters
    player.maximum-lives=5
  user-interface.properties: |
    color.good=purple
    color.bad=yellow
    allow.textmode=true
---
apiVersion: v1
kind: Pod
metadata:
  name: configmap-pod-001
spec:
  containers:
  - name: demo01
    image: k8s151.oldboyedu.com:5000/oldboyedu-linux/stress:v0.1
    stdin: true
    volumeMounts:
    - name: config-vol
      mountPath: /oldboyedu/linux82
  volumes:
  - name: config-vol
    # the volume type is a ConfigMap
    configMap:
      # name of the ConfigMap
      name: game-demo
      # without items, every key of the ConfigMap is projected;
      # list items when only some keys are needed
      items:
      # a key in the ConfigMap
      - key: game.properties
        # file path inside the volume that the key is mapped to
        path: oldboyedu-linux82-game.properties
---
apiVersion: v1
kind: Pod
metadata:
  name: configmap-pod-002
spec:
  containers:
  - name: demo01
    image: k8s151.oldboyedu.com:5000/oldboyedu-linux/stress:v0.1
    stdin: true
    env:
    - name: OLDBOYEDU-LINUX82
      value: test001
    - name: OLDBOYEDU-LINUX82-GAME
      valueFrom:
        # reference a ConfigMap
        configMapKeyRef:
          # name of the ConfigMap
          name: game-demo
          # key in the ConfigMap
          key: game.properties
    - name: OLDBOYEDU-LINUX82-PLAYER_INITIAL_LIVES
      valueFrom:
        configMapKeyRef:
          name: game-demo
          key: player_initial_lives
```

Storing the game image's configuration file in a ConfigMap:

[root@k8s151.oldboyedu.com cm]# cat 02-cm-games.yaml

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: oldboyedu-games
data:
  nginx.conf: |
    worker_processes 1;
    events {
        worker_connections 1024;
    }
    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;
        server { listen 80; root /usr/local/nginx/html/bird/; server_name game01.oldboyedu.com; }
        server { listen 80; root /usr/local/nginx/html/pinshu/; server_name game02.oldboyedu.com; }
        server { listen 80; root /usr/local/nginx/html/tanke/; server_name game03.oldboyedu.com; }
        server { listen 80; root /usr/local/nginx/html/chengbao/; server_name game04.oldboyedu.com; }
        server { listen 80; root /usr/local/nginx/html/motuo/; server_name game05.oldboyedu.com; }
        server { listen 80; root /usr/local/nginx/html/liferestart/; server_name game06.oldboyedu.com; }
        server { listen 80; root /usr/local/nginx/html/huangjinkuanggong/; server_name game07.oldboyedu.com; }
        server { listen 80; root /usr/local/nginx/html/feijidazhan/; server_name game08.oldboyedu.com; }
        server { listen 80; root /usr/local/nginx/html/zhiwudazhanjiangshi/; server_name game09.oldboyedu.com; }
        server { listen 80; root /usr/local/nginx/html/xiaobawang/; server_name game10.oldboyedu.com; }
        server { listen 80; root /usr/local/nginx/html/pingtai/; server_name game11.oldboyedu.com; }
    }
---
apiVersion: v1
kind: Pod
metadata:
  name: oldboyedu-game-005
spec:
  containers:
  - name: game
    image: k8s151.oldboyedu.com:5000/oldboyedu-games/oldboyedu-games:v0.3
    volumeMounts:
    - name: games
      # When mounting a ConfigMap, give mountPath an absolute file path; mounting onto a bare
      # directory may hide everything that already exists in that directory.
      mountPath: /etc/nginx/nginx.conf
      # With an absolute file path as mountPath, set subPath to the file name: the key is then
      # mounted as a single file and the existing data in the directory is not overwritten.
      # Without subPath, mountPath is a mount point, i.e. a directory.
      subPath: nginx.conf
  volumes:
  - name: games
    configMap:
      name: oldboyedu-games
      items:
      - key: nginx.conf
        path: nginx.conf
```

Q1: Why keep the configuration file in a ConfigMap?
1. Reuse: many nginx Pods can be started that share one ConfigMap.
2. Easier maintenance: if the file lives in the container image, every change requires rebuilding the image.

Secret overview:

Similar to a ConfigMap, except that a Secret holds sensitive data, and every value must be base64-encoded. Secrets are used mainly to store credentials.

Reference link:

https://kubernetes.io/zh/docs/concepts/configuration/secret/#secret-types

Reference case:

[root@k8s151.oldboyedu.com secrets]# cat 01-secrets-demo.yaml

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: oldboyedu-linux82
type: Opaque
data:
  school: b2xkYm95ZWR1Cg==
  USER_NAME: YWRtaW4=
  PASSWORD: MWYyZDFlMmU2N2Rm
---
apiVersion: v1
kind: Pod
metadata:
  name: secrets-pod-001
spec:
  containers:
  - name: demo01
    image: k8s151.oldboyedu.com:5000/oldboyedu-linux/stress:v0.1
    stdin: true
    volumeMounts:
    - name: config-vol
      mountPath: /oldboyedu/linux82
  volumes:
  - name: config-vol
    # the volume type is a Secret
    secret:
      # name of the Secret
      secretName: oldboyedu-linux82
      # without items, every key of the Secret is projected;
      # list items when only some keys are needed
      items:
      # a key in the Secret
      - key: school
        # file path inside the volume that the key is mapped to
        path: oldboyedu-linux82-school
      - key: USER_NAME
        path: oldboyedu-linux82-username
      - key: PASSWORD
        path: oldboyedu-linux82-password
---
apiVersion: v1
kind: Pod
metadata:
  name: secret-pod-002
spec:
  containers:
  - name: demo01
    image: k8s151.oldboyedu.com:5000/oldboyedu-linux/stress:v0.1
    stdin: true
    env:
    - name: OLDBOYEDU-LINUX82-SCHOOL
      valueFrom:
        # reference a Secret
        secretKeyRef:
          # name of the Secret
          name: oldboyedu-linux82
          # key in the Secret
          key: school
    - name: OLDBOYEDU-LINUX82-username
      valueFrom:
        secretKeyRef:
          name: oldboyedu-linux82
          key: USER_NAME
```

Extension:

```bash
echo b2xkYm95ZWR1Cg== | base64 -d    # decode
echo oldboyedu | base64              # encode
```

```sql
SHOW DATABASES;                 -- list databases
SHOW TABLES FROM wordpress;     -- list the tables in the wordpress database
```

Deleting a Secret:

```bash
kubectl delete secrets oldboyedu-linux82
kubectl delete -f 01-secrets-demo.yaml
```

Deploying Harbor:

1. Install Docker

```bash
curl -o oldboyedu-docker-ce-20_10_17.tar.gz http://192.168.17.253/Kubernetes/day03-/softwares/oldboyedu-docker-ce-20_10_17.tar.gz
tar xf oldboyedu-docker-ce-20_10_17.tar.gz && cd docker-ce-20_10_17 && yum -y localinstall *.rpm
systemctl enable --now docker
```

2. Install docker-compose

```bash
curl -o oldboyedu-docker-compose.tar.gz http://192.168.17.253/Kubernetes/day03-/softwares/oldboyedu-docker-compose.tar.gz
tar xf oldboyedu-docker-compose.tar.gz && cd docker-compose && yum -y localinstall *.rpm
```

3. Install Harbor

```bash
curl -o harbor-offline-installer-v1.10.10.tgz http://192.168.17.253/Kubernetes/day03-/softwares/harbor-offline-installer-v1.10.10.tgz
tar xf harbor-offline-installer-v1.10.10.tgz
cd harbor
vim harbor.yml
```

In harbor.yml set the following (and remember to comment out the https section):

```yaml
...
hostname: 10.0.0.250
http:
  port: 80
...
harbor_admin_password: 1
```

Then run:

```bash
./install.sh
```

Creating the Harbor credentials from the command line (imperative):

```bash
kubectl create secret docker-registry oldboyedu-harbor \
  --docker-username=jasonyin2020 \
  --docker-password=Oldboyedu@2022 \
  --docker-email=jasonyin@oldboyedu.com \
  --docker-server=10.0.0.250
```

Flag meanings:
--docker-username  user name.
--docker-password  password.
--docker-email     e-mail address.
--docker-server    private registry address.

Reference case (declarative Secret, game image):

[root@k8s151.oldboyedu.com secrets]# cat 02-secrets-harbor-games.yaml

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: oldboyedu-games
data:
  nginx.conf: |
    worker_processes 1;
    events {
        worker_connections 1024;
    }
    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;
        server { listen 80; root /usr/local/nginx/html/bird/; server_name game01.oldboyedu.com; }
        server { listen 80; root /usr/local/nginx/html/pinshu/; server_name game02.oldboyedu.com; }
        server { listen 80; root /usr/local/nginx/html/tanke/; server_name game03.oldboyedu.com; }
        server { listen 80; root /usr/local/nginx/html/chengbao/; server_name game04.oldboyedu.com; }
        server { listen 80; root /usr/local/nginx/html/motuo/; server_name game05.oldboyedu.com; }
        server { listen 80; root /usr/local/nginx/html/liferestart/; server_name game06.oldboyedu.com; }
        server { listen 80; root /usr/local/nginx/html/huangjinkuanggong/; server_name game07.oldboyedu.com; }
        server { listen 80; root /usr/local/nginx/html/feijidazhan/; server_name game08.oldboyedu.com; }
        server { listen 80; root /usr/local/nginx/html/zhiwudazhanjiangshi/; server_name game09.oldboyedu.com; }
        server { listen 80; root /usr/local/nginx/html/xiaobawang/; server_name game10.oldboyedu.com; }
        server { listen 80; root /usr/local/nginx/html/pingtai/; server_name game11.oldboyedu.com; }
    }
---
apiVersion: v1
kind: Pod
metadata:
  name: oldboyedu-game-secret
spec:
  # the Secret used to pull the image
  imagePullSecrets:
  # name of the Secret
  - name: oldboyedu-harbor
  containers:
  - name: game
    image: 10.0.0.250/oldboyedu-games/oldboyedu-games:v0.3
    volumeMounts:
    - name: games
      mountPath: /etc/nginx/nginx.conf
      subPath: nginx.conf
  volumes:
  - name: games
    configMap:
      name: oldboyedu-games
      items:
      - key: nginx.conf
        path: nginx.conf
---
apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyIxMC4wLjAuMjUwIjp7InVzZXJuYW1lIjoiamFzb255aW4yMDIwIiwicGFzc3dvcmQiOiJPbGRib3llZHVAMjAyMiIsImVtYWlsIjoiamFzb255aW5Ab2xkYm95ZWR1LmNvbSIsImF1dGgiOiJhbUZ6YjI1NWFXNHlNREl3T2s5c1pHSnZlV1ZrZFVBeU1ESXkifX19
kind: Secret
metadata:
  name: oldboyedu-harbor
type: kubernetes.io/dockerconfigjson
```

Mounting file content from a Secret in practice:

1. base64-encode the file content (the start of the heredoc is cut off in the notes):

```bash
cat > /student.info <<EOF
   },
   "GaoYunFei": {
       "name": "高云飞",
       "gender": "boy",
       "hobby": ["动漫","刘东"]
   }
}
EOF
cat /student.info | base64
```

2. Write the encoded content into a Secret of the custom (Opaque) type:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: oldboyedu-linux82-student
type: Opaque
data:
  # Note: the value of a key must stay on one line, otherwise the apply fails!
  student.info: ewogICAiV2FuZ0ppYW5QaW5nIjogewogICAgICAgIm5hbWUiOiAi546L5bu65bmzIiwKICAgICAgICJnZW5kZXIiOiAiYm95IiwKICAgICAgICJob2JieSI6IFsi5qyn576OIiwi5pel6Z+pIiwi5Zu95LqnIl0KICAgfSwKCiAgICJHYW9ZdW5GZWkiOiB7CiAgICAgICAibmFtZSI6ICLpq5jkupHpo54iLAogICAgICAgImdlbmRlciI6ICJib3kiLAogICAgICAgImhvYmJ5IjogWyLliqjmvKsiLCLliJjkuJwiXQogICB9Cn0K
```
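An added helper script (my own code, not from these notes) that covers the two encoding steps above and the docker-registry Secret from the Harbor section: `encode_secret_value` and `check_secret_data` catch a value that wraps onto a second line and the trailing newline that `echo | base64` leaves inside a value such as `b2xkYm95ZWR1Cg==`, while `dockerconfigjson_value` and `registry_accounts` build and read back the `.dockerconfigjson` structure, which makes the point from the review that base64 is encoding, not encryption. The constant `NOTES_DOCKERCONFIGJSON` is the value from the `oldboyedu-harbor` Secret above; all function names are my own.

```python
"""Encode, validate and inspect Kubernetes Secret values.

Added example, not code from the original notes. It shows three things the
notes touch on: `echo | base64` leaves a trailing newline inside the value,
a wrapped or malformed base64 value is rejected, and base64 is encoding rather
than encryption, so anyone who can read the Secret object (kubectl get secret,
a manifest committed to git) recovers the registry credentials in plaintext.
"""
import base64
import binascii
import json
from typing import Dict


def encode_secret_value(raw: str) -> str:
    """base64 for the `data:` field: one line, no trailing newline (like `echo -n ... | base64`)."""
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_secret_value(encoded: str) -> str:
    """Strict decode: stray characters such as a line break raise binascii.Error."""
    return base64.b64decode(encoded, validate=True).decode("utf-8")


def check_secret_data(data: Dict[str, str]) -> Dict[str, str]:
    """Return key -> problem for values the API server would reject or that hide a surprise."""
    problems = {}
    for key, value in data.items():
        if "\n" in value:
            problems[key] = "value wraps onto a new line"
            continue
        try:
            decoded = decode_secret_value(value)
        except (binascii.Error, UnicodeDecodeError):
            problems[key] = "not valid base64"
            continue
        if decoded.endswith("\n"):
            problems[key] = "decoded value ends with a newline (encoded with echo instead of echo -n?)"
    return problems


def dockerconfigjson_value(server: str, username: str, password: str, email: str) -> str:
    """Build a .dockerconfigjson value with the structure `kubectl create secret docker-registry` writes."""
    auth = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    config = {"auths": {server: {"username": username, "password": password,
                                 "email": email, "auth": auth}}}
    return encode_secret_value(json.dumps(config, separators=(",", ":")))


def registry_accounts(value: str) -> Dict[str, str]:
    """Decode a kubernetes.io/dockerconfigjson value into server -> username (passwords are not returned)."""
    config = json.loads(decode_secret_value(value))
    return {server: entry["username"] for server, entry in config["auths"].items()}


# The .dockerconfigjson value of the oldboyedu-harbor Secret in the notes above.
NOTES_DOCKERCONFIGJSON = "eyJhdXRocyI6eyIxMC4wLjAuMjUwIjp7InVzZXJuYW1lIjoiamFzb255aW4yMDIwIiwicGFzc3dvcmQiOiJPbGRib3llZHVAMjAyMiIsImVtYWlsIjoiamFzb255aW5Ab2xkYm95ZWR1LmNvbSIsImF1dGgiOiJhbUZ6YjI1NWFXNHlNREl3T2s5c1pHSnZlV1ZrZFVBeU1ESXkifX19"


if __name__ == "__main__":
    # school was produced with `echo oldboyedu | base64`, so it carries a newline
    print(check_secret_data({"school": "b2xkYm95ZWR1Cg==", "USER_NAME": "YWRtaW4="}))
    print(registry_accounts(NOTES_DOCKERCONFIGJSON))
```

`check_secret_data` is the kind of check worth running before `kubectl apply`: a value ending in a newline is accepted by the API server but the newline ends up in the mounted file or environment variable, which is a common cause of "wrong password" failures. `registry_accounts` deliberately returns only user names, so it can be used in a script without echoing the password.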

3. Reference case:

[root@k8s151.oldboyedu.com secrets]# cat 03-secrets-subPath.yaml

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: oldboyedu-game-secret-subpath-002
spec:
  imagePullSecrets:
  - name: oldboyedu-harbor
  containers:
  - name: game
    image: 10.0.0.250/oldboyedu-games/oldboyedu-games:v0.3
    volumeMounts:
    - name: games
      mountPath: /etc/nginx/oldboyedu-linux82-student.json
      # Note: subPath must match the "path" value under "volumes"; otherwise mountPath becomes a directory.
      subPath: oldboyedu-student.json
  volumes:
  - name: games
    secret:
      secretName: oldboyedu-linux82-student
      items:
      - key: student.info
        path: oldboyedu-student.json
---
apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyIxMC4wLjAuMjUwIjp7InVzZXJuYW1lIjoiamFzb255aW4yMDIwIiwicGFzc3dvcmQiOiJPbGRib3llZHVAMjAyMiIsImVtYWlsIjoiamFzb255aW5Ab2xkYm95ZWR1LmNvbSIsImF1dGgiOiJhbUZ6YjI1NWFXNHlNREl3T2s5c1pHSnZlV1ZrZFVBeU1ESXkifX19
kind: Secret
metadata:
  name: oldboyedu-harbor
type: kubernetes.io/dockerconfigjson
---
apiVersion: v1
kind: Secret
metadata:
  name: oldboyedu-linux82-student
type: Opaque
data:
  # Note: the value of a key must stay on one line, otherwise the apply fails!
  student.info: ewogICAiV2FuZ0ppYW5QaW5nIjogewogICAgICAgIm5hbWUiOiAi546L5bu65bmzIiwKICAgICAgICJnZW5kZXIiOiAiYm95IiwKICAgICAgICJob2JieSI6IFsi5qyn576OIiwi5pel6Z+pIiwi5Zu95LqnIl0KICAgfSwKCiAgICJHYW9ZdW5GZWkiOiB7CiAgICAgICAibmFtZSI6ICLpq5jkupHpo54iLAogICAgICAgImdlbmRlciI6ICJib3kiLAogICAgICAgImhvYmJ5IjogWyLliqjmvKsiLCLliJjkuJwiXQogICB9Cn0K
```

Container command used in the exec liveness-probe case (creates the health file, deletes it after 5 seconds):

```yaml
    - command:
      - "/bin/bash"
      - "-c"
      - "touch /tmp/oldboyedu-linux82-health && sleep 5 && rm -f /tmp/oldboyedu-linux82-health && sleep 300"
```

```
Events:
  Type     Reason     Age              From                           Message
  ----     ------     ----             ----                           -------
  Normal   Scheduled  18s              default-scheduler              Successfully assigned default/oldboyedu-linux82-livenessprobe-005 to k8s152.oldboyedu.com
  Normal   Pulled     17s              kubelet, k8s152.oldboyedu.com  Container image "k8s151.oldboyedu.com:5000/oldboyedu-web/nginx:1.20.1" already present on machine
  Normal   Created    17s              kubelet, k8s152.oldboyedu.com  Created container linux82-web
  Normal   Started    17s              kubelet, k8s152.oldboyedu.com  Started container linux82-web
  Warning  Unhealthy  0s (x3 over 2s)  kubelet, k8s152.oldboyedu.com  Liveness probe failed: cat: /tmp/oldboyedu-linux82-health: No such file or directory
  Normal   Killing    0s               kubelet, k8s152.oldboyedu.com  Container linux82-web failed liveness probe, will be restarted
```

Total time since the Pod started: 18s. "(x3 over 2s)" means three failed checks, the first of them 2 seconds ago, so 18 - 2 = 16: the first check failed at 16s.

httpGet case:

[root@k8s151.oldboyedu.com po]# cat 17-pods-livenessProbe-httpGet.yaml

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: oldboyedu-linux82-livenessprobe-httpget-002
spec:
  containers:
  # - command:
  #   - "/bin/bash"
  #   - "-c"
  #   - "touch /tmp/oldboyedu-linux82-health && sleep 5 && rm -f /tmp/oldboyedu-linux82-health && sleep 300"
  - name: linux82-web
    image: k8s151.oldboyedu.com:5000/oldboyedu-web/nginx:1.20.1
    # Health check: on success nothing happens; on failure the container is restarted (re-created) and the restart count goes up by 1.
    livenessProbe:
      # exec: run a command and judge by its exit status, like "echo $?" in the shell
      # exec:
      #   # the command to run
      #   command:
      #   - cat
      #   - /tmp/oldboyedu-linux82-health
      # httpGet: send an HTTP request and judge service health by the response status code
      httpGet:
        # service port
        port: 80
        # request path, e.g. https://10.0.0.101:80/oldboyedu/2022/09/08/index.html
        path: /
      # Consecutive failures before the probe counts as failed; default 3, minimum 1. A successful check resets the counter.
      failureThreshold: 3
      # Seconds to wait before the first check; failures inside this window are not counted towards failureThreshold.
      initialDelaySeconds: 15
      # Probe interval; default 10s, minimum 1.
      periodSeconds: 1
      # Consecutive successes before the probe counts as successful; default 1, minimum 1.
      successThreshold: 1
      # Timeout of one check; default 1s, minimum 1.
      timeoutSeconds: 1
```

tcpSocket case:

[root@k8s151.oldboyedu.com po]# cat 18-pods-livenessProbe-tcpSocket.yaml

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: oldboyedu-linux82-livenessprobe-tcpsocket-001
spec:
  containers:
  - name: linux82-web
    image: k8s151.oldboyedu.com:5000/oldboyedu-web/nginx:1.20.1
    # Health check: on success nothing happens; on failure the container is restarted (re-created) and the restart count goes up by 1.
    livenessProbe:
      # exec: run a command and judge by its exit status, like "echo $?" in the shell
      # exec:
      #   # the command to run
      #   command:
      #   - cat
      #   - /tmp/oldboyedu-linux82-health
      # httpGet: send an HTTP request and judge service health by the response status code
      # httpGet:
      #   # service port
      #   port: 80
      #   # request path, e.g. https://10.0.0.101:80/oldboyedu/2022/09/08/index.html
      #   path: /
      # tcpSocket: check whether the port is open, like the telnet command
      tcpSocket:
        port: 88
      # Consecutive failures before the probe counts as failed; default 3, minimum 1. A successful check resets the counter.
      failureThreshold: 3
      # Seconds to wait before the first check; failures inside this window are not counted towards failureThreshold.
      initialDelaySeconds: 15
      # Probe interval; default 10s, minimum 1.
      periodSeconds: 1
      # Consecutive successes before the probe counts as successful; default 1, minimum 1.
      successThreshold: 1
      # Timeout of one check; default 1s, minimum 1.
      timeoutSeconds: 1
```

Today's review:

- ConfigMap (cm)
  Use case: application configuration files.
  Storage: the etcd database.
- Secrets
  Use case: sensitive data, e.g. Docker registry credentials, custom user names and passwords, ...
  Secret data is not encrypted; it is base64-encoded, and a Pod that references it receives it decoded automatically.
- Probes:
  - livenessProbe
    Use case: check whether the service is up; on failure the container is restarted.
  - readinessProbe
    Use case: check whether the service can serve traffic; on failure the Pod is marked not ready and is no longer discovered through the Service's Endpoints (ep) resource.
- Referencing Secrets and ConfigMaps through env.

Tomorrow's preview:

- Static Pods, Pod status, ...
- RC, RS, Deployment, Service, Endpoints, ...
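Added example (my own code, not from these notes) that replays the livenessProbe fields from the httpGet and tcpSocket manifests above against scripted health functions, to show at which second `failureThreshold` consecutive failures trigger a restart, why a service that only flaps is never restarted, and why failures before `initialDelaySeconds` do not count. `ProbeSpec`, the scenario functions and the idealised clock (exactly one probe per `periodSeconds`, no jitter) are assumptions of the example, not kubelet code.

```python
"""Replay kubelet liveness-probe bookkeeping against a scripted health function.

Added example, not code from the original notes. It uses the probe fields from
the manifests above (initialDelaySeconds, periodSeconds, timeoutSeconds,
failureThreshold, successThreshold) and an idealised clock: one probe exactly
every periodSeconds starting at initialDelaySeconds, no jitter.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# health(t) -> True (probe passed), False (probe failed), None (probe hung past timeoutSeconds)
Health = Callable[[int], Optional[bool]]


@dataclass
class ProbeSpec:
    initial_delay_seconds: int = 0
    period_seconds: int = 10
    timeout_seconds: int = 1
    failure_threshold: int = 3
    success_threshold: int = 1   # a livenessProbe must use 1; kept for completeness


def probe_timeline(spec: ProbeSpec, health: Health, horizon: int) -> List[Tuple[int, bool]]:
    """(time, passed) for every probe the kubelet would run up to `horizon` seconds."""
    timeline = []
    t = spec.initial_delay_seconds
    while t <= horizon:
        outcome = health(t)
        timeline.append((t, bool(outcome)))  # a hang (None) counts as a failure
        t += spec.period_seconds
    return timeline


def first_restart(spec: ProbeSpec, health: Health, horizon: int = 300) -> Optional[int]:
    """Second at which the container is killed, or None if it survives the horizon.

    Failures are counted consecutively; any success resets the counter, so a
    service that fails fewer than failure_threshold times in a row is never restarted.
    """
    failures = 0
    for t, passed in probe_timeline(spec, health, horizon):
        if passed:
            failures = 0
        else:
            failures += 1
            if failures >= spec.failure_threshold:
                return t
    return None


def worst_case_detection(spec: ProbeSpec) -> int:
    """Restart time for a container that is unhealthy from its very first probe."""
    return spec.initial_delay_seconds + (spec.failure_threshold - 1) * spec.period_seconds


# --- scenarios built from the notes ------------------------------------------------

# Probe values from 17-pods-livenessProbe-httpGet.yaml / 18-pods-livenessProbe-tcpSocket.yaml.
NOTES_SPEC = ProbeSpec(initial_delay_seconds=15, period_seconds=1, timeout_seconds=1, failure_threshold=3)


def health_file_removed_after_5s(t: int) -> bool:
    """The exec case: the health file exists for 5 seconds and is then deleted."""
    return t < 5


def health_port_closed(t: int) -> bool:
    """The tcpSocket case probes port 88 while nginx listens on 80: never succeeds."""
    return False


def health_flapping(t: int) -> bool:
    """Constructed: fails every third probe, never three in a row."""
    return t % 3 != 2


if __name__ == "__main__":
    print("exec case restarts at", first_restart(NOTES_SPEC, health_file_removed_after_5s))
    print("tcpSocket port 88 restarts at", first_restart(NOTES_SPEC, health_port_closed))
    print("flapping service restarts at", first_restart(ProbeSpec(period_seconds=1), health_flapping, 60))
```

With the notes' values (initialDelaySeconds 15, periodSeconds 1, failureThreshold 3) the first three probes at 15s, 16s and 17s all fail, so the kill comes at 17s, which is the same `initialDelaySeconds + (failureThreshold - 1) * periodSeconds` arithmetic as the "x3 over 2s" reasoning under the Events output; the same three parameters are the knobs to tune when a slow-starting service is being restarted before it is ready.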
