k8s day03

Recap of yesterday:

  • Resource limits
  • Namespaces
  • Volumes
  • Pod restart policy
  • Container image pull policy
  • Environment variables

Resource manifest outline (Pod):

kind: Pod
apiVersion: v1
metadata:
  name:
  labels:
  namespace:
spec:
  nodeName:
  hostNetwork:
  restartPolicy:
  volumes:                # the field is "volumes" (plural)
  - name: data01
    emptyDir: {}
  - name: data02
    hostPath:
      path:
  - name: data03
    nfs:
      server:
      path:
  containers:
  - name:
    image:
    env:
    - name:
      value:
    - name:
      valueFrom:
    imagePullPolicy:
    stdin:
    command:
    args:
    resources:
      limits:             # "limits" and "requests" (plural)
      requests:
    volumeMounts:
    - name: data01
      mountPath:
    - name: data02
      mountPath:

ConfigMap overview:

ConfigMap data is stored in the etcd database; its main use case is application configuration.

Data types a ConfigMap supports:
(1) key/value pairs (single-line values);
(2) multi-line data.

A Pod consumes a ConfigMap in two common ways:
(1) injection as environment variables;
(2) mounting as a volume.

Recommended reading:
https://kubernetes.io/docs/concepts/storage/volumes/#configmap
https://kubernetes.io/docs/concepts/configuration/configmap/

Reference example:

[root@k8s151.oldboyedu.com cm]# cat 01-cm-demo.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: game-demo
data:
  # key/value pairs, single-line data
  player_initial_lives: "3"
  ui_properties_file_name: "user-interface.properties"
  # key/value pairs, multi-line data
  game.properties: |
    enemy.types=aliens,monsters
    player.maximum-lives=5
  user-interface.properties: |
    color.good=purple
    color.bad=yellow
    allow.textmode=true

---
apiVersion: v1
kind: Pod
metadata:
  name: configmap-pod-001
spec:
  containers:
  - name: demo01
    image: k8s151.oldboyedu.com:5000/oldboyedu-linux/stress:v0.1
    stdin: true
    volumeMounts:
    - name: config-vol
      mountPath: /oldboyedu/linux82
  volumes:
  - name: config-vol
    # the volume type is a ConfigMap
    configMap:
      # name of the ConfigMap to reference
      name: game-demo
      # Without "items", every key of the ConfigMap is projected as a file.
      # Use "items" when only some keys are needed.
      items:
      # "key" is a key in the ConfigMap
      - key: game.properties
        # "path" is the file name the key is mapped to inside the mount
        path: oldboyedu-linux82-game.properties

---
apiVersion: v1
kind: Pod
metadata:
  name: configmap-pod-002
spec:
  containers:
  - name: demo01
    image: k8s151.oldboyedu.com:5000/oldboyedu-linux/stress:v0.1
    stdin: true
    env:
    - name: OLDBOYEDU-LINUX82
      value: test001
    - name: OLDBOYEDU-LINUX82-GAME
      valueFrom:
        # reference a ConfigMap
        configMapKeyRef:
          # name of the ConfigMap to reference
          name: game-demo
          # the key whose value is injected
          key: game.properties
    - name: OLDBOYEDU-LINUX82-PLAYER_INITIAL_LIVES
      valueFrom:
        configMapKeyRef:
          name: game-demo
          key: player_initial_lives
[root@k8s151.oldboyedu.com cm]#

Storing the game image's configuration file in a ConfigMap:

[root@k8s151.oldboyedu.com cm]# cat 02-cm-games.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: oldboyedu-games
data:
  nginx.conf: |
    worker_processes 1;
    events {
        worker_connections 1024;
    }
    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;
        server {
            listen 80;
            root /usr/local/nginx/html/bird/;
            server_name game01.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/pinshu/;
            server_name game02.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/tanke/;
            server_name game03.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/chengbao/;
            server_name game04.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/motuo/;
            server_name game05.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/liferestart/;
            server_name game06.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/huangjinkuanggong/;
            server_name game07.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/feijidazhan/;
            server_name game08.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/zhiwudazhanjiangshi/;
            server_name game09.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/xiaobawang/;
            server_name game10.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/pingtai/;
            server_name game11.oldboyedu.com;
        }
    }

---
apiVersion: v1
kind: Pod
metadata:
  name: oldboyedu-game-005
spec:
  containers:
  - name: game
    image: k8s151.oldboyedu.com:5000/oldboyedu-games/oldboyedu-games:v0.3
    volumeMounts:
    - name: games
      # When mounting a ConfigMap, prefer an absolute file path as the mount point.
      # Mounting onto a directory hides everything that already exists in that directory.
      mountPath: /etc/nginx/nginx.conf
      # With an absolute file path as mountPath, set subPath to the file name: the key is
      # then mounted as a single file and the existing data in the directory is not overwritten.
      # Without subPath, mountPath is a mount point, i.e. a directory.
      subPath: nginx.conf
  volumes:
  - name: games
    configMap:
      name: oldboyedu-games
      items:
      - key: nginx.conf
        path: nginx.conf
[root@k8s151.oldboyedu.com cm]#

Q1: Why persist the configuration file in a ConfigMap?
1. Reuse: several nginx Pods can be started that share one and the same ConfigMap;
2. Maintainability: if the file lives inside the container image, every configuration change requires rebuilding the image.

Secret overview:

Similar to a ConfigMap, except that a Secret holds sensitive data and every value under "data" must be base64-encoded.
Secrets are mainly used to store credentials.

Reference link:
https://kubernetes.io/zh/docs/concepts/configuration/secret/#secret-types

Reference example:

[root@k8s151.oldboyedu.com secrets]# cat 01-secrets-demo.yaml
apiVersion: v1
kind: Secret
metadata:
  name: oldboyedu-linux82
type: Opaque
data:
  school: b2xkYm95ZWR1Cg==
  USER_NAME: YWRtaW4=
  PASSWORD: MWYyZDFlMmU2N2Rm

---
apiVersion: v1
kind: Pod
metadata:
  name: secrets-pod-001
spec:
  containers:
  - name: demo01
    image: k8s151.oldboyedu.com:5000/oldboyedu-linux/stress:v0.1
    stdin: true
    volumeMounts:
    - name: config-vol
      mountPath: /oldboyedu/linux82
  volumes:
  - name: config-vol
    # the volume type is a Secret
    secret:
      # name of the Secret to reference
      secretName: oldboyedu-linux82
      # Without "items", every key of the Secret is projected as a file.
      # Use "items" when only some keys are needed.
      items:
      # "key" is a key in the Secret
      - key: school
        # "path" is the file name the key is mapped to inside the mount
        path: oldboyedu-linux82-school
      - key: USER_NAME
        path: oldboyedu-linux82-username
      - key: PASSWORD
        path: oldboyedu-linux82-password

---
apiVersion: v1
kind: Pod
metadata:
  name: secret-pod-002
spec:
  containers:
  - name: demo01
    image: k8s151.oldboyedu.com:5000/oldboyedu-linux/stress:v0.1
    stdin: true
    env:
    - name: OLDBOYEDU-LINUX82-SCHOOL
      valueFrom:
        # reference a Secret
        secretKeyRef:
          # name of the Secret to reference
          name: oldboyedu-linux82
          # the key whose value is injected
          key: school
    - name: OLDBOYEDU-LINUX82-username
      valueFrom:
        secretKeyRef:
          name: oldboyedu-linux82
          key: USER_NAME
[root@k8s151.oldboyedu.com secrets]#

Extras:

echo b2xkYm95ZWR1Cg== | base64 -d
    decode.

echo oldboyedu | base64
    encode.
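As an added example (not part of the original notes), the Python below does what the two shell commands above do and adds the checks a reviewer applies to a Secret manifest: it decodes the three values from 01-secrets-demo.yaml, re-encodes a value onto one line, and flags a value that is wrapped across lines or that ends with a newline. The trailing-newline case is real on this page: b2xkYm95ZWR1Cg== decodes to "oldboyedu" plus a line feed, because "echo" appended one before base64 ran. The dict name PAGE_SECRET_DATA and the function names are my own.

```python
import base64
import binascii

# Values copied from the 01-secrets-demo.yaml Secret above (page data, not constructed).
PAGE_SECRET_DATA = {
    "school": "b2xkYm95ZWR1Cg==",
    "USER_NAME": "YWRtaW4=",
    "PASSWORD": "MWYyZDFlMmU2N2Rm",
}


def decode_secret_data(data):
    """Decode every value of a Secret's 'data' map, as the kubelet does when a Pod
    references it. base64 is an encoding, not encryption: anyone allowed to read the
    Secret object recovers the plaintext with this one call."""
    return {k: base64.b64decode(v, validate=True).decode("utf-8") for k, v in data.items()}


def encode_secret_value(plaintext):
    """Encode one value for a Secret's 'data' map. The result is a single line, which is
    the invariant the notes warn about (a wrapped base64 string fails to apply)."""
    return base64.b64encode(plaintext.encode("utf-8")).decode("ascii")


def check_secret_data(data):
    """Return the problems found in a 'data' map: values wrapped across lines, values
    that are not valid base64, and decoded values that end with a newline (the
    classic 'echo value | base64' mistake, which makes a password one byte longer)."""
    problems = []
    for key, value in data.items():
        if "\n" in value or "\r" in value:
            problems.append(f"{key}: value is wrapped across lines")
            continue
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{key}: not valid base64")
            continue
        if raw.endswith(b"\n"):
            problems.append(f"{key}: decoded value ends with a newline")
    return problems


if __name__ == "__main__":
    print(decode_secret_data(PAGE_SECRET_DATA))
    print(check_secret_data(PAGE_SECRET_DATA))
```

On the shell side, `echo -n value | base64` (or `printf '%s' value | base64`) avoids the trailing newline, and GNU `base64 -w 0` produces the single-line output a manifest needs.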

SHOW DATABASES;
    list the databases.

SHOW TABLES FROM wordpress;
    list the tables in the wordpress database.

Deleting a Secret:
kubectl delete secrets oldboyedu-linux82
kubectl delete -f 01-secrets-demo.yaml

Deploying Harbor:

1. Install the docker environment
curl -o oldboyedu-docker-ce-20_10_17.tar.gz http://192.168.17.253/Kubernetes/day03-/softwares/oldboyedu-docker-ce-20_10_17.tar.gz
tar xf oldboyedu-docker-ce-20_10_17.tar.gz && cd docker-ce-20_10_17 && yum -y localinstall *.rpm
systemctl enable --now docker

2. Install docker-compose
curl -o oldboyedu-docker-compose.tar.gz http://192.168.17.253/Kubernetes/day03-/softwares/oldboyedu-docker-compose.tar.gz
tar xf oldboyedu-docker-compose.tar.gz && cd docker-compose && yum -y localinstall *.rpm

3. Install Harbor
curl -o harbor-offline-installer-v1.10.10.tgz http://192.168.17.253/Kubernetes/day03-/softwares/harbor-offline-installer-v1.10.10.tgz
tar xf harbor-offline-installer-v1.10.10.tgz
cd harbor
vim harbor.yml
    ...
    hostname: 10.0.0.250
    http:
      port: 80
    ...
    # remember to comment out the https section
    ...
    harbor_admin_password: 1
./install.sh

Creating the Harbor registry credentials from the command line (imperative creation):
kubectl create secret docker-registry oldboyedu-harbor --docker-username=jasonyin2020 --docker-password=Oldboyedu@2022 --docker-email=jasonyin@oldboyedu.com --docker-server=10.0.0.250

Meaning of the fields:
--docker-username    the user name.
--docker-password    the password.
--docker-email       the e-mail address.
--docker-server      the private registry address.

Reference example (declarative creation of the Secret, game image case):

[root@k8s151.oldboyedu.com secrets]# cat 02-secrets-harbor-games.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: oldboyedu-games
data:
  nginx.conf: |
    worker_processes 1;
    events {
        worker_connections 1024;
    }
    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;
        server {
            listen 80;
            root /usr/local/nginx/html/bird/;
            server_name game01.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/pinshu/;
            server_name game02.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/tanke/;
            server_name game03.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/chengbao/;
            server_name game04.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/motuo/;
            server_name game05.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/liferestart/;
            server_name game06.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/huangjinkuanggong/;
            server_name game07.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/feijidazhan/;
            server_name game08.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/zhiwudazhanjiangshi/;
            server_name game09.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/xiaobawang/;
            server_name game10.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/pingtai/;
            server_name game11.oldboyedu.com;
        }
    }

---
apiVersion: v1
kind: Pod
metadata:
  name: oldboyedu-game-secret
spec:
  # the Secret used to authenticate when pulling the image
  imagePullSecrets:
  # name of that Secret
  - name: oldboyedu-harbor
  containers:
  - name: game
    image: 10.0.0.250/oldboyedu-games/oldboyedu-games:v0.3
    volumeMounts:
    - name: games
      mountPath: /etc/nginx/nginx.conf
      subPath: nginx.conf
  volumes:
  - name: games
    configMap:
      name: oldboyedu-games
      items:
      - key: nginx.conf
        path: nginx.conf

---
apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyIxMC4wLjAuMjUwIjp7InVzZXJuYW1lIjoiamFzb255aW4yMDIwIiwicGFzc3dvcmQiOiJPbGRib3llZHVAMjAyMiIsImVtYWlsIjoiamFzb255aW5Ab2xkYm95ZWR1LmNvbSIsImF1dGgiOiJhbUZ6YjI1NWFXNHlNREl3T2s5c1pHSnZlV1ZrZFVBeU1ESXkifX19
kind: Secret
metadata:
  name: oldboyedu-harbor
type: kubernetes.io/dockerconfigjson
[root@k8s151.oldboyedu.com secrets]#
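Added example (mine, not from the original notes): the Python below shows what the imperative "kubectl create secret docker-registry ..." command above actually stores in the declarative Secret. The .dockerconfigjson value is just base64 of a JSON document keyed by registry, holding the username and password in clear plus an "auth" field that is base64 of "username:password". build_dockerconfigjson reproduces the page's value byte for byte from the four command-line flags, and decode_dockerconfigjson shows that anyone who can read the Secret (for example with get/list on secrets in that namespace) gets the registry credentials back; that is the reason to scope RBAC on Secrets tightly. PAGE_DOCKERCONFIGJSON is copied from the manifest above; the function names are my own.

```python
import base64
import json

# The .dockerconfigjson value from the oldboyedu-harbor Secret above (page data).
PAGE_DOCKERCONFIGJSON = (
    "eyJhdXRocyI6eyIxMC4wLjAuMjUwIjp7InVzZXJuYW1lIjoiamFzb255aW4yMDIwIiwicGFzc3dvcmQiOiJPbGRi"
    "b3llZHVAMjAyMiIsImVtYWlsIjoiamFzb255aW5Ab2xkYm95ZWR1LmNvbSIsImF1dGgiOiJhbUZ6YjI1NWFXNHlN"
    "REl3T2s5c1pHSnZlV1ZrZFVBeU1ESXkifX19"
)


def build_dockerconfigjson(server, username, password, email):
    """Build the base64 .dockerconfigjson value that 'kubectl create secret
    docker-registry' produces: {"auths": {server: {username, password, email, auth}}}
    serialized without whitespace, where auth = base64("username:password")."""
    auth = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    config = {"auths": {server: {"username": username, "password": password,
                                 "email": email, "auth": auth}}}
    compact = json.dumps(config, separators=(",", ":"))
    return base64.b64encode(compact.encode("utf-8")).decode("ascii")


def decode_dockerconfigjson(value):
    """Reverse of build_dockerconfigjson: {server: {"username": ..., "password": ...}}.
    Falls back to splitting the 'auth' field when username/password are absent, which
    is how a docker config written by 'docker login' looks."""
    config = json.loads(base64.b64decode(value, validate=True))
    creds = {}
    for server, entry in config["auths"].items():
        username, password = entry.get("username"), entry.get("password")
        if username is None and "auth" in entry:
            username, _, password = base64.b64decode(entry["auth"]).decode("utf-8").partition(":")
        creds[server] = {"username": username, "password": password}
    return creds


def secret_manifest(name, dockerconfigjson):
    """Declarative equivalent of the kubectl command: a Secret of type
    kubernetes.io/dockerconfigjson, as a dict ready to be dumped as YAML or JSON."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": dockerconfigjson},
    }


if __name__ == "__main__":
    value = build_dockerconfigjson("10.0.0.250", "jasonyin2020", "Oldboyedu@2022",
                                   "jasonyin@oldboyedu.com")
    print(value == PAGE_DOCKERCONFIGJSON)
    print(decode_dockerconfigjson(PAGE_DOCKERCONFIGJSON))
    print(json.dumps(secret_manifest("oldboyedu-harbor", value), indent=2))
```

The equality check holds because kubectl writes the same compact JSON with the same key order; if a registry Secret was produced by another tool, compare the decoded dicts rather than the base64 strings.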

Mounting a Secret's file contents in practice:

1. Convert the file contents to base64
cat > /student.info <<EOF
{
   "WangJianPing": {
       "name": "王建平",
       "gender": "boy",
       "hobby": ["欧美","日韩","国产"]
   },

   "GaoYunFei": {
       "name": "高云飞",
       "gender": "boy",
       "hobby": ["动漫","刘东"]
   }
}
EOF
cat /student.info | base64

2. Write the encoded content into a Secret of custom (Opaque) type
apiVersion: v1
kind: Secret
metadata:
  name: oldboyedu-linux82-student
type: Opaque
data:
  # Note: the value of a key must be on a single line, otherwise applying the manifest fails!
  student.info: ewogICAiV2FuZ0ppYW5QaW5nIjogewogICAgICAgIm5hbWUiOiAi546L5bu65bmzIiwKICAgICAgICJnZW5kZXIiOiAiYm95IiwKICAgICAgICJob2JieSI6IFsi5qyn576OIiwi5pel6Z+pIiwi5Zu95LqnIl0KICAgfSwKCiAgICJHYW9ZdW5GZWkiOiB7CiAgICAgICAibmFtZSI6ICLpq5jkupHpo54iLAogICAgICAgImdlbmRlciI6ICJib3kiLAogICAgICAgImhvYmJ5IjogWyLliqjmvKsiLCLliJjkuJwiXQogICB9Cn0K

3. Reference example:
[root@k8s151.oldboyedu.com secrets]# cat 03-secrets-subPath.yaml
apiVersion: v1
kind: Pod
metadata:
  name: oldboyedu-game-secret-subpath-002
spec:
  imagePullSecrets:
  - name: oldboyedu-harbor
  containers:
  - name: game
    image: 10.0.0.250/oldboyedu-games/oldboyedu-games:v0.3
    volumeMounts:
    - name: games
      mountPath: /etc/nginx/oldboyedu-linux82-student.json
      # Note: the subPath here must match the "path" under "volumes" exactly;
      # otherwise mountPath ends up as a directory.
      subPath: oldboyedu-student.json
  volumes:
  - name: games
    secret:
      secretName: oldboyedu-linux82-student
      items:
      # the key of the Secret (this line was missing from the listing; the Secret has only this key)
      - key: student.info
        path: oldboyedu-student.json

---
apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyIxMC4wLjAuMjUwIjp7InVzZXJuYW1lIjoiamFzb255aW4yMDIwIiwicGFzc3dvcmQiOiJPbGRib3llZHVAMjAyMiIsImVtYWlsIjoiamFzb255aW5Ab2xkYm95ZWR1LmNvbSIsImF1dGgiOiJhbUZ6YjI1NWFXNHlNREl3T2s5c1pHSnZlV1ZrZFVBeU1ESXkifX19
kind: Secret
metadata:
  name: oldboyedu-harbor
type: kubernetes.io/dockerconfigjson

---
apiVersion: v1
kind: Secret
metadata:
  name: oldboyedu-linux82-student
type: Opaque
data:
  # Note: the value of a key must be on a single line, otherwise applying the manifest fails!
  student.info: ewogICAiV2FuZ0ppYW5QaW5nIjogewogICAgICAgIm5hbWUiOiAi546L5bu65bmzIiwKICAgICAgICJnZW5kZXIiOiAiYm95IiwKICAgICAgICJob2JieSI6IFsi5qyn576OIiwi5pel6Z+pIiwi5Zu95LqnIl0KICAgfSwKCiAgICJHYW9ZdW5GZWkiOiB7CiAgICAgICAibmFtZSI6ICLpq5jkupHpo54iLAogICAgICAgImdlbmRlciI6ICJib3kiLAogICAgICAgImhvYmJ5IjogWyLliqjmvKsiLCLliJjkuJwiXQogICB9Cn0K
[root@k8s151.oldboyedu.com secrets]#
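Added example (mine, not from the original notes) covering the mount semantics described for the nginx.conf ConfigMap in 02-cm-games.yaml and for the Secret in 03-secrets-subPath.yaml above: a small Python model of how a ConfigMap or Secret volume lands in the container filesystem. It shows the three cases the notes call out, namely a directory mount hiding the image's existing files, a subPath mount replacing one file and leaving its siblings alone, and a subPath that does not match any "path" in items, where the kubelet creates an empty directory at mountPath. The image files are constructed sample data, and project_volume is my own function, not a Kubernetes API.

```python
def project_volume(image_files, data, mount_path, items=None, sub_path=None):
    """Model a ConfigMap/Secret volume mount.

    image_files: {absolute path: content} already present in the container image.
    data:        the object's decoded data map {key: content}.
    items:       optional [{"key": ..., "path": ...}]; without it every key is projected.
    sub_path:    optional single file inside the volume to mount on its own.
    Returns (files, notes): the resulting {path: content} map (None marks an empty
    directory) and human-readable notes about what the mount did.
    """
    # 1. Build the volume content: file name inside the volume -> content.
    if items is None:
        volume = dict(data)
    else:
        volume = {}
        for item in items:
            if item["key"] not in data:
                # a referenced key that the object lacks makes the Pod fail to start
                raise KeyError(f"items references unknown key {item['key']!r}")
            volume[item["path"]] = data[item["key"]]

    files = dict(image_files)
    notes = []
    mount_path = "/" + mount_path.strip("/")

    # 2a. Whole volume on a directory: everything the image had under that directory
    #     is hidden for the lifetime of the Pod.
    if sub_path is None:
        hidden = [p for p in files if p == mount_path or p.startswith(mount_path + "/")]
        for p in hidden:
            del files[p]
        if hidden:
            notes.append(f"{len(hidden)} existing file(s) under {mount_path} are hidden by the mount")
        for name, content in volume.items():
            files[f"{mount_path}/{name}"] = content
        return files, notes

    # 2b. subPath that does not exist in the volume: kubelet creates an empty directory
    #     at mountPath instead of a file (the case the notes warn about).
    if sub_path not in volume:
        files.pop(mount_path, None)
        files[mount_path + "/"] = None
        notes.append(f"subPath {sub_path!r} not in volume; {mount_path} becomes an empty directory")
        return files, notes

    # 2c. Single file from the volume mounted at mount_path; siblings are untouched.
    files[mount_path] = volume[sub_path]
    return files, notes


# Constructed sample image content: what /etc/nginx holds before any mount.
IMAGE_FILES = {"/etc/nginx/nginx.conf": "default nginx.conf", "/etc/nginx/mime.types": "types ..."}
NGINX_ITEMS = [{"key": "nginx.conf", "path": "nginx.conf"}]


if __name__ == "__main__":
    cm = {"nginx.conf": "worker_processes 1;"}
    print(project_volume(IMAGE_FILES, cm, "/etc/nginx/nginx.conf", NGINX_ITEMS, sub_path="nginx.conf"))
    print(project_volume(IMAGE_FILES, cm, "/etc/nginx", NGINX_ITEMS))
```

One further property of subPath mounts, not shown in the model: a file mounted with subPath is not updated when the ConfigMap or Secret changes, whereas a directory mount is refreshed by the kubelet.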

Exec probe case (the container command used, followed by the Pod's events):

    command:
    - "/bin/bash"
    - "-c"
    - "touch /tmp/oldboyedu-linux82-health && sleep 5 && rm -f /tmp/oldboyedu-linux82-health && sleep 300"

Events:
  Type     Reason     Age              From                           Message
  ----     ------     ----             ----                           -------
  Normal   Scheduled  18s              default-scheduler              Successfully assigned default/oldboyedu-linux82-livenessprobe-005 to k8s152.oldboyedu.com
  Normal   Pulled     17s              kubelet, k8s152.oldboyedu.com  Container image "k8s151.oldboyedu.com:5000/oldboyedu-web/nginx:1.20.1" already present on machine
  Normal   Created    17s              kubelet, k8s152.oldboyedu.com  Created container linux82-web
  Normal   Started    17s              kubelet, k8s152.oldboyedu.com  Started container linux82-web
  Warning  Unhealthy  0s (x3 over 2s)  kubelet, k8s152.oldboyedu.com  Liveness probe failed: cat: /tmp/oldboyedu-linux82-health: No such file or directory
  Normal   Killing    0s               kubelet, k8s152.oldboyedu.com  Container linux82-web failed liveness probe, will be restarted

Total time since the Pod was started: 18s.
(x3 over 2s): the check failed 3 times; the first failure was 2 seconds before the last one ---> 18 - 2 ---> 16 ---> the first failed check happened at 16s!

httpGet case:

[root@k8s151.oldboyedu.com po]# cat 17-pods-livenessProbe-httpGet.yaml
apiVersion: v1
kind: Pod
metadata:
  name: oldboyedu-linux82-livenessprobe-httpget-002
spec:
  containers:
  # The command from the exec case is kept here commented out: it would replace the
  # nginx entrypoint, and the httpGet probe needs nginx to be listening.
  # - command:
  #   - "/bin/bash"
  #   - "-c"
  #   - "touch /tmp/oldboyedu-linux82-health && sleep 5 && rm -f /tmp/oldboyedu-linux82-health && sleep 300"
  - name: linux82-web
    image: k8s151.oldboyedu.com:5000/oldboyedu-web/nginx:1.20.1
    # Health check: on success nothing happens; on failure the container is restarted
    # (re-created) and the restart count goes up by 1.
    livenessProbe:
      # A probe has exactly one handler. The exec handler from the previous case is
      # kept commented out: it runs a command and judges success by its exit status,
      # like "echo $?" in the shell.
      # exec:
      #   # the command to run
      #   command:
      #   - cat
      #   - /tmp/oldboyedu-linux82-health
      # Send an HTTP request and judge health by the response status code.
      httpGet:
        # the service port
        port: 80
        # the request path, e.g. https://10.0.0.101:80/oldboyedu/2022/09/08/index.html
        path: /
      # Number of consecutive failures before the probe counts as failed; default 3, minimum 1.
      # The counter is reset as soon as a check succeeds!
      failureThreshold: 3
      # Delay before the first health check; during this period no failure is counted
      # against failureThreshold.
      initialDelaySeconds: 15
      # Probe frequency; default 10s, minimum 1.
      periodSeconds: 1
      # Number of consecutive successes needed to count as successful; default 1, minimum 1.
      successThreshold: 1
      # Timeout of a single check in seconds; default 1, minimum 1.
      timeoutSeconds: 1
[root@k8s151.oldboyedu.com po]#

tcpSocket case:

[root@k8s151.oldboyedu.com po]# cat 18-pods-livenessProbe-tcpSocket.yaml
apiVersion: v1
kind: Pod
metadata:
  name: oldboyedu-linux82-livenessprobe-tcpsocket-001
spec:
  containers:
  - name: linux82-web
    image: k8s151.oldboyedu.com:5000/oldboyedu-web/nginx:1.20.1
    # Health check: on success nothing happens; on failure the container is restarted
    # (re-created) and the restart count goes up by 1.
    livenessProbe:
      # A probe has exactly one handler; the exec and httpGet handlers from the
      # previous cases are kept here commented out for comparison.
      # exec:
      #   # the command to run; success is judged by its exit status, like "echo $?"
      #   command:
      #   - cat
      #   - /tmp/oldboyedu-linux82-health
      # httpGet:
      #   # the service port
      #   port: 80
      #   # the request path, e.g. https://10.0.0.101:80/oldboyedu/2022/09/08/index.html
      #   path: /
      # Check that a TCP port accepts connections, like the telnet command.
      tcpSocket:
        # the port to check (the notes use 88 here, while the httpGet case probes 80)
        port: 88
      # Number of consecutive failures before the probe counts as failed; default 3, minimum 1.
      # The counter is reset as soon as a check succeeds!
      failureThreshold: 3
      # Delay before the first health check; during this period no failure is counted
      # against failureThreshold.
      initialDelaySeconds: 15
      # Probe frequency; default 10s, minimum 1.
      periodSeconds: 1
      # Number of consecutive successes needed to count as successful; default 1, minimum 1.
      successThreshold: 1
      # Timeout of a single check in seconds; default 1, minimum 1.
      timeoutSeconds: 1
[root@k8s151.oldboyedu.com po]#
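Added example (mine, not from the original notes): a Python simulation of the liveness probe schedule built from the fields explained above (initialDelaySeconds, periodSeconds, failureThreshold) and the exec case's command, whose health file exists only for the first 5 seconds of the container's life. It assumes the exec Pod used the same probe parameters as the httpGet and tcpSocket manifests (15, 1 and 3) and that the container started 1 second after scheduling, which is what the events show (Scheduled 18s, Started 17s). Under those assumptions it reproduces the analysis of the events exactly: failures at 16, 17 and 18 seconds, i.e. "x3 over 2s", and a restart on the third failure. The second health function shows the reset rule, a service that fails only now and then never reaches the threshold. The function names are my own.

```python
def probe_timeline(container_start, initial_delay, period, failure_threshold, healthy_at, horizon):
    """Simulate a kubelet liveness probe on a one-second grid.

    container_start:   second (since scheduling) at which the container started.
    initial_delay:     initialDelaySeconds; period: periodSeconds;
    failure_threshold: failureThreshold (consecutive failures that trigger a restart).
    healthy_at(t):     returns True when the check would pass at second t.
    horizon:           last second to simulate.
    Returns (results, restart_at): results is a list of (t, ok) for every probe run,
    restart_at is the second the threshold was reached, or None if it never was.
    """
    consecutive_failures = 0
    results = []
    t = container_start + initial_delay      # nothing is probed before the delay
    while t <= horizon:
        ok = healthy_at(t)
        results.append((t, ok))
        if ok:
            consecutive_failures = 0          # a single success resets the counter
        else:
            consecutive_failures += 1
            if consecutive_failures >= failure_threshold:
                return results, t             # kubelet kills and restarts the container
        t += period
    return results, None


def file_exists_for(seconds, container_start):
    """Health function for the page's command: the file is touched at container start
    and removed after 'sleep 5', so 'cat' succeeds only inside that window."""
    return lambda t: container_start <= t < container_start + seconds


def summarize(results, restart_at):
    """Condense a timeline into the numbers kubectl's events report."""
    failed = [t for t, ok in results if not ok]
    return {
        "first_failure": failed[0] if failed else None,
        "failures": len(failed),
        "failure_window": (failed[-1] - failed[0]) if failed else None,
        "restart_at": restart_at,
    }


if __name__ == "__main__":
    health = file_exists_for(5, container_start=1)
    results, restart_at = probe_timeline(1, 15, 1, 3, health, horizon=30)
    print(summarize(results, restart_at))
    # a flaky service that fails every third second never hits failureThreshold=3
    results, restart_at = probe_timeline(1, 15, 1, 3, lambda t: t % 3 != 0, horizon=30)
    print(summarize(results, restart_at))
```

Lengthening initialDelaySeconds only postpones the first probe; it does not make the file survive, so the restart still follows three probes after the delay ends.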

Recap of today:

  • ConfigMap ---> cm
    Use case: application configuration files.
    Storage: the etcd database.

  • Secrets
    Use case: sensitive data, e.g. docker registry credentials, custom user names, passwords, ...
    Secret data is not encrypted; it is only base64-encoded, and a Pod that references it gets the decoded value automatically.

  • Probes:
    • livenessProbe
      Use case: check whether the service is up; if the check fails, the container is restarted.
    • readinessProbe
      Use case: check whether the service is usable; if the check fails, the Pod is marked not ready and is not discovered in the Service's Endpoints (ep) resource.

  • Referencing Secrets and ConfigMaps with env.

Preview of tomorrow:

  • Static Pods, Pod status, ...
  • RC, RS, DEPLOYMENT, SERVICE, ENDPOINTS, ...
