k8s day03

昨日内容回顾:

• 资源限制

• 名称空间

• 存储卷

• POD重启策略

• 容器镜像拉取策略

• 环境变量

资源清单:

kind: Pod

apiVersion: v1

metadata:

name:

labels:

namespace:

spec:

nodeName:

hostNetwork:

restartPolicy:

volume:

• name: data01

emptyDir: {}

• name: data02

hostPath:

path:

• name: data03

nfs:

server:

path:

containers:

• name:

image:

env:

• name:

value:

• name:

valueFrom:

imagePullPolicy:

stdin:

command:

args:

resources:

limit:

request:

volumeMounts:

• name: data01

mountPath:

• name: data02

mountPath:

configMap资源简介:

configmap数据会存储在etcd数据库，其应用场景主要在于应用程序配置。

configMap支持的数据类型:

(1)键值对;

(2)多行数据;

Pod使用configmap资源有两种常见的方式:

(1)变量注入;

(2)数据卷挂载

推荐阅读:

https://kubernetes.io/docs/concepts/storage/volumes/#configmap

https://kubernetes.io/docs/concepts/configuration/configmap/

参考案例:

root@k8s151.oldboyedu.com cm\]# cat 01-cm-demo.yaml apiVersion: v1 kind: ConfigMap metadata: name: game-demo data: # 键值对，单行数据 player_initial_lives: "3" ui_properties_file_name: "user-interface.properties" # 键值对，多行数据 game.properties: \| enemy.types=aliens,monsters player.maximum-lives=5 user-interface.properties: \| color.good=purple color.bad=yellow allow.textmode=true --- apiVersion: v1 kind: Pod metadata: name: configmap-pod-001 spec: containers: - name: demo01 image: k8s151.oldboyedu.com:5000/oldboyedu-linux/stress:v0.1 stdin: true volumeMounts: - name: config-vol mountPath: /oldboyedu/linux82 volumes: - name: config-vol # 指定存储卷的类型为cm资源 configMap: # 指定cm的名称 name: game-demo # 若不指定items，则引用cm的所有KEY哟 # 如果不需要使用全部的key，而需要单独使用某个KEY， items: # 指的是cm中的KEY - key: game.properties # 我们将key映射到容器的文件路径 path: oldboyedu-linux82-game.properties --- apiVersion: v1 kind: Pod metadata: name: configmap-pod-002 spec: containers: - name: demo01 image: k8s151.oldboyedu.com:5000/oldboyedu-linux/stress:v0.1 stdin: true env: - name: OLDBOYEDU-LINUX82 value: test001 - name: OLDBOYEDU-LINUX82-GAME valueFrom: # 引用一个cm资源 configMapKeyRef: # 指定引用cm的名称 name: game-demo # 指定引用cm的某个KEY值 key: game.properties - name: OLDBOYEDU-LINUX82-PLAYER_INITIAL_LIVES valueFrom: configMapKeyRef: name: game-demo key: player_initial_lives \[root@k8s151.oldboyedu.com cm\]# 将游戏镜像的配置文件使用cm资源存储: \[root@k8s151.oldboyedu.com cm\]# cat 02-cm-games.yaml apiVersion: v1 kind: ConfigMap metadata: name: oldboyedu-games data: nginx.conf: \| worker_processes 1; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65; server { listen 80; root /usr/local/nginx/html/bird/; server_name game01.oldboyedu.com; } server { listen 80; root /usr/local/nginx/html/pinshu/; server_name game02.oldboyedu.com; } server { listen 80; root /usr/local/nginx/html/tanke/; server_name game03.oldboyedu.com; } server { listen 80; root /usr/local/nginx/html/chengbao/; server_name game04.oldboyedu.com; } server { listen 80; root /usr/local/nginx/html/motuo/; server_name game05.oldboyedu.com; } server { listen 80; root /usr/local/nginx/html/liferestart/; server_name game06.oldboyedu.com; } server { listen 80; root /usr/local/nginx/html/huangjinkuanggong/; server_name game07.oldboyedu.com; } server { listen 80; root /usr/local/nginx/html/feijidazhan/; server_name game08.oldboyedu.com; } server { listen 80; root /usr/local/nginx/html/zhiwudazhanjiangshi/; server_name game09.oldboyedu.com; } server { listen 80; root /usr/local/nginx/html/xiaobawang/; server_name game10.oldboyedu.com; } server { listen 80; root /usr/local/nginx/html/pingtai/; server_name game11.oldboyedu.com; } } --- apiVersion: v1 kind: Pod metadata: name: oldboyedu-game-005 spec: containers: - name: game image: k8s151.oldboyedu.com:5000/oldboyedu-games/oldboyedu-games:v0.3 volumeMounts: - name: games # 载CM资源时，挂载点建议写绝对路径，若直接写目录，可能该目录下的所有资源都会被覆盖. mountPath: /etc/nginx/nginx.conf # 若mountPath写的是绝对路径，我们只需要将文件名的作为subPath的值，表示其会以一个文件的方式进行挂载而不会覆盖原有的数据。 # 值得注意的是，若不写subPath，则mountPath表示一个挂载点，对应的是一个目录 subPath: nginx.conf volumes: - name: games configMap: name: oldboyedu-games items: - key: nginx.conf path: nginx.conf \[root@k8s151.oldboyedu.com cm\]# Q1:为什么要用cm资源持久化配置文件？ 1.复用配置文件，可以启动多个nginx的Pod，共同同一个cm资源; 2.便于修改，维护方便，若放在容器中，每次修改配置文件都需要重新编译镜像; secret简介: 与ConfigMap类似，区别在于secret存储敏感数据，所有的数据都需要经过base64进行编码。 使用secret主要存储的是凭据信息。 参考链接: https://kubernetes.io/zh/docs/concepts/configuration/secret/#secret-types 参考案例: \[root@k8s151.oldboyedu.com secrets\]# cat 01-secrets-demo.yaml apiVersion: v1 kind: Secret metadata: name: oldboyedu-linux82 type: Opaque data: school: b2xkYm95ZWR1Cg== USER_NAME: YWRtaW4= PASSWORD: MWYyZDFlMmU2N2Rm --- apiVersion: v1 kind: Pod metadata: name: secrets-pod-001 spec: containers: - name: demo01 image: k8s151.oldboyedu.com:5000/oldboyedu-linux/stress:v0.1 stdin: true volumeMounts: - name: config-vol mountPath: /oldboyedu/linux82 volumes: - name: config-vol # 指定存储卷的类型为secret资源 secret: # 指定secret的名称 secretName: oldboyedu-linux82 # 若不指定items，则引用cm的所有KEY哟 # 如果不需要使用全部的key，而需要单独使用某个KEY， items: # 指的是secret中的KEY - key: school # 我们将key映射到容器的文件路径 path: oldboyedu-linux82-school - key: USER_NAME path: oldboyedu-linux82-username - key: PASSWORD path: oldboyedu-linux82-password --- apiVersion: v1 kind: Pod metadata: name: secret-pod-002 spec: containers: - name: demo01 image: k8s151.oldboyedu.com:5000/oldboyedu-linux/stress:v0.1 stdin: true env: - name: OLDBOYEDU-LINUX82-SCHOOL valueFrom: # 引用一个secret资源 secretKeyRef: # 指定引用secret的名称 name: oldboyedu-linux82 # 指定引用cm的某个KEY值 key: school - name: OLDBOYEDU-LINUX82-username valueFrom: secretKeyRef: name: oldboyedu-linux82 key: USER_NAME \[root@k8s151.oldboyedu.com secrets\]# 扩展: echo b2xkYm95ZWR1Cg== \| base64 -d 解码。 echo oldboyedu \| base64 编码。 SHOW DATABASES; 查看数据库. SHOW TABLES FROM wrodpress; 查看wordpress数据库下的表。 删除secret： kubectl delete secrets oldboyedu-linux82 kubectl delete -f 01-secrets-demo.yaml 部署harbor: 1.安装docker环境 curl -o oldboyedu-docker-ce-20_10_17.tar.gz http://192.168.17.253/Kubernetes/day03-/softwares/oldboyedu-docker-ce-20_10_17.tar.gz tar xf oldboyedu-docker-ce-20_10_17.tar.gz \&\& cd docker-ce-20_10_17 \&\& yum -y localinstall \*.rpm systemctl enable --now docker 2.安装docker-compose curl -o oldboyedu-docker-compose.tar.gz http://192.168.17.253/Kubernetes/day03-/softwares/oldboyedu-docker-compose.tar.gz tar xf oldboyedu-docker-compose.tar.gz \&\& cd docker-compose \&\& yum -y localinstall \*.rpm 3.安装harbor curl -o harbor-offline-installer-v1.10.10.tgz http://192.168.17.253/Kubernetes/day03-/softwares/harbor-offline-installer-v1.10.10.tgz tar xf harbor-offline-installer-v1.10.10.tgz cd harbor vim harbor.yml ... hostname: 10.0.0.250 http: port: 80 ... # 记得注释https ... harbor_admin_password: 1 ./install.sh 基于命令行的方式创建harbor认证信息: --\> 响应式方式创建。 kubectl create secret docker-registry oldboyedu-harbor --docker-username=jasonyin2020 --docker-password=Oldboyedu@2022 --docker-email=jasonyin@oldboyedu.com --docker-server=10.0.0.250 各字段含义说明: --docker-username 指定用户名称。 --docker-password 指定密码。 --docker-email 指定邮箱地址。 --docker-server 私有仓库地址。 参考案例: ----\> 声明式方式创建secret，游戏镜像案例。 \[root@k8s151.oldboyedu.com secrets\]# cat 02-secrets-harbor-games.yaml apiVersion: v1 kind: ConfigMap metadata: name: oldboyedu-games data: nginx.conf: \| worker_processes 1; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65; server { listen 80; root /usr/local/nginx/html/bird/; server_name game01.oldboyedu.com; } server { listen 80; root /usr/local/nginx/html/pinshu/; server_name game02.oldboyedu.com; } server { listen 80; root /usr/local/nginx/html/tanke/; server_name game03.oldboyedu.com; } server { listen 80; root /usr/local/nginx/html/chengbao/; server_name game04.oldboyedu.com; } server { listen 80; root /usr/local/nginx/html/motuo/; server_name game05.oldboyedu.com; } server { listen 80; root /usr/local/nginx/html/liferestart/; server_name game06.oldboyedu.com; } server { listen 80; root /usr/local/nginx/html/huangjinkuanggong/; server_name game07.oldboyedu.com; } server { listen 80; root /usr/local/nginx/html/feijidazhan/; server_name game08.oldboyedu.com; } server { listen 80; root /usr/local/nginx/html/zhiwudazhanjiangshi/; server_name game09.oldboyedu.com; } server { listen 80; root /usr/local/nginx/html/xiaobawang/; server_name game10.oldboyedu.com; } server { listen 80; root /usr/local/nginx/html/pingtai/; server_name game11.oldboyedu.com; } } --- apiVersion: v1 kind: Pod metadata: name: oldboyedu-game-secret spec: # 指定拉取镜像的secrets秘钥 imagePullSecrets: # 指定secret秘钥的名称 - name: oldboyedu-harbor containers: - name: game image: 10.0.0.250/oldboyedu-games/oldboyedu-games:v0.3 volumeMounts: - name: games mountPath: /etc/nginx/nginx.conf subPath: nginx.conf volumes: - name: games configMap: name: oldboyedu-games items: - key: nginx.conf path: nginx.conf --- apiVersion: v1 data: .dockerconfigjson: eyJhdXRocyI6eyIxMC4wLjAuMjUwIjp7InVzZXJuYW1lIjoiamFzb255aW4yMDIwIiwicGFzc3dvcmQiOiJPbGRib3llZHVAMjAyMiIsImVtYWlsIjoiamFzb255aW5Ab2xkYm95ZWR1LmNvbSIsImF1dGgiOiJhbUZ6YjI1NWFXNHlNREl3T2s5c1pHSnZlV1ZrZFVBeU1ESXkifX19 kind: Secret metadata: name: oldboyedu-harbor type: kubernetes.io/dockerconfigjson \[root@k8s151.oldboyedu.com secrets\]# 挂载secret文件内容实战: 1.将文件内容转换为base64编码 cat \> /student.info \<\

},

"GaoYunFei": {

"name": "高云飞",

"gender": "boy",

"hobby": ["动漫","刘东"]

}

}

EOF

cat /student.info | base64

2.将编码后的内容写入到secret自定义类型中

apiVersion: v1

kind: Secret

metadata:

name: oldboyedu-linux82-student

type: Opaque

data:

注意，KEY对应的值不能换行哟，否则会报错!!!

student.info: ewogICAiV2FuZ0ppYW5QaW5nIjogewogICAgICAgIm5hbWUiOiAi546L5bu65bmzIiwKICAgICAgICJnZW5kZXIiOiAiYm95IiwKICAgICAgICJob2JieSI6IFsi5qyn576OIiwi5pel6Z+pIiwi5Zu95LqnIl0KICAgfSwKCiAgICJHYW9ZdW5GZWkiOiB7CiAgICAgICAibmFtZSI6ICLpq5jkupHpo54iLAogICAgICAgImdlbmRlciI6ICJib3kiLAogICAgICAgImhvYmJ5IjogWyLliqjmvKsiLCLliJjkuJwiXQogICB9Cn0K

3.参考案例:

root@k8s151.oldboyedu.com secrets\]# cat 03-secrets-subPath.yaml apiVersion: v1 kind: Pod metadata: name: oldboyedu-game-secret-subpath-002 spec: imagePullSecrets: - name: oldboyedu-harbor containers: - name: game image: 10.0.0.250/oldboyedu-games/oldboyedu-games:v0.3 volumeMounts: - name: games mountPath: /etc/nginx/oldboyedu-linux82-student.json # 特别注意，此处的subPath名称需要和"volues"的"path"值保持一致。否则mountPath表示的是一个目录. subPath: oldboyedu-student.json volumes: - name: games secret: secretName: oldboyedu-linux82-student items: - key: student.info path: oldboyedu-student.json --- apiVersion: v1 data: .dockerconfigjson: eyJhdXRocyI6eyIxMC4wLjAuMjUwIjp7InVzZXJuYW1lIjoiamFzb255aW4yMDIwIiwicGFzc3dvcmQiOiJPbGRib3llZHVAMjAyMiIsImVtYWlsIjoiamFzb255aW5Ab2xkYm95ZWR1LmNvbSIsImF1dGgiOiJhbUZ6YjI1NWFXNHlNREl3T2s5c1pHSnZlV1ZrZFVBeU1ESXkifX19 kind: Secret metadata: name: oldboyedu-harbor type: kubernetes.io/dockerconfigjson --- apiVersion: v1 kind: Secret metadata: name: oldboyedu-linux82-student type: Opaque data: # 注意，KEY对应的值不能换行哟，否则会报错!!! student.info: ewogICAiV2FuZ0ppYW5QaW5nIjogewogICAgICAgIm5hbWUiOiAi546L5bu65bmzIiwKICAgICAgICJnZW5kZXIiOiAiYm95IiwKICAgICAgICJob2JieSI6IFsi5qyn576OIiwi5pel6Z+pIiwi5Zu95LqnIl0KICAgfSwKCiAgICJHYW9ZdW5GZWkiOiB7CiAgICAgICAibmFtZSI6ICLpq5jkupHpo54iLAogICAgICAgImdlbmRlciI6ICJib3kiLAogICAgICAgImhvYmJ5IjogWyLliqjmvKsiLCLliJjkuJwiXQogICB9Cn0K \[root@k8s151.oldboyedu.com secrets\]# comannd: ---\> - command: - "/bin/bash" - "-c" - "touch /tmp/oldboyedu-linux82-health \&\& sleep 5 \&\& rm -f /tmp/oldboyedu-linux82-health \&\& sleep 300" Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal Scheduled 18s default-scheduler Successfully assigned default/oldboyedu-linux82-livenessprobe-005 to k8s152.oldboyedu.com Normal Pulled 17s kubelet, k8s152.oldboyedu.com Container image "k8s151.oldboyedu.com:5000/oldboyedu-web/nginx:1.20.1" already present on machine Normal Created 17s kubelet, k8s152.oldboyedu.com Created container linux82-web Normal Started 17s kubelet, k8s152.oldboyedu.com Started container linux82-web Warning Unhealthy 0s (x3 over 2s) kubelet, k8s152.oldboyedu.com Liveness probe failed: cat: /tmp/oldboyedu-linux82-health: No such file or directory Normal Killing 0s kubelet, k8s152.oldboyedu.com Container linux82-web failed liveness probe, will be restarted Pod总启动时间是: 18S (x3 over 2s) : 检测了3次失败，举例第一次超时时间是2秒 ---\> 18 - 2 ---\> 16 ---\> 第一次检测失败！ httpGet实战案例: \[root@k8s151.oldboyedu.com po\]# cat 17-pods-livenessProbe-httpGet.yaml apiVersion: v1 kind: Pod metadata: name: oldboyedu-linux82-livenessprobe-httpget-002 spec: containers: # - command: # - "/bin/bash" # - "-c" # - "touch /tmp/oldboyedu-linux82-health \&\& sleep 5 \&\& rm -f /tmp/oldboyedu-linux82-health \&\& sleep 300" - name: linux82-web image: k8s151.oldboyedu.com:5000/oldboyedu-web/nginx:1.20.1 # 配置健康检查，若检查成功则不做任何处理，若检查失败，则重启容器(重新创建容器)，重启次数加1. livenessProbe: # 执行命令，根据命令的执行结果判断是否支持成功，类似于shell中的"echo $?" # exec: # # 定义具体的命令 # command: # - cat # - /tmp/oldboyedu-linux82-health # # 发送http请求，根据请求的状态码，判断服务是否健康 httpGet: # 指定服务的端口 port: 80 # 指定访问http的path路径。https://10.0.0.101:80/oldboyedu/2022/09/08/index.html path: / # 检测服务失败次数的累加值，默认值是3次，最小值是1。当检测服务成功后，该值会被重置! failureThreshold: 3 # 指定多久之后进行健康状态检查，即此时间段内检测服务失败并不会对failureThreshold进行计数。 initialDelaySeconds: 15 # 指定探针检测的频率，默认是10s，最小值为1. periodSeconds: 1 # 检测服务成功次数的累加值，默认值为1次，最小值1. successThreshold: 1 # 一次检测周期超时的秒数，默认值是1秒，最小值为1. timeoutSeconds: 1 \[root@k8s151.oldboyedu.com po\]# tcpSocket案例： \[root@k8s151.oldboyedu.com po\]# cat 18-pods-livenessProbe-tcpSocket.yaml apiVersion: v1 kind: Pod metadata: name: oldboyedu-linux82-livenessprobe-tcpsocket-001 spec: containers: - name: linux82-web image: k8s151.oldboyedu.com:5000/oldboyedu-web/nginx:1.20.1 # 配置健康检查，若检查成功则不做任何处理，若检查失败，则重启容器(重新创建容器)，重启次数加1. livenessProbe: # 执行命令，根据命令的执行结果判断是否支持成功，类似于shell中的"echo $?" # exec: # # 定义具体的命令 # command: # - cat # - /tmp/oldboyedu-linux82-health # # 发送http请求，根据请求的状态码，判断服务是否健康 # httpGet: # # 指定服务的端口 # port: 80 # # 指定访问http的path路径。https://10.0.0.101:80/oldboyedu/2022/09/08/index.html # path: / # # 检测端口号，相当于telnet命令。 tcpSocket: port: 88 # 检测服务失败次数的累加值，默认值是3次，最小值是1。当检测服务成功后，该值会被重置! failureThreshold: 3 # 指定多久之后进行健康状态检查，即此时间段内检测服务失败并不会对failureThreshold进行计数。 initialDelaySeconds: 15 # 指定探针检测的频率，默认是10s，最小值为1. periodSeconds: 1 # 检测服务成功次数的累加值，默认值为1次，最小值1. successThreshold: 1 # 一次检测周期超时的秒数，默认值是1秒，最小值为1. timeoutSeconds: 1 \[root@k8s151.oldboyedu.com po\]# 今日内容回顾: - ConfigMap ---\> cm 应用场景： 程序配置文件。 数据存储: etcd数据库。 - secrets 应用场景： 敏感数据存储，例如: docker仓库的认证信息，自定义的用户名，密码，.... secret的数据并不是加密处理的，而是基于base64编码格式进行编码，Pod引用时会自动解码。 - 探针: - livenessProbe 应用场景： 检查服务是否启动，若检查失败，则重启容器。 - readinessProbe 应用场景: 检查服务是否可用，若检查失败，则标记为未就绪状态，并在svc的ep资源中无法自动发现。 - 使用env引用secret和cm资源。 明日内容预告: - 静态Pod，Pod状态，... - RC,RS,DEPLOYMENT,SERVICE,ENDPOINTS,...