Requirements
Have a Docker environment ready, preferably a fairly recent version. My Docker environment is as follows:
Docker environment: Docker version 20.10.21, build 20.10.21-0ubuntu1~18.04.3
Installing kind
kind is just a single binary: download the matching version and make it executable:
```bash
curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.11.1/kind-linux-amd64
chmod +x ./kind
mv ./kind /usr/bin/kind
kind version
```
How do you create a k8s cluster with kind?
kubectl is the client command-line tool for interacting with k8s, so install it first.
```bash
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
kubectl version --client
```
Creating the k8s cluster from a config file
extraPortMappings: exposes ports of the k8s node container (which plays the role of the server k8s runs on). Ports 30000-30005 are exposed here; think of it as Docker publishing the ports of services running inside the Docker-hosted k8s cluster so that the host machine can reach them.
kind-config.yaml
```yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  extraPortMappings:
  - containerPort: 30000
    hostPort: 30000
    protocol: TCP
  - containerPort: 30001
    hostPort: 30001
    protocol: TCP
  - containerPort: 30002
    hostPort: 30002
    protocol: TCP
  - containerPort: 30003
    hostPort: 30003
    protocol: TCP
  - containerPort: 30004
    hostPort: 30004
    protocol: TCP
  - containerPort: 30005
    hostPort: 30005
    protocol: TCP
```
Create the cluster with the following command:
```bash
kind create cluster --name myk8s-01 --config kind-config.yaml
```
```text
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Alternatively, if you are the root user, you can run:
export KUBECONFIG=/etc/kubernetes/admin.conf
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
You can now join any number of control-plane nodes by copying certificate authorities
and service account keys on each node and then running the following as root:
kubeadm join myk8s-01-control-plane:6443 --token <value withheld> \
--discovery-token-ca-cert-hash sha256:fc1aad44ac2b0d95ce17a0ed081a336768da10492f8091aeaf6ebfa060a55cf0 \
--control-plane
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join myk8s-01-control-plane:6443 --token <value withheld> \
--discovery-token-ca-cert-hash sha256:fc1aad44ac2b0d95ce17a0ed081a336768da10492f8091aeaf6ebfa060a55cf0
✓ Starting control-plane 🕹️
✓ Installing CNI 🔌
✓ Installing StorageClass 💾
Set kubectl context to "kind-myk8s-01"
You can now use your cluster with:
kubectl cluster-info --context kind-myk8s-01
Thanks for using kind! 😊
```
```text
root@raypick:/home/raypick/k8s_resource/helen# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6b1f30ea4d28 kindest/node:v1.21.1 "/usr/local/bin/entr..." 25 minutes ago Up 25 minutes 0.0.0.0:30000-30005->30000-30005/tcp, 127.0.0.1:41957->6443/tcp myk8s-01-control-plane
root@raypick:/home/raypick/k8s_resource/helen#
```
After creation completes, the file /etc/kubernetes/admin.conf should normally appear on the host. If it does not, use docker cp to copy /etc/kubernetes/admin.conf out of the cluster container into the host's /etc/kubernetes directory. Remember that if you copy it this way you must change the server entry in it to 127.0.0.1, because by default it holds an IP address on the Docker network; the docker ps output above shows which host port Docker mapped to the API server's port 6443 (127.0.0.1:41957 in this run).

Run the following command to load the k8s cluster configuration into the environment; after that the remaining steps can begin:
```bash
export KUBECONFIG=/etc/kubernetes/admin.conf
```
Creating resources for testing
namespace.yaml
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: helen
```
serviceaccount.yaml
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa-helen
  namespace: helen
```
role.yaml
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-helen
  namespace: helen
rules:
- apiGroups: [""]
  resources:
  - pods
  - pods/exec
  - pods/log
  - services
  - endpoints
  - configmaps
  - secrets
  - persistentvolumeclaims
  - serviceaccounts
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["apps"]
  resources:
  - deployments
  - replicasets
  - statefulsets
  - daemonsets
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```
rolebinding.yaml
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: helen-sa-role-binding
  namespace: helen
subjects:
- kind: ServiceAccount
  name: sa-helen
  namespace: helen
roleRef:
  kind: Role
  name: role-helen
  apiGroup: rbac.authorization.k8s.io
```
secret-helen.yaml
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: helen-secret
  namespace: helen
type: Opaque
stringData:
  MYSQL_PASSWORD: mysql_pass
  SFTP_PASSWORD: sftp_pass
```
nginx.yaml
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: helen
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      serviceAccountName: sa-helen
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
        env:
        - name: MYSQL_PASSWORD
          valueFrom:
            secretKeyRef:
              name: helen-secret
              key: MYSQL_PASSWORD
        - name: SFTP_PASSWORD
          valueFrom:
            secretKeyRef:
              name: helen-secret
              key: SFTP_PASSWORD
```
service.yaml
```yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  namespace: helen
spec:
  type: NodePort
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    nodePort: 30000 # you can also leave this out and let the system assign a port automatically
```
After applying the files above in order, the nginx service is up and can be reached through the host IP on port 30000 (host-ip:30000/); here 192.168.56.103 is the IP of my virtual machine.
Simulating kubectl operations with a ServiceAccount
🔧 Step 1: obtain the ServiceAccount's token
```bash
# On Kubernetes 1.21 (the kind node image used here) a token Secret is auto-created for the ServiceAccount.
# On 1.24+ no such Secret is created; use `kubectl create token sa-helen -n helen` to obtain a token instead.
SECRET_NAME=$(kubectl get sa sa-helen -n helen -o jsonpath='{.secrets[0].name}')
kubectl get secret $SECRET_NAME -n helen -o jsonpath='{.data.token}' | base64 -d > /tmp/sa-helen.token
```
📜 Step 2: obtain the current cluster's CA and API server address
```bash
# Fetch the CA
kubectl get secret $SECRET_NAME -n helen -o jsonpath='{.data.ca\.crt}' | base64 -d > /tmp/ca.crt
# Fetch the API server address
APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
```
🧪 Step 3: generate a kubeconfig file
```bash
cat <<EOF > /tmp/kubeconfig-sa-helen
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority: /tmp/ca.crt
    server: ${APISERVER}
  name: kind-cluster
contexts:
- context:
    cluster: kind-cluster
    user: sa-helen
    namespace: helen
  name: sa-helen-context
current-context: sa-helen-context
users:
- name: sa-helen
  user:
    token: $(cat /tmp/sa-helen.token)
EOF
```
✅ Step 4: run kubectl with this kubeconfig
```bash
KUBECONFIG=/tmp/kubeconfig-sa-helen kubectl get pods
KUBECONFIG=/tmp/kubeconfig-sa-helen kubectl get secrets
```
Or:
```bash
export KUBECONFIG=/tmp/kubeconfig-sa-helen
```
If role-helen does not grant permission on a resource, the command fails with a forbidden error.
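The forbidden behaviour can be predicted before touching the cluster. The following is an added example, not code from the original post: a small offline model of the RBAC decision the API server makes for sa-helen, with the rules transcribed from role.yaml above and a constructed set of requests matching the step-4 commands.

```python
# Added example, not from the original post: an offline model of how the API
# server evaluates role-helen for sa-helen, so you can predict which kubectl
# calls from step 4 succeed and which return "forbidden" before running them.
# Rules are transcribed from role.yaml above; the requests are constructed.

FULL = ["get", "list", "watch", "create", "update", "patch", "delete"]
ROLE_NAMESPACE = "helen"
ROLE_RULES = [
    {"apiGroups": [""], "verbs": FULL,
     "resources": ["pods", "pods/exec", "pods/log", "services", "endpoints",
                   "configmaps", "secrets", "persistentvolumeclaims", "serviceaccounts"]},
    {"apiGroups": ["apps"], "verbs": FULL,
     "resources": ["deployments", "replicasets", "statefulsets", "daemonsets"]},
    {"apiGroups": ["batch"], "verbs": FULL, "resources": ["jobs", "cronjobs"]},
]

def rule_matches(rule, verb, api_group, resource):
    """One rule matches when verb, apiGroup and resource each match;
    "*" is the wildcard the real RBAC authorizer honours too."""
    ok = lambda allowed, value: "*" in allowed or value in allowed
    return (ok(rule["verbs"], verb) and ok(rule["apiGroups"], api_group)
            and ok(rule["resources"], resource))

def role_allows(verb, api_group, resource, namespace,
                rules=ROLE_RULES, role_namespace=ROLE_NAMESPACE):
    """A Role bound by a RoleBinding only covers its own namespace, so other
    namespaces and cluster-scoped resources (namespace "") are denied.
    Rules are additive: a single matching rule allows the request."""
    if namespace != role_namespace:
        return False
    return any(rule_matches(r, verb, api_group, resource) for r in rules)

# (verb, apiGroup, resource, namespace) as kubectl sends them: `kubectl get
# <plural>` is a "list"; `kubectl exec` is a "create" on the pods/exec subresource.
SAMPLE_REQUESTS = {
    "kubectl get pods":            ("list", "", "pods", "helen"),
    "kubectl get secrets":         ("list", "", "secrets", "helen"),
    "kubectl exec nginx -- sh":    ("create", "", "pods/exec", "helen"),
    "kubectl get deployments":     ("list", "apps", "deployments", "helen"),
    "kubectl get pods -n default": ("list", "", "pods", "default"),
    "kubectl get nodes":           ("list", "", "nodes", ""),
    "kubectl get ingresses":       ("list", "networking.k8s.io", "ingresses", "helen"),
}

def evaluate(requests=SAMPLE_REQUESTS):
    """Map each command to True (allowed) or False (forbidden)."""
    return {cmd: role_allows(*req) for cmd, req in requests.items()}

for cmd, allowed in evaluate().items():
    print(f"{cmd:30} -> {'allowed' if allowed else 'forbidden'}")
```

Note that role-helen grants full access to secrets and pods/exec inside the helen namespace, which is why `kubectl get secrets` succeeds in step 4; drop the resources the ServiceAccount does not actually need to keep it least-privilege.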