Contents
- Kubernetes basics
  - Part 1: the kubectl client command
  - Cluster node management
  - Managing the cluster from a worker node
  - The dashboard UI
  - Node labels
  - YAML declarative files
  - Describing resource objects in YAML
  - Namespaces
- Part 2: Kubernetes core concepts
  - 1: Pod
  - 2: Controller
  - 3: Label
  - 4: Label Selector
  - 5: Service
  - 6: Endpoints
  - 7: DNS
  - Relationships between the Kubernetes core concepts
  - Microservices for containerized applications on a Kubernetes cluster
Kubernetes basics
Part 1: the kubectl client command
1: Command help
Cluster administration is done with the kubectl command:
```bash
[root@master ~ 13:35:17]# kubectl -h
kubectl controls the Kubernetes cluster manager.
Find more information at: https://kubernetes.io/docs/reference/kubectl/
Basic Commands (Beginner):
create Create a resource from a file or from stdin
expose Take a replication controller, service, deployment or pod and expose it as
Kubernetes service
run 在集群上运行特定镜像
set 为对象设置指定特性
Basic Commands (Intermediate):
explain Get documentation for a resource
get 显示一个或多个资源
edit 编辑服务器上的资源
delete Delete resources by file names, stdin, resources and names, or by resource
label selector
Deploy Commands:
rollout Manage the rollout of a resource
scale Set a new size for a deployment, replica set, or replication controller
autoscale Auto-scale a deployment, replica set, stateful set, or replication control
Cluster Management Commands:
certificate Modify certificate resources
cluster-info Display cluster information
top Display resource (CPU/memory) usage
cordon 标记节点为不可调度
uncordon 标记节点为可调度
drain 清空节点以准备维护
taint 更新一个或者多个节点上的污点
Troubleshooting and Debugging Commands:
describe 显示特定资源或资源组的详细信息
logs 打印 Pod 中容器的日志
attach 挂接到一个运行中的容器
exec 在某个容器中执行一个命令
port-forward 将一个或多个本地端口转发到某个 Pod
proxy 运行一个指向 Kubernetes API 服务器的代理
cp Copy files and directories to and from containers
auth Inspect authorization
debug Create debugging sessions for troubleshooting workloads and nodes
events List events
Advanced Commands:
diff Diff the live version against a would-be applied version
apply Apply a configuration to a resource by file name or stdin
patch Update fields of a resource
replace Replace a resource by file name or stdin
wait Experimental: Wait for a specific condition on one or many resources
kustomize Build a kustomization target from a directory or URL
Settings Commands:
label 更新某资源上的标签
annotate 更新一个资源的注解
completion Output shell completion code for the specified shell (bash, zsh, fish, or
powershell)
Other Commands:
api-resources Print the supported API resources on the server
api-versions Print the supported API versions on the server, in the form of "group/vers
config 修改 kubeconfig 文件
plugin Provides utilities for interacting with plugins
version 输出客户端和服务端的版本信息
Usage:
kubectl [flags] [options]
Use "kubectl <command> --help" for more information about a given command.
Use "kubectl options" for a list of global command-line options (applies to all commands).
```
Use api-resources to see the short names of resource types (the SHORTNAMES column), their API version and whether they are namespaced:

```bash
[root@master ~ 13:46:39]# kubectl api-resources
NAME                              SHORTNAMES   APIVERSION                             NAMESPACED   KIND
bindings                                       v1                                     true         Binding
componentstatuses                 cs           v1                                     false        ComponentStatus
configmaps                        cm           v1                                     true         ConfigMap
endpoints                         ep           v1                                     true         Endpoints
events                            ev           v1                                     true         Event
limitranges                       limits       v1                                     true         LimitRange
namespaces                        ns           v1                                     false        Namespace
nodes                             no           v1                                     false        Node
persistentvolumeclaims            pvc          v1                                     true         PersistentVolumeClaim
persistentvolumes                 pv           v1                                     false        PersistentVolume
pods                              po           v1                                     true         Pod
podtemplates                                   v1                                     true         PodTemplate
replicationcontrollers            rc           v1                                     true         ReplicationController
resourcequotas                    quota        v1                                     true         ResourceQuota
secrets                                        v1                                     true         Secret
serviceaccounts                   sa           v1                                     true         ServiceAccount
services                          svc          v1                                     true         Service
mutatingwebhookconfigurations                  admissionregistration.k8s.io/v1        false        MutatingWebhookConfiguration
validatingwebhookconfigurations                admissionregistration.k8s.io/v1        false        ValidatingWebhookConfiguration
customresourcedefinitions         crd,crds     apiextensions.k8s.io/v1                false        CustomResourceDefinition
apiservices                                    apiregistration.k8s.io/v1              false        APIService
controllerrevisions                            apps/v1                                true         ControllerRevision
daemonsets                        ds           apps/v1                                true         DaemonSet
deployments                       deploy       apps/v1                                true         Deployment
replicasets                       rs           apps/v1                                true         ReplicaSet
statefulsets                      sts          apps/v1                                true         StatefulSet
selfsubjectreviews                             authentication.k8s.io/v1               false        SelfSubjectReview
tokenreviews                                   authentication.k8s.io/v1               false        TokenReview
localsubjectaccessreviews                      authorization.k8s.io/v1                true         LocalSubjectAccessReview
selfsubjectaccessreviews                       authorization.k8s.io/v1                false        SelfSubjectAccessReview
selfsubjectrulesreviews                        authorization.k8s.io/v1                false        SelfSubjectRulesReview
subjectaccessreviews                           authorization.k8s.io/v1                false        SubjectAccessReview
horizontalpodautoscalers          hpa          autoscaling/v2                         true         HorizontalPodAutoscaler
cronjobs                          cj           batch/v1                               true         CronJob
jobs                                           batch/v1                               true         Job
certificatesigningrequests        csr          certificates.k8s.io/v1                 false        CertificateSigningRequest
leases                                         coordination.k8s.io/v1                 true         Lease
bgpconfigurations                              crd.projectcalico.org/v1               false        BGPConfiguration
bgppeers                                       crd.projectcalico.org/v1               false        BGPPeer
blockaffinities                                crd.projectcalico.org/v1               false        BlockAffinity
caliconodestatuses                             crd.projectcalico.org/v1               false        CalicoNodeStatus
clusterinformations                            crd.projectcalico.org/v1               false        ClusterInformation
felixconfigurations                            crd.projectcalico.org/v1               false        FelixConfiguration
globalnetworkpolicies                          crd.projectcalico.org/v1               false        GlobalNetworkPolicy
globalnetworksets                              crd.projectcalico.org/v1               false        GlobalNetworkSet
hostendpoints                                  crd.projectcalico.org/v1               false        HostEndpoint
ipamblocks                                     crd.projectcalico.org/v1               false        IPAMBlock
ipamconfigs                                    crd.projectcalico.org/v1               false        IPAMConfig
ipamhandles                                    crd.projectcalico.org/v1               false        IPAMHandle
ippools                                        crd.projectcalico.org/v1               false        IPPool
ipreservations                                 crd.projectcalico.org/v1               false        IPReservation
kubecontrollersconfigurations                  crd.projectcalico.org/v1               false        KubeControllersConfiguration
networkpolicies                                crd.projectcalico.org/v1               true         NetworkPolicy
networksets                                    crd.projectcalico.org/v1               true         NetworkSet
endpointslices                                 discovery.k8s.io/v1                    true         EndpointSlice
events                            ev           events.k8s.io/v1                       true         Event
flowschemas                                    flowcontrol.apiserver.k8s.io/v1beta3   false        FlowSchema
prioritylevelconfigurations                    flowcontrol.apiserver.k8s.io/v1beta3   false        PriorityLevelConfiguration
ingressclasses                                 networking.k8s.io/v1                   false        IngressClass
ingresses                         ing          networking.k8s.io/v1                   true         Ingress
networkpolicies                   netpol       networking.k8s.io/v1                   true         NetworkPolicy
runtimeclasses                                 node.k8s.io/v1                         false        RuntimeClass
poddisruptionbudgets              pdb          policy/v1                              true         PodDisruptionBudget
clusterrolebindings                            rbac.authorization.k8s.io/v1           false        ClusterRoleBinding
clusterroles                                   rbac.authorization.k8s.io/v1           false        ClusterRole
rolebindings                                   rbac.authorization.k8s.io/v1           true         RoleBinding
roles                                          rbac.authorization.k8s.io/v1           true         Role
priorityclasses                   pc           scheduling.k8s.io/v1                   false        PriorityClass
csidrivers                                     storage.k8s.io/v1                      false        CSIDriver
csinodes                                       storage.k8s.io/v1                      false        CSINode
csistoragecapacities                           storage.k8s.io/v1                      true         CSIStorageCapacity
storageclasses                    sc           storage.k8s.io/v1                      false        StorageClass
volumeattachments                              storage.k8s.io/v1                      false        VolumeAttachment
```
Key areas of Kubernetes: resource types, invoking plugins, YAML files, and troubleshooting.
kubectl command syntax:
kubectl <command> <resource-type> <resource-name> <arg1, arg2 ...>
2: Command details
Command basics
```bash
# Create a Deployment with 3 replicas
[root@master ~ 14:17:23]# kubectl create deploy nginx --image=nginx --replicas=3
deployment.apps/nginx created
[root@master ~ 14:19:35]# kubectl get pods
NAME READY STATUS RESTARTS AGE
nginx-7854ff8877-2h925 0/1 ContainerCreating 0 13s
nginx-7854ff8877-dztxq 0/1 ContainerCreating 0 13s
nginx-7854ff8877-kqfmr 0/1 ContainerCreating 0 13s
# kubectl api-resources lists the short names of resource types (po = pods)
[root@master ~ 14:21:08]# kubectl get po
NAME READY STATUS RESTARTS AGE
nginx-7854ff8877-2h925 1/1 Running 0 3m42s
nginx-7854ff8877-dztxq 1/1 Running 0 3m42s
nginx-7854ff8877-kqfmr 1/1 Running 0 3m42s
# explain shows the YAML schema of a resource kind
[root@master ~ 14:15:43]# kubectl explain deploy
GROUP: apps
KIND: Deployment
VERSION: v1
DESCRIPTION:
Deployment enables declarative updates for Pods and ReplicaSets.
FIELDS:
apiVersion <string>
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind <string>
Kind is a string value representing the REST resource this object
represents. Servers may infer this from the endpoint the client submits
requests to. Cannot be updated. In CamelCase. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata <ObjectMeta>
Standard object's metadata. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
spec <DeploymentSpec>
Specification of the desired behavior of the Deployment.
status <DeploymentStatus>
Most recently observed status of the Deployment.
[root@master ~ 14:16:47]# kubectl explain deploy.kind
# Appending a field path (deploy.<field>) descends one level into the schema
# describe shows detailed information
[root@master ~ 14:19:48]# kubectl describe pod nginx-7854ff8877-2h925
# edit opens the object's live YAML in an editor
[root@master ~ 14:20:33]# kubectl edit pod nginx-7854ff8877-2h925
Edit cancelled, no changes made.
# delete removes the resource
[root@master ~ 14:25:25]# kubectl delete pod nginx-7854ff8877-2h925
pod "nginx-7854ff8877-2h925" deleted
```
Deploy the metrics-server resource
```bash
# Download the manifest
[root@master ~ 14:28:57]# wget https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml -O metrics-server-components.yaml
# Edit the manifest: point the image at a mirror registry
[root@master ~ 14:58:53]# sed -i 's/registry.k8s.io\/metrics-server/registry.cn-hangzhou.aliyuncs.com\/google_containers/g' metrics-server-components.yaml
[root@master ~ 15:00:59]# vim metrics-server-components.yaml
        - --secure-port=10250
        - --kubelet-insecure-tls   # add this line (metrics-server then skips verification of the kubelets' serving certificates)
# Apply
[root@master ~ 15:01:50]# kubectl apply -f metrics-server-components.yaml
[root@master ~ 18:34:56]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
calico-kube-controllers-658d97c59c-hv65v 1/1 Running 3 (3h12m ago) 26h
calico-node-bgtph 1/1 Running 3 (3h12m ago) 26h
calico-node-vglmz 1/1 Running 0 179m
calico-node-x5w4t 1/1 Running 3 (3h12m ago) 26h
coredns-66f779496c-cklwm 1/1 Running 3 (3h12m ago) 26h
coredns-66f779496c-wgdfz 1/1 Running 3 (3h12m ago) 26h
etcd-master 1/1 Running 3 (3h12m ago) 26h
kube-apiserver-master 1/1 Running 7 (3h11m ago) 26h
kube-controller-manager-master 1/1 Running 3 (3h12m ago) 26h
kube-proxy-4zl57 1/1 Running 3 (3h12m ago) 26h
kube-proxy-h5sfp 1/1 Running 3 (3h12m ago) 26h
kube-proxy-rb52m 1/1 Running 3 (3h12m ago) 26h
kube-scheduler-master 1/1 Running 3 (3h12m ago) 26h
metrics-server-57999c5cf7-sfkv9 1/1 Running 1 (3h12m ago) 3h37m
```
Delete a Pod
```bash
[root@master ~ 18:44:29]# kubectl delete pod metrics-server-57999c5cf7-sfkv9 -n kube-system
pod "metrics-server-57999c5cf7-sfkv9" deleted
# Force deletion
[root@master ~ 18:47:42]# kubectl delete pod metrics-server-57999c5cf7-p5j8k -n kube-system --grace-period=0 --force
Warning: Immediate deletion does not wait for confirmation that the running resource has been terminated. The resource may continue to run on the cluster indefinitely.
```
Because a replica count was set at creation, the controller recreates the Pod after it is deleted.
View the resource creation process
```bash
[root@master ~ 18:49:34]# kubectl describe pod metrics-server-57999c5cf7-tqwxt -n kube-system
```
View resource usage with kubectl top
```bash
# With the metrics-server component installed, the top command works
[root@master ~ 15:02:48]# kubectl top nodes
NAME CPU(cores) CPU% MEMORY(bytes) MEMORY%
master 141m 7% 957Mi 24%
node1 91m 2% 627Mi 10%
node2 87m 2% 577Mi 9%
[root@master ~ 15:03:22]# kubectl top node node2
NAME CPU(cores) CPU% MEMORY(bytes) MEMORY%
node2 87m 2% 577Mi 9%
[root@master ~ 18:52:16]# kubectl top pod kube-apiserver-master -n kube-system
NAME CPU(cores) MEMORY(bytes)
kube-apiserver-master 32m 270Mi
```
Deployment commands
Cluster management commands
Display cluster information
```bash
[root@master ~ 18:52:36]# kubectl cluster-info
Kubernetes control plane is running at https://192.168.18.128:6443
CoreDNS is running at https://192.168.18.128:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
```
Display resource usage
```bash
[root@master ~ 18:54:04]# kubectl top pod -n kube-system
NAME CPU(cores) MEMORY(bytes)
calico-kube-controllers-658d97c59c-hv65v 3m 73Mi
calico-node-bgtph 25m 216Mi
calico-node-vglmz 63m 129Mi
calico-node-x5w4t 54m 232Mi
coredns-66f779496c-cklwm 3m 68Mi
coredns-66f779496c-wgdfz 3m 18Mi
etcd-master 15m 119Mi
kube-apiserver-master 33m 266Mi
kube-controller-manager-master 8m 154Mi
kube-proxy-4zl57 1m 83Mi
kube-proxy-h5sfp 5m 81Mi
kube-proxy-rb52m 4m 82Mi
kube-scheduler-master 2m 75Mi
metrics-server-57999c5cf7-tqwxt 5m 21Mi
```
Troubleshooting and debugging commands
Advanced commands
Settings commands
Other commands
logs -f follows the output; note that logs shows the container's log, not the Pod's
```bash
[root@master ~ 18:58:04]# kubectl logs nginx-7854ff8877-dztxq
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/ ...
```
Kubernetes client and server versions
```bash
[root@master ~ 19:00:45]# kubectl version
Client Version: v1.28.0
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.0
```
Cluster node management
1: View cluster information
```bash
[root@master ~ 19:00:52]# kubectl cluster-info
Kubernetes control plane is running at https://192.168.18.128:6443
CoreDNS is running at https://192.168.18.128:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
```
2: View node information
View the cluster's nodes
```bash
[root@master ~ 19:01:54]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
master Ready control-plane 26h v1.28.0
node1 Ready <none> 26h v1.28.0
node2 Ready <none> 26h v1.28.0
```
View the cluster's nodes in detail
```bash
[root@master ~ 19:02:08]# kubectl get nodes -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
master Ready control-plane 26h v1.28.0 192.168.18.128 <none> CentOS Linux 7 (Core) 3.10.0-1160.119.1.el7.x86_64 docker://26.1.4
node1 Ready <none> 26h v1.28.0 192.168.18.129 <none> CentOS Linux 7 (Core) 3.10.0-1160.119.1.el7.x86_64 docker://26.1.4
node2 Ready <none> 26h v1.28.0 192.168.18.136 <none> CentOS Linux 7 (Core) 3.10.0-1160.119.1.el7.x86_64 docker://26.1.4
```
View a node's full description
```bash
[root@master ~ 19:02:26]# kubectl describe node master
```
Managing the cluster from a worker node
On a cluster installed with kubeadm, running kubectl on a worker node fails:
```bash
[root@node1 ~ 18:35:03]# kubectl get nodes
E0114 19:03:40.867444 43149 memcache.go:265] couldn't get current server API group list: Get "http://localhost:8080/api?timeout=32s": dial tcp [::1]:8080: connect: connection refused
E0114 19:03:40.867657 43149 memcache.go:265] couldn't get current server API group list: Get "http://localhost:8080/api?timeout=32s": dial tcp [::1]:8080: connect: connection refused
E0114 19:03:40.877637 43149 memcache.go:265] couldn't get current server API group list: Get "http://localhost:8080/api?timeout=32s": dial tcp [::1]:8080: connect: connection refused
E0114 19:03:40.887794 43149 memcache.go:265] couldn't get current server API group list: Get "http://localhost:8080/api?timeout=32s": dial tcp [::1]:8080: connect: connection refused
E0114 19:03:40.898137 43149 memcache.go:265] couldn't get current server API group list: Get "http://localhost:8080/api?timeout=32s": dial tcp [::1]:8080: connect: connection refused
The connection to the server localhost:8080 was refused - did you specify the right host or port?
```
Solution: copy the admin kubeconfig /etc/kubernetes/admin.conf from the master to $HOME/.kube/config on the node; kubectl on the node can then manage the cluster.
- Create the .kube directory in the user's home directory on the node
```bash
[root@node1 ~ 19:03:40]# mkdir ~/.kube
```
- On the master, copy admin.conf to the node
```bash
[root@master ~ 19:02:48]# scp /etc/kubernetes/admin.conf node1:/root/.kube/config
The authenticity of host 'node1 (192.168.18.129)' can't be established.
ECDSA key fingerprint is SHA256:Mybu0Emk/mh5+fern00Gs1prNuq7NJOQr5IqprDDgOo.
ECDSA key fingerprint is MD5:5a:14:c6:7d:53:b1:9d:6e:2d:27:f2:08:c7:db:e4:c6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'node1,192.168.18.129' (ECDSA) to the list of known hosts.
root@node1's password: # enter the password
admin.conf 100% 5650 5.2MB/s 00:00
```
- Verify on the node
```bash
[root@node1 ~ 19:04:23]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
master Ready control-plane 26h v1.28.0
node1 Ready <none> 26h v1.28.0
node2 Ready <none> 26h v1.28.0
```
The dashboard UI
Download and install
Download the resource
```bash
[root@master ~ 19:07:40]# wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.6.1/aio/deploy/recommended.yaml
```
Edit the file
```bash
[root@master ~ 19:07:53]# vim recommended.yaml
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30001   # add
  selector:
    k8s-app: kubernetes-dashboard
  type: NodePort        # add
```
Apply the modified configuration
```bash
[root@master ~ 19:10:59]# kubectl apply -f recommended.yaml
```
Check the Pod status
```bash
[root@master ~ 19:12:07]# kubectl get pods -n kubernetes-dashboard
NAME READY STATUS RESTARTS AGE
dashboard-metrics-scraper-5657497c4c-r9x5m 1/1 Running 0 61s
kubernetes-dashboard-746fbfd67c-lvfqf 1/1 Running 0 61s
```
Check the port exposed by the Service
```bash
[root@master ~ 19:12:26]# kubectl get svc -n kubernetes-dashboard
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
dashboard-metrics-scraper ClusterIP 10.99.18.205 <none> 8000/TCP 94s
kubernetes-dashboard NodePort 10.97.170.252 <none> 443:30001/TCP 94s
```
Access the dashboard UI
Open https://192.168.18.128:30001 in a browser
Create an access token
Configure an admin account
Create the rbac.yaml file
```bash
[root@master ~ 19:12:59]# vim rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-admin
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: dashboard-admin
  namespace: kube-system
```
Apply the configuration and obtain a token
```bash
[root@master ~ 19:22:22]# kubectl apply -f rbac.yaml
serviceaccount/dashboard-admin created
clusterrolebinding.rbac.authorization.k8s.io/dashboard-admin created
```
Obtain the token. kubectl create token was introduced in Kubernetes 1.22; the token is valid for 1 hour by default, each run of the command generates a new token, and old tokens expire on their own.
```bash
[root@master ~ 19:22:57]# kubectl create token dashboard-admin --namespace kube-system
# token: (usable for one hour at a time; after an hour, run this command again to create a new one)
eyJhbGciOiJSUzI1NiIsImtpZCI6IkpQNUNsM0h0R3hPX2I2N3lpTTFIQTVzRjduV3BZSjdkb3hTSVRXMUpNUjQifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNzY4MzkzNDQ3LCJpYXQiOjE3NjgzODk4NDcsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJkYXNoYm9hcmQtYWRtaW4iLCJ1aWQiOiI1N2JkZDVjZS0zYzYxLTQzM2ItYjY5Yy0zN2JkNzVhMDM1N2YifX0sIm5iZiI6MTc2ODM4OTg0Nywic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.e5zcWQXJuvLJ41KmEkBs66Uy8efPzaw-EVwFddXNd5-p_Yh7Ye8S4Op6cFwx3Ksjclo_pH3XNShnYYE-KzA8Ql_oWMDADoUJXPDoO-asFH4KzX7tHSWqc6qHtESYmaLD6ClNPyzuYam_G9W9Ea9nqSLukncUyYXbnw8-3K8Pe0T7oa_6_DsnOP0PgP7Qb9-8wB5R6lRPdoSm4LIsP5o219HL1ELDJgR0YOfKeOeXMWYerMZTlztERZxqD87t6VEhhrcAuaSgKFJeyK8rS3Q1BgcC-lXJp2gyM-ce52K8QyxgdsSGeCFTHCZeT8P0qF-vVSVDpq93fRyNvSzJ_QvGFA
```

After logging in to the UI, you will see 5 namespaces.
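The token above is a JWT whose payload carries the expiry and the identity it acts as. As an added example (not from the original post), the following Python decodes those claims without verifying the signature, which is enough to answer two defender questions: is a token found in a log, a pasted command or a copied kubeconfig still live, and which service account (and so, through the ClusterRoleBinding above, which role) would it act as? The token it inspects is constructed inside the block with a placeholder signature; `make_demo_token` and `inspect_token` are this example's own names.

```python
"""Inspect the claims of a Kubernetes service-account token (a JWT).

Added example, not from the original post. The token is built inside this
block with a placeholder signature, so it only mirrors the claim layout of a
real `kubectl create token` result; make_demo_token and inspect_token are
names chosen for this example."""
import base64
import json

DEFAULT_TTL_SECONDS = 3600  # kubectl create token issues 1-hour tokens by default


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_demo_token(namespace: str, sa_name: str, issued_at: int) -> str:
    """Constructed token with the claims the API server emits (placeholder signature)."""
    header = {"alg": "RS256", "kid": "demo-key-id"}
    claims = {
        "aud": ["https://kubernetes.default.svc.cluster.local"],
        "exp": issued_at + DEFAULT_TTL_SECONDS,
        "iat": issued_at,
        "iss": "https://kubernetes.default.svc.cluster.local",
        "kubernetes.io": {
            "namespace": namespace,
            "serviceaccount": {"name": sa_name, "uid": "00000000-0000-0000-0000-demo"},
        },
        "nbf": issued_at,
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
    }
    encode = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{encode(header)}.{encode(claims)}.{_b64url_encode(b'placeholder-signature')}"


def inspect_token(token: str, now: int) -> dict:
    """Decode the payload only (no signature check) and summarise who the token
    acts as and whether it is still live at time `now`. This is triage, not
    authorisation: the API server (TokenReview) is what decides validity."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    k8s = claims.get("kubernetes.io", {})
    return {
        "subject": claims["sub"],
        "namespace": k8s.get("namespace"),
        "serviceaccount": k8s.get("serviceaccount", {}).get("name"),
        "audience": claims.get("aud", []),
        "lifetime_seconds": claims["exp"] - claims["iat"],
        "expired": now >= claims["exp"],
        "seconds_remaining": max(0, claims["exp"] - now),
    }


if __name__ == "__main__":
    demo = make_demo_token("kube-system", "dashboard-admin", 1768389847)
    print(json.dumps(inspect_token(demo, 1768389847 + 600), indent=2))
```

Run it against the real output of `kubectl create token` by passing that string to `inspect_token`; the `lifetime_seconds` field shows the 1-hour default directly, and `subject` shows the `system:serviceaccount:<namespace>:<name>` identity that RBAC bindings refer to.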

Check from the command line
```bash
[root@master ~ 19:24:07]# kubectl get namespace
NAME STATUS AGE
default Active 27h
kube-node-lease Active 27h
kube-public Active 27h
kube-system Active 27h
kubernetes-dashboard Active 15m
```
Additional notes:
If kubectl get nodes shows a node in the NotReady state:
Pinpoint the problem: it is a CNI component issue. This deployment uses Calico as the CNI, which relies on the BGP protocol, dynamic routing and an external gateway.
Check whether the node's calico-node component is running normally, then check whether the certificates have expired, and then check the network.
Node labels
Replica name = controller name + replica ID
Pod name = controller name + replica ID + Pod ID
A Kubernetes cluster consists of many nodes. Nodes can be given labels and then filtered and viewed by label, which makes selecting and matching resource objects easier.
View node labels
Labels are displayed as key/value pairs, key=value:
```bash
# Show the nodes' labels
[root@master ~ 09:05:07]# kubectl get nodes --show-labels
NAME STATUS ROLES AGE VERSION LABELS
master Ready control-plane 40h v1.28.0 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=master,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=,node.kubernetes.io/exclude-from-external-load-balancers=
node1 Ready <none> 40h v1.28.0 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=node1,kubernetes.io/os=linux
node2 Ready <none> 40h v1.28.0 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=node2,kubernetes.io/os=linux
```
Set node labels
Set a node label
```bash
[root@master ~ 09:14:44]# kubectl label node node2 region=nanjing
node/node2 labeled
[root@master ~ 09:26:58]# kubectl get nodes --show-labels
NAME STATUS ROLES AGE VERSION LABELS
master Ready control-plane 41h v1.28.0 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=master,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=,node.kubernetes.io/exclude-from-external-load-balancers=
node1 Ready <none> 40h v1.28.0 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=node1,kubernetes.io/os=linux
node2 Ready <none> 40h v1.28.0 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=node2,kubernetes.io/os=linux,region=nanjing
```
View nodes by a particular label key
-L shows the given key as a column
```bash
[root@master ~ 09:27:18]# kubectl get nodes -L region
NAME STATUS ROLES AGE VERSION REGION
master Ready control-plane 41h v1.28.0
node1 Ready <none> 40h v1.28.0
node2 Ready <none> 40h v1.28.0 nanjing
```
View nodes with a particular key=value label
-l filters by the given key=value pair
```bash
[root@master ~ 09:27:46]# kubectl get nodes -l region=nanjing
NAME STATUS ROLES AGE VERSION
node2 Ready <none> 40h v1.28.0
```
Multi-dimensional labels
Set labels along several dimensions to distinguish different scenarios.
For example, label node1 as the Hefei region, south zone, test environment, AI business:
```bash
[root@master ~ 09:27:59]# kubectl label node node1 region=hefei zone=south env=test bussiness=AI
node/node1 labeled
[root@master ~ 09:39:08]# kubectl get node node1 --show-labels
NAME STATUS ROLES AGE VERSION LABELS
node1 Ready <none> 41h v1.28.0 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,bussiness=AI,env=test,kubernetes.io/arch=amd64,kubernetes.io/hostname=node1,kubernetes.io/os=linux,region=hefei,zone=south
```
View them **(lowercase -l filters by key=value; uppercase -L shows a key as a column)**
```bash
[root@master ~ 09:39:28]# kubectl get nodes -L region,zone
NAME STATUS ROLES AGE VERSION REGION ZONE
master Ready control-plane 41h v1.28.0
node1 Ready <none> 41h v1.28.0 hefei south
node2 Ready <none> 41h v1.28.0 nanjing
[root@master ~ 09:39:50]# kubectl get nodes -l region=hefei
NAME STATUS ROLES AGE VERSION
node1 Ready <none> 41h v1.28.0
```
Modifying a label (overwrite: use the --overwrite option)
```bash
[root@master ~ 09:40:22]# kubectl label nodes node1 zone=west --overwrite=true
node/node1 labeled
[root@master ~ 09:41:34]# kubectl get nodes -L zone
NAME STATUS ROLES AGE VERSION ZONE
master Ready control-plane 41h v1.28.0
node1 Ready <none> 41h v1.28.0 west
node2 Ready <none> 41h v1.28.0
```
Deleting a label
Append a minus sign to the key to remove the label.
Labels can only be deleted one at a time.
```bash
[root@master ~ 09:41:46]# kubectl label nodes node1 env-
node/node1 unlabeled
[root@master ~ 09:42:29]# kubectl get nodes -L env
NAME STATUS ROLES AGE VERSION ENV
master Ready control-plane 41h v1.28.0
node1 Ready <none> 41h v1.28.0
node2 Ready <none> 41h v1.28.0
[root@master ~ 09:43:00]# kubectl label node node1 bussiness-
node/node1 unlabeled
[root@master ~ 09:43:54]# kubectl get nodes node1 --show-labels
NAME STATUS ROLES AGE VERSION LABELS
node1 Ready <none> 41h v1.28.0 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=node1,kubernetes.io/os=linux,region=hefei,zone=west
```
Label selectors
Used to filter resources that match particular labels; there are two main kinds:
- Equality-based
  - Exact key/value match: app=nginx (matches resources whose app is nginx)
  - Exclusion: env!=dev (excludes resources with env=dev)
- Set-based
  - key in (value1, value2): matches resources whose value is in the set (e.g. env in (prod,staging))
  - key notin (value): excludes the given values (e.g. tier notin (backend))
  - Existence test: key (only checks that the key is present)
```bash
[root@master ~ 09:44:01]# kubectl label node node1 env=test1
node/node1 labeled
[root@master ~ 09:44:51]# kubectl label node node2 env=test2
node/node2 labeled
[root@master ~ 09:44:59]# kubectl get nodes -l env!=test1
NAME STATUS ROLES AGE VERSION
master Ready control-plane 41h v1.28.0
node2 Ready <none> 41h v1.28.0
[root@master ~ 09:45:35]# kubectl get nodes -l "env in (test1,test2)"
NAME STATUS ROLES AGE VERSION
node1 Ready <none> 41h v1.28.0
node2 Ready <none> 41h v1.28.0
```
YAML declarative files
YAML is still a markup language, but its name stresses that the language is data-centric rather than markup-centric. It is a highly readable format for expressing serialized data.
Basic syntax
- Older versions (1.0, 2.0) do not allow Tab characters for indentation, only spaces
- The number of spaces does not matter, as long as elements at the same level are left-aligned
- # marks a comment; everything from that character to the end of the line is ignored by the parser
Data structures
- Object: a collection of key/value pairs, also called a mapping, hash or dictionary
- Array: an ordered sequence of values, also called a sequence or list
- Scalars: single, indivisible values
Object type: an object's key/value pairs are written using the colon syntax
```yaml
name: Tom    # strings do not need quotes, unless the string contains spaces
age: 20
height: 175
```
YAML also allows another form, writing all the key/value pairs as an inline object:
```yaml
hash: { name: Tom, age: 20, height: 175 }
```
Array type: a group of lines beginning with a hyphen forms an array
```yaml
color:
  - blue
  - red
  - green
```
Arrays can also use the inline notation
```yaml
color: [blue, red, green]
```
Composite structure: objects and arrays can be combined to form composite structures
```yaml
languages:
  - java
  - python
  - go
websites:
  YAML: yaml.org
  Ruby: ruby-lang.org
  Python: python.org
  Perl: use.perl.org
```
Scalars: a scalar is the most basic, indivisible value. The following data types are all scalars: strings, booleans, integers, floats, null, timestamps and dates.
```yaml
# Numbers are written directly as literals
number: 3.14
# Booleans are written as true and false
isSet: true
# null is written as ~
# Timestamps use the ISO 8601 format
iso8601: 2025-07-11t20:00:00.10-05:00
# Dates use the ISO 8601 year-month-day form
date: 1990-07-10
# YAML allows two exclamation marks to force a type conversion
e: !!str 123
f: !!str true
```
Strings
By default strings are written without quotes.
A string that contains spaces or special characters must be placed in quotes:
```yaml
str: hello
str: 'hello world'
```
Both single and double quotes can be used; double quotes do not neutralise special characters such as \n (the escape keeps its meaning), whereas single quotes take them literally:
```yaml
s1: '你好\n世界'
s2: "你好\n世界"
```
If a single-quoted string itself contains a single quote, it must be escaped by writing two consecutive single quotes:
```yaml
str: 'let ''s go'   # yields: let 's go
```
A string can span multiple lines; from the second line on, each line must be indented by at least one space. Line breaks are converted to spaces:
```yaml
str: 第一行
  第二行
  第三行
```
A multi-line string can use | to preserve line breaks, or > to fold them (common in configuration files):
```yaml
names: |
  tom
  jerry
  jack
```
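As an added example (not from the original post), the following Python makes the scalar rules of this section executable on constructed input: plain multi-line scalars fold line breaks into spaces, `|` keeps them, `>` folds them, single quotes take `\n` literally and escape only `''`, and double quotes interpret `\n`. The functions are this example's own and model only the rules shown here, not full YAML; a real loader such as PyYAML's `yaml.safe_load` applies the same rules to a manifest.

```python
"""Make the YAML scalar rules of this section executable.

Added example, not from the original post and not a YAML parser: each function
models one rule on constructed input (a real loader such as PyYAML's
yaml.safe_load applies the same rules). Function names are this example's own."""

_DOUBLE_QUOTE_ESCAPES = {"n": "\n", "t": "\t", "\\": "\\", '"': '"', "/": "/", "0": "\0"}


def _strip_indent(raw: str) -> list:
    """Remove the common indentation of a block scalar's lines."""
    lines = raw.splitlines()
    indent = min((len(l) - len(l.lstrip(" ")) for l in lines if l.strip()), default=0)
    return [l[indent:] for l in lines]


def plain_multiline(raw: str) -> str:
    """Unquoted scalar continued on indented lines: each line break becomes a space."""
    return " ".join(l.strip() for l in raw.splitlines() if l.strip())


def literal_block(raw: str) -> str:
    """`|` keeps every line break; the final newline is kept too (clip chomping)."""
    return "\n".join(_strip_indent(raw)) + "\n"


def folded_block(raw: str) -> str:
    """`>` joins lines with spaces; an empty line becomes a single newline."""
    paragraphs, current = [], []
    for line in _strip_indent(raw):
        if line.strip():
            current.append(line.strip())
        else:
            paragraphs.append(" ".join(current))
            current = []
    paragraphs.append(" ".join(current))
    return "\n".join(paragraphs) + "\n"


def single_quoted(token: str) -> str:
    """Single-quoted scalars do no escape processing; '' is the only escape (a literal ')."""
    if not (token.startswith("'") and token.endswith("'")):
        raise ValueError("not a single-quoted scalar")
    return token[1:-1].replace("''", "'")


def double_quoted(token: str) -> str:
    """Double-quoted scalars interpret backslash escapes such as \\n and \\t."""
    if not (token.startswith('"') and token.endswith('"')):
        raise ValueError("not a double-quoted scalar")
    body, out, i = token[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append(_DOUBLE_QUOTE_ESCAPES.get(body[i + 1], body[i + 1]))
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    print(repr(single_quoted(r"'你好\n世界'")), repr(double_quoted(r'"你好\n世界"')))
    print(repr(literal_block("  tom\n  jerry\n  jack")))
    print(repr(folded_block("  tom\n  jerry\n\n  jack")))
```

The `|` form is the one that matters for manifests: the `index.html: |` entry in the ConfigMap later on this page relies on literal block semantics to deliver the HTML byte-for-byte, trailing newline included.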
Describing resource objects in YAML
In Kubernetes, YAML files are generally used to create Pods that match our expectations; such a YAML file is called a resource manifest.
Common fields
Key points:
The version can be found with kubectl api-versions, or in full with kubectl api-resources.
spec.containers[].imagePullPolicy, the image pull policy:
- Always: always try to pull the image again (the default)
- Never: only ever use the local image
- IfNotPresent: use the local image if one exists, otherwise pull it
Port types:
- node port: hostPort
- cluster-IP port: port
- Pod port: targetPort
- container port: containerPort
```bash
[root@master ~ 19:11:06]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 2d2h
nginx ClusterIP 10.98.13.195 <none> 80/TCP 3h6m
tomcat-service NodePort 10.101.252.71 <none> 80:30080/TCP 3h10m
# Note: these addresses come from the serviceSubnet range. Internal access does not use the Pod IP; Pod IPs are kept in the Endpoints list, and the Service IP maps onto that Endpoints list
[root@master ~ 19:11:09]# curl 10.98.13.195:80
<!DOCTYPE html>
```
Resource limits:
- Runtime limits
- Startup limits (starting up usually consumes more resources than steady-state running)
Question to think about:
When a container stalls at runtime but the node's resources are not heavily used, it is because the container's resource limits are constraining it: a limit set too low causes stalls. Check the limits.
Container restart policy (driven by probes):
- Always: however the container stops, the kubelet restarts it (the kubelet manages a Pod's runtime lifecycle; the controller manages the orchestrated Pod lifecycle)
- OnFailure: restart only when the Pod exits abnormally, not on a normal exit
- Never: never restart after exit
Case study
Consult the reference documentation
The attributes available in a Pod's spec:
```bash
kubectl explain pod.spec
```
Create a namespace
```yaml
apiVersion: v1   # check with kubectl api-versions
kind: Namespace
metadata:
  name: web-content
```
Create Pod resources
This configuration has two parts, a Deployment and a Service. The Deployment creates 2 Tomcat Pod replicas (using the official image); the Service, of type NodePort, maps container port 8080 to host port 30080 and exposes it through service port 8888. Access via <node IP>:
```bash
[root@master tomcat_dir 19:52:07]# cat tomcat.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: tomcat-web-content
data:
  index.html: |
    <html><body>Hello Tomcat</body></html>
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-test
spec:
  replicas: 2
  selector:
    matchLabels:
      app: tomcat            # must exactly match template.metadata.labels
  template:
    metadata:
      labels:
        app: tomcat          # must match selector.matchLabels
    spec:
      securityContext:
        runAsUser: 1000
        fsGroup: 1000
      containers:
        - name: tomcat
          image: tomcat:9.0.85-jdk11
          ports:
            - containerPort: 8080   # container port
          volumeMounts:
            - name: web-content
              mountPath: /usr/local/tomcat/webapps/ROOT/index.html
              subPath: index.html
      volumes:
        - name: web-content
          configMap:
            name: tomcat-web-content
---
apiVersion: v1
kind: Service
metadata:
  name: tomcat-service
spec:
  type: NodePort
  selector:
    app: tomcat              # must match the Pod labels
  ports:
    - port: 80               # cluster-IP port
      targetPort: 8080       # Pod port
      nodePort: 30080        # host port
```
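The comments in tomcat.yaml say that three label sets must agree and that the ports must chain from containerPort through targetPort and port to nodePort. As an added example (not from the original post), the following Python encodes those checks over manifests represented as dicts that mirror tomcat.yaml (constructed inline so no YAML library is needed; `yaml.safe_load_all` on the real file produces the same structure): Deployment selector versus template labels, Service selector versus Pod labels, `targetPort` versus `containerPort`, and `nodePort` versus the Service type and the default node-port range. It also flags a container with no `runAsUser`, the setting this manifest uses to avoid running as root. `TOMCAT_DOCS`, `check_manifests` and `demo` are this example's own names.

```python
"""Consistency checks for a Deployment + Service pair like tomcat.yaml.

Added example, not from the original post. TOMCAT_DOCS is a constructed dict
form of the manifest above (yaml.safe_load_all on the real file yields the same
structure); check_manifests and demo are names chosen for this example."""
import copy

TOMCAT_DOCS = [
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "tomcat-test"},
     "spec": {
         "replicas": 2,
         "selector": {"matchLabels": {"app": "tomcat"}},
         "template": {
             "metadata": {"labels": {"app": "tomcat"}},
             "spec": {
                 "securityContext": {"runAsUser": 1000, "fsGroup": 1000},
                 "containers": [{"name": "tomcat", "image": "tomcat:9.0.85-jdk11",
                                 "ports": [{"containerPort": 8080}]}]}}}},
    {"apiVersion": "v1", "kind": "Service",
     "metadata": {"name": "tomcat-service"},
     "spec": {"type": "NodePort", "selector": {"app": "tomcat"},
              "ports": [{"port": 80, "targetPort": 8080, "nodePort": 30080}]}},
]

NODE_PORT_RANGE = range(30000, 32768)  # kube-apiserver default --service-node-port-range


def _selects(selector: dict, labels: dict) -> bool:
    """Equality selectors match when every selector pair is present in the labels."""
    return all(labels.get(k) == v for k, v in selector.items())


def _template_labels(deployment: dict) -> dict:
    return deployment["spec"]["template"]["metadata"].get("labels", {})


def check_manifests(docs: list) -> list:
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings = []
    deployments = [d for d in docs if d["kind"] == "Deployment"]
    services = [d for d in docs if d["kind"] == "Service"]

    for dep in deployments:
        name = dep["metadata"]["name"]
        selector = dep["spec"]["selector"]["matchLabels"]
        labels = _template_labels(dep)
        if not _selects(selector, labels):  # the API server rejects this outright
            findings.append(f"Deployment {name}: selector {selector} does not match template labels {labels}")
        pod_ctx = dep["spec"]["template"]["spec"].get("securityContext", {})
        for c in dep["spec"]["template"]["spec"]["containers"]:
            if "runAsUser" not in c.get("securityContext", {}) and "runAsUser" not in pod_ctx:
                findings.append(f"Deployment {name}: container {c['name']} sets no runAsUser and runs as the image default user")

    for svc in services:
        name = svc["metadata"]["name"]
        spec = svc["spec"]
        backing = [d for d in deployments if _selects(spec.get("selector", {}), _template_labels(d))]
        if not backing:  # a Service whose selector matches no Pod has an empty Endpoints list
            findings.append(f"Service {name}: selector {spec.get('selector')} matches no pod template")
        container_ports = {p["containerPort"] for d in backing
                           for c in d["spec"]["template"]["spec"]["containers"]
                           for p in c.get("ports", [])}
        for port in spec["ports"]:
            target = port.get("targetPort", port["port"])  # targetPort defaults to port
            if backing and isinstance(target, int) and target not in container_ports:
                findings.append(f"Service {name}: targetPort {target} is not a containerPort of the selected pods {sorted(container_ports)}")
            node_port = port.get("nodePort")
            if node_port is not None:
                if spec.get("type", "ClusterIP") == "ClusterIP":
                    findings.append(f"Service {name}: nodePort {node_port} is set but type is ClusterIP")
                elif node_port not in NODE_PORT_RANGE:
                    findings.append(f"Service {name}: nodePort {node_port} is outside the default 30000-32767 range")
    return findings


def demo() -> dict:
    """Run the checks on the manifest as written and on two broken variants."""
    mismatched = copy.deepcopy(TOMCAT_DOCS)
    mismatched[0]["spec"]["template"]["metadata"]["labels"] = {"app": "tomcat-web"}
    wrong_port = copy.deepcopy(TOMCAT_DOCS)
    wrong_port[1]["spec"]["ports"][0]["targetPort"] = 80
    return {"as_written": check_manifests(TOMCAT_DOCS),
            "label_mismatch": check_manifests(mismatched),
            "wrong_targetPort": check_manifests(wrong_port)}


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result or "OK")
```

The label-mismatch variant yields two findings, because the broken template labels break both the Deployment's own selector (which the API server rejects) and the Service's selector (which the API server accepts silently, leaving the Service with no endpoints); the wrong targetPort is likewise accepted and only shows up as connection failures, which is why catching it before `kubectl apply` is worth the few lines.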
```bash
# Create the resources
kubectl apply -f tomcat.yaml
```
If the Pods remain in the creating state, run kubectl describe pod to see the details.
This is usually caused by the network, and Calico needs to be restarted:
```bash
kubectl rollout restart daemonset calico-node -n kube-system
```
To modify a YAML file that has already been applied so that it produces different content, first delete the resources created by the originally applied YAML file:
```bash
kubectl delete -f tomcat.yaml
```
Open the URL
http://192.168.18.128:30080/index.html
Namespaces
Purpose
- A Namespace is an abstract grouping of a set of resources and objects.
- Common objects such as Pods, Services and Deployments each belong to some namespace (default by default).
- Not all resources belong to a namespace; nodes, persistent volumes and namespaces themselves do not belong to any namespace.
View namespaces
```bash
[root@master tomcat_dir 14:17:04]# kubectl get ns   # ns is short for namespaces
NAME STATUS AGE
default Active 45h
kube-node-lease Active 45h
kube-public Active 45h
kube-system Active 45h
kubernetes-dashboard Active 19h
```
View the resources in a namespace
kubectl get all --namespace=<namespace name> lists all the resources in that namespace:
```bash
[root@master tomcat_dir 14:17:08]# kubectl get all --namespace=kube-system
NAME READY STATUS RESTARTS AGE
pod/calico-kube-controllers-658d97c59c-hv65v 1/1 Running 3 (22h ago) 45h
pod/calico-node-4k8kf 1/1 Running 0 111s
pod/calico-node-dhp6x 1/1 Running 0 90s
pod/calico-node-dpq8m 1/1 Running 0 80s
pod/coredns-66f779496c-cklwm 1/1 Running 3 (22h ago) 45h
pod/coredns-66f779496c-wgdfz 1/1 Running 3 (22h ago) 45h
pod/etcd-master 1/1 Running 3 (22h ago) 45h
pod/kube-apiserver-master 1/1 Running 7 (22h ago) 45h
pod/kube-controller-manager-master 1/1 Running 3 (22h ago) 45h
pod/kube-proxy-4zl57 1/1 Running 3 (22h ago) 45h
pod/kube-proxy-h5sfp 1/1 Running 3 (22h ago) 45h
pod/kube-proxy-rb52m 1/1 Running 3 (22h ago) 45h
pod/kube-scheduler-master 1/1 Running 3 (22h ago) 45h
pod/metrics-server-57999c5cf7-tqwxt 1/1 Running 0 19h
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 45h
service/metrics-server ClusterIP 10.110.158.233 <none> 443/TCP 23h
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
daemonset.apps/calico-node 3 3 3 3 3 kubernetes.io/os=linux 45h
daemonset.apps/kube-proxy 3 3 3 3 3 kubernetes.io/os=linux 45h
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/calico-kube-controllers 1/1 1 1 45h
deployment.apps/coredns 2/2 2 2 45h
deployment.apps/metrics-server 1/1 1 1 23h
NAME DESIRED CURRENT READY AGE
replicaset.apps/calico-kube-controllers-658d97c59c 1 1 1 45h
replicaset.apps/coredns-66f779496c 2 2 2 45h
replicaset.apps/metrics-server-57999c5cf7 1 1 1 23h
```
View all Pod resources
```bash
[root@master tomcat_dir 14:17:42]# kubectl get pods -A   # -A means all namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
default nginx-7854ff8877-dztxq 1/1 Running 1 (22h ago) 23h
default nginx-7854ff8877-kqfmr 1/1 Running 1 (22h ago) 23h
default nginx-7854ff8877-mt8qt 1/1 Running 1 (22h ago) 23h
default tomcat-test-75469fdc74-bw5d9 1/1 Running 0 14m
default tomcat-test-75469fdc74-kvj2m 1/1 Running 0 14m
kube-system calico-kube-controllers-658d97c59c-hv65v 1/1 Running 3 (22h ago) 45h
kube-system calico-node-4k8kf 1/1 Running 0 2m15s
kube-system calico-node-dhp6x 1/1 Running 0 114s
kube-system calico-node-dpq8m 1/1 Running 0 104s
kube-system coredns-66f779496c-cklwm 1/1 Running 3 (22h ago) 45h
kube-system coredns-66f779496c-wgdfz 1/1 Running 3 (22h ago) 45h
kube-system etcd-master 1/1 Running 3 (22h ago) 45h
kube-system kube-apiserver-master 1/1 Running 7 (22h ago) 45h
kube-system kube-controller-manager-master 1/1 Running 3 (22h ago) 45h
kube-system kube-proxy-4zl57 1/1 Running 3 (22h ago) 45h
kube-system kube-proxy-h5sfp 1/1 Running 3 (22h ago) 45h
kube-system kube-proxy-rb52m 1/1 Running 3 (22h ago) 45h
kube-system kube-scheduler-master 1/1 Running 3 (22h ago) 45h
kube-system metrics-server-57999c5cf7-tqwxt 1/1 Running 0 19h
kubernetes-dashboard dashboard-metrics-scraper-5657497c4c-r9x5m 1/1 Running 0 19h
kubernetes-dashboard kubernetes-dashboard-746fbfd67c-lvfqf 1/1 Running 0 19h
```
Create a namespace
With a command
```bash
[root@master tomcat_dir 14:18:06]# kubectl create namespace web1
namespace/web1 created
[root@master tomcat_dir 14:18:25]# kubectl get ns
NAME STATUS AGE
default Active 45h
kube-node-lease Active 45h
kube-public Active 45h
kube-system Active 45h
kubernetes-dashboard Active 19h
web1 Active 9s
```
From a YAML file
- Almost every resource in Kubernetes can be created through YAML
- kubectl edit <resource type> <resource name> edits a resource's YAML
- kubectl get <resource type> <resource name> -o yaml shows it
```bash
[root@master tomcat_dir 14:18:34]# kubectl edit ns web1
Edit cancelled, no changes made.
[root@master tomcat_dir 14:18:55]# kubectl get ns web1 -o yaml
apiVersion: v1
kind: Namespace
metadata:
  creationTimestamp: "2026-01-15T06:18:25Z"
  labels:
    kubernetes.io/metadata.name: web1
  name: web1
  resourceVersion: "63270"
  uid: 32b204dc-ce31-413a-a085-ec42f991f590
spec:
  finalizers:
  - kubernetes
status:
  phase: Active
```
- kubectl explain <resource type> shows the schema documentation
View the schema parameters of a namespace
```bash
kubectl explain namespace
```
Write a YAML file that creates a namespace
```bash
[root@master tomcat_dir 14:19:08]# vim create_web2.yaml
[root@master tomcat_dir 14:20:27]# cat create_web2.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: web2
[root@master tomcat_dir 14:21:05]# kubectl apply -f create_web2.yaml
namespace/web2 created
[root@master tomcat_dir 14:21:09]# kubectl get ns
NAME STATUS AGE
default Active 45h
kube-node-lease Active 45h
kube-public Active 45h
kube-system Active 45h
kubernetes-dashboard Active 19h
web1 Active 2m55s
web2 Active 11s
```
Deleting a namespace
- Deleting a namespace automatically deletes every resource that belongs to it (much like dropping a database in MySQL deletes all of its tables, so proceed with caution)
- The default, kube-system and kube-public namespaces cannot be deleted
- Delete with a command
```bash
[root@master tomcat_dir 14:21:20]# kubectl delete ns web1
namespace "web1" deleted
```
- Delete using the YAML file
```bash
[root@master tomcat_dir 14:22:19]# kubectl delete -f create_web2.yaml
namespace "web2" deleted
```
Part 2: Kubernetes core concepts
1: Pod
A Pod is the smallest deployable unit of computing that can be created and managed in Kubernetes.
Container --- a single pea
Pod (container group) --- a pea pod
Node --- a pea vine
Cluster --- the whole pea field
2: Controller
In Kubernetes, a controller is an object that manages and runs Pods.
Pods exist in a static form and a dynamic form:
- **Static Pods** are managed directly and independently by the kubelet process on the node; they are not controlled by the kube-apiserver or kube-controller-manager on the master node.
- **Dynamic Pods** are created and managed by the various Kubernetes controllers.
The kubelet manages the lifecycle of static Pods.
Controllers manage the lifecycle of dynamic Pods.
In Kubernetes, a controller watches the shared state of the cluster and works to move the current state toward the desired state.
An example of what a Controller does: the thermostat in a room.
When you set the temperature, you tell the thermostat your desired state. The actual room temperature is the current state. By switching the equipment on and off, the thermostat brings the current state closer to the desired state.
A controller tracks at least one type of Kubernetes resource. Those objects have a spec field that represents the desired state. The controller for that resource is responsible for making the current state approach the desired state.
There are six kinds of controllers in total:
- Deployment
  - Deploys stateless applications
  - Stateless application: all Pods are treated as identical, there is no ordering requirement, it does not matter which Node they run on, and they can be scaled out and in freely.
  - Manages Pods and ReplicaSets.
  - Deployment, rolling upgrades, and so on.
  - Typical examples: web services, distributed services.
- StatefulSet
  - Deploys stateful applications
  - Stateful application: each Pod runs independently, keeping Pod start order and uniqueness; each has a unique network identity and persistent storage; ordering matters, for example a MySQL master/slave pair; hostnames are fixed. Scaling and upgrades are also carried out in order.
- DaemonSet
  - Deploys daemon processes
  - A DaemonSet guarantees that one copy of the container runs on every Node; it is commonly used to deploy cluster logging, monitoring or other system-management applications. A newly added Node also gets one such Pod.
- Job
  - One-off tasks
  - A Job handles short-lived one-off batch tasks, i.e. tasks that run exactly once; it ensures that one or more Pods of the batch task finish successfully.
- CronJob
  - Periodic scheduled tasks
3: Label
Concept
A Label is a key/value pair attached to an object (a Pod, for example). It can be specified when the object is created, or added at any time after creation. Label values carry no meaning for the system itself; they are meaningful only to users.
A Label is a single key=value pair, where both key and value are chosen by the user.
Labels can be attached to all kinds of resource objects, such as Nodes, Pods, Services and RCs. One resource object can carry any number of Labels, and the same Label can be attached to any number of resource objects. Labels are usually set when the resource object is defined, but they can also be added or removed dynamically after the object exists.
By binding one or more different Labels to a resource object you can group resources along several dimensions, which makes it easy to allocate, schedule, configure and deploy them. Examples: deploying different versions of an application into different environments, or monitoring and analysing applications (logging, monitoring, alerting).
Common label examples:
```bash
Version labels:         "release":"stable", "release":"canary" ...
Environment labels:     "environment":"dev", "environment":"production"
Architecture labels:    "tier":"frontend", "tier":"backend", "tier":"middleware"
Partition labels:       "partition":"customerA", "partition":"customerB" ...
Quality-control labels: "track":"daily", "track":"weekly"
```
A Label is exactly like the familiar "tag": defining a Label on a resource object is like sticking a tag on it. Afterwards a Label Selector can query and filter the resource objects that carry certain Labels. This is how Kubernetes implements a simple, general-purpose object query mechanism similar to SQL.
Syntax and character set
A Label key consists of:
- At most 63 characters
- An optional prefix separated by `/`; the prefix must be a DNS subdomain of at most 253 characters. Labels created by automated components of the system must use a prefix, and `kubernetes.io/` is reserved by Kubernetes
- It must start with a letter (upper or lower case) or a digit; hyphens, underscores and dots are allowed in the middle
A Label value consists of:
- At most 63 characters
- It must start with a letter (upper or lower case) or a digit; hyphens, underscores and dots are allowed in the middle
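The rules above are worth enforcing before a manifest reaches the API server (for instance in a CI lint step), because a rejected label is only noticed at apply time. The checker below is an added example, not code from the tutorial or from Kubernetes: it encodes the key and value rules exactly as stated (and, as Kubernetes itself also requires, an alphanumeric last character and the allowance of an empty value), and separately flags the reserved `kubernetes.io/` and `k8s.io/` prefixes, which the API server accepts on user objects but which a linter should call out. The sample label map is constructed for the demo.

```python
import re

# Label key/value syntax checker (constructed example, not the tutorial's own code).
# Name part: 1-63 chars, alphanumeric at both ends, "-", "_" and "." allowed in between.
# Optional prefix: a lowercase DNS subdomain of at most 253 chars, separated by "/".
# Values follow the name rule but may also be empty.
NAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9_.-]{0,61}[A-Za-z0-9])?$")
DNS_LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")
# Prefixes reserved for Kubernetes core components; the API server does not reject
# them on user objects, so a manifest linter has to flag them explicitly.
RESERVED_PREFIXES = ("kubernetes.io/", "k8s.io/")


def is_dns_subdomain(s: str) -> bool:
    """RFC 1123 subdomain: lowercase dot-separated DNS labels, at most 253 chars in total."""
    return 0 < len(s) <= 253 and all(DNS_LABEL_RE.match(part) for part in s.split("."))


def validate_label_key(key: str) -> list:
    """Return the syntax problems with a label key; an empty list means it is valid."""
    problems = []
    prefix, slash, name = key.rpartition("/")
    if slash and not is_dns_subdomain(prefix):
        problems.append(f"prefix {prefix!r} is not a DNS subdomain of at most 253 chars")
    if not NAME_RE.match(name):
        problems.append(f"name {name!r} must be 1-63 chars, start and end alphanumeric, "
                        "with only '-', '_' or '.' in between")
    return problems


def validate_label_value(value: str) -> list:
    """Return the syntax problems with a label value (an empty value is allowed)."""
    if value == "" or NAME_RE.match(value):
        return []
    return [f"value {value!r} must be at most 63 chars, start and end alphanumeric, "
            "with only '-', '_' or '.' in between"]


def uses_reserved_prefix(key: str) -> bool:
    """True for keys under a prefix reserved for Kubernetes itself."""
    return key.startswith(RESERVED_PREFIXES)


def validate_labels(labels: dict) -> dict:
    """Check a metadata.labels map; returns {key: [problems]} for the invalid entries only."""
    bad = {}
    for key, value in labels.items():
        problems = validate_label_key(key) + validate_label_value(str(value))
        if problems:
            bad[key] = problems
    return bad


# Constructed sample, modelled on the common labels listed above plus a few bad ones.
SAMPLE_LABELS = {
    "app": "tomcat",
    "pod-template-hash": "75469fdc74",
    "example.com/tier": "backend",
    "release": "",                    # empty value: allowed
    "-bad": "x",                      # name must not start with '-'
    "tier": "middleware'",            # stray quote in the value
    "Example.Com/tier": "frontend",   # prefix must be a lowercase DNS subdomain
}

if __name__ == "__main__":
    for key, problems in validate_labels(SAMPLE_LABELS).items():
        print(key, "->", "; ".join(problems))
    for key in SAMPLE_LABELS:
        if uses_reserved_prefix(key):
            print(key, "-> uses a prefix reserved for Kubernetes")
```

Running it reports `-bad`, `tier` and `Example.Com/tier` as invalid and leaves the empty `release` value alone; feed it the `labels:` map parsed from a manifest to get the same answer the API server would give, before anything is applied.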
4: Label Selector
With a label selector a client or user can specify a set of objects and operate on that set.
There are two kinds of label selector:
- equality-based: uses the `=`, `==` and `!=` operators; several expressions can be combined with commas
- set-based: uses the `in`, `notin` and `!` operators. A requirement may also have no operator at all and consist of just a label key, which selects objects that have that key regardless of its value; `!key` selects objects that do not have that label
For example:
A label selector can be compared to the `where` clause of an SQL statement. When the label selector `name=redis-slave` is applied to Pods, it is comparable to the statement `select * from pod where pods name ='redis-slave'`.
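To make the two selector families concrete, here is an added example (not code from the tutorial or from Kubernetes) that parses a selector string in the syntax `kubectl get pods -l '...'` accepts and evaluates it against a constructed set of Pod label maps modelled on the tomcat and nginx Pods used later in this article. It goes slightly beyond the text in one respect worth knowing when a selector scopes a policy or a Service: `!=` and `notin` also match objects that lack the key entirely.

```python
import re

# Label selector parser and evaluator (constructed example, not Kubernetes' own code).
# Equality-based requirements: key=value, key==value, key!=value
# Set-based requirements:      key in (v1,v2), key notin (v1,v2), key (exists), !key (absent)
# Requirements are comma-separated and all of them must hold.
_SET_RE = re.compile(r"^(\S+)\s+(in|notin)\s*\(([^)]*)\)$")
_EQ_RE = re.compile(r"^([^=!]+?)\s*(==|!=|=)\s*(.*)$")


def _split_requirements(selector: str) -> list:
    """Split on commas that are not inside a set-based '( ... )' value list."""
    parts, current, depth = [], [], 0
    for ch in selector:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]


def parse_selector(selector: str) -> list:
    """Turn a selector string into a list of (key, operator, values) requirements."""
    reqs = []
    for part in _split_requirements(selector):
        m = _SET_RE.match(part)
        if m:
            key, op, values = m.groups()
            reqs.append((key, op, {v.strip() for v in values.split(",") if v.strip()}))
            continue
        m = _EQ_RE.match(part)
        if m:
            key, op, value = m.groups()
            reqs.append((key.strip(), "=" if op == "==" else op, {value.strip()}))
            continue
        if part.startswith("!"):
            reqs.append((part[1:].strip(), "!exists", set()))
        else:
            reqs.append((part, "exists", set()))
    return reqs


def matches(labels: dict, requirements: list) -> bool:
    """True when every requirement holds for this object's label map."""
    for key, op, values in requirements:
        present = key in labels
        if op in ("=", "in"):
            ok = present and labels[key] in values
        elif op in ("!=", "notin"):
            ok = not present or labels[key] not in values  # objects without the key match too
        elif op == "exists":
            ok = present
        else:  # "!exists"
            ok = not present
        if not ok:
            return False
    return True


def select(objects: dict, selector: str) -> list:
    """Names of the objects whose labels satisfy the selector, like `kubectl get pods -l`."""
    reqs = parse_selector(selector)
    return sorted(name for name, labels in objects.items() if matches(labels, reqs))


# Constructed sample, modelled on the tutorial's tomcat-test and nginx Pods.
PODS = {
    "tomcat-test-75469fdc74-jrqjb": {"app": "tomcat", "pod-template-hash": "75469fdc74", "environment": "production"},
    "tomcat-test-75469fdc74-pk8hw": {"app": "tomcat", "pod-template-hash": "75469fdc74", "environment": "production"},
    "nginx-7854ff8877-dztxq": {"app": "nginx", "tier": "frontend", "environment": "dev"},
    "debug-shell": {"app": "busybox"},   # carries neither an environment nor a tier label
}

if __name__ == "__main__":
    for sel in ("app=tomcat,pod-template-hash=75469fdc74", "environment!=production",
                "app in (tomcat, nginx)", "!tier", "environment notin (dev), app"):
        print(f"{sel:42s} -> {select(PODS, sel)}")
```

Note how `environment!=production` returns the `debug-shell` Pod, which has no `environment` label at all: a selector written with a negative operator is wider than it looks, so when such a selector decides which Pods a rule or Service applies to, objects missing the label are silently included.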
5: Service
An abstract way to expose an application running on a set of Pods as a network service.
Because Pods are not permanent resource objects, an application run through a Controller can have its Pods created and destroyed dynamically, which makes it impossible to reliably reach the particular Pod you want.
For example: if a set of Pods (call them "backends") provides functionality to other Pods in the cluster (call them "frontends"), how do the frontends find out and keep track of which IP addresses to connect to, so that they can use the backend part of the workload?
A Service is a set of iptables or IPVS rules that forwards client requests to the server side (the Pods); when there are several Pods this also gives a load-balancing effect.
For example: an image-processing backend runs 3 replicas (Pods). Those replicas are interchangeable; the frontend does not care which backend replica it calls. The Pods that make up the backend set may change over time, but the frontend clients should not, and need not, know that, nor should they have to track the state of that set of backends.
6: Endpoints
Endpoints manage the backend Pods of a Service: whenever a backend Pod is created or destroyed, the endpoints list is updated with the corresponding Pod IP addresses, so that requests to the Service are always answered.
7: DNS
Provides name resolution for access to resource objects inside the Kubernetes cluster, so that services can be reached by DNS name rather than by IP address.
- Resolves Service names within the cluster
- Provides domain-name resolution for applications inside Pod containers that access the Internet
Relationships between the Kubernetes core concepts
1: Pod and Controller
Pods are operated through Controllers (scaling, rolling upgrades, and so on). The relationship between a Pod and its Controller is established through labels.

Example: delete one Pod and watch the controller automatically create a new one
```bash
[root@master ~ 23:15:06]# kubectl get replicasets
NAME                     DESIRED   CURRENT   READY   AGE
nginx-7854ff8877         3         3         3       33h
tomcat-test-75469fdc74   2         2         2       7h19m
[root@master ~ 23:20:19]# kubectl get pods
NAME                           READY   STATUS    RESTARTS        AGE
nginx-7854ff8877-dztxq         1/1     Running   2 (6h57m ago)   33h
nginx-7854ff8877-kqfmr         1/1     Running   2 (6h57m ago)   33h
nginx-7854ff8877-mt8qt         1/1     Running   2 (6h57m ago)   32h
tomcat-test-75469fdc74-jrqjb   1/1     Running   1 (6h57m ago)   7h20m
tomcat-test-75469fdc74-kpnbk   1/1     Running   1 (6h57m ago)   7h20m
[root@master ~ 23:20:31]# kubectl delete pod tomcat-test-75469fdc74-kpnbk
pod "tomcat-test-75469fdc74-kpnbk" deleted
[root@master ~ 23:21:09]# kubectl get pods
NAME                           READY   STATUS    RESTARTS        AGE
nginx-7854ff8877-dztxq         1/1     Running   2 (6h58m ago)   33h
nginx-7854ff8877-kqfmr         1/1     Running   2 (6h58m ago)   33h
nginx-7854ff8877-mt8qt         1/1     Running   2 (6h58m ago)   32h
tomcat-test-75469fdc74-jrqjb   1/1     Running   1 (6h58m ago)   7h20m
tomcat-test-75469fdc74-pk8hw   1/1     Running   0               5s
```
Look at the label Selector the controller manages
```bash
[root@master ~ 23:22:21]# kubectl describe replicasets tomcat-test-75469fdc74
Name:           tomcat-test-75469fdc74
Namespace:      default
Selector:       app=tomcat,pod-template-hash=75469fdc74
Labels:         app=tomcat
                pod-template-hash=75469fdc74
Annotations:    deployment.kubernetes.io/desired-replicas: 2
                deployment.kubernetes.io/max-replicas: 3
                deployment.kubernetes.io/revision: 1
Controlled By:  Deployment/tomcat-test
Replicas:       2 current / 2 desired
Pods Status:    2 Running / 0 Waiting / 0 Succeeded / 0 Failed
Pod Template:
  Labels:  app=tomcat
           pod-template-hash=75469fdc74
  Containers:
   tomcat:
    Image:        tomcat:9.0.85-jdk11
    Port:         8080/TCP
    Host Port:    0/TCP
    Environment:  <none>
    Mounts:
      /usr/local/tomcat/webapps/ROOT/index.html from web-content (rw,path="index.html")
  Volumes:
   web-content:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      tomcat-web-content
    Optional:  false
Events:
  Type    Reason            Age   From                   Message
  ----    ------            ----  ----                   -------
  Normal  SuccessfulCreate  87s   replicaset-controller  Created pod: tomcat-test-75469fdc74-pk8hw
```
Because the Pod's labels match that Selector, the controller can manage it
```bash
[root@master ~ 23:22:33]# kubectl describe pod tomcat-test-75469fdc74
Name:             tomcat-test-75469fdc74-jrqjb
Namespace:        default
Priority:         0
Service Account:  default
Node:             node2/192.168.18.136
Start Time:       Thu, 15 Jan 2026 16:00:24 +0800
Labels:           app=tomcat
                  pod-template-hash=75469fdc74
Annotations:      cni.projectcalico.org/containerID: 3a0dd78fb171397cf345018dc4d40fe9e84f0a8f26bd6d75c669fdb2860616d4
                  cni.projectcalico.org/podIP: 10.244.104.19/32
                  cni.projectcalico.org/podIPs: 10.244.104.19/32
Status:           Running
IP:               10.244.104.19
IPs:
  IP:           10.244.104.19
Controlled By:  ReplicaSet/tomcat-test-75469fdc74
Containers:
  tomcat:
    Container ID:   docker://5324f2a141dbca52b38c07e0fefb45e583b3b9a9eb07558b402a28c1f55fba38
    Image:          tomcat:9.0.85-jdk11
    Image ID:       docker-pullable://tomcat@sha256:b2a4b6f5e09e147ee81f094051cb43d69efd56a68e76ca5b450b7584c5564c77
    Port:           8080/TCP
    Host Port:      0/TCP
    State:          Running
      Started:      Thu, 15 Jan 2026 16:23:57 +0800
    Last State:     Terminated
      Reason:       Error
      Exit Code:    143
      Started:      Thu, 15 Jan 2026 16:00:25 +0800
      Finished:     Thu, 15 Jan 2026 16:22:46 +0800
    Ready:          True
    Restart Count:  1
    Environment:    <none>
    Mounts:
      /usr/local/tomcat/webapps/ROOT/index.html from web-content (rw,path="index.html")
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-stt89 (ro)
.......
```
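The `kubectl delete pod` experiment above is the reconcile loop in action: the ReplicaSet counts the Pods that match its Selector and creates or deletes Pods until that count equals `spec.replicas`. The simulation below is an added example (not the tutorial's or Kubernetes' own code) of that loop, using a constructed cluster state modelled on the tomcat-test ReplicaSet. It also shows the flip side of "the relationship is established through labels": if someone removes a selector label from a running Pod, the ReplicaSet no longer counts it, creates a replacement, and the relabelled Pod keeps running outside the controller's control. (The real controller additionally tracks `ownerReferences`, but the outcome for a relabelled Pod is the same.)

```python
import random
import string

# Simulation of the ReplicaSet control loop (constructed example, not Kubernetes' own code).
_ALPHABET = string.ascii_lowercase + string.digits


class ReplicaSet:
    def __init__(self, name: str, selector: dict, template_labels: dict, replicas: int, seed: int = 0):
        self.name = name
        self.selector = selector                # equality-based, e.g. app=tomcat,pod-template-hash=...
        self.template_labels = template_labels  # labels stamped on every Pod it creates
        self.replicas = replicas                # desired state (spec.replicas)
        self.rng = random.Random(seed)          # deterministic name suffixes for the demo
        self.events = []                        # what `kubectl describe rs` would list under Events

    def owns(self, pod: dict) -> bool:
        """A Pod belongs to this ReplicaSet when every selector key/value is on the Pod."""
        return all(pod["labels"].get(k) == v for k, v in self.selector.items())

    def reconcile(self, pods: dict) -> dict:
        """One pass of the loop: observe the current state, then create or delete Pods
        until the number of matching Pods equals spec.replicas. Mutates and returns `pods`."""
        owned = sorted(name for name, pod in pods.items() if self.owns(pod))
        diff = self.replicas - len(owned)
        for _ in range(max(0, diff)):                       # too few: create from the template
            suffix = "".join(self.rng.choice(_ALPHABET) for _ in range(5))
            new_name = f"{self.name}-{suffix}"
            pods[new_name] = {"labels": dict(self.template_labels), "status": "Running"}
            self.events.append(f"SuccessfulCreate Created pod: {new_name}")
        for name in owned[: max(0, -diff)]:                 # too many: delete the surplus
            del pods[name]
            self.events.append(f"SuccessfulDelete Deleted pod: {name}")
        return pods


def count_owned(rs: ReplicaSet, pods: dict) -> int:
    """How many Pods the controller currently counts toward its replicas."""
    return sum(1 for pod in pods.values() if rs.owns(pod))


def make_scenario():
    """Constructed state mirroring the tutorial: a 2-replica tomcat ReplicaSet plus an nginx Pod."""
    labels = {"app": "tomcat", "pod-template-hash": "75469fdc74"}
    rs = ReplicaSet("tomcat-test-75469fdc74", selector=labels, template_labels=labels, replicas=2)
    pods = {
        "tomcat-test-75469fdc74-jrqjb": {"labels": dict(labels), "status": "Running"},
        "tomcat-test-75469fdc74-kpnbk": {"labels": dict(labels), "status": "Running"},
        "nginx-7854ff8877-dztxq": {"labels": {"app": "nginx", "pod-template-hash": "7854ff8877"},
                                   "status": "Running"},
    }
    return rs, pods


def run_demo():
    rs, pods = make_scenario()
    rs.reconcile(pods)                                          # steady state: nothing to do
    del pods["tomcat-test-75469fdc74-kpnbk"]                    # `kubectl delete pod ...`
    rs.reconcile(pods)                                          # a replacement appears, as in the output above
    pods["tomcat-test-75469fdc74-jrqjb"]["labels"].pop("app")   # someone removes a selector label
    rs.reconcile(pods)                                          # Pod is orphaned: still running, no longer counted
    return rs, pods


if __name__ == "__main__":
    rs, pods = run_demo()
    for event in rs.events:
        print(event)
    print(f"{count_owned(rs, pods)} owned by the ReplicaSet, {len(pods)} Pods in total")
```

After the demo the ReplicaSet reports two owned Pods while four Pods exist: the nginx Pod, the two it counts, and the relabelled orphan. That orphan still holds its service account token and volume mounts, so label changes on Pods (`kubectl label`/`kubectl edit pod`) are worth watching for in audit logs and worth restricting through RBAC.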
2: Pod and Service
A Service exists so that Pods do not become unreachable: it provides service discovery, much like the registry in a microservice architecture. It defines an access policy for a set of Pods, gives a group of containers with the same function a single entry address, and distributes the request load across the individual backend containers.
A Service controls the Pods behind it through a selector. The association is built from labels and selectors, and the Service load-balances across those Pods.

View all Services
```bash
[root@master ~ 23:23:33]# kubectl get service
NAME             TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
kubernetes       ClusterIP   10.96.0.1       <none>        443/TCP        2d7h
nginx            ClusterIP   10.98.13.195    <none>        80/TCP         7h22m
tomcat-service   NodePort    10.101.252.71   <none>        80:30080/TCP   7h27m
```
View the tomcat-service Service
```bash
[root@master ~ 23:27:44]# kubectl describe svc tomcat-service
Name:                     tomcat-service
Namespace:                default
Labels:                   <none>
Annotations:              <none>
Selector:                 app=tomcat
Type:                     NodePort
IP Family Policy:         SingleStack
IP Families:              IPv4
IP:                       10.101.252.71
IPs:                      10.101.252.71
Port:                     <unset>  80/TCP
TargetPort:               8080/TCP
NodePort:                 <unset>  30080/TCP
Endpoints:                10.244.104.19:8080,10.244.166.153:8080
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>
```
View the Endpoints
```bash
[root@master ~ 23:28:01]# kubectl get endpoints
NAME             ENDPOINTS                                               AGE
kubernetes       192.168.18.128:6443                                     2d7h
nginx            10.244.104.20:80,10.244.104.21:80,10.244.166.148:80     7h23m
tomcat-service   10.244.104.19:8080,10.244.166.153:8080                  7h27m
```
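The Endpoints list above is derived, not configured: it is whatever Pods currently satisfy `Selector: app=tomcat`, re-targeted from the Service port 80 to the container's `TargetPort` 8080. The following added example (not code from the tutorial or from Kubernetes) rebuilds that list from a constructed Pod inventory using the tomcat-service values shown, then shows which backends a packet to the ClusterIP:port or to a node IP:NodePort is forwarded to, in the simplified spirit of the kube-proxy rules mentioned earlier. It adds one detail the text does not: a Pod that matches the selector but is not yet Ready is kept out of the address list. The node IPs are the two that appear in this article's output.

```python
import random

# Service -> Endpoints derivation and backend choice (constructed example, not Kubernetes' own code).
# Values modelled on the tutorial's tomcat-service: selector app=tomcat, 80 -> 8080, NodePort 30080.
SERVICE = {
    "name": "tomcat-service", "namespace": "default", "type": "NodePort",
    "clusterIP": "10.101.252.71", "selector": {"app": "tomcat"},
    "port": 80, "targetPort": 8080, "nodePort": 30080,
}
NODE_IPS = {"192.168.18.128", "192.168.18.136"}   # node addresses seen in the tutorial output

# Constructed Pod inventory; the two tomcat Pod IPs are the ones listed under Endpoints above.
PODS = [
    {"name": "tomcat-test-75469fdc74-jrqjb", "labels": {"app": "tomcat", "pod-template-hash": "75469fdc74"},
     "ip": "10.244.104.19", "ready": True},
    {"name": "tomcat-test-75469fdc74-pk8hw", "labels": {"app": "tomcat", "pod-template-hash": "75469fdc74"},
     "ip": "10.244.166.153", "ready": True},
    {"name": "tomcat-canary", "labels": {"app": "tomcat", "release": "canary"},
     "ip": "10.244.104.30", "ready": False},   # matches the selector but is not Ready yet
    {"name": "nginx-7854ff8877-dztxq", "labels": {"app": "nginx"},
     "ip": "10.244.104.20", "ready": True},    # does not match the selector
]


def selects(service: dict, pod: dict) -> bool:
    """Every key/value of the Service selector must be present on the Pod."""
    return all(pod["labels"].get(k) == v for k, v in service["selector"].items())


def build_endpoints(service: dict, pods: list) -> dict:
    """What the endpoints controller maintains: Ready Pods matching the selector become
    addresses; matching but not-Ready Pods are listed separately and receive no traffic."""
    ready, not_ready = [], []
    for pod in pods:
        if selects(service, pod):
            target = f"{pod['ip']}:{service['targetPort']}"
            (ready if pod["ready"] else not_ready).append(target)
    return {"addresses": sorted(ready), "notReadyAddresses": sorted(not_ready)}


def backends_for(service: dict, pods: list, dst_ip: str, dst_port: int) -> list:
    """Backends a packet to dst_ip:dst_port is forwarded to (a simplified view of kube-proxy's
    rules): ClusterIP:port from inside the cluster, or node IP:nodePort for a NodePort Service."""
    to_cluster_ip = dst_ip == service["clusterIP"] and dst_port == service["port"]
    to_node_port = (service["type"] == "NodePort" and dst_ip in NODE_IPS
                    and dst_port == service["nodePort"])
    if not (to_cluster_ip or to_node_port):
        return []
    return build_endpoints(service, pods)["addresses"]


def pick_backend(service: dict, pods: list, dst_ip: str, dst_port: int, rng=None):
    """Choose one backend for a new connection; the client never learns which Pod answers."""
    candidates = backends_for(service, pods, dst_ip, dst_port)
    return (rng or random).choice(candidates) if candidates else None


if __name__ == "__main__":
    print(build_endpoints(SERVICE, PODS))
    print(pick_backend(SERVICE, PODS, "10.101.252.71", 80))
    remaining = [p for p in PODS if p["name"] != "tomcat-test-75469fdc74-pk8hw"]   # one Pod deleted
    print(build_endpoints(SERVICE, remaining))                                     # the list shrinks at once
```

Because membership is decided by the selector alone, any Pod in the namespace that ends up carrying `app=tomcat` becomes a backend and receives a share of the traffic. Treat the selector labels as part of the Service's trust boundary: restrict who may create or relabel Pods in that namespace, and alert on unexpected additions to an Endpoints object.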
3: Service and DNS
Service names are resolved through DNS, which is how clients reach the backend Pods.
View the DNS Pods
```bash
[root@master ~ 23:31:34]# kubectl get pods -n kube-system | grep dns
coredns-66f779496c-cklwm                   1/1     Running   4 (7h9m ago)    2d7h
coredns-66f779496c-wgdfz                   1/1     Running   4 (7h9m ago)    2d7h
```
Look at the Services to get the cluster IP; the DNS address is 10.96.0.10
```bash
[root@master ~ 23:32:04]# kubectl get svc -n kube-system
NAME             TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                  AGE
kube-dns         ClusterIP   10.96.0.10       <none>        53/UDP,53/TCP,9153/TCP   2d7h
metrics-server   ClusterIP   10.110.158.233   <none>        443/TCP                  32h
```
Look up the Pod addresses behind the DNS Service
```bash
[root@master ~ 23:32:59]# kubectl get endpoints -n kube-system
NAME             ENDPOINTS                                                        AGE
kube-dns         10.244.166.151:53,10.244.166.152:53,10.244.166.151:53 + 3 more...   2d7h
metrics-server   10.244.104.18:10250                                              32h
```
or
```bash
[root@master ~ 23:33:57]# kubectl get pods -n kube-system -o wide | grep dns
coredns-66f779496c-cklwm                   1/1     Running   4 (7h12m ago)   2d7h   10.244.166.152   node1   <none>           <none>
coredns-66f779496c-wgdfz                   1/1     Running   4 (7h12m ago)   2d7h   10.244.166.151   node1   <none>           <none>
```
Resolve tomcat-service through DNS
```bash
[root@master ~ 23:35:47]# yum install -y bind-utils
```
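What actually happens when a Pod asks for `tomcat-service` is two-sided: kubelet gives the Pod a `/etc/resolv.conf` pointing at 10.96.0.10 with a search list for its own namespace, and CoreDNS answers the expanded name `<service>.<namespace>.svc.cluster.local` with the Service's ClusterIP. The model below is an added example, not the tutorial's or CoreDNS' code; it assumes the kubeadm default cluster domain `cluster.local` and the default `ndots:5`, and uses the Service table from the `kubectl get svc` output in this article. It shows why a bare Service name only resolves inside the Pod's own namespace and how a cross-namespace name such as `kube-dns.kube-system` still works.

```python
# Cluster DNS resolution as seen from inside a Pod (constructed example, not CoreDNS' own code).
CLUSTER_DOMAIN = "cluster.local"   # kubeadm default; assumed here

# (namespace, service name) -> ClusterIP, taken from the `kubectl get svc` output in this article
SERVICES = {
    ("default", "kubernetes"): "10.96.0.1",
    ("default", "nginx"): "10.98.13.195",
    ("default", "tomcat-service"): "10.101.252.71",
    ("kube-system", "kube-dns"): "10.96.0.10",
    ("kube-system", "metrics-server"): "10.110.158.233",
}


def lookup_fqdn(fqdn: str):
    """CoreDNS side: answer <service>.<namespace>.svc.<cluster-domain> with the ClusterIP,
    or None for anything else (NXDOMAIN)."""
    labels = fqdn.rstrip(".").split(".")
    domain = CLUSTER_DOMAIN.split(".")
    if len(labels) == 3 + len(domain) and labels[2] == "svc" and labels[3:] == domain:
        return SERVICES.get((labels[1], labels[0]))
    return None


def search_list(pod_namespace: str) -> list:
    """The search domains kubelet writes into a Pod's /etc/resolv.conf (dnsPolicy: ClusterFirst)."""
    return [f"{pod_namespace}.svc.{CLUSTER_DOMAIN}", f"svc.{CLUSTER_DOMAIN}", CLUSTER_DOMAIN]


def resolve(name: str, pod_namespace: str, ndots: int = 5):
    """Resolver side: a name ending in '.' is absolute; otherwise a name with fewer than `ndots`
    dots tries the search list first and the literal name last. Returns (fqdn_answered, ip)
    or (None, None) when nothing resolves."""
    if name.endswith("."):
        ip = lookup_fqdn(name)
        return (name, ip) if ip else (None, None)
    searches = [f"{name}.{domain}" for domain in search_list(pod_namespace)]
    candidates = [name] + searches if name.count(".") >= ndots else searches + [name]
    for fqdn in candidates:
        ip = lookup_fqdn(fqdn)
        if ip:
            return (fqdn, ip)
    return (None, None)


if __name__ == "__main__":
    for name, ns in (("tomcat-service", "default"), ("tomcat-service", "web1"),
                     ("kube-dns.kube-system", "default"),
                     ("tomcat-service.default.svc.cluster.local.", "web1")):
        print(f"from namespace {ns:8s} {name:45s} -> {resolve(name, ns)}")
```

A Pod in `web1` asking for the bare name `tomcat-service` gets nothing, while the same query from `default` resolves to 10.101.252.71: a short Service name silently follows the Pod into whatever namespace it is deployed in, so code that must reach a Service in another namespace should use the full `<service>.<namespace>.svc.cluster.local` name rather than relying on the search list.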
Microservices: containerized applications on a Kubernetes cluster
1: Service deployment models
- Monolithic service architecture
  - All service processes run on the same host
- Distributed service architecture
  - Service processes are spread across different hosts; a failure of one host does not affect the services running on the others
- Microservice architecture
  - Containerization is used to run the distributed service architecture, and to provide high availability and fast releases for the individual service processes
2: Relationships between the components of a microservice architecture (the Kubernetes core concepts)
Take running an LNMT (Linux, NGINX, MySQL, Tomcat) application in a Kubernetes cluster as the example:
Treat the Kubernetes cluster as an IDC server room, and deploy the LNMT web application into the cluster as microservices (Kubernetes cluster resource objects).
