k8s - 7

service 管理

clusterIP

服务的自动感知

• 服务会创建一个clusterIP这个地址对应资源地址，不管Pod如何变化，服务总能找到对应的Pod，且clusterIP保持不变

创建服务

资源清单文件

root@master \~\]# kubectl create service clusterip websvc --tcp=80:80 --dry-run=client -o yaml \[root@master \~\]# vim websvc.yaml > --- > > kind: Service # 资源对象类型 > > apiVersion: v1 # 版本 > > metadata: # 服务类型 > > name: websvc > > spec: > > type: ClusterIP > > selector: # 选择算符 > > app: web # Pod标签 > > ports: # 端口 > > - protocol: TCP # 协议 > > port: 80 # 服务的端口 > > targetPort: 80 # 后端Pod端口 \[root@master \~\]# kubectl apply -f websvc.yaml service/websvc created \[root@master \~\]# kubectl get service > NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) > > kubernetes ClusterIP 10.245.0.1 \ 443/TCP > > websvc ClusterIP 10.245.5.18 \ 80/TCP ##### 解析域名 # **安装工具软件包** \[root@master \~\]# **dnf install -y bind-utils** # 查看 DNS 服务地址 \[root@master \~\]# kubectl -n kube-system get service kube-dns > NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) > > kube-dns ClusterIP 10.245.0.10 \ 53/UDP,53/TCP,9153/TCP # **域名解析测试** \[root@master \~\]# **host websvc.default.svc.cluster.local 10.245.0.10** > Using domain server: > > Name: 10.245.0.10 > > Address: 10.245.0.10#53 > > Aliases: > > websvc.default.svc.cluster.local has address 10.245.5.18 ##### 创建后端应用 \[root@master \~\]# vim web1.yaml > --- > > kind: Pod > > apiVersion: v1 > > metadata: > > name: web1 > > labels: > > app: web # 服务靠标签寻找后端 > > spec: > > containers: > > - name: apache > > image: myos:httpd \[root@master \~\]# kubectl apply -f web1.yaml pod/web1 created \[root@master \~\]# curl http://10.245.5.18 > Welcome to The Apache. ##### 负载均衡 \[root@master \~\]# **sed 's,web1,web2,' web1.yaml \|kubectl apply -f -** pod/web2 created \[root@master \~\]# **sed 's,web1,web3,' web1.yaml \|kubectl apply -f -** pod/web3 created \[root@master \~\]# curl -s http://10.245.5.18/info.php \|grep php_host > php_host: web1 \[root@master \~\]# curl -s http://10.245.5.18/info.php \|grep php_host > php_host: web2 \[root@master \~\]# curl -s http://10.245.5.18/info.php \|grep php_host > php_host: web3 ##### 固定 IP 服务 \[root@master \~\]# vim websvc.yaml > --- > > kind: Service > > apiVersion: v1 > > metadata: > > name: websvc > > spec: > > type: ClusterIP > > clusterIP: 10.245.1.80 # 可以设置 ClusterIP > > selector: > > app: web # 引用标签 > > ports: > > - protocol: TCP > > port: 80 > > targetPort: 80 \[root@master \~\]# **kubectl replace --force -f websvc.yaml** service "websvc" deleted service/websvc replaced \[root@master \~\]# kubectl get service > NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) > > kubernetes ClusterIP 10.245.0.1 \ 443/TCP > > websvc ClusterIP 10.245.1.80 \ 80/TCP ##### 端口别名 \[root@master \~\]# vim websvc.yaml > --- > > kind: Service > > apiVersion: v1 > > metadata: > > name: websvc > > spec: > > type: ClusterIP > > clusterIP: 10.245.1.80 # 固定IP > > selector: > > app: web > > ports: > > - protocol: TCP > > port: 80 > > targetPort: myhttp # 使用别名查找后端服务端口 \[root@master \~\]# kubectl replace --force -f websvc.yaml service "websvc" deleted service/websvc replaced \[root@master \~\]# **kubectl delete pod --all** pod "web1" deleted pod "web2" deleted pod "web3" deleted \[root@master \~\]# vim web1.yaml > --- > > kind: Pod > > apiVersion: v1 > > metadata: > > name: web1 > > labels: > > app: web > > spec: > > containers: > > - name: apache > > image: myos:httpd > > ports: # 配置端口规范 > > - name: myhttp # 端口别名 > > protocol: TCP # 协议 > > containerPort: 80 # 端口号 \[root@master \~\]# kubectl apply -f web1.yaml pod/web1 created \[root@master \~\]# curl http://10.245.1.80 Welcome to The Apache. > **发布服务** > > * ClusterIP服务可以解决集群内应用互访的问题，但外部的应用无法访问集群内的资源，某些应用需要访问集群内的资源，我们就需要对外发布服务。 > > **服务类型** > > * ClusterIP:默认类型，可以实现Pod的自动感知与负载均衡，是最核心的服务类型，但ClusterIP不能对外发布服务，如果想对外发布服务可以使用NodePort 或Ingress  ##### 服务排错 > --- > > kind: Service > > apiVersion: v1 > > metadata: > > name: web123 > > spec: > > type: ClusterIP > > clusterIP: 192.168.88.80 > > selector: > > app: apache > > ports: > > - protocol: TCP > > port: 80 > > targetPort: web #### nodePort > **NodePort服务** > > **NodePort 与 Ingress** > > * NodePort:使用基于端口映射(默认值:30000-32767)的方式对外发布服务，可以发布任意服务(四层)-使用 Ingress控制器(一般由Nginx 或HAProxy构成)，用来发布http、https服务(七层)  ##### 对外发布服务 \[root@master \~\]# vim mysvc.yaml > --- > > kind: Service > > apiVersion: v1 > > metadata: > > name: mysvc > > spec: > > type: NodePort # 服务类型 > > selector: > > app: web > > ports: > > - protocol: TCP > > port: 80 > > nodePort: 30080 # 映射端口号 > > targetPort: 80 \[root@master \~\]# kubectl apply -f mysvc.yaml service/mysvc configured \[root@master \~\]# kubectl get service > NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) > > kubernetes ClusterIP 10.245.0.1 \ 443/TCP > > websvc ClusterIP 10.245.1.80 \ 80/TCP > > mysvc NodePort 10.245.3.88 \ 80:30080/TCP \[root@master \~\]# curl http://node-0001:30080 Welcome to The Apache. \[root@master \~\]# curl http://node-0002:30080 Welcome to The Apache. \[root@master \~\]# curl http://node-0003:30080 Welcome to The Apache. #### Ingress > **Ingress是什么?** > > * Ingress公开从集群外部到集群内服务的HTTP和HTTPS路由。流量路由由Ingress资源上定义的规则控制。 > * Ingress控制器通常由负载均衡器来实现(Nginx、HAProxy)  ##### 安装控制器 > **安装Ingress控制器** > > * Ingress服务由(规则+控制器)组成 > * 规则负责制定策略，控制器负责执行 > * 如果没有控制器，单独设置规则无效 > * 获取控制器镜像及资源文件- 地址: https://github.com/kubernetes/ingress-nginx \[root@master \~\]# **cd plugins/ingress** \[root@master ingress\]# docker load -i ingress.tar.xz \[root@master ingress\]# docker images\|while read i t _;do \[\[ "${t}" == "TAG" \]\] \&\& continue \[\[ "${i}" =\~ \^"harbor:443/".+ \]\] \&\& continue docker tag ${i}:${t} harbor:443/plugins/${i##\*/}:${t} docker push harbor:443/plugins/${i##\*/}:${t} docker rmi ${i}:${t} harbor:443/plugins/${i##\*/}:${t} done \[root@master ingress\]# **sed -ri 's,\^(\\s\*image: )(.\*/)?(.+),\\1harbor:443/plugins/\\3,' deploy.yaml** > 443: image: registry.k8s.io/ingress-nginx/controller:v1.9.6 > > 546: image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231226-1a7112e06 > > 599: image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231226-1a7112e06 \[root@master ingress\]# kubectl apply -f deploy.yaml \[root@master ingress\]# kubectl -n ingress-nginx get pods > NAME READY STATUS RESTARTS > > ingress-nginx-admission-create--1-lm52c 0/1 Completed 0 > > ingress-nginx-admission-patch--1-sj2lz 0/1 Completed 0 > > ingress-nginx-controller-5664857866-tql24 1/1 Running 0 ##### 验证后端服务 \[root@master \~\]# kubectl get pods,services > NAME READY STATUS RESTARTS AGE > > pod/web1 1/1 Running 0 35m > > NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) > > service/kubernetes ClusterIP 10.245.0.1 \ 443/TCP > > service/websvc ClusterIP 10.245.1.80 \ 80/TCP > > service/mysvc NodePort 10.245.3.88 \ 80:30080/TCP \[root@master \~\]# curl http://10.245.1.80 > Welcome to The Apache. ##### 对外发布服务 # **查询 ingress 控制器类名称** \[root@master \~\]# kubectl get ingressclasses.networking.k8s.io > NAME CONTROLLER PARAMETERS AGE > > nginx k8s.io/ingress-nginx \ 5m7s # 资源清单文件 \[root@master \~\]# kubectl create ingress mying --class=nginx --rule=nsd.tedu.cn/\*=mysvc:80 --dry-run=client -o yaml \[root@master \~\]# vim mying.yaml > --- > > kind: Ingress # 资源对象类型 > > apiVersion: networking.k8s.io/v1 # 资源对象版本 > > metadata: # 元数据 > > name: mying # 资源对象名称 > > spec: # 资源对象定义 > > ingressClassName: nginx # 使用的类名称 > > rules: # ingress 规则定义 > > - host: nsd.tedu.cn # 域名定义，没有可以不写 > > http: # 协议 > > paths: # 访问的路径定义 > > - path: / # 访问的url路径 > > pathType: Prefix # 路径的类型(Exact. Prefix) > > backend: # 后端服务 > > service: # 服务声明 > > name: websvc # 服务名称 > > port: # 端口号声明 > > number: 80 #访问服务的端口号 \[root@master \~\]# kubectl apply -f mying.yaml ingress.networking.k8s.io/mying created \[root@master \~\]# kubectl get ingress > NAME CLASS HOSTS ADDRESS PORTS > > mying nginx nsd.tedu.cn 192.168.88.51 80 \[root@master \~\]# curl -H "Host: nsd.tedu.cn" http://192.168.88.51 Welcome to The Apache. ### web 管理插件 #### 安装 Dashboard > **Dashboard是什么?** > > * Dashboard是基于网页的Kubernetes用户界面。 > * Dashboard同时展示了Kubernetes 集群中的资源状态信息和所有报错信息。 > * 你可以使用Dashboard将应用部署到集群中，也可以对容器应用排错，还能管理集群资源。例如，你可以对应用弹性伸缩、发起滚动升级、重启等等。 > > **Dashboard 官网地址:** > > * https://github.com/kubernetes/dashboard \[root@master \~\]# **cd plugins/dashboard** \[root@master dashboard\]# docker load -i dashboard.tar.xz \[root@master dashboard\]# docker images\|while read i t _;do \[\[ "${t}" == "TAG" \]\] \&\& continue \[\[ "${i}" =\~ \^"harbor:443/".+ \]\] \&\& continue docker tag ${i}:${t} harbor:443/plugins/${i##\*/}:${t} docker push harbor:443/plugins/${i##\*/}:${t} docker rmi ${i}:${t} harbor:443/plugins/${i##\*/}:${t} done \[root@master dashboard\]# sed -ri 's,\^(\\s\*image: )(.\*/)?(.+),\\1harbor:443/plugins/\\3,' recommended.yaml > 193: image: kubernetesui/dashboard:v2.7.0 > > 278: image: kubernetesui/metrics-scraper:v1.0.8 \[root@master dashboard\]# kubectl apply -f recommended.yaml \[root@master dashboard\]# kubectl -n kubernetes-dashboard get pods > NAME READY STATUS RESTARTS > > dashboard-metrics-scraper-66f6f56b59-b42ng 1/1 Running 0 > > kubernetes-dashboard-65ff57f4cf-lwtsk 1/1 Running 0 #### 发布服务 # 查看服务状态 \[root@master dashboard\]# kubectl -n kubernetes-dashboard get service > NAME TYPE CLUSTER-IP PORT(S) > > dashboard-metrics-scraper ClusterIP 10.245.205.236 8000/TCP > > kubernetes-dashboard ClusterIP 10.245.215.40 443/TCP # 获取服务资源对象文件 \[root@master dashboard\]# **sed -n '30,45p' recommended.yaml \>dashboard-svc.yaml** \[root@master dashboard\]# vim dashboard-svc.yaml > --- > > kind: Service > > apiVersion: v1 > > metadata: > > labels: > > k8s-app: kubernetes-dashboard > > name: kubernetes-dashboard > > namespace: kubernetes-dashboard > > spec: > > type: NodePort > > ports: > > - port: 443 > > nodePort: 30443 > > targetPort: 8443 > > selector: > > k8s-app: kubernetes-dashboard \[root@master dashboard\]# kubectl apply -f dashboard-svc.yaml service/kubernetes-dashboard configured \[root@master dashboard\]# kubectl -n kubernetes-dashboard get service > NAME TYPE CLUSTER-IP PORT(S) > > dashboard-metrics-scraper ClusterIP 10.245.205.236 8000/TCP > > kubernetes-dashboard NodePort 10.245.215.40 443:30443/TCP * 通过浏览器访问 Dashboard 登录页面 ### 服务账号与权限 #### 创建服务账号 # 资源对象模板 \[root@master \~\]# kubectl -n kubernetes-dashboard create serviceaccount kube-admin --dry-run=client -o yaml \[root@master \~\]# vim admin-user.yaml > --- > > kind: ServiceAccount #资源对象类型 > > apiVersion: v1 # 版本 > > metadata: #元数据 > > name: kube-admin # ServiceAccount 名称 > > namespace: kubernetes-dashboard #名称空间 \[root@master \~\]# kubectl apply -f admin-user.yaml serviceaccount/kube-admin created \[root@master \~\]# kubectl -n kubernetes-dashboard get serviceaccounts > NAME SECRETS AGE > > default 0 16m > > kube-admin 0 11s > > kubernetes-dashboard 0 16m #### 获取用户 token \[root@master \~\]# kubectl -n kubernetes-dashboard create token kube-admin \ #### 角色与鉴权 > | 资源对象 | 描述 | 作用域 | > |------------------------|-------------------------------|--------| > | **ServiceAccount** | 服务账号，为 Pod 中运行的进程提供了一个身份 | 单一名称空间 | > | **Role** | 角色，包含一组代表相关权限的规则 | 单一名称空间 | > | **ClusterRole** | 角色，包含一组代表相关权限的规则 | 全集群 | > | **RoleBinding** | 将权限赋予用户，Role、ClusterRole 均可使用 | 单一名称空间 | > | **ClusterRoleBinding** | 将权限赋予用户，只可以使用 ClusterRole | 全集群 | > > **资源对象权限** > > | create | delete | deletecollection | get | list | patch | update | watch | > |--------|--------|------------------|----------|----------|--------|--------|--------| > | **创建** | **删除** | **删除集合** | **获取属性** | **获取列表** | **补丁** | **更新** | **监控** | ##### 普通角色 \[root@master \~\]# kubectl cluster-info dump \|grep authorization-mode "--authorization-mode=Node,RBAC", # 资源对象模板 \[root@master \~\]# kubectl -n default create role myrole --resource=pods --verb=get,list --dry-run=client -o yaml \[root@master \~\]# kubectl -n default create rolebinding kube-admin-role --role=myrole --serviceaccount=kubernetes-dashboard:kube-admin --dry-run=client -o yaml \[root@master \~\]# vim myrole.yaml > --- > > kind: Role > > apiVersion: rbac.authorization.k8s.io/v1 > > metadata: > > name: myrole # 角色名称 > > namespace: default > > rules: # 规则 > > - apiGroups: # 资源对象所属组信息 > > - "" # 分组信息 > > resources: # 要设置权限的资源对象 > > - pods # 授权资源对象名称 > > verbs: # 权限设置 > > - get # 权限 > > - list # 权限 > > --- > > kind: RoleBinding > > apiVersion: rbac.authorization.k8s.io/v1 > > metadata: > > name: kube-admin-role > > namespace: default # 授权策略名称 > > roleRef: # 关联权限 > > apiGroup: rbac.authorization.k8s.io # 角色对象组 > > kind: Role # 角色对象 > > name: myrole # 角色名称 > > subjects: # 授权信息 > > - kind: ServiceAccount # 账号资源对象 > > name: kube-admin # 账号名称 > > namespace: kubernetes-dashboard # 账号所在的名称空间 \[root@master \~\]# kubectl apply -f myrole.yaml role.rbac.authorization.k8s.io/myrole created rolebinding.rbac.authorization.k8s.io/kube-admin-role created \[root@master \~\]# kubectl delete -f myrole.yaml role.rbac.authorization.k8s.io "myrole" deleted rolebinding.rbac.authorization.k8s.io "kube-admin-role" deleted ##### 集群管理员 \[root@master \~\]# kubectl get clusterrole > NAME CREATED AT > > admin 2022-06-24T08:11:17Z > > cluster-admin 2022-06-24T08:11:17Z > > ... ... # 资源对象模板 \[root@master \~\]# kubectl create clusterrolebinding kube-admin-role --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:kube-admin --dry-run=client -o yaml \[root@master \~\]# vim admin-user.yaml > --- > > kind: ServiceAccount > > apiVersion: v1 > > metadata: > > name: kube-admin > > namespace: kubernetes-dashboard > > --- > > kind: ClusterRoleBinding > > apiVersion: rbac.authorization.k8s.io/v1 > > metadata: # 元数据 > > name: kube-admin-role # 授权策略名称 > > roleRef: # 关联权限 > > apiGroup: rbac.authorization.k8s.io # 角色对象组 > > kind: ClusterRole # 角色对象 > > name: cluster-admin # 角色名称 > > subjects: # 授权信息 > > - kind: ServiceAccount # 账号资源对象 > > name: kube-admin # 账号名称 > > namespace: kubernetes-dashboard # 账号所在的名称空间 \[root@master \~\]# kubectl apply -f admin-user.yaml serviceaccount/kube-admin unchanged clusterrolebinding.rbac.authorization.k8s.io/kube-admin-role created