
k8s资源之pod全面讲解_重启

 

 

----------------------------------------------------------------------------------------------------------------------------------------

1)

•K8s核心资源,用于运行容器

•简称:po

•一个pod可以运行多个容器

•Pod中的容器可以共享网络和存储

常用命令:

kubectl create -f nginx-01.yaml 
kubectl apply -f nginx-01.yaml
kubectl get pod
kubectl get pod -l name=nginx
kubectl delete pod nginx
kubectl delete pod --all
kubectl get pod -o wide
kubectl edit pod nginx
kubectl get pod nginx -o yaml
kubectl delete pod -f nginx-01.yaml
kubectl label pod nginx project=web
kubectl annotate pod nginx project=web
kubectl exec -it nginx /bin/bash
kubectl cp default/nginx:/etc/nginx/nginx.conf ~/nginx.conf
kubectl cp ~/aa default/nginx:/tmp
kubectl logs nginx

2)Pod生命周期

k8s资源之pod全面讲解_重启_02

3)Pod重启策略

•Pod的重启策略RestartPolicy可能的值为 Always、OnFailure 和 Never,默认为 Always

•Always:当容器失效时,由kubelet自动重启

•OnFailure:当容器终止运行且退出码不为0时,由kubelet自动重启

•Never:不论容器运行状态如何都不会重启

4)Pod健康检查

•LivenessProbe:存活性探测

•ReadinessProbe:就绪性探测

存活性/就绪性探测可配置以下三种实现方式:

ExecAction:在容器内执行指定命令。如果命令退出时返回码为 0 则表明容器健康

•TCPSocketAction:对指定端口上的容器的 IP 地址进行 TCP 检查。如果能够建立连接,则表明容器健康。

•HTTPGetAction:对指定的端口和路径上的容器的 IP 地址执行 HTTP Get 请求。如果响应的状态码大于等于200 且小于 400则表明容器健康

initialDelaySeconds和timeoutSeconds参数,分别表示首次检查等待时间以及超时时间。

periodSeconds: 15 #检查间隔时间

failureThreshold: 3 #判定为失败前允许的最大连续失败次数

successThreshold: 1 #失败后重新判定为成功所需的最小连续成功次数

[root@master01 readiness]# cat pod-readiness-exec.yaml 
apiVersion: v1
kind: Pod
metadata:
labels:
test: readiness-exec
name: readiness-exec
spec:
containers:
- name: liveness
image: busybox
args:
- /bin/sh
- -c
- echo ok > /tmp/health; sleep 10; rm -rf /tmp/health; sleep 600
readinessProbe:
exec:
command:
- cat
- /tmp/health
initialDelaySeconds: 15
timeoutSeconds: 1
[root@master01 readiness]# cat pod-readiness-http.yaml 
apiVersion: v1
kind: Pod
metadata:
name: pod-http-healthcheck
spec:
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80
readinessProbe:
httpGet:
path: /_status/healthz
port: 80
initialDelaySeconds: 30
timeoutSeconds: 1
[root@master01 readiness]# cat pod-readiness-tcp.yaml 
apiVersion: v1
kind: Pod
metadata:
name: pod-tcp-healthcheck
spec:
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80
readinessProbe:
tcpSocket:
port: 80
initialDelaySeconds: 30
timeoutSeconds: 1

liveness:

[root@master01 readiness]# cat pod-liveness-exec.yaml 
apiVersion: v1
kind: Pod
metadata:
labels:
test: readiness-exec
name: liveness-exec
spec:
containers:
- name: liveness
image: busybox
args:
- /bin/sh
- -c
- echo ok > /tmp/health; sleep 10; rm -rf /tmp/health; sleep 600
livenessProbe:
exec:
command:
- cat
- /tmp/health
initialDelaySeconds: 15
timeoutSeconds: 1
[root@master01 readiness]# cat pod-liveness-http.yaml 
apiVersion: v1
kind: Pod
metadata:
name: pod-liveness-http
spec:
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80
livenessProbe:
httpGet:
path: /_status/healthz
port: 80
initialDelaySeconds: 30
timeoutSeconds: 1
[root@master01 readiness]# cat pod-liveness-tcp.yaml 
apiVersion: v1
kind: Pod
metadata:
name: pod-liveness-tcp
spec:
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80
livenessProbe:
tcpSocket:
port: 80
initialDelaySeconds: 30
timeoutSeconds: 1

5)imagePullPolicy

三个可选值 Always、Never、IfNotPresent,表示每次启动容器时是否检查并从 registry 更新镜像的策略: # Always,每次都检查 # Never,每次都不检查(不管本地是否有) # IfNotPresent,如果本地有就不检查,如果没有就拉取

6)资源管理

[root@master01 resources]# cat tomcat.yaml 
apiVersion: v1
kind: Pod
metadata:
name: volume-pod
spec:
containers:
- name: tomcat
image: tomcat
ports:
- containerPort: 8080
volumeMounts:
- name: app-logs
mountPath: /usr/local/tomcat/logs
resources:
limits:
cpu: 0.1
memory: 100Mi
- name: busybox
image: busybox
command: ["sh", "-c", "tail -f /logs/catalina*.log"]
volumeMounts:
- name: app-logs
mountPath: /logs
volumes:
- name: app-logs
emptyDir: {}
[root@master01 resources]# cat nginx.yaml 
apiVersion: v1
kind: Pod
metadata:
name: nginx
labels:
name: nginx
spec:
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80
hostPort: 80
resources:
requests:
cpu: 0.01
memory: 1Mi
limits:
cpu: 0.5
memory: 10Mi


requests


limits


yum -y install httpd-tools


ab -c 500 -n 20000 http://172.20.2.23:8080/index.html


# vim /etc/sysctl.conf

# 仅用于压测环境:关闭 SYN cookies 会削弱主机对 SYN flood 的防护,压测结束后应恢复为 1
net.ipv4.tcp_syncookies = 0

# sysctl -p

7)生命周期管理


postStart : # 容器运行之前运行的任务


preStop :# 容器关闭之前运行的任务


[root@master01 lifecycle]# cat nginx-postStart-exec.yaml 
apiVersion: v1
kind: Pod
metadata:
name: nginx
labels:
name: nginx
spec:
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80
lifecycle:
postStart:
exec:
command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"]
[root@master01 lifecycle]# cat nginx-preStop-exec.yaml 
apiVersion: v1
kind: Pod
metadata:
name: nginx
labels:
name: nginx
spec:
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80
lifecycle:
preStop:
exec:
command: ["/usr/sbin/nginx","-s","quit"]
[root@master01 lifecycle]# cat nginx-preStop-httpGet.yaml 
apiVersion: v1
kind: Pod
metadata:
name: nginx
labels:
name: nginx
spec:
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80
lifecycle:
preStop:
httpGet:
host: 192.168.4.170
path: api/v2/devops/pkg/upload_hooks
port: 8090

8)Init Container

[root@master01 initContainers]# cat init.yaml 
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod
labels:
app: myapp
spec:
containers:
- name: myapp-container
image: busybox
command: ['sh', '-c', 'echo The app is running! && sleep 3600']
initContainers:
- name: init-myservice
image: busybox
command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;']
- name: init-mydb
image: busybox
command: ['sh', '-c', 'until nslookup mydb; do echo waiting for mydb; sleep 2; done;']
[root@master01 initContainers]# cat service.yaml 
kind: Service
apiVersion: v1
metadata:
name: myservice
spec:
ports:
- protocol: TCP
port: 80
targetPort: 9376
---
kind: Service
apiVersion: v1
metadata:
name: mydb
spec:
ports:
- protocol: TCP
port: 80
targetPort: 9377

9)nodeSelector

[root@master01 nodeSelector]# cat nginx.yaml 
apiVersion: v1
kind: Pod
metadata:
name: nginx
labels:
name: nginx
spec:
nodeSelector:
zone: node1
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80
hostPort: 80

10)affinity

•podAffinity

•nodeAffinity

[root@master01 affinity]# cat node-affinity.yaml 
apiVersion: v1
kind: Pod
metadata:
name: with-node-affinity
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/e2e-az-name
operator: In
values:
- e2e-az1
- e2e-az2
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: type
operator: In
values:
- ssd
containers:
- name: with-node-affinity
image: nginx
ports:
- containerPort: 80
[root@master01 podAffinity]# cat ./*
apiVersion: v1
kind: Pod
metadata:
name: with-anti-affinity
spec:
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: security
operator: In
values:
- S1
topologyKey: "kubernetes.io/hostname"
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: security
operator: In
values:
- S2
topologyKey: kubernetes.io/hostname
containers:
- name: with-anti-affinity
image: nginx
apiVersion: v1
kind: Pod
metadata:
name: pod-flag-s2
labels:
security: "S2"
app: "nginx"
spec:
containers:
- name: nginx
image: nginx
apiVersion: v1
kind: Pod
metadata:
name: pod-flag-s1
labels:
security: "S1"
app: "nginx"
spec:
containers:
- name: nginx
image: nginx
apiVersion: v1
kind: Pod
metadata:
name: pod-affinity
spec:
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: security
operator: In
values:
- S1
topologyKey: kubernetes.io/hostname
containers:
- name: with-pod-affinity
image: nginx

11)activeDeadlineSeconds

[root@master01 activeDeadlineSeconds]# cat nginx.yaml 
apiVersion: v1
kind: Pod
metadata:
name: nginx
labels:
name: nginx
spec:
activeDeadlineSeconds: 30
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80
hostPort: 80

12)dnsConfig

[root@master01 dnsConfig]# cat dns-example.yaml 
apiVersion: v1
kind: Pod
metadata:
namespace: default
name: dns-example
spec:
containers:
- name: test
image: busybox
args:
- "sh"
- "-c"
- "sleep 3600"
dnsPolicy: "None"
dnsConfig:
nameservers:
- 114.114.115.115
searches:
- ns1.svc.cluster.local
- my.dns.search.suffix
options:
- name: ndots
value: "2"
- name: edns0

13)dnsPolicy

•None

需配合 dnsConfig 自行设置 DNS

•ClusterFirst

•ClusterFirstWithHostNet

•Default

[root@master01 dnsPolicy]# cat dns-policy-default.yaml 
apiVersion: v1
kind: Pod
metadata:
name: dns-example
spec:
containers:
- name: test
image: busybox
args:
- "sh"
- "-c"
- "sleep 3600"
dnsPolicy: "Default"
[root@master01 dnsPolicy]# cat dns-policy-hostNetwork.yaml 
apiVersion: v1
kind: Pod
metadata:
name: dns-example
spec:
containers:
- name: test
image: busybox
args:
- "sh"
- "-c"
- "sleep 3600"
dnsPolicy: "ClusterFirstWithHostNet"
hostNetwork: true


14)ephemeralContainers


[root@master01 ephemeralContainers]# cat ephemeral.json 
{
"apiVersion": "v1",
"kind": "EphemeralContainers",
"metadata": {
"name": "nginx"
},
"ephemeralContainers": [{
"command": [
"bash"
],
"image": "shoganator/rpi-alpine-tools",
"imagePullPolicy": "Always",
"name": "diagtools",
"stdin": true,
"tty": true,
"terminationMessagePolicy": "File"
}]
}



kubectl -n default replace --raw /api/v1/namespaces/default/pods/nginx/ephemeralcontainers -f ./ephemeral.json




15)hostalias



[root@master01 hostalias]# cat hostalias.yaml 
apiVersion: v1
kind: Pod
metadata:
name: hostaliases-pod
spec:
restartPolicy: Never
hostAliases:
- ip: "127.0.0.1"
hostnames:
- "foo.local"
- "bar.local"
- ip: "10.1.2.3"
hostnames:
- "foo.remote"
- "bar.remote"
containers:
- name: cat-hosts
image: nginx
command:
- cat
args:
- "/etc/hosts"

16)hostname

[root@master01 hostname]# cat hostname.yaml 
apiVersion: v1
kind: Pod
metadata:
name: hostname-pod
spec:
restartPolicy: Never
hostname: mark
containers:
- name: cat-hosts
image: nginx
command:
- hostname


17)nodeName

[root@master01 nodename]# cat nodename.yaml 
apiVersion: v1
kind: Pod
metadata:
name: nodename-pod
spec:
restartPolicy: Never
nodeName: 192.168.198.156
containers:
- name: cat-hosts
image: nginx

18)preemptionPolicy

[root@master01 preemptionPolicy]# cat preemption.yaml 
apiVersion: v1
kind: Pod
metadata:
name: preemption-pod
spec:
restartPolicy: Never
preemptionPolicy: PreemptLowerPriority
containers:
- name: cat-hosts
image: nginx

19)priority

[root@master01 priority]# cat priority.yaml 
apiVersion: v1
kind: Pod
metadata:
name: priority-pod
spec:
restartPolicy: Never
preemptionPolicy: PreemptLowerPriority
priority: 1000
containers:
- name: cat-hosts
image: nginx

20)priorityClassName

[root@master01 priorityClass]# cat priorityClass.yaml 
apiVersion: v1
kind: Pod
metadata:
name: priorityclass-pod
spec:
restartPolicy: Never
priorityClassName: high-priority
containers:
- name: cat-hosts
image: nginx



[root@master01 priorityClass]# cat high-priority.yaml
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
name: high-priority
value: 1000000
globalDefault: false
description: "This priority class should be used for XYZ service pods only."

21)readinessGates

[root@master01 readinessGates]# cat nginx.yaml 
apiVersion: v1
kind: Pod
metadata:
name: nginx
labels:
name: nginx
spec:
readinessGates:
- conditionType: "www.example.com/feature-1"
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80
hostPort: 80

22)Security Context

•Container-level Security Context:仅应用到指定的容器

•Pod-level Security Context:应用到Pod内所有容器以及Volume

•Pod Security Policies(PSP):应用到集群内部所有Pod以及Volume(注:PSP 已被废弃并在较新版本中移除,由 Pod Security Admission 取代)

[root@master01 podSecurityContext]# cat ./*
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-10
spec:
securityContext:
sysctls:
- name: kernel.shm_rmid_forced
value: "0"
containers:
- name: sec-ctx-4
image: busybox
args:
- "sh"
- "-c"
- "sleep 36000"
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-1
spec:
securityContext:
runAsUser: 1000
fsGroup: 2000
volumes:
- name: sec-ctx-vol
emptyDir: {}
containers:
- name: sec-ctx-demo
image: busybox
args:
- "sh"
- "-c"
- "sleep 36000"
securityContext:
allowPrivilegeEscalation: false
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-2
spec:
securityContext:
runAsUser: 1000
containers:
- name: sec-ctx-demo-2
image: busybox
args:
- "sh"
- "-c"
- "sleep 36000"
securityContext:
runAsUser: 2000
allowPrivilegeEscalation: false
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-3
spec:
containers:
- name: sec-ctx-4
image: busybox
args:
- "sh"
- "-c"
- "sleep 36000"
securityContext:
privileged: true
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-4-1
spec:
containers:
- name: sec-ctx-4
image: busybox
args:
- "sh"
- "-c"
- "sleep 36000"
securityContext:
capabilities:
add: ["NET_ADMIN", "SYS_TIME"]
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-5
spec:
securityContext:
runAsUser: 1000
runAsGroup: 1000
containers:
- name: sec-ctx-4
image: busybox
args:
- "sh"
- "-c"
- "sleep 36000"
securityContext:
capabilities:
add: ["NET_ADMIN", "SYS_TIME"]
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-6
spec:
securityContext:
runAsNonRoot: true
containers:
- name: sec-ctx-4
image: busybox
args:
- "sh"
- "-c"
- "sleep 36000"
securityContext:
capabilities:
add: ["NET_ADMIN", "SYS_TIME"]
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-7
spec:
securityContext:
fsGroup: 1234
supplementalGroups: [5678]
seLinuxOptions:
level: "s0:c123,c456"
containers:
- name: sec-ctx-4
image: busybox
args:
- "sh"
- "-c"
- "sleep 36000"
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-8
spec:
containers:
- name: sec-ctx-4
image: busybox
args:
- "sh"
- "-c"
- "sleep 36000"
securityContext:
capabilities:
drop:
- NET_RAW
- CHOWN
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-9
spec:
securityContext:
sysctls:
- name: net.ipv4.ip_forward
value: "1"
containers:
- name: sec-ctx-4
image: busybox
args:
- "sh"
- "-c"
- "sleep 36000"

23)serviceAccountName

[root@master01 serviceAccountName]# cat nginx.yaml 
apiVersion: v1
kind: Pod
metadata:
name: nginx
labels:
name: nginx
spec:
serviceAccountName: default
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80
hostPort: 80

24)subdomain

[root@master01 subdomain]# cat ./*
apiVersion: v1
kind: Pod
metadata:
name: nginx
labels:
app: nginx-0
spec:
hostname: mark
subdomain: com
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80
hostPort: 80

25)terminationGracePeriodSeconds

[root@master01 terminationGracePeriodSeconds]# cat nginx.yaml 
apiVersion: v1
kind: Pod
metadata:
name: nginx
labels:
name: nginx
spec:
terminationGracePeriodSeconds: 0
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80
hostPort: 80

26)tolerations


Taints Tolerations


taint 定义在 node 上,排斥 pod


toleration 定义在 pod 中, 容忍 taint


kubectl taint nodes node1 key=value:NoSchedule

kubectl taint nodes node1 key:NoSchedule-

Effect:

NoSchedule

NoExecute

[root@master01 tolerations]# cat nginx.yaml 
apiVersion: v1
kind: Pod
metadata:
name: nginx
labels:
env: test
spec:
containers:
- name: nginx
image: nginx
imagePullPolicy: IfNotPresent
tolerations:
- key: "example-key"
operator: "Exists"
effect: "NoSchedule"