3、k8s 核心实战
阅读原文时间:2023年07月09日阅读:3

7 kubernets核心实战

  • 命令行
  • yaml

名称空间来隔离资源

命令行方式

kubectl create ns hello
kubectl delete ns hello

yaml方式

apiVersion: v1
kind: Namespace
metadata:
  name: hellp

使用 kubectl apply -f xx.yaml

运行中的一组容器,pod是kubernetes中应用最小的单位

7.3.1 通过kubectl run 创建容器

kubectl run mynginx --image=nginx

7.3.2 通过yaml的方式创建容器

一个pod一个服务

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: mynginx
  name: mynginx
  namespace: default
spec:
  containers:
  - image: nginx
    name: mynginx

一个pod多个服务

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: apps
  name: apps
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  - image: tomcat:8.5.68
    name: tomcat

常用命令

# 查看default命名空间的pod
kubectl get pod

# 查看描述
kubectl describe pod 你的pod名字

# 删除
kubectl delete pod 你的pod名字

# 查看日志
kubectl logs 你的pod名字

# 每个pod k8s都会分配一个ip,查看分配的ip
# 集群中的任意一个机器以及任意的应用都能通过pod分配的ip来访问这个pod
kubectl get pod -owide

控制pod,使pod拥有多个副本、自愈、扩缩容等能力

# 使用两种方式创建pod,然后再删除pod,对比一下效果
kubectl run mynginx --image=nginx
kubectl create deployment mytomcat --image=tomcat:8.5.68

结论:使用run没有自愈能力,而使用create deployment 有自愈能力

8 多副本、扩缩容

命令行方式:

kubectl create deployment my-dep --image=nginx --replicas=3

yaml方式:

vi my-dep.yaml

kubectl apply -f my-dep.yaml

yaml内容:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: my-dep
  name: my-dep
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-dep
  template:
    metadata:
      labels:
        app: my-dep
    spec:
      containers:
      - image: nginx
        name: nginx

常用命令

# 查看default命名空间的pod
kubectl get pod

# 查看描述
kubectl describe pod 你的pod名字

# 删除
kubectl delete pod 你的pod名字

# 查看日志
kubectl logs 你的pod名字

# 每个pod k8s都会分配一个ip,查看分配的ip
# 集群中的任意一个机器以及任意的应用都能通过pod分配的ip来访问这个pod
kubectl get pod -owide

# deployment 方式删除
kubectl delete deploy 你的pod名称

扩容

# 方式一
kubectl scale --replicas=5 deployment/my-dep

# 方式二
kubectl edit deployment my-dep
# 修改 replicas

自愈:当pod因为某种原因宕机时,k8s会自动重启pod

故障转移:当pod所在服务器宕机时,能在其他节点重新部署对应的pod,所在服务恢复时,所在服务的pod将被删除

查看当前pod内应用使用的版本

kubectl get deployment my-dep -oyaml

滚动更新

方式一:--record 记录更新版本信息

kubectl set image deployment/my-dep nginx=nginx:1.16.1 --record

方式二:

修改 image 对应的版本号

kubectl edit deployment/my-dep

流程:先创建一个新的pod,当新的running后,删除一个老的pod,依次执行这个流程,知道所有旧版本全部被替换

查看历史版本

kubectl rollout history deployment/my-dep

查看某个历史版本详情

kubectl rollout history deployment/my-dep --revision=2

回滚到上个版本

kubectl rollout undo deployment/my-dep

回滚版本到指定版本

kubectl rollout undo deployment/my-dep --to-revision=1

工作负载:

Deployment:无状态应用部署,类似一些微服务、提供多副本等功能

StatefulSet:有状态应用部署,类似Redis,mysql,提供稳定的存储、网络等功能

DaemonSet:守护进程集,守护型应用部署,比如日志收集组件,在每个机器都有一份

Job/CronJob:任务/定时任务,比如垃圾清理组件,可以指定时间运行

9 Service

9.1.1 不带type 模式type 是 ClusterIP

方式一:

# 暴露deploy --port pod对外暴露的端口,--target-port=80 pod内部的端口 my-dep:pod名 my-dep-service:service名字
kubectl expose deployment my-dep --name=my-dep-service --prot=8000 --target-port=80

方式二:

apiVersion: v1
kind: Service
metadata:
  labels:
    app: my-dep
  name: my-dep-service
spec:
  selector:
    app: my-dep
  ports:
  - port: 8000
    protocol: TCP
    targetPort: 80

使用标签检索pod

kubectl get pod -l app=my-dep

查看使用service 暴露的ip和端口

# 查看所有的service暴露的ip和端口
kubectl get service
# 查看指定的
kubectl get service 你的service名字
# 删除指定的service
kubectl delete service 你的service名字

9.1.2 带type

9.1.2.1 ClusterIP

方式一:

# 暴露deploy --port pod对外暴露的端口,--target-port=80 pod内部的端口 my-dep:pod名 my-dep-service:service名字
kubectl expose deployment my-dep --name=my-dep-service --prot=8000 --target-port=80 --type=ClusterIP

方式二:

apiVersion: v1
kind: Service
metadata:
  labels:
    app: my-dep
  name: my-dep-service
spec:
  selector:
    app: my-dep
  type: ClusterIP
  ports:
  - port: 8000
    protocol: TCP
    targetPort: 80

9.1.2.2 NodePort

方式一:

# 暴露deploy --port pod对外暴露的端口,--target-port=80 pod内部的端口 my-dep:pod名 my-dep-service:service名字
kubectl expose deployment my-dep --name=my-dep-service --prot=8000 --target-port=80 --type=NodePort

方式二:

apiVersion: v1
kind: Service
metadata:
  labels:
    app: my-dep
  name: my-dep-service
spec:
  selector:
    app: my-dep
  type: NodePort
  ports:
  - port: 8000
    protocol: TCP
    targetPort: 80

NodePort范围在 30000-32767 之间

9 Ingress

9.1.1 安装

wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/baremetal/deploy.yaml

#修改镜像
vi deploy.yaml
#1、将image k8s.gcr.io/ingress-nginx/controller:v0.46.0@sha256:52f0058bed0a17ab0fb35628ba97e8d52b5d32299fbc03cc0f6c7b9ff036b61a的值改为如下值:
registry.cn-hangzhou.aliyuncs.com/lfy_k8s_images/ingress-nginx-controller:v0.46.0
#2、在修改了image的上一层增加 hostNetwork: true,如下图1

#3、找到secretName将ingress-nginx-admission改为ingress-nginx-admission-token

# 安装
kubectl apply -f deploy.yaml

# 检查安装的结果
kubectl get pod,svc -n ingress-nginx

图1:

如果下载不到这个文件或者不想修改,就用下面的文件(当前文件已经修改了image的值和其他内容)

apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx

---
# Source: ingress-nginx/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
automountServiceAccountToken: true
---
# Source: ingress-nginx/templates/controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
---
# Source: ingress-nginx/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io   # k8s 1.14+
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - extensions
      - networking.k8s.io   # k8s 1.14+
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io   # k8s 1.14+
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
---
# Source: ingress-nginx/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - configmaps
      - pods
      - secrets
      - endpoints
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io   # k8s 1.14+
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io   # k8s 1.14+
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io   # k8s 1.14+
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - configmaps
    resourceNames:
      - ingress-controller-leader-nginx
    verbs:
      - get
      - update
  - apiGroups:
      - ''
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
---
# Source: ingress-nginx/templates/controller-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-service-webhook.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
spec:
  type: ClusterIP
  ports:
    - name: https-webhook
      port: 443
      targetPort: webhook
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
    - name: https
      port: 443
      protocol: TCP
      targetPort: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/component: controller
  revisionHistoryLimit: 10
  minReadySeconds: 0
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
    spec:
      hostNetwork: true
      dnsPolicy: ClusterFirst
      containers:
        - name: controller
          image: registry.cn-hangzhou.aliyuncs.com/lfy_k8s_images/ingress-nginx-controller:v0.46.0
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          args:
            - /nginx-ingress-controller
            - --election-id=ingress-controller-leader
            - --ingress-class=nginx
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            runAsUser: 101
            allowPrivilegeEscalation: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: webhook
              containerPort: 8443
              protocol: TCP
          volumeMounts:
            - name: webhook-cert
              mountPath: /usr/local/certificates/
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 90Mi
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission-token
---
# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
# before changing this value, check the required kubernetes version
# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  name: ingress-nginx-admission
webhooks:
  - name: validate.nginx.ingress.kubernetes.io
    matchPolicy: Equivalent
    rules:
      - apiGroups:
          - networking.k8s.io
        apiVersions:
          - v1beta1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        namespace: ingress-nginx
        name: ingress-nginx-controller-admission
        path: /networking/v1beta1/ingresses
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
rules:
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
      - update
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - get
      - create
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-create
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
spec:
  template:
    metadata:
      name: ingress-nginx-admission-create
      labels:
        helm.sh/chart: ingress-nginx-3.33.0
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 0.47.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: create
          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
          imagePullPolicy: IfNotPresent
          args:
            - create
            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
            - --namespace=$(POD_NAMESPACE)
            - --secret-name=ingress-nginx-admission
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-patch
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
spec:
  template:
    metadata:
      name: ingress-nginx-admission-patch
      labels:
        helm.sh/chart: ingress-nginx-3.33.0
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 0.47.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: patch
          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
          imagePullPolicy: IfNotPresent
          args:
            - patch
            - --webhook-name=ingress-nginx-admission
            - --namespace=$(POD_NAMESPACE)
            - --patch-mutating=false
            - --secret-name=ingress-nginx-admission
            - --patch-failure-policy=Fail
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000


kubectl apply -f deploy.yaml

9.1.2 查看状态

kubectl get pod -n ingress-nginx

我们看到ingress-nginx-controller-78965bffd5-qp6k8容器处于ContainerCreating,我们需要修改

也看参考这个issues:https://github.com/kubernetes/ingress-nginx/issues/5932

kubectl get secret -A | grep ingress-nginx

9.1.2.1 命令行修改方式:

# 复制 (自己的)-mh7zg ,将下图对应的位置,加上-mh7zg
kubectl edit deployment ingress-nginx-controller -n ingress-nginx

完成修改后

查看状态已经可以了

kubectl get pod -n ingress-nginx

9.1.2.2 界面修改修改方式:

找到Deployments

编辑

更新

9.1.3 验证

kubectl get svc -A

分别可以使用以下网址,如果能展示下图,就成功了

http://k8s集群任意ip:31483

https://k8s集群任意ip:30893

ingress的一些高价功能:https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/

9.2.1 测试环境准备

应用如下yaml,准备好测试环境

vi test.yaml


apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-server
spec:
  replicas: 2
  selector:
    matchLabels:
      app: hello-server
  template:
    metadata:
      labels:
        app: hello-server
    spec:
      containers:
      - name: hello-server
        image: registry.cn-hangzhou.aliyuncs.com/lfy_k8s_images/hello-server
        ports:
        - containerPort: 9000
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx-demo
  name: nginx-demo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-demo
  template:
    metadata:
      labels:
        app: nginx-demo
    spec:
      containers:
      - image: nginx
        name: nginx
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: nginx-demo
  name: nginx-demo
spec:
  selector:
    app: nginx-demo
  ports:
  - port: 8000
    protocol: TCP
    targetPort: 80
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: hello-server
  name: hello-server
spec:
  selector:
    app: hello-server
  ports:
  - port: 8000
    protocol: TCP
    targetPort: 9000

部署

kubectl apply -f test.yaml

查看是否已经部署完成

kubectl get pod

kubectl get svc

访问

9.2.2 域名访问

vi ingress-rule.yaml


apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-bar
spec:
  ingressClassName: nginx
  rules:
  - host: "hello.hg.com"
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: hello-server
            port:
              number: 8000
  - host: "demo.hg.com"
    http:
      paths:
      - pathType: Prefix
        path: "/"  # 把请求会转给下面的服务,下面的服务一定要能处理这个路径,不能处理就是404
        backend:
          service:
            name: nginx-demo  ## java,比如使用路径重写,去掉前缀nginx
            port:
              number: 8000


kubectl apply -f ingress-rule.yaml

如果执行有报错

查看

kubectl get validatingwebhookconfigurations

删除

kubectl delete -A ValidatingWebhookConfiguration ingress-nginx-admission
kubectl delete -A ValidatingWebhookConfiguration ingress-nginx-admission-token

重新部署

kubectl apply -f ingress-rule.yaml

查看ingress状态

kubectl get ingress

访问机器增加hosts域名配置

浏览器访问

修改对应的ingress

kubectl edit ingress ingress名称
kubectl edit ingress ingress-host-bar

9.2.3 路径重写

vi ingress-rule.yaml


apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
  name: ingress-host-bar
spec:
  ingressClassName: nginx
  rules:
  - host: "hello.hg.com"
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: hello-server
            port:
              number: 8000
  - host: "demo.hg.com"
    http:
      paths:
      - pathType: Prefix
        path: "/nginx(/|$)(.*)"  # 把请求会转给下面的服务,下面的服务一定要能处理这个路径,不能处理就是404
        backend:
          service:
            name: nginx-demo  ## java,比如使用路径重写,去掉前缀nginx
            port:
              number: 8000

部署

kubectl apply -f ingress-rule.yaml

查看

kubectl get ingress

使用浏览器访问

效果:和之前不加/nginx一致,相当于在ingress处理的时候,将/nginx去掉了

9.2.4 流量限制

vi ingress-limit-rate.yaml


apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-limit-rate
  annotations:
    nginx.ingress.kubernetes.io/limit-rps: "1"
spec:
  ingressClassName: nginx
  rules:
  - host: "haha.hg.com"
    http:
      paths:
      - pathType: Exact
        path: "/"
        backend:
          service:
            name: nginx-demo
            port:
              number: 8000

部署

kubectl apply -f ingree-limit-rate.yaml

查看状态

kubectl get ingress

使用浏览器查看,当快速访问时:

10 存储抽象

10.1.1 所有节点

yum install -y nfs-utils

10.1.2 主节点

#nfs主节点
echo "/nfs/data/ *(insecure,rw,sync,no_root_squash)" > /etc/exports

mkdir -p /nfs/data
systemctl enable rpcbind --now
systemctl enable nfs-server --now
#配置生效
exportfs -r

10.1.3 从节点

# 查看nfs服务能挂载的信息
showmount -e nfs服务所在ip

#执行以下命令挂载 nfs 服务器上的共享目录到本机路径 /nfs/data
mkdir -p /nfs/data

mount -t nfs nfs服务所在ip:/nfs/data /nfs/data
# 写入一个测试文件
echo "hello nfs server" > /nfs/data/test.txt

永久挂载方式

vi /etc/fstab


# 新增一行
192.168.68.210:/nfs/data /nfs/data nfs defaults        0 0

nfs服务器端,也能看到新增的文件

10.1.4 原生方式数据挂载

vi mount.yaml
  • 修改对应nfs服务的ip

    server: 192.168.68.204

  • 创建路径

    path: /nfs/data/nginx-pv

    apiVersion: apps/v1
    kind: Deployment
    metadata:
    labels:
    app: nginx-pv-demo
    name: nginx-pv-demo
    spec:
    replicas: 2
    selector:
    matchLabels:
    app: nginx-pv-demo
    template:
    metadata:
    labels:
    app: nginx-pv-demo
    spec:
    containers:
    - image: nginx
    name: nginx
    volumeMounts:
    - name: html
    mountPath: /usr/share/nginx/html
    volumes:
    - name: html
    nfs:
    server: 192.168.68.204
    path: /nfs/data/nginx-pv

    kubectl get pod

注意,如果一直在创建中,请使用 kubectl describe pod 对应的pod名字,一般是没有创建对应的文件夹

验证

# 进入pod容器内部
kubectl exec -it nginx-pv-demo-5b74676b65-cb9mh -- /bin/bash

# 查看nginx存放页面的信息
ls /usr/share/nginx/html/

发现对应的文件夹下,并没有数据

新建一个连接,在nfs宿主机服务的 /nfs/data/nginx-pv下,或者挂载的服务器下,新建一个index.html文件,并填充内容

echo 111 > /nfs/data/nginx-pv/index.html

然后,在之前的容器中再查看是否有新的文件

ls /usr/share/nginx/html/

cat /usr/share/nginx/html/index.html

更换另一个pod,结果也是一样

PV:持久卷(Persistent Volume),将应用需要持久化的数据保存到指定位置

PVC:持久卷申明(Persistent Volume Claim),申明需要使用的持久卷规格

10.2.1 创建PV池

静态供应

mkdir -p /nfs/data/{01,02,03}

创建PV

vi pv.yaml
  • 修改nfs服务ip

    server: 自己的nfs服务ip

    apiVersion: v1
    kind: PersistentVolume
    metadata:
    name: pv01-10m
    spec:
    capacity:
    storage: 10M
    accessModes:
    - ReadWriteMany
    storageClassName: nfs
    nfs:
    path: /nfs/data/01

    server: 192.168.68.204

    apiVersion: v1
    kind: PersistentVolume
    metadata:
    name: pv02-1gi
    spec:
    capacity:
    storage: 1Gi
    accessModes:
    - ReadWriteMany
    storageClassName: nfs
    nfs:
    path: /nfs/data/02

    server: 192.168.68.204

    apiVersion: v1
    kind: PersistentVolume
    metadata:
    name: pv03-3gi
    spec:
    capacity:
    storage: 3Gi
    accessModes:
    - ReadWriteMany
    storageClassName: nfs
    nfs:
    path: /nfs/data/03
    server: 192.168.68.204

部署

kubectl apply -f pv.yaml

查看

kubectl get pv

10.2.2 PVC创建与绑定

10.2.2.1 创建PVC

vi pvc.yaml


apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nginx-pvc
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 200Mi
  storageClassName: nfs

部署

kubectl apply -f pvc.yaml

查看

kubectl get pvc

测试删除

kubectl delete -f pvc.yaml

查看

kubectl get pvc

再次部署

kubectl apply -f pvc.yaml

查看

kubectl get pvc

结论:会选用大于200M的pv,正在使用的pv会被 Bound,之前使用的,后面删除了,就会释放

10.2.2.2 创建Pod绑定PVC

vi pod-pvc.yaml


apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx-deploy-pvc
  name: nginx-deploy-pvc
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-deploy-pvc
  template:
    metadata:
      labels:
        app: nginx-deploy-pvc
    spec:
      containers:
      - image: nginx
        name: nginx
        volumeMounts:
        - name: html
          mountPath: /usr/share/nginx/html
      volumes:
        - name: html
          persistentVolumeClaim:
            claimName: nginx-pvc

部署

kubectl apply -f pod-pvc.yaml

查看pod

kubectl get pod

查看pvc和pv绑定关系

kubectl get pvc,pv

验证

进入启动一个pod容器内

# 进入容器,对应的pod名字修改为自己的
kubectl exec -it nginx-deploy-pvc-79fc8558c7-c8mh7 -- /bin/bash

## 展示容器内文件夹下的内容
ls /usr/share/nginx/html/

我们发现,文件夹下,还没有文件

从绑定关系中得知,使用的pv03-3gi在nfs服务对应的 /nfs/data/03文件夹或者挂载了nfs的服务器上,我们这03文件夹中创建文件 index.html文件

echo 333 > /nfs/data/03/index.html

再次查看,已经有了index.html文件

查看另外一个pod,也是如此

抽取应用配置,并且可以自动更新

10.3.1 redis示例

10.3.1.1 创建redis.conf配置文件

vi redis.conf

内容

appendonly yes

10.3.1.2 把配置文件创建为配置集

方式一:命令行方式

# 创建配置,redis保存到k8s的etcd;
kubectl create cm redis-conf --from-file=redis.conf

删除cm配置

# kubectl delete cm cm名称
kubectl delete cm redis-conf

方式二:yaml方式

vi cm.yaml


apiVersion: v1
data:    #data是所有真正的数据,key:默认是文件名   value:配置文件的内容
  redis.conf: |
    appendonly yes
kind: ConfigMap
metadata:
  name: redis-conf
  namespace: default

部署

kubectl apply -f cm.yaml

10.3.1.3 创建pod

vi redis-pod.yaml


apiVersion: v1
kind: Pod
metadata:
  name: redis
spec:
  containers:
  - name: redis
    image: redis
    command:
      - redis-server
      - "/redis-master/redis.conf"  #指的是redis容器内部的位置
    ports:
    - containerPort: 6379
    volumeMounts:
    - mountPath: /data
      name: data
    - mountPath: /redis-master
      name: config
  volumes:
    - name: data
      emptyDir: {}
    - name: config
      configMap:
        name: redis-conf
        items:
        - key: redis.conf
          path: redis.conf

查看

kubectl get pod

10.3.1.3 检查默认配置

kubectl exec -it redis -- redis-cli

10.3.1.4 修改ConfigMap

kubectl edit cm redis-conf


    maxmemory 2mb
    maxmemory-policy allkeys-lru

10.3.1.5 检查配置是否更新

kubectl exec -it redis -- redis-cli

检查指定文件内容是否已经更新

修改了CM。Pod里面的配置文件会跟着变

配置值未更改,因为需要重新启动 Pod 才能从关联的 ConfigMap 中获取更新的值。

原因:我们的Pod部署的中间件自己本身没有热更新能力

重启pod

kubectl replace --force -f redis-pod.yaml

检查配置是否更新

kubectl exec -it redis -- redis-cli

Secret 对象类型用来保存敏感信息,例如密码、OAuth 令牌和 SSH 密钥。 将这些信息放在 secret 中比放在 Pod 的定义或者 容器镜像 中来说更加安全和灵活。

10.4.1 命令方式

kubectl create secret docker-registry 密钥名 \
  --docker-server=<你的镜像仓库服务器> \
  --docker-username=<你的用户名> \
  --docker-password=<你的密码> \
  --docker-email=<你的邮箱地址>

10.4.2 创建容器

apiVersion: v1
kind: Pod
metadata:
  name: private-nginx
spec:
  containers:
  - name: private-nginx
    image: xx/xx:v1.0
  imagePullSecrets:
  - name: 密钥名