| 知乎專欄 | 多維度架構 | 微信號 netkiller-ebook | QQ群:128659835 請註明“讀者” |
apiVersion: v1 kind: ServiceAccount metadata: labels: app: elasticsearch name: elasticsearch namespace: elastic
創建 jenkins-namespace.yaml
apiVersion: v1 kind: Namespace metadata: name: jenkins-project
$ kubectl create -f jenkins-namespace.yaml namespace ”jenkins-project“ created
apiVersion: v1
kind: Pod
metadata:
name: counter
spec:
containers:
- name: count
image: busybox
args: [/bin/sh, -c, 'i=0; while true; do echo "$i: $(date)"; i=$((i+1)); sleep 1; done']
iMac:kubernetes neo$ kubectl create -f pod.yaml pod/counter created iMac:kubernetes neo$ kubectl logs counter 0: Sun Oct 4 12:32:44 UTC 2020 1: Sun Oct 4 12:32:45 UTC 2020 2: Sun Oct 4 12:32:46 UTC 2020 3: Sun Oct 4 12:32:47 UTC 2020 4: Sun Oct 4 12:32:48 UTC 2020 5: Sun Oct 4 12:32:49 UTC 2020 6: Sun Oct 4 12:32:50 UTC 2020 7: Sun Oct 4 12:32:51 UTC 2020 8: Sun Oct 4 12:32:52 UTC 2020 9: Sun Oct 4 12:32:53 UTC 2020
apiVersion: v1
kind: Pod
metadata:
name: hostaliases-pod
spec:
restartPolicy: Never
hostAliases:
- ip: "127.0.0.1"
hostnames:
- "foo.local"
- "bar.local"
- ip: "10.1.2.3"
hostnames:
- "foo.remote"
- "bar.remote"
containers:
- name: cat-hosts
image: busybox
command:
- cat
args:
- "/etc/hosts"
apiVersion: v1
kind: Pod
metadata:
name: envars-fieldref
spec:
containers:
- name: test-container
image: k8s.gcr.io/busybox
command: [ "sh", "-c"]
args:
- while true; do
echo -en '\n';
printenv NODE_NAME POD_NAME POD_NAMESPACE;
printenv POD_IP POD_SERVICE_ACCOUNT;
sleep 10;
done;
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: POD_SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
restartPolicy: Never
apiVersion: v1
kind: Pod
metadata:
name: envars-resourcefieldref
spec:
containers:
- name: test-container
image: k8s.gcr.io/busybox:1.24
command: [ "sh", "-c"]
args:
- while true; do
echo -en '\n';
printenv CPU_REQUEST CPU_LIMIT;
printenv MEM_REQUEST MEM_LIMIT;
sleep 10;
done;
resources:
requests:
memory: "32Mi"
cpu: "125m"
limits:
memory: "64Mi"
cpu: "250m"
env:
- name: CPU_REQUEST
valueFrom:
resourceFieldRef:
containerName: test-container
resource: requests.cpu
- name: CPU_LIMIT
valueFrom:
resourceFieldRef:
containerName: test-container
resource: limits.cpu
- name: MEM_REQUEST
valueFrom:
resourceFieldRef:
containerName: test-container
resource: requests.memory
- name: MEM_LIMIT
valueFrom:
resourceFieldRef:
containerName: test-container
resource: limits.memory
restartPolicy: Never
就緒探針
readinessProbe:
exec:
command:
- cat
- /tmp/healthy
initialDelaySeconds: 10 #10s之後開始第一次探測
periodSeconds: 5 #第一次探測之後每隔5s探測一次
kubelet --allowed-unsafe-sysctls \ 'kernel.msg*,net.core.somaxconn' ...
apiVersion: v1
kind: Pod
metadata:
name: sysctl-example
spec:
securityContext:
sysctls:
- name: kernel.shm_rmid_forced
value: "0"
- name: net.core.somaxconn
value: "1024"
- name: kernel.msgmax
value: "65536"
allowPrivilegeEscalation 表示是否繼承父進程權限,runAsUser 表示使用 UID 1000 的用戶運行
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo
spec:
securityContext:
runAsUser: 1000
containers:
- name: sec-ctx-demo
image: busybox:latest
securityContext:
runAsUser: 1000
allowPrivilegeEscalation: false
spec:
securityContext:
runAsUser: 1000
fsGroup: 2000
runAsNonRoot: true
security.alpha.kubernetes.io/sysctls
apiVersion: v1
kind: Pod
metadata:
name: sysctl-example
annotations:
security.alpha.kubernetes.io/sysctls: kernel.shm_rmid_forced=1
spec:
unsafe-sysctls
apiVersion: v1
kind: Pod
metadata:
name: sysctl-example
annotations:
security.alpha.kubernetes.io/unsafe-sysctls: net.core.somaxconn=65535 #使用unsafe sysctl,設置最大連接數
spec:
securityContext:
privileged: true #開啟privileged權限
創建 service.yaml 檔案
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
selector:
app: MyApp
ports:
- name: http
protocol: TCP
port: 80
targetPort: 80
- name: https
protocol: TCP
port: 443
targetPort: 443
iMac:kubernetes neo$ kubectl create -f service.yaml service/my-service created
查看服務
iMac:kubernetes neo$ kubectl get service NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 113m my-service ClusterIP 10.106.157.143 <none> 80/TCP,443/TCP 64s
查看 service 後端代理的 pod 的 ip,這裡沒有掛載 pod 所以顯示 none
iMac:kubernetes neo$ kubectl get endpoints my-service NAME ENDPOINTS AGE my-service <none> 2m20s
報漏 80.11.12.10:80 地址
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
selector:
app: MyApp
ports:
- name: http
protocol: TCP
port: 80
targetPort: 9376
externalIPs:
- 80.11.12.10
apiVersion: v1 kind: Service metadata: name: my-service namespace: prod spec: type: ExternalName externalName: my.database.example.com
apiVersion: v1
kind: Service
metadata:
name: spring-cloud-config-server
namespace: default
labels:
app: springboot
spec:
#type: NodePort
ports: web
- port: 8888
targetPort: web
clusterIP: 10.10.0.1
selector:
app: spring-cloud-config-server
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
type: NodePort
selector:
app: MyApp
ports:
# By default and for convenience, the `targetPort` is set to the same value as the `port` field.
- port: 80
targetPort: 80
# Optional field
# By default and for convenience, the Kubernetes control plane will allocate a port from a range (default: 30000-32767)
nodePort: 30007
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
selector:
app: MyApp
ports:
- protocol: TCP
port: 80
targetPort: 9376
clusterIP: 10.0.171.239
type: LoadBalancer
status:
loadBalancer:
ingress:
- ip: 192.0.2.127
apiVersion: v1
kind: Service
metadata:
name: registry
namespace: default
labels:
app: registry
spec:
type: NodePort
selector:
app: registry
ports:
- name: registry
port: 5000
nodePort: 30050
protocol: TCP
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: registry
namespace: default
labels:
app: registry
spec:
replicas: 1
selector:
matchLabels:
app: registry
template:
metadata:
labels:
app: registry
spec:
containers:
- name: registry
image: registry:latest
resources:
limits:
cpu: 100m
memory: 100Mi
env:
- name: REGISTRY_HTTP_ADDR
value: :5000
- name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
value: /var/lib/registry
ports:
- containerPort: 5000
name: registry
protocol: TCP
apiVersion: v1 kind: ConfigMap metadata: name: db-config namespace: default data: db.host: 172.16.0.10 db.port: '3306' db.user: neo db.pass: chen
創建配置
neo@MacBook-Pro-Neo ~/tmp/kubernetes % kubectl create -f key-value.yaml configmap/db-config created
將配置項保存到檔案
apiVersion: v1
kind: Pod
metadata:
name: test-pod
spec:
containers:
- name: test-container
image: gcr.io/google_containers/busybox
command: [ "/bin/sh", "-c", "cat /usr/local/etc/config/db.host" ]
volumeMounts:
- name: config-volume
mountPath: /usr/local/etc/config
volumes:
- name: config-volume
configMap:
name: db-config
restartPolicy: Never
定義多組配置項
apiVersion: v1
kind: ConfigMap
metadata:
name: spring-cloud-config
namespace: default
data:
config: |
spring.security.user=config
spring.security.user=passw0rd
euerka: |
spring.security.user=eureka
spring.security.user=passw0rd
gateway: |
spring.security.user=gateway
spring.security.user=passw0rd
envFrom 可將 ConfigMap 中的配置項定義為容器環境變數
apiVersion: v1
kind: Pod
metadata:
name: neo-test-pod
spec:
containers:
- name: test-container
image: k8s.gcr.io/busybox
command: [ "/bin/sh", "-c", "env" ]
envFrom:
- configMapRef:
name: special-config
restartPolicy: Never
引用單個配置項使用 valueFrom
neo@MacBook-Pro-Neo ~/tmp/kubernetes % cat key-value.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: db-config
namespace: default
data:
db.host: 172.16.0.10
db.port: '3306'
db.user: neo
db.pass: chen
---
apiVersion: v1
kind: Pod
metadata:
name: test-pod
spec:
containers:
- name: test-container
image: busybox
command: [ "/bin/sh", "-c", "env" ]
env:
- name: DBHOST
valueFrom:
configMapKeyRef:
name: db-config
key: db.host
- name: DBPORT
valueFrom:
configMapKeyRef:
name: db-config
key: db.port
restartPolicy: Never
neo@MacBook-Pro-Neo ~/tmp/kubernetes % kubectl create -f key-value.yaml
configmap/db-config created
pod/test-pod created
定義配置
apiVersion: v1
kind: ConfigMap
metadata:
name: redis-config
labels:
app: redis
data:
redis.conf: |-
pidfile /var/lib/redis/redis.pid
dir /var/lib/redis
port 6379
bind 0.0.0.0
appendonly yes
protected-mode no
requirepass 123456
引用配置
apiVersion: apps/v1
kind: Deployment
metadata:
name: redis
labels:
app: redis
spec:
replicas: 1
selector:
matchLabels:
app: redis
template:
metadata:
labels:
app: redis
spec:
containers:
- name: redis
image: redis:5.0.8
command:
- "sh"
- "-c"
- "redis-server /usr/local/etc/redis/redis.conf"
ports:
- containerPort: 6379
resources:
limits:
cpu: 1000m
memory: 1024Mi
requests:
cpu: 1000m
memory: 1024Mi
livenessProbe:
tcpSocket:
port: 6379
initialDelaySeconds: 300
timeoutSeconds: 1
periodSeconds: 10
successThreshold: 1
failureThreshold: 3
readinessProbe:
tcpSocket:
port: 6379
initialDelaySeconds: 5
timeoutSeconds: 1
periodSeconds: 10
successThreshold: 1
failureThreshold: 3
volumeMounts:
- name: data
mountPath: /data
- name: config
mountPath: /usr/local/etc/redis/redis.conf
subPath: redis.conf
volumes:
- name: data
persistentVolumeClaim:
claimName: redis
- name: config
configMap:
name: redis-config
apiVersion: v1
kind: Pod
metadata:
name: test-pod
spec:
containers:
- name: test-container
image: gcr.io/google_containers/busybox
command: [ "/bin/sh","-c","find /etc/config/" ]
volumeMounts:
- name: config-volume
mountPath: /etc/config
volumes:
- name: config-volume
configMap:
name: special-config
items:
- key: special.how
path: path/to/special-key
restartPolicy: Never
apiVersion: v1
kind: PersistentVolume
metadata:
name: example-pv
spec:
capacity:
storage: 100Gi
# volumeMode field requires BlockVolume Alpha feature gate to be enabled.
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Delete
storageClassName: local-storage
local:
path: /mnt/disks/ssd1
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- example-node
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: local-volume
provisioner: kubernetes.io/no-provisioner
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: netkiller-local-pv
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
storageClassName: local-volume
local:
path: /tmp/neo
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- minikube
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: netkiller-pvc
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: local-volume
---
kind: Pod
apiVersion: v1
metadata:
name: busybox
namespace: default
spec:
containers:
- name: busybox
image: busybox:latest
# image: registry.netkiller.cn:5000/netkiller/welcome:latest
imagePullPolicy: IfNotPresent
command:
- sleep
- "3600"
volumeMounts:
- mountPath: "/srv"
name: mypd
restartPolicy: Always
volumes:
- name: mypd
persistentVolumeClaim:
claimName: netkiller-pvc
部署 POD
iMac:kubernetes neo$ kubectl create -f example/volume/local.yaml storageclass.storage.k8s.io/local-volume created persistentvolume/netkiller-local-pv created persistentvolumeclaim/netkiller-pvc created pod/busybox created
查看POD狀態
iMac:kubernetes neo$ kubectl get pod NAME READY STATUS RESTARTS AGE busybox 1/1 Running 0 2m28s
進入POD查看local卷的掛載情況,同時創建一個測試檔案。
iMac:kubernetes neo$ kubectl exec -it busybox sh kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead. / # mount | grep /srv tmpfs on /srv type tmpfs (rw) / # echo helloworld > /srv/netkiller / # cat /srv/netkiller helloworld
進入宿主主機查看掛載目錄
$ cat /tmp/neo/netkiller helloworld
.spec.completions 標誌Job結束需要成功運行的Pod個數,預設為1
.spec.parallelism 標誌並行運行的Pod的個數,預設為1
.spec.activeDeadlineSeconds 標誌失敗Pod的重試最大時間,超過這個時間不會繼續重試
apiVersion: batch/v1
kind: Job
metadata:
name: busybox
spec:
completions: 1
parallelism: 1
template:
metadata:
name: busybox
spec:
containers:
- name: busybox
image: busybox
command: ["echo", "hello"]
restartPolicy: Never
$ kubectl create -f job.yaml
job "busybox" created
$ pods=$(kubectl get pods --selector=job-name=busybox --output=jsonpath={.items..metadata.name})
$ kubectl logs $pods
.spec.schedule 指定任務運行周期,格式同Cron
.spec.startingDeadlineSeconds 指定任務開始的截止期限
.spec.concurrencyPolicy 指定任務的並發策略,支持Allow、Forbid和Replace三個選項
apiVersion: batch/v2alpha1
kind: CronJob
metadata:
name: hello
spec:
schedule: "*/1 * * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: hello
image: busybox
args:
- /bin/sh
- -c
- date; echo Hello from the Kubernetes cluster
restartPolicy: OnFailure
正常情況 Service 只是暴露了連接埠,這個連接埠是可以對外訪問的,但是80連接埠只有一個,很多 Service 都要使用 80連接埠,這時就需要使用虛擬主機技術。
多個 Service 共同使用一個 80 連接埠,通過域名區分業務。這就是 Ingress 存在的意義。
+----------+ Ingress +---------+ Pod +----------+ | internet | ---------> | Service | --------> | Pod Node | +----------+ +---------+ +----------+
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: springboot
spec:
backend:
service:
name: springboot
port:
number: 80
Ingress / ---> /api --> api-service:8080
www.netkiller.cn ---------> | ---> /usr --> usr-service:8080
\ ---> /img --> img-service:8080
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: uri-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- host: www.netkiller.cn
http:
paths:
- path: /api
backend:
serviceName: api-service
servicePort: 8080
- path: /usr
backend:
serviceName: usr-service
servicePort: 8080
- path: /img
backend:
serviceName: img-service
servicePort: 8080
www.netkiller.cn --| Ingress |-> www.netkiller.cn www:80
| --------------> |
img.netkiller.cn --| |-> img.netkiller.cn img:80
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: vhost-ingress
spec:
rules:
- host: www.netkiller.cn
http:
paths:
- backend:
serviceName: www
servicePort: 80
- host: img.netkiller.cn
http:
paths:
- backend:
serviceName: img
servicePort: 80
http://www.netkiller.cn/1100 => /article/1100
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: rewrite-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /article/$1
spec:
rules:
- host: www.netkiller.cn
http:
paths:
# 可以有多個(可以正則)
- path: /($/.*)
backend:
serviceName: article
servicePort: 80
# 該註解只在配置了HTTPS之後才會生效進行跳轉 nginx.ingress.kubernetes.io/ssl-redirect: "true" # 強制跳轉到https,不論是否配置了https證書 nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
三種annotation按匹配優先順序順序:
canary-by-header > canary-by-cookie > canary-weight
# Release Version
apiVersion: v1
kind: Service
metadata:
name: hello-service
labels:
app: hello-service
spec:
ports:
- port: 80
protocol: TCP
selector:
app: hello-service
---
# canary Version
apiVersion: v1
kind: Service
metadata:
name: canary-hello-service
labels:
app: canary-hello-service
spec:
ports:
- port: 80
protocol: TCP
selector:
app: canary-hello-service
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: canary
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/canary: "true"
nginx.ingress.kubernetes.io/canary-weight: "30"
spec:
rules:
- host: canary.netkiller.cn
http:
paths:
- backend:
serviceName: canary-hello-service
$ for i in $(seq 1 10); do curl http://canary.netkiller.cn; echo '\n'; done
annotations: kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/canary: "true" nginx.ingress.kubernetes.io/canary-by-header: "canary"
$ for i in $(seq 1 5); do curl -H 'canary:always' http://canary.netkiller.cn; echo '\n'; done
annotations: kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/canary: "true" nginx.ingress.kubernetes.io/canary-by-header: "canary" nginx.ingress.kubernetes.io/canary-by-header-value: "true"
$ for i in $(seq 1 5); do curl -H 'canary:true' http://canary.netkiller.cn; echo '\n'; done