k8s 笔记

k8s 容器出现大量 Evicted

1
2
3
4
5
6
7
8
9
10
11
$kubectl describe node/runner-e480

Normal NodeHasNoDiskPressure 6m19s (x8 over 6m19s) kubelet, runner-e480 Node runner-e480 status is now: NodeHasNoDiskPressure

df -h 系统盘使用85%

修改了docker 镜像存储路径
https://blog.csdn.net/glongljl/article/details/80158297

参考:
https://blog.csdn.net/qq_21816375/article/details/82905660

k8s 命令

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
#命令行自动补全
source <(kubectl completion bash)
echo "source <(kubectl completion bash)" >> ~/.bashrc

kubectl get sa --all-namespaces=true
kubectl get roles --all-namespaces=true
kubectl get RoleBinding --all-namespaces=true
kubectl get secrets --all-namespaces=true
kubectl describe ClusterRole/cluster-admin


#端口转发 本地2000端口映射到容器3000端口 &……& 目前只能用localhost访问
export POD_NAME=$(kubectl get pods --namespace default -l "app=grafana,release=willing-lamb" -o jsonpath="{.items[0].metadata.name}")
kubectl port-forward willing-lamb-grafana-75d49cb58c-7dn6d 2000:3000


kubectl get secrets -o json | kubectl update -f -

kubectl exec POD_NAME -c CONTAINER_NAME reboot
kubectl exec -it [POD_NAME] -c [CONTAINER_NAME] -- /bin/sh -c "kill 1"

kubectl explain namespace

kubectl get ns default --show-labels
kubectl completion -h

kubectl delete pod deviosow-1828 --namespace=kube-system --grace-period=0 --force

docker images | grep '<none>'| awk '{print $3}' | xargs docker rmi
kubectl -n kube-system get endpoints -o wide

#dns 验证
kubectl run curl --image=radial/busyboxplus:curl -it
nslookup docker-dind-svc.gitlab-managed-apps


#使用命令快速创建 deployment 和 service
kubectl run nginx --image=nginx --replicas=2
kubectl expose deployment nginx --port 80 --external-ip 172.17.8.201

node 上使用 k8s 的core-dns 服务
dig @10.152.183.10 grafana.istio-system.svc.cluster.local


#查看资源yaml
kubectl api-resources | grep pod
kubectl explain podtemplates.template.spec.containers

RBAC

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: default
name: example-sa
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: example-role
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: example-rolebinding
namespace: default
subjects:
- kind: ServiceAccount
name: example-sa
namespace: default
roleRef:
kind: Role
name: example-role
apiGroup: rbac.authorization.k8s.io

---
#管理员,角色配置可以参考 kubectl describe ClusterRole/cluster-admin
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: example-role
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- '*'

serviceAccountName
serviceAccount #pod请求别的命名空间时的帐号

Error: release community-feature-haozhe-wei failed: namespaces "php-sht" is forbidden: User "system:serviceaccount:gitlab-managed-apps:default" cannot get resource "namespaces" in API group "" in the namespace "php-sht"

更新密钥要小心,因为帐号token会被其他服务关联,比如 tiller account

跨namespace授权

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: gitlab
name: gitlab-view-role
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: gitlab-view-php-sht-rolebinding
namespace: gitlab
subjects:
- kind: ServiceAccount
name: admin
namespace: php-sht
roleRef:
kind: Role
name: gitlab-view-role
apiGroup: rbac.authorization.k8s.io

角色

1
2
3
4
admin
maintainer
developer
guest/reporter

Pod

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
每个 pod 都以mount形式挂载这个 默认的Servcice Account,
如:mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"

单独的pod,恢复过程永远发生在当前节点,不会跑到别的节点上去。如果你想让Pod出现在其他的可用节点上,就必须使用 deployment 这样的控制器来管理 pod,哪怕你只需要一个 pod 副本。

可以通过restartPolicy,改变pod的恢复策略

selector 意味着后面这些追加的定义,只会作用于 selector 所定义的,带有"role:frontend"标签的Pod对象

command: ["sh","-c","mkdir /var/www/html ; ln -s /var/www/community/public /var/www/html/public ; nginx -g 'daemon off;'"]

#多行配置
env:
- name: COMMAND_SCRIPT
value: |-
set -xeo pipefail
helm init --upgrade
for i in $(seq 1 30); do helm version && break; sleep 1s; echo "Retrying ($i)..."; done
helm repo add runner https://charts.gitlab.io
helm repo update
helm upgrade runner runner/gitlab-runner --install --reset-values --tls --tls-ca-cert /data/helm/runner/config/ca.pem --tls-cert /data/helm/runner/config/cert.pem --tls-key /data/helm/runner/config/key.pem --version 0.4.1 --set rbac.create\=true,rbac.enabled\=true --namespace gitlab-managed-apps -f /data/helm/runner/config/values.yaml


apiVersion: v1
kind: Pod
metadata:
name: nginx-privileged
spec:
containers:
- name: nginx-privileged
image: nginx:1.14.2
securityContext:
privileged: true
runAsUser: 1000 #指定容器运行账户



pod 的操作只有创建删除

"hostAliases": [
{
"ip": "172.16.101.197",
"hostnames": [
"prometheus.local.com"
]
}
]

pod 的标签很很重要,loki用来建立索引,prometheus可以用来指定报警分组.

TLS

1
2
curl https://192.168.207.237:2376/info --cert ./cert.pm --key ./key.pem  --cacert ./ca.pem
kubectl create secret tls tls-secret --cert=path/to/tls.cert --key=path/to/tls.key

Namspace

1
2
pv 不属于 namespace 
pvc 属于

Label and Annotations 注释 可以用来检索

1
2
3
#标签一定要有 key 可以没有 value
kubectl label/annotate <resource> foo=bar
kubectl label/annotate <resource> foo-

健康检查

1
2
3
4
5
livenessProbe:
- initialDelaySeconds:5 #容器启动5s后开始执行
periodSeconds:5 #每5s执行一次

readlinessProbe: #健康检查结果决定这个pod是不是能被通过Service的方式访问到,而并不影响Pod的生命周期

ConfigMap Secret Downard Api

1
2
3
4
5
6
7
8
9

这三种Project Volume 定义的信息,还可以通过环境变量的方式出现在容器里。但环境变量不具备自动更新的能力。所以一般情况下,都建议你好似用 Volume 文件的方式获取这些信息。

projected volume可以映射很多volume源到相同的目录下

#从配置文件生成 configmap
<?php
$c=file_get_contents("conf.php");
echo json_encode($c,JSON_UNESCAPED_UNICODE)."\n";

k8s node 节点加入集群

1
2
3
4
5
6
7
8
9
10
11
12
13
kubeadm join 172.16.101.197:6443 --token vq0fs8.rzcw1lf6k3lz7986     --discovery-token-ca-cert-hash sha256:68c8228227ae029b091c8d6cdecde4c11ec5dbbbd43fa725060ffdd512fef3cd

节点需要关闭 swap 启动docker服务


还需要下载
k8s.gcr.io/pause:3.1 镜像
k8s.gcr.io/kube-proxy 镜像

在 master节点观察子节点pod创建情况

移除节点:
kubectl delete node node-1

PV

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
apiVersion: v1
kind: PersistentVolume
metadata:
name: es-local-pv0
spec:
capacity:
storage: 10Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
storageClassName: local-storage
local:
path: /data
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- php-cd-node

redis

1
2
3
kubectl run --namespace kube-public redis-client --rm --tty -i --restart='Never' \
--env REDIS_PASSWORD=$REDIS_PASSWORD \
--image docker.io/bitnami/redis:5.0.5-debian-9-r36 -- bash

映射外部服务

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
apiVersion: v1
kind: Service
metadata:
name: ldap-chang-password
namespace: kube-system
spec:
ports:
- port: 80
targetPort: 8080
protocol: TCP

---

apiVersion: v1
kind: Endpoints
metadata:
name: ldap-chang-password
namespace: kube-system
subsets:
- addresses:
- ip: 10.111.8.166
ports:
- port: 8080
protocol: TCP

---

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: uic
namespace: kube-system
spec:
rules:
- host: uic.t1.youhaodongxi.com
http:
paths:
- backend:
serviceName: ldap-chang-password
servicePort: 80
path: /

API权限

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/

APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
TOKEN=$(kubectl get secret $(kubectl get serviceaccount default -o jsonpath='{.secrets[0].name}') -o jsonpath='{.data.token}' | base64 --decode )
curl $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure
{
"kind": "APIVersions",
"versions": [
"v1"
],
"serverAddressByClientCIDRs": [
{
"clientCIDR": "0.0.0.0/0",
"serverAddress": "10.0.1.149:443"
}
]
}

how-to-create-a-kubectl-config-file-for-serviceaccount

1
https://stackoverflow.com/questions/47770676/how-to-create-a-kubectl-config-file-for-serviceaccount

create-kubectl-by-user

1
https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/

同一个service开2个端口

一般我们只有一个端口的时候,在service的yaml文件:

1
2
3
4
5
ports:
- nodePort: 8482
port: 8080
protocol: TCP
targetPort: 8080

而如果你想开两个端口,直接复制粘贴可不行,k8s会提示你必须要加上name。所以,如果要开多端口,要为每个port都指定一个name,如:

1
2
3
4
5
6
ports:
- name: http
nodePort: 8482
port: 8080
protocol: TCP
targetPort: 8080