pod
什么是Pod
Pod是Kubernetes中最小的单元,它由一组、一个或多个容器组成,每个Pod还包含了一个Pause容器,Pause容器是Pod的父容器,主要负责僵尸进程的回收管理,通过Pause容器可以使同一个Pod里面的多个容器共享存储、网络、PID、IPC
创建一个Pod
vi pod.yaml
apiVersion: v1 # 必选,API的版本号
kind: Pod # 必选,类型Pod
metadata: # 必选,元数据
name: nginx # 必选,符合RFC 1035规范的Pod名称
# namespace: default # 可选,Pod所在的命名空间,不指定默认为default,一般启动时使用-n 指定namespace
labels: # 可选,标签选择器,一般用于过滤和区分Pod
app: nginx
role: frontend # 可以写多个
annotations: # 可选,注释列表,可以写多个 app名称、版本,备注等
app: nginx
spec: # 必选,用于定义容器的详细信息
# initContainers: # 初始化容器,在容器启动之前执行的一些初始化操作 ,可配置多个
# - command:
# - sh
# - -c
# - echo "I am InitContainer for init some configuration"
# image: busybox
# imagePullPolicy: IfNotPresent
# name: init-container
# terminationGracePeriodSeconds: 40 # 一定大于sleep的时间
containers: # 必选,容器列表 可配置多个
- name: nginx # 必选,符合RFC 1035规范的容器名称
image: nginx:1.15.2 # 必选,容器所用的镜像的地址
imagePullPolicy: IfNotPresent # 可选,镜像拉取策略, IfNotPresent: 如果宿主机有这个镜像,那就不需要拉取了. Always: 总是拉取, Never: 不管是否存储都不拉取
command: # 可选,容器启动执行的命令 command 相当于 ENTRYPOINT, arg 相当于 cmd
- nginx
- -g
- "daemon off;"
workingDir: /usr/share/nginx/html # 可选,容器的工作目录
volumeMounts: # 可选,存储卷配置,可以配置多个
# - name: webroot # 存储卷名称
# mountPath: /usr/share/nginx/html # 挂载目录
# readOnly: true # 只读
ports: # 可选,容器需要暴露的端口号列表
- name: http # 端口名称
containerPort: 80 # 端口号
protocol: TCP # 端口协议,默认TCP
env: # 可选,环境变量配置列表
- name: TZ # 变量名 修改时区和编码
value: Asia/Shanghai # 变量的值
- name: LANG
value: en_US.utf8
# resources: # 可选,资源限制和资源请求限制
# limits: # 最大限制设置
# cpu: 1000m
# memory: 1024Mi
# requests: # 启动所需的资源
# cpu: 100m
# memory: 512Mi
startupProbe: # 可选,检测容器内进程是否完成启动。注意三种检查方式同时只能使用一种。
# httpGet: # httpGet检测方式,生产环境建议使用httpGet实现接口级健康检查,健康检查由应用程序提供。
# path: /api/successStart # 检查路径
# port: 80
tcpSocket:
port: 80
# readinessProbe: # 可选,健康检查。
# httpGet: # httpGet检测方式,生产环境建议使用httpGet实现接口级健康检查,健康检查由应用程序提供。
# path: / # 检查路径
# port: 80 # 监控端口
# livenessProbe: # 可选,健康检查
#exec: # 执行容器命令检测方式
#command:
#- cat
#- /health
#httpGet: # httpGet检测方式
# path: /_health # 检查路径
# port: 8080
# httpHeaders: # 检查的请求头
# - name: end-user
# value: Jason
# tcpSocket: # 端口检测方式
# port: 80
# initialDelaySeconds: 60 # 初始化时间
# timeoutSeconds: 2 # 超时时间
# periodSeconds: 5 # 检测间隔
# successThreshold: 1 # 检查成功为1次表示就绪
# failureThreshold: 2 # 检测失败2次表示未就绪
# lifecycle:
# postStart: # 容器创建完成后执行的指令, 可以是exec httpGet TCPSocket
# exec:
# command:
# - sh
# - -c
# - 'mkdir /data/ '
# preStop:
# httpGet:
# path: /
# port: 80
# exec:
# command:
# - sh
# - -c
# - sleep 9 #需配合terminationGracePeriodSeconds使用
restartPolicy: Always # 可选,默认为Always,容器故障或者没有启动成功,那就自动重启该容器,Onfailure: 容器以不为0的状态终止,自动重启该容器(异常退出重启), Never:无论何种状态,都不会重启
#nodeSelector: # 可选,指定Node节点
# region: subnet7
# imagePullSecrets: # 可选,拉取镜像使用的secret,可以配置多个
# - name: default-dockercfg-86258
# hostNetwork: false # 可选,是否为主机模式,如是,会占用主机端口
# volumes: # 共享存储卷列表
# - name: webroot # 名称,与上述对应
# emptyDir: {} # 挂载目录
# #hostPath: # 挂载本机目录
# # path: /etc/hosts
#
-- create 创建资源 -f 资源文件
$ kubectl create -f pod.yaml
$ kubectl get po
NAME READY STATUS RESTARTS AGE
nginx 0/1 ContainerCreating 0 5s
-- 正在启动
$ kubectl get po --show-labels
NAME READY STATUS RESTARTS AGE LABELS
nginx 1/1 Running 0 23m app=nginx,role=frontend
-- 查看启动过程
$ kubectl describe po nginx
-- 启动成功
$ kubectl get po -owide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx 0/1 Running 0 2s 10.1.0.23 docker-desktop <none> <none>
如果修改文件,可以使用 kubectl apply -f pod.yaml
-- 删除pod
$ kubectl delete po nginx
pod "nginx" deleted
$ kubectl get po --show-labels
No resources found in default namespace.
Pod探针
-
StartupProbe:k8s1.16版本后新加的探测方式,用于判断容器内应用程序是否已经启动。如果配置了startupProbe,就会先禁止其他的探测,直到它成功为止,成功后将不在进行探测。
-
LivenessProbe:用于探测容器是否运行,如果探测失败,kubelet会根据配置的重启策略进行相应的处理。若没有配置该探针,默认就是success。(可能导致启动慢,程序异常后需要很久(超时时间 * 检测间隔 * 检测失败次数)才会重启)
-
ReadinessProbe:一般用于探测容器内的程序是否健康,它的返回值如果为success,那么就代表这个容器已经完成启动,并且程序已经是可以接受流量的状态。
Pod探针的检测方式
-
ExecAction:在容器内执行一个命令,如果返回值为0,则认为容器健康。
-
TCPSocketAction:通过TCP连接检查容器内的端口是否是通的,如果是通的就认为容器健康。
-
HTTPGetAction:通过应用程序暴露的API地址来检查程序是否是正常的,如果状态码为200~400之间,则认为容器健康。
探针检查参数配置
initialDelaySeconds: 60 # 初始化时间 timeoutSeconds: 2 # 超时时间 periodSeconds: 5 # 检测间隔 successThreshold: 1 # 检查成功为1次表示就绪 failureThreshold: 2 # 检测失败2次表示未就绪
Deployment
用于部署无状态的服务,这个是最常用的控制器。一般用于管理维护企业内部无状态的微服务,比如configServer,springboot。可以管理多个副本的Pod实现无缝迁移、自动扩容缩容、自动灾难恢复、一键回滚等。
手动创建
$ kubectl create deployment nginx --image=nginx:1.15.2
deployment.apps/nginx created
$ kubectl get pod
NAME READY STATUS RESTARTS AGE
nginx-76446799f9-6ck7t 1/1 Running 0 26s
$ kubectl get deploy
NAME READY UP-TO-DATE AVAILABLE AGE
nginx 1/1 1 1 32s
查看配置文件
# kubectl get deployment nginx -o yaml > nginx-deploy.yaml
# cat nginx-deploy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
deployment.kubernetes.io/revision: "1"
creationTimestamp: "2023-04-22T08:14:31Z"
generation: 1
labels:
app: nginx
name: nginx
namespace: default
spec:
progressDeadlineSeconds: 600
replicas: 2 #副本数
revisionHistoryLimit: 10 # 设置保留RS旧的revision的个数
selector:
matchLabels:
app: nginx
strategy: #滚动更新策略 默认是RollingUpdate(先创建一个新的,在删除一个旧的,交替更新) Recreate:重建,先删除旧的Pod,在创建新的Pod
rollingUpdate:
maxSurge: 25% # 可以超过期望值的最大Pod数 可以设置成数字或百分比
maxUnavailable: 25% #指定在回滚或更新时最大不可用的Pod的数量 可以设置成数字或百分比
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
app: nginx
spec:
containers:
- image: nginx:1.15.2
imagePullPolicy: IfNotPresent
name: nginx
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
Deployment更新
-- 更改deployment的镜像并记录
$ kubectl edit deploy nginx
-- 将nginx版本改为1.15.3 副本数改为2
- image: nginx:1.15.3
replicas: 2
-- 查看更新过程
kubectl rollout status deploy nginx
deployment "nginx" successfully rolled out
# kubectl rollout status deploy nginx
Waiting for deployment "nginx" rollout to finish: 1 out of 2 new replicas have been updated...
Waiting for deployment "nginx" rollout to finish: 1 out of 2 new replicas have been updated...
Waiting for deployment "nginx" rollout to finish: 1 out of 2 new replicas have been updated...
Waiting for deployment "nginx" rollout to finish: 1 old replicas are pending termination...
Waiting for deployment "nginx" rollout to finish: 1 old replicas are pending termination...
deployment "nginx" successfully rolled out
$ kubectl get pod
NAME READY STATUS RESTARTS AGE
nginx-76446799f9-6ck7t 1/1 Running 0 5m26s
nginx-66bbc9fdc5-svxwh 1/1 Running 0 45s
$ kubectl get deploy
NAME READY UP-TO-DATE AVAILABLE AGE
nginx 2/2 2 2 5m32s
Deployment回滚
-- 再次更新
$ kubectl set image deploy nginx nginx=1.15.4
-- 查看历史版本
$ kubectl rollout history deploy nginx
deployment.apps/nginx
REVISION CHANGE-CAUSE
1 <none>
2 <none>
3 kubectl set image deploy nginx nginx=1.15.4 --record=true
1924 Desktop/k8s »
-- 查看指定版本信息
$ kubectl rollout history deploy nginx --revision=1
-- 回滚指定版本
$ kubectl rollout undo deploy nginx --to-revision=1
deployment.apps/nginx rolled back
扩容和缩容
» kubectl scale --replicas=3 deploy nginx
deployment.apps/nginx scaled
» kubectl get deploy
NAME READY UP-TO-DATE AVAILABLE AGE
nginx 3/3 3 3 17m
» kubectl get po
NAME READY STATUS RESTARTS AGE
nginx-76446799f9-j2v2s 1/1 Running 0 4m42s
nginx-76446799f9-pxg8g 1/1 Running 0 4m43s
nginx-76446799f9-vvfvk 1/1 Running 0 35s
更新暂停和恢复
» kubectl rollout pause deployment nginx
deployment.apps/nginx paused
» kubectl set image deploy nginx nginx=nginx:1.15.3
deployment.apps/nginx image updated
» kubectl set resources deploy nginx -c nginx --limits=cpu=200m,memory=128Mi --requests=cpu=10m,memory=16Mi
deployment.apps/nginx resource requirements updated
-- 查看配置文件 版本号和资源调整已修改(见下图)
» kubectl get deploy nginx -oyaml
-- 通过AGE可以看出来,并没有更新
» kubectl get po
NAME READY STATUS RESTARTS AGE
nginx-76446799f9-j2v2s 1/1 Running 0 15m
nginx-76446799f9-pxg8g 1/1 Running 0 15m
nginx-76446799f9-vvfvk 1/1 Running 0 11m
-- 更新
» kubectl rollout resume deploy nginx
deployment.apps/nginx resumed
» kubectl get po
NAME READY STATUS RESTARTS AGE
nginx-7b7c775868-26brv 1/1 Running 0 3s
nginx-7b7c775868-594f6 1/1 Running 0 2s
nginx-7b7c775868-g2qdp 1/1 Running 0 5s
» kubectl get rs
NAME DESIRED CURRENT READY AGE
nginx-5cfd47cfc5 0 0 0 22m
nginx-76446799f9 0 0 0 30m
nginx-7b7c775868 3 3 3 8s
nginx-d45498588 0 0 0 29m
StatefulSet
用于部署有状态且需要有序启动的应用程序。主要用于管路有状态应用程序的工作负载API对象。比如生产环境中部署ElasticSearch集群、MongoDB集群或者需要持久化的RabbitMQ集群、Redis集群、kafka集群和zookeeper集群等。
创建
apiVersion: v1
kind: Service
metadata:
name: nginx
labels:
app: nginx
spec:
ports:
- port: 80
name: web
clusterIP: None
selector:
app: nginx
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: web
spec:
serviceName: "nginx"
replicas: 2
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:nginx:1.15.2
ports:
- containerPort: 80
name: web
» kubectl create -f statefulset-nginx.yaml
service/nginx created
statefulset.apps/web created
» kubectl get pods
NAME READY STATUS RESTARTS AGE
web-0 1/1 Running 0 10s
web-1 1/1 Running 0 8s
扩容缩容
» kubectl scale --replicas=3 sts web
statefulset.apps/web scaled
» kubectl get sts
NAME READY AGE
web 3/3 2m33s
» kubectl get pods
NAME READY STATUS RESTARTS AGE
web-0 1/1 Running 0 2m38s
web-1 1/1 Running 0 2m36s
web-2 1/1 Running 0 14s
创建过程
顺序创建 先创建web-0成功继续创建web-1,失败则停止创建。
从后往前删除 先删web-2,再web-1,最后web-0。
- 删除或创建时若发生异常(某个节点挂掉) 则停止创建或删除
查看创建过程
$ kubectl get pods -w
NAME READY STATUS RESTARTS AGE
web-0 1/1 Running 0 9m38s
web-1 1/1 Running 0 9m36s
web-2 1/1 Running 0 7m14s
-- 新开窗口执行命令
» kubectl scale --replicas=5 sts web
statefulset.apps/web scaled
-- 查看变化过程
» kubectl get pods -w
NAME READY STATUS RESTARTS AGE
web-0 1/1 Running 0 9m38s
web-1 1/1 Running 0 9m36s
web-2 1/1 Running 0 7m14s
web-3 0/1 Pending 0 0s
web-3 0/1 Pending 0 0s
web-3 0/1 ContainerCreating 0 0s
web-3 1/1 Running 0 2s
web-4 0/1 Pending 0 0s
web-4 0/1 Pending 0 0s
web-4 0/1 ContainerCreating 0 0s
web-4 1/1 Running 0 1s
更新策略
» kubectl get sts web -o yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
creationTimestamp: "2023-04-22T09:14:31Z"
generation: 3
name: web
namespace: default
resourceVersion: "56239"
uid: 2fdc1f52-3858-49c0-9ecc-4250a63e69ce
spec:
podManagementPolicy: OrderedReady
replicas: 5
revisionHistoryLimit: 10
selector:
matchLabels:
app: nginx
serviceName: nginx
template:
metadata:
creationTimestamp: null
labels:
app: nginx
spec:
containers:
- image: nginx:1.15.2
imagePullPolicy: IfNotPresent
name: nginx
ports:
- containerPort: 80
name: web
protocol: TCP
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
updateStrategy: #更新策略
rollingUpdate:
partition: 0 # 更新大于等于partition的容器 (详解见下面)
type: RollingUpdate #滚动更新,从后往前更新 OnDelete:只有手动删除才会更新镜像
status:
availableReplicas: 5
collisionCount: 0
currentReplicas: 5
currentRevision: web-6949d64dc8
observedGeneration: 3
readyReplicas: 5
replicas: 5
updateRevision: web-6949d64dc8
updatedReplicas: 5
灰度发布
利用StatefulSet 更新策略我们可以实现灰度发布
假设有5个副本 web-0,web-1,web-2,web-3,web-4
设置 partition: 2,则滚动更新只会更新web-2,web-3,web-4
-- 修改滚动更新策略
» kubectl edit sts web
updateStrategy:
rollingUpdate:
partition: 2
type: RollingUpdate
-- 修改镜像版本
» kubectl edit sts web
image: nginx:1.15.3
-- 由创建时间可以看到web-2,web-3,web-4更新了,并且从web-4开始往上更新
» kubectl get po
NAME READY STATUS RESTARTS AGE
web-0 1/1 Running 0 32m
web-1 1/1 Running 0 32m
web-2 1/1 Running 0 4s
web-3 1/1 Running 0 6s
web-4 1/1 Running 0 45s
-- 查看pods镜像
» kubectl get po -oyaml | grep image
- image: nginx:1.15.2
imagePullPolicy: IfNotPresent
image: nginx:1.15.2
imageID: docker-pullable://nginx@sha256:d85914d547a6c92faa39ce7058bd7529baacab7e0cd4255442b04577c4d1f424
- image: nginx:1.15.2
imagePullPolicy: IfNotPresent
image: nginx:1.15.2
imageID: docker-pullable://nginx@sha256:d85914d547a6c92faa39ce7058bd7529baacab7e0cd4255442b04577c4d1f424
- image: nginx:1.15.3
imagePullPolicy: IfNotPresent
image: nginx:1.15.3
imageID: docker-pullable://nginx@sha256:24a0c4b4a4c0eb97a1aabb8e29f18e917d05abfe1b7a7c07857230879ce7d3d3
- image: nginx:1.15.3
imagePullPolicy: IfNotPresent
image: nginx:1.15.3
imageID: docker-pullable://nginx@sha256:24a0c4b4a4c0eb97a1aabb8e29f18e917d05abfe1b7a7c07857230879ce7d3d3
- image: nginx:1.15.3
imagePullPolicy: IfNotPresent
image: nginx:1.15.3
imageID: docker-pullable://nginx@sha256:24a0c4b4a4c0eb97a1aabb8e29f18e917d05abfe1b7a7c07857230879ce7d3d3
级联删除和非级联删除
- 级联删除:删除sts时,同时删除Pod (默认)
- 非级联删除:删除sts时,不删除Pod
-- 非级联删除 --cascade=false
» kubectl delete sts web --cascade=false
warning: --cascade=false is deprecated (boolean value) and can be replaced with --cascade=orphan.
statefulset.apps "web" deleted
» kubectl get sts
No resources found in default namespace.
» kubectl get po
NAME READY STATUS RESTARTS AGE
web-0 1/1 Running 0 62s
web-1 1/1 Running 0 60s
-- 此时删除pod不会新建,因为sts已经不存在了
» kubectl delete po web-0 web-1
pod "web-0" deleted
pod "web-1" deleted
» kubectl get po
No resources found in default namespace.
Service
可以简单理解为逻辑上的一组Pod。一种可以访问Pod的策略,而且其他Pod可以通过这个Service访问到这个Service代理的Pod。相对于Pod而言,它会有一个固定的名称,一旦创建就固定不变。
创建一个Service
apiVersion: v1
kind: Service
metadata:
name: nginx-svc
spec:
ports:
- name: http
port: 80 #Service自己的端口
targetPort: 80 #后端应用的端口
protocol: TCP #UDP TCP SCTP default:TCP
- name: https
port: 443 #Service自己的端口
targetPort: 443 #后端应用的端口
protocol: TCP #UDP TCP SCTP default:TCP
selector:
app: nginx
sessionAffinity: None
type: ClusterIP
» kubectl create -f service.yaml
» kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 28h
my-web-0 NodePort 10.105.106.72 <none> 80:32445/TCP 24m
nginx ClusterIP None <none> 80/TCP 3h
nginx-svc ClusterIP 10.100.224.240 <none> 80/TCP,443/TCP 160m
使用Service代理k8s外部应用
例如:
希望在生产环境中使用某个固定的名称而非IP地址进行访问外部的中间件服务(mysql、rabbitmq等。 可以在测试环境、开发环境、生产环境配置同一个名称,代理的ip指向不同环境的地址).
某个项目正在迁移至K8s集群,但是一部分服务仍然在集群外部,此时可以使用service代理至k8s集群外部的服务。
# vi svc-nginx-external.yaml
apiVersion: v1
kind: Service
metadata:
labels:
app: nginx-svc-external
name: nginx-svc-external
spec:
ports:
- name: http
port: 80 #Service自己的端口
targetPort: 80 #后端应用的端口
protocol: TCP #UDP TCP SCTP default:TCP
sessionAffinity: None
type: ClusterIP
» kubectl create -f svc-nginx-external.yaml
service/nginx-svc-external created
» kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 28h
my-web-0 NodePort 10.105.106.72 <none> 80:32445/TCP 35m
nginx ClusterIP None <none> 80/TCP 3h11m
nginx-svc ClusterIP 10.100.224.240 <none> 80/TCP,443/TCP 171m
nginx-svc-external ClusterIP 10.97.68.85 <none> 80/TCP 9s
-- 并没有创建同名的ENDPOINTS
» kubectl get ep
NAME ENDPOINTS AGE
kubernetes 192.168.65.4:6443 28h
my-web-0 10.1.0.60:80 36m
nginx 10.1.0.60:80,10.1.0.61:80 3h13m
nginx-svc 10.1.0.60:443,10.1.0.61:443,10.1.0.60:80 + 1 more... 173m
--复制一个
» kubectl get ep nginx-svc -oyaml > nginx-ep-external.yaml
--修改
» vi nginx-ep-external.yaml
» cat nginx-ep-external.yaml
apiVersion: v1
kind: Endpoints
metadata:
labels:
app: nginx-svc-external
name: nginx-svc-external
namespace: default
subsets:
- addresses:
- ip: 220.181.38.148 #外部服务ip地址 ,这里是百度
ports:
- name: http
port: 80 # 外部服务端口号
protocol: TCP
» kubectl create -f nginx-ep-external.yaml
-- 以后需要变更地址,只需要kubectl edit ep nginx-svc-external 就行了
使用Service代理k8s外部域名
➜ cp svc-nginx-external.yaml svc-nginx-externalname.yaml
➜ vi svc-nginx-externalname.yaml
➜ cat svc-nginx-externalname.yaml
apiVersion: v1
kind: Service
metadata:
labels:
app: nginx-externalname
name: nginx-externalname
spec:
type: ExternalName
externalName: www.baidu.com
➜ kubectl apply -f svc-nginx-externalname.yaml
service/nginx-externalname created
➜ kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 40h
my-web-0 NodePort 10.105.106.72 <none> 80:32445/TCP 12h
nginx ClusterIP None <none> 80/TCP 15h
nginx-externalname ExternalName <none> www.baidu.com <none> 66s
nginx-svc ClusterIP 10.100.224.240 <none> 80/TCP,443/TCP 14h
nginx-svc-external ClusterIP 10.97.68.85 <none> 80/TCP 12h
➜ kubectl get po
NAME READY STATUS RESTARTS AGE
web-0 1/1 Running 1 (13m ago) 15h
web-1 1/1 Running 1 (13m ago) 15h
➜ kubectl exec -it web-0 bash
root@web-0:/# apt-get update && apt-get install wget
-- 跨域导致 403了,但是请求通了,110.242.68.4也是百度的ip
root@web-0:/# wget nginx-externalname
--2023-04-22 22:30:19-- http://nginx-externalname/
Resolving nginx-externalname (nginx-externalname)... 110.242.68.4, 110.242.68.3
Connecting to nginx-externalname (nginx-externalname)|110.242.68.4|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2023-04-22 22:30:19 ERROR 403: Forbidden.
-- 直接请求ip地址
root@web-0:/# wget 110.242.68.4
--2023-04-22 22:30:46-- http://110.242.68.4/
Connecting to 110.242.68.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2381 (2.3K) [text/html]
Saving to: 'index.html'
index.html 100%[===============================================================================>] 2.33K --.-KB/s in 0s
2023-04-22 22:30:46 (14.7 MB/s) - 'index.html' saved [2381/2381]
root@web-0:/# cat index.html
<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>百度一下,你就知道</title></head> <body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src=//www.baidu.com/img/bd_logo1.png width=270 height=129> </div> <form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come value=1> <input type=hidden name=ie value=utf-8> <input type=hidden name=f value=8> <input type=hidden name=rsv_bp value=1> <input type=hidden name=rsv_idx value=1> <input type=hidden name=tn value=baidu><span class="bg s_ipt_wr"><input id=kw name=wd class=s_ipt value maxlength=255 autocomplete=off autofocus></span><span class="bg s_btn_wr"><input type=submit id=su value=百度一下 class="bg s_btn"></span> </form> </div> </div> <div id=u1> <a href=http://news.baidu.com name=tj_trnews class=mnav>新闻</a> <a href=http://www.hao123.com name=tj_trhao123 class=mnav>hao123</a> <a href=http://map.baidu.com name=tj_trmap class=mnav>地图</a> <a href=http://v.baidu.com name=tj_trvideo class=mnav>视频</a> <a href=http://tieba.baidu.com name=tj_trtieba class=mnav>贴吧</a> <noscript> <a href=http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u=http%3A%2F%2Fwww.baidu.com%2f%3fbdorz_come%3d1 name=tj_login class=lb>登录</a> </noscript> <script>document.write('<a href="http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u='+ encodeURIComponent(window.location.href+ (window.location.search === "" ? "?" : "&")+ "bdorz_come=1")+ '" name="tj_login" class="lb">登录</a>');</script> <a href=//www.baidu.com/more/ name=tj_briicon class=bri style="display: block;">更多产品</a> </div> </div> </div> <div id=ftCon> <div id=ftConw> <p id=lh> <a href=http://home.baidu.com>关于百度</a> <a href=http://ir.baidu.com>About Baidu</a> </p> <p id=cp>©2017 Baidu <a href=http://www.baidu.com/duty/>使用百度前必读</a> <a href=http://jianyi.baidu.com/ class=cp-feedback>意见反馈</a> 京ICP证030173号 <img src=//www.baidu.com/img/gs.gif> </p> </div> </div> </div> </body> </html>
Service常用类型
spec.type
- ClusterIP:在集群内部使用的,默认类型
- ExternalName:反代到指定的域名上。
- LoadBalancer:使用云服务商提供的IP地址。成本太高。
- NodePort:在每个宿主机上暴露一个随机端口,30000-32767,–service-node-port-range,集群外部可访问。
Ingress概念
用于实现用域名的方式访问K8s内部。它是Kubernetes集群中服务的入口,可以提供负载均衡、SSL终止和基于域名的虚拟主机。
- 官方文档:https://kubernetes.io/docs/concepts/services-networking/ingress/
- Ingress-Nginx安装文档:https://kubernetes.github.io/ingress-nginx/deploy/
安装ingress
➜ brew install helm
➜ helm version
version.BuildInfo{Version:"v3.9.0", GitCommit:"7ceeda6c585217a19a1131663d8cd1f7d641b2a7", GitTreeState:"clean", GoVersion:"go1.18.2"}
--试了很久v1.2.1版本镜像拉取错误,改为1.2.0启动成功
--只需在一台机器上启动,因此可以利用标签来选择在哪台机器上启动
➜ helm install ingress-nginx ingress-nginx \
--repo https://kubernetes.github.io/ingress-nginx \
--namespace ingress-nginx --create-namespace \
--set controller.dnsPolicy=ClusterFirstWithHostNet \
--set controller.hostNetwork=true \
--set controller.kind=DaemonSet \
--set controller.service.type=NodePort \
--set controller.image.tag="v1.2.0" \
--set controller.image.digest= \
--set controller.image.digestChroot=
% kubectl get po -n ingress-nginx
NAME READY STATUS RESTARTS AGE
ingress-nginx-controller-mmzpv 1/1 Running 0 42s
% kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.105.16.145 <none> 80:32169/TCP,443:31839/TCP 15m
ingress-nginx-controller-admission ClusterIP 10.105.37.15 <none> 443/TCP 15m
创建ingress
先创建服务
apiVersion: v1
kind: Service
metadata:
name: nginx
labels:
app: nginx
spec:
ports:
- port: 80
name: web
clusterIP: None
selector:
app: nginx
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: web
spec:
serviceName: "nginx"
replicas: 2
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.15.2
ports:
- containerPort: 80
name: web
% kubectl create -f statefulset-nginx.yaml -n ingress-nginx
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
# annotations:
# nginx.ingress.kubernetes.io/rewrite-target: /
name: example
namespace: ingress-nginx
spec:
ingressClassName: nginx
rules:
- host: foo.bar.com
http:
paths: #相当于nginx的location ,可以配置多个
- path: /
pathType: Prefix
backend:
service:
name: nginx-svc #自己的svc名称及端口
port:
number: 80
% kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
example nginx foo.bar.com 10.101.114.133 80 81s
% kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.105.16.145 <none> 80:32169/TCP,443:31839/TCP 21m
ingress-nginx-controller-admission ClusterIP 10.105.37.15 <none> 443/TCP 21m
nginx ClusterIP None <none> 80/TCP 69m
% kubectl get po -n ingress-nginx
NAME READY STATUS RESTARTS AGE
ingress-nginx-controller-mdst4 1/1 Running 0 22m
web-0 1/1 Running 0 69m
web-1 1/1 Running 0 69m
vi ingress-example.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
# nginx.ingress.kubernetes.io/rewrite-target: /
# nginx.ingress.kubernetes.io/enable-cors: "true"
# nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
# nginx.ingress.kubernetes.io/cors-allow-origin: "*"
# nginx.ingress.kubernetes.io/rewrite-target: /
kubernetes.io/ingress.class: "nginx"
name: example
namespace: ingress-nginx
spec:
# ingressClassName: nginx
rules:
- host: "foo.bar.com"
http:
paths: #相当于nginx的location ,可以配置多个
- path: /
pathType: Prefix
backend:
service:
name: nginx
port:
number: 80
% kubectl create -f ingress-example.yaml
% kubectl get ingress -n ingress-nginx
NAME CLASS HOSTS ADDRESS PORTS AGE
example <none> foo.bar.com 10.105.16.145 80 12m
% vi /etc/hosts
加入 127.0.0.1 foo.bar.com
访问foo.bar.com:32169 (ingress-nginx-controller暴露出来的接口)
ConfigMap
ConfigMap概念
一般用ConfigMap去管理一些配置文件,或者一些大量的环境变量信息。
ConfigMap将配置和Pod分开,更易于配置文件的更改和管理。
ConfigMap 将你的环境配置信息和 容器镜像 解耦,便于应用配置的修改。\
官方文档:https://kubernetes.io/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/
安装metrics-server
官网地址:https://github.com/kubernetes-sigs/metrics-server
```
# 创建本地目录
mkdir -p configure-pod-container/configmap/
# 将示例文件下载到 `configure-pod-container/configmap/` 目录
wget https://kubernetes.io/examples/configmap/game.properties -O configure-pod-container/configmap/game.properties
wget https://kubernetes.io/examples/configmap/ui.properties -O configure-pod-container/configmap/ui.properties
# 创建 configmap
kubectl create configmap game-config --from-file=configure-pod-container/configmap/
kubectl get configmaps game-config -o yaml
apiVersion: v1
data:
game.properties: |-
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
secret.code.lives=30
ui.properties: |
color.good=purple
color.bad=yellow
allow.textmode=true
how.nice.to.look=fairlyNice
kind: ConfigMap
metadata:
creationTimestamp: "2023-04-22T11:07:31Z"
name: game-config
namespace: default
resourceVersion: "170759"
uid: f511b525-3057-4670-b59f-0a35405a0e80
官方文档很详细,建议直接看官方文档。
Secret
Secret概念
和ConfigMap一样管理配置文件,但是Secret更倾向于存储和共享敏感、加密的配置信息。比如redis、mysql密码登。
官方文档:https://kubernetes.io/zh-cn/docs/concepts/configuration/secret/
kubectl create secret generic dev-db-secret --from-literal=username=devuser --from-literal=password='S!B*123'
kubectl get secret dev-db-secret -oyaml
apiVersion: v1
data:
password: UyFCKjEyMw==
username: ZGV2dXNlcg==
kind: Secret
metadata:
creationTimestamp: "2023-04-22T11:16:31Z"
name: dev-db-secret
namespace: default
resourceVersion: "206931"
uid: f8dd6804-73b8-4eb3-8777-a4a9b4b3ff27
type: Opaque
❯ echo "UyFCKjEyMw==" | base64 --decode
S!B*123
配置文件管理
https://kubernetes.io/zh-cn/docs/tasks/configmap-secret/managing-secret-using-config-file/