Preface

>>> Previously: k8s installation

One blog post took more than a week to write; tears. k8s from getting started to giving up... well, it works.
My recent project uses k8s, so I have been cramming this material. This post is a summary of operations; a principles-oriented post will follow when there is time.

In the text below, ns stands for namespace, sa for service account, and svc for service.

In the commands, the argument after -n is the namespace name.

The config file

Config file location:

The config file contains all of k8s's basic configuration:

The config file can be passed with --kubeconfig or with the KUBECONFIG environment variable.


Various kubectl inspection operations


View cluster information

kubectl cluster-info


View the nodes in the cluster

kubectl get node


View details of a specific node in the cluster

kubectl describe node vm-0-11-ubuntu

View namespaces

kubectl get ns

ns is short for namespace


View everything in a namespace

kubectl get all [-n xxxxnamespace]

The following form, without -n, uses the default ns: default


View the services of a given ns

kubectl get svc -n ok


View details of a service

kubectl describe svc xxxx



View the pods of a given ns

kubectl get po -n nuonuo

po, pod and pods all work

Show IPs when listing pods

kubectl get po -o wide -n ok

View the service accounts of a given ns

List all sa in a namespace:

kubectl get sa -n ok

If you do not create an sa yourself, a default one is provided.
When creating a pod you can specify an existing sa.

View an sa's details:

kubectl describe sa nuo -n ok

Get the sa's token:

kubectl describe secret nuo-token-xvfvv -n ok

With the token and the URL (server IP:8443) you can reach our ns, svc and pods.
But the sa must be authorized first; that is covered below.


View pods in all namespaces

kubectl get pods --all-namespaces


Changing a pod's port in K8S

Changing a NodePort port with kubectl edit

kubectl edit svc/SERVICE_NAME -n NAMESPACE_NAME



Once the editor opens, find the corresponding field and change it.


Deploying with yaml in K8S

Deploying nginx on k8s


Create a pod from a yaml file:

kubectl create -f nginx-rc.yaml



Here STATUS is ErrImageNeverPull, meaning the pod failed to start.

Get the service:



Generating a serviceAccount in K8S

Create an sa

kubectl create sa xxx


View the token name

kubectl describe sa SA_NAME -n NAMESPACE_NAME

Get the token

kubectl describe secret TOKEN_NAME -n NAMESPACE_NAME


yaml operations

Create a service account
Create a role
and grant it to the sa
Create a deployment
Create a service

Note: the sa must be authorized; only then can https://ip:8443 plus the token reach the corresponding service and pods. Without authorization the token is useless.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: dfsa
  namespace: dftest
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: common-user
  namespace: dftest
rules:
  - apiGroups:
      - apps
      - ''
    resources:
      - deployments
      - services
      - replicasets
      - statefulsets
      - daemonsets
      - pods
      - pods/log
      - pods/exec
      - namespaces
    verbs:
      - list
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: common-user
  namespace: dftest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: common-user
subjects:
- kind: ServiceAccount
  name: dfsa
  namespace: dftest

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-df
  namespace: dftest
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:alpine
        ports:
        - containerPort: 80
      serviceAccount: dfsa
      serviceAccountName: dfsa
        
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service-df
  namespace: dftest
spec:
  selector:
    app: nginx
  type: NodePort
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    nodePort: 30087
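
The Role above grants only get and list. Before binding a rule set like this it is worth checking exactly what it permits. The following is an added example (not code from the post): it transcribes the Role's rules into Python and evaluates requests against them the way RBAC does, allowing a request only when a single rule matches its API group, resource and verb together, with "*" as a wildcard. The resource-to-group table and the sample requests are assumptions made for the example. It also shows a caveat worth knowing: listing pods/exec under get and list does not permit kubectl exec, which needs the create verb on pods/exec.

```python
"""Offline check of what the Role "common-user" above actually permits.

Added example, not code from the post. COMMON_USER_RULES is a transcription of
the Role manifest; the evaluator mirrors core RBAC matching (apiGroup, resource
and verb must all match within one rule; "*" is a wildcard).
"""
from typing import Dict, List, Tuple

# Transcribed from the Role manifest above (the core API group is the empty string "").
COMMON_USER_RULES: List[Dict[str, List[str]]] = [
    {
        "apiGroups": ["apps", ""],
        "resources": ["deployments", "services", "replicasets", "statefulsets",
                      "daemonsets", "pods", "pods/log", "pods/exec", "namespaces"],
        "verbs": ["list", "get"],
    },
]

# Assumed lookup: which API group each resource belongs to. A request names
# exactly one group, so the evaluator needs it to pick the right match.
RESOURCE_GROUP: Dict[str, str] = {
    "deployments": "apps", "replicasets": "apps", "statefulsets": "apps",
    "daemonsets": "apps", "services": "", "pods": "", "pods/log": "",
    "pods/exec": "", "namespaces": "", "secrets": "", "serviceaccounts": "",
}


def _matches(allowed: List[str], wanted: str) -> bool:
    # "*" in a rule field matches anything; otherwise the entry must be listed.
    return "*" in allowed or wanted in allowed


def rule_allows(rule: Dict[str, List[str]], group: str, resource: str, verb: str) -> bool:
    """All three fields must match within the same rule."""
    return (_matches(rule["apiGroups"], group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))


def can_i(rules: List[Dict[str, List[str]]], verb: str, resource: str) -> bool:
    """True if any rule in the Role permits <verb> on <resource>."""
    group = RESOURCE_GROUP.get(resource, "")
    return any(rule_allows(r, group, resource, verb) for r in rules)


def least_privilege_report(rules: List[Dict[str, List[str]]]) -> Dict[Tuple[str, str], bool]:
    """Evaluate the requests a reviewer most wants answered for a read-only role."""
    checks = [
        ("list", "pods"),         # the post's use case: read pods/services through the API
        ("get", "services"),
        ("delete", "pods"),       # write access must stay denied
        ("create", "pods/exec"),  # kubectl exec needs "create" on pods/exec, not "get"
        ("get", "secrets"),       # secrets are not in the Role at all
    ]
    return {c: can_i(rules, *c) for c in checks}


if __name__ == "__main__":
    for (verb, resource), ok in least_privilege_report(COMMON_USER_RULES).items():
        print(f"{verb:7} {resource:10} -> {'allowed' if ok else 'denied'}")
```

On a live cluster the same question can be put to the API server itself, which is the authoritative answer: kubectl auth can-i list pods -n dftest --as=system:serviceaccount:dftest:dfsa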



Delete operations


Deleting a deployment's pods

First list them:

kubectl get deployments --all-namespaces



Delete the deployment directly to delete its pods.


Why the controller cannot be deleted

Why can't the controller be deleted?
Why can this thing never be deleted? Delete one and another one appears.

Deleting pod nginx-, you find that as the pod is deleted k8s automatically creates a new pod nginx-**. This confirms what the earlier introduction said: "the ReplicationController continuously monitors the list of running pods and makes sure the number of pods always matches its label selector".

Delete the ReplicationController
[root@master ~]# kubectl delete rc nginx


A deployment is only one kind of controller, and querying deployments finds nothing.
Querying rc finds it here, so the rc is what actually needs to be deleted.


Creating a namespace

Create from the command line

Using a yaml file

#test.yaml:

kind: Namespace
apiVersion: v1
metadata:
  name: test
  labels:
    name: test

Then run kubectl apply -f test.yaml

Start a pod running redis in the default namespace:

kubectl run redis --image='redis:alpine'

Working with yaml


Create a pod in a specified ns

kubectl apply -f nginx2.yaml -n nuonuo

The yaml file can itself specify the ns; the file below does not, so it is given on the command line.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment1-1
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:alpine
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service1
spec:
  selector:
    app: nginx
  type: NodePort
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    nodePort: 30083



Create an sa, create a Role, bind the sa

apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: ok
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: common-user
  namespace: ok
rules:
  - apiGroups:
      - apps
      - ''
    resources:
      - deployments
      - services
      - replicasets
      - statefulsets
      - daemonsets
      - pods
      - pods/log
      - pods/exec
      - namespaces
    verbs:
      - list
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: common-user
  namespace: ok
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: common-user
subjects:
- kind: ServiceAccount
  name: default
  namespace: ok

Run the yaml file:

kubectl create -f auth.yaml -n ok

Create a deployment, create a service

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment1-2
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:alpine
        ports:
        - containerPort: 80
      serviceAccount: nuo
      serviceAccountName: nuo
        
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service1
spec:
  selector:
    app: nginx
  type: NodePort
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    nodePort: 30085

Get a pod's yaml

kubectl get pod POD_NAME -o yaml -n NAMESPACE_NAME


The output is as follows:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2021-08-11T07:45:50Z"
  generateName: nginx-deployment1-2-6699b99878-
  labels:
    app: nginx
    pod-template-hash: 6699b99878
  name: nginx-deployment1-2-6699b99878-jsdt7
  namespace: ok
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: nginx-deployment1-2-6699b99878
    uid: c126461a-798d-4734-a45a-36b2749ef537
  resourceVersion: "519366"
  uid: 6b7f1aa2-1e41-4f4e-99a5-13a109f779ca
spec:
  containers:
  - image: nginx:alpine
    imagePullPolicy: IfNotPresent
    name: nginx
    ports:
    - containerPort: 80
      protocol: TCP
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-77lxj
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  nodeName: vm-0-11-ubuntu
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: nuo
  serviceAccountName: nuo
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: kube-api-access-77lxj
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2021-08-11T07:45:50Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2021-08-11T07:45:53Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2021-08-11T07:45:53Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2021-08-11T07:45:50Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: docker://b7daf9b99b8946259d0f28202439992b553ebef708e3a2ee9527c3b7ff392437
    image: nginx:alpine
    imageID: docker-pullable://nginx@sha256:bead42240255ae1485653a956ef41c9e458eb077fcb6dc664cbc3aa9701a05ce
    lastState: {}
    name: nginx
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2021-08-11T07:45:51Z"
  hostIP: 172.17.0.11
  phase: Running
  podIP: 172.18.0.13
  podIPs:
  - ip: 172.18.0.13
  qosClass: BestEffort
  startTime: "2021-08-11T07:45:50Z"

Miscellaneous


Querying DNS records

Check whether name resolution works. Note that both queries below are sent from the node's shell and answered by its local stub resolver (127.0.0.53), not by the cluster DNS, so the service name is not found; service names resolve from inside a pod, where the full form is nginx-service1.ok.svc.cluster.local.

root@VM-0-11-ubuntu:/dbroot/kube/yamldir# nslookup nginx-service1.ok
Server:         127.0.0.53
Address:        127.0.0.53#53

** server can't find nginx-service1.ok: NXDOMAIN

root@VM-0-11-ubuntu:/dbroot/kube/yamldir# nslookup nginx-service1
Server:         127.0.0.53
Address:        127.0.0.53#53

** server can't find nginx-service1: SERVFAIL

Firewall

Firewall related

iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -m state --state NEW -m udp -p udp --dport 443 -j ACCEPT
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 6443 -j ACCEPT
iptables -I INPUT -m state --state NEW -m udp -p udp --dport 6443 -j ACCEPT


minikube

View the service's access IP and port:

It can be accessed directly:


403 problem

anonymous cannot get path
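
A 403 naming "anonymous" means the API server saw no credentials on the request at all and evaluated it as system:anonymous, i.e. the bearer token was not sent. The projected volume in the pod YAML earlier mounts exactly that token (expirationSeconds: 3607) at /var/run/secrets/kubernetes.io/serviceaccount/token together with the cluster ca.crt. The following added example (not code from the post) shows both sides: reading the claims of such a token to confirm which sa and namespace it belongs to and whether it has expired, and building the authenticated GET for /api/v1/namespaces/<ns>/pods that the common-user Role permits. The token it decodes is a constructed, unsigned sample, SERVER_IP is a placeholder, and decoding only reads the claims; verifying the signature is the API server's job.

```python
"""Inspect a service-account token and build an authenticated API request.

Added example, not code from the post. A service-account token is a JWT whose
payload (second dot-separated segment) is base64url-encoded JSON naming the
account ("sub") and, for projected tokens, an expiry ("exp").
"""
import base64
import json
import ssl
import time
import urllib.request
from typing import Dict, Optional


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_claims(token: str) -> Dict:
    """Return the JWT payload as a dict. No signature verification: diagnosis only."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def token_is_expired(token: str, now: Optional[float] = None) -> bool:
    """True once the token's "exp" claim has passed (projected tokens expire; legacy ones have no exp)."""
    exp = token_claims(token).get("exp")
    current = now if now is not None else time.time()
    return exp is not None and current >= exp


def build_api_request(api_url: str, namespace: str, token: str) -> urllib.request.Request:
    """GET /api/v1/namespaces/<ns>/pods with the token as a bearer credential.

    Without this Authorization header the API server treats the caller as
    system:anonymous, which is the "anonymous cannot get path" 403 above.
    """
    url = f"{api_url.rstrip('/')}/api/v1/namespaces/{namespace}/pods"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def ssl_context_for_cluster(ca_path: str) -> ssl.SSLContext:
    """Verify the API server's certificate against the cluster CA (the mounted ca.crt)."""
    return ssl.create_default_context(cafile=ca_path)


def sample_token(now: float) -> str:
    """CONSTRUCTED, unsigned sample mimicking a projected token for sa "nuo" in ns "ok"."""
    header = {"alg": "none", "typ": "JWT"}
    claims = {
        "iss": "kubernetes/serviceaccount",
        "sub": "system:serviceaccount:ok:nuo",
        "kubernetes.io": {"namespace": "ok", "serviceaccount": {"name": "nuo"}},
        "iat": int(now),
        "exp": int(now) + 3607,  # expirationSeconds from the pod spec above
    }
    # Empty third segment: an unsigned sample, which a real API server would reject.
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     ""])


if __name__ == "__main__":
    tok = sample_token(time.time())
    print(token_claims(tok)["sub"], "expired:", token_is_expired(tok))
    req = build_api_request("https://SERVER_IP:8443", "ok", tok)  # SERVER_IP is a placeholder
    print(req.full_url, req.get_header("Authorization")[:12] + "...")
    # Against a real cluster: urllib.request.urlopen(req, context=ssl_context_for_cluster("ca.crt"))
```

When a real call still returns 403 but the user in the message is the service account rather than anonymous, the token was accepted and the failure is authorization, which is the case the RoleBinding section above addresses.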


