Preface
This one post took more than a week to write (tears). Kubernetes from getting started to giving up: at least it works.
A recent project uses k8s, so I have been cramming on the topic. This post is a summary of day-to-day operations; a post on the underlying principles will follow when there is time.
Below, ns stands for namespace, sa for service account and svc for service.
In the commands, the value after -n is the namespace name.
Config file
Config file location:
The config file contains the basic k8s settings:
The config file can be passed with --kubeconfig or with the KUBECONFIG environment variable.
Viewing things with kubectl
View cluster info
kubectl cluster-info
View the nodes in the cluster
kubectl get node
View details of a given node
kubectl describe node vm-0-11-ubuntu
View namespaces
kubectl get ns
ns is short for namespace
View everything in a namespace
kubectl get all [-n xxxxnamespace]
Without -n, the default ns (default) is used
View the services in a given ns
kubectl get svc -n ok
View service details
kubectl describe svc xxxx
View the pods in a given ns
kubectl get po -n nuonuo
po, pod and pods all work
Show pod IPs when listing pods
kubectl get po -o wide -n ok
View the service accounts in a given ns
List all sa in a ns:
kubectl get sa -n ok
If you do not create an sa yourself, a default one is provided.
When creating a pod you can specify an existing sa.
View sa details:
kubectl describe sa nuo -n ok
Get the sa token:
kubectl describe secret nuo-token-xvfvv -n ok
With the token and the URL (server-ip:8443) you can reach our ns, svc and pods.
But the sa must first be granted permissions; more on that below.
View pods in all namespaces
kubectl get pods --all-namespaces
Changing a pod's port in k8s
Change the nodePort with kubectl edit
kubectl edit svc/<service-name> -n <namespace>
Once the editor opens, find the field and change it.
Deploying with YAML
Create a pod from a YAML file:
kubectl create -f nginx-rc.yaml
A STATUS of ErrImageNeverPull here means the pod did not start: imagePullPolicy is Never and the image is not present on the node.
Get the service:
Generating a serviceAccount
Create the sa
kubectl create sa xxx
Look up the token name
kubectl describe sa <sa-name> -n <namespace>
Get the token
kubectl describe secret <token-name> -n <namespace>
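An added example of what the token obtained this way carries (my code, not from the post): it parses a constructed copy of `kubectl describe secret` output, pulls the token line and decodes the JWT payload without verifying the signature, which shows the service account and namespace any holder of that token acts as. The describe output and the unsigned token are constructed here; only the API server's signature check proves a token is genuine.

```python
import base64
import json

# Constructed sample of `kubectl describe secret <token-name> -n <ns>` output
# (shape only; the token is a fake, unsigned JWT built below, not a real one).
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "ok",
    "kubernetes.io/serviceaccount/service-account.name": "nuo",
    "sub": "system:serviceaccount:ok:nuo",
}
FAKE_TOKEN = ".".join([
    _b64url(b'{"alg":"RS256","kid":"demo"}'),
    _b64url(json.dumps(_CLAIMS).encode()),
    "signature-omitted",
])

DESCRIBE_OUTPUT = f"""Name:         nuo-token-xvfvv
Namespace:    ok
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: nuo

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1066 bytes
namespace:  2 bytes
token:      {FAKE_TOKEN}
"""

def token_from_describe(text: str) -> str:
    """Pull the bearer token out of `kubectl describe secret` output."""
    for line in text.splitlines():
        if line.startswith("token:"):
            return line.split(None, 1)[1].strip()
    raise ValueError("no token: line in describe output")

def token_identity(token: str) -> dict:
    """Decode the JWT payload (unverified) to see which sa/namespace the token acts as."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the padding base64url strips
    claims = json.loads(base64.urlsafe_b64decode(payload))
    _, _, namespace, name = claims["sub"].split(":")  # system:serviceaccount:<ns>:<sa>
    return {"namespace": namespace, "serviceaccount": name, "issuer": claims.get("iss")}
```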
YAML operations
The YAML below does the following:
creates a service account
creates a role
and binds it (grants permissions)
creates a deployment
creates a service
Note: the sa must be granted permissions, otherwise https://ip:8443 plus the token cannot reach the corresponding service and pods; the token alone is useless.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dfsa
  namespace: dftest
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: common-user
  namespace: dftest
rules:
  - apiGroups:
      - apps
      - ''            # '' is the core API group (pods, services, namespaces)
    resources:
      - deployments
      - services
      - replicasets
      - statefulsets
      - daemonsets
      - pods
      - pods/log      # subresources: log exposes container output, exec gives a shell;
      - pods/exec     # grant these only where the sa really needs them
      - namespaces
    verbs:
      - list
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: common-user
  namespace: dftest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: common-user
subjects:
  - kind: ServiceAccount
    name: dfsa
    namespace: dftest
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-df
  namespace: dftest
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:alpine
          ports:
            - containerPort: 80
      serviceAccount: dfsa       # deprecated alias of serviceAccountName; only the latter is needed
      serviceAccountName: dfsa
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service-df
  namespace: dftest
spec:
  selector:
    app: nginx
  type: NodePort
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
      nodePort: 30087
Delete operations
Delete the pods of a deployment
First list them:
kubectl get deployments --all-namespaces
Delete the deployment itself and its pods go with it.
Why the controller cannot be deleted
Why can this thing never be deleted? Delete one pod and another one appears.
Deleting pod nginx- shows that as soon as the pod is deleted k8s automatically adds a new pod nginx-**, which confirms what the introduction said: "the ReplicationController keeps watching the list of running pods and makes sure their number always matches its label selector".
Delete the ReplicationController
[root@master ~]# kubectl delete rc nginx
A deployment is only one kind of controller, and listing deployments does not find it; listing rc does. So the rc is what actually has to be deleted.
Creating a namespace
Create it from the command line
Use a YAML file
#test.yaml:
kind: Namespace
apiVersion: v1
metadata:
  name: test
  labels:
    name: test
Then run kubectl apply -f test.yaml
Start a pod running redis in the default namespace:
kubectl run redis --image='redis:alpine'
Working with YAML
Create a pod in a given ns
kubectl apply -f nginx2.yaml -n nuonuo
The YAML file can itself specify the ns; the file below does not, so it is given on the command line.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment1-1
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:alpine
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service1
spec:
  selector:
    app: nginx
  type: NodePort
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
      nodePort: 30083
Create sa, create Role, bind sa
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default          # the namespace's default sa already exists; binding it grants
  namespace: ok          # these permissions to every pod in ok that sets no sa of its own
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: common-user
  namespace: ok
rules:
  - apiGroups:
      - apps
      - ''
    resources:
      - deployments
      - services
      - replicasets
      - statefulsets
      - daemonsets
      - pods
      - pods/log
      - pods/exec
      - namespaces
    verbs:
      - list
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: common-user
  namespace: ok
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: common-user
subjects:
  - kind: ServiceAccount
    name: default
    namespace: ok
Apply the YAML file:
kubectl create -f auth.yaml -n ok
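An added check for the Role and RoleBinding above (and the identical dftest set earlier), written here and not part of the post: it mirrors the two objects as Python dicts in the shape `kubectl get role,rolebinding -n ok -o json` returns and answers the two questions a reviewer asks of RBAC, which sa the binding actually covers and what the rules let it do. It also shows that the deployment that follows, which runs as sa nuo, is not covered by this binding; the SENSITIVE set is my choice.

```python
# Constructed from the Role and RoleBinding above, as the dicts
# `kubectl get role,rolebinding -n ok -o json` would return.
ROLE = {
    "kind": "Role",
    "metadata": {"name": "common-user", "namespace": "ok"},
    "rules": [{
        "apiGroups": ["apps", ""],
        "resources": ["deployments", "services", "replicasets", "statefulsets",
                      "daemonsets", "pods", "pods/log", "pods/exec", "namespaces"],
        "verbs": ["list", "get"],
    }],
}
BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "common-user", "namespace": "ok"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "common-user"},
    "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "ok"}],
}
# Resources whose read verbs already expose container output, shells or credentials.
SENSITIVE = {"pods/exec", "pods/attach", "pods/portforward", "pods/log", "secrets"}

def binds(binding, role, namespace, sa):
    """True if the RoleBinding hands this Role to system:serviceaccount:<ns>:<sa>."""
    ref = binding["roleRef"]
    if ref["kind"] != role["kind"] or ref["name"] != role["metadata"]["name"]:
        return False
    if binding["metadata"]["namespace"] != role["metadata"]["namespace"]:
        return False  # a RoleBinding can only reference a Role in its own namespace
    return any(s["kind"] == "ServiceAccount" and s["name"] == sa
               and s["namespace"] == namespace for s in binding["subjects"])

def can(role, verb, resource, api_group=""):
    """RBAC match as the apiserver does it: each rule field lists the value or '*'."""
    def hit(values, value):
        return value in values or "*" in values
    return any(hit(r["verbs"], verb) and hit(r["apiGroups"], api_group)
               and hit(r["resources"], resource) for r in role["rules"])

def sensitive_grants(role):
    """Sorted (resource, verb) pairs the Role allows on SENSITIVE resources."""
    return sorted((res, verb) for rule in role["rules"]
                  for res in rule["resources"] if res in SENSITIVE
                  for verb in rule["verbs"])

if __name__ == "__main__":
    print("default sa bound:", binds(BINDING, ROLE, "ok", "default"))
    print("nuo sa bound:", binds(BINDING, ROLE, "ok", "nuo"))
    print("can get pods:", can(ROLE, "get", "pods"))
    print("sensitive grants:", sensitive_grants(ROLE))
```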
Create deployment, create service
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment1-2
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:alpine
          ports:
            - containerPort: 80
      serviceAccount: nuo        # deprecated alias of serviceAccountName; only the latter is needed
      serviceAccountName: nuo
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service1
spec:
  selector:
    app: nginx
  type: NodePort
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
      nodePort: 30085
Getting a pod's YAML
kubectl get pod <pod-name> -o yaml -n <namespace>
The output looks like this:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2021-08-11T07:45:50Z"
  generateName: nginx-deployment1-2-6699b99878-
  labels:
    app: nginx
    pod-template-hash: 6699b99878
  name: nginx-deployment1-2-6699b99878-jsdt7
  namespace: ok
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: nginx-deployment1-2-6699b99878
    uid: c126461a-798d-4734-a45a-36b2749ef537
  resourceVersion: "519366"
  uid: 6b7f1aa2-1e41-4f4e-99a5-13a109f779ca
spec:
  containers:
  - image: nginx:alpine
    imagePullPolicy: IfNotPresent
    name: nginx
    ports:
    - containerPort: 80
      protocol: TCP
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-77lxj
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  nodeName: vm-0-11-ubuntu
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: nuo
  serviceAccountName: nuo
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: kube-api-access-77lxj
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2021-08-11T07:45:50Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2021-08-11T07:45:53Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2021-08-11T07:45:53Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2021-08-11T07:45:50Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: docker://b7daf9b99b8946259d0f28202439992b553ebef708e3a2ee9527c3b7ff392437
    image: nginx:alpine
    imageID: docker-pullable://nginx@sha256:bead42240255ae1485653a956ef41c9e458eb077fcb6dc664cbc3aa9701a05ce
    lastState: {}
    name: nginx
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2021-08-11T07:45:51Z"
  hostIP: 172.17.0.11
  phase: Running
  podIP: 172.18.0.13
  podIPs:
  - ip: 172.18.0.13
  qosClass: BestEffort
  startTime: "2021-08-11T07:45:50Z"
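An added review of that pod object (my code, not from the post): it takes the security-relevant fields of the output above as the dict `kubectl get pod <name> -o json` would return, reports how long the projected sa token stays valid, and lists what a reviewer would flag: the mounted API token, the empty securityContext, the empty resources block behind qosClass BestEffort, and the image pinned by tag. The trimmed POD dict and the finding codes are constructed here.

```python
# Constructed from the `kubectl get pod -o yaml` output above: only the fields the
# audit reads, in the dict shape `kubectl get pod <name> -o json` returns.
POD = {
    "metadata": {"name": "nginx-deployment1-2-6699b99878-jsdt7", "namespace": "ok"},
    "spec": {
        "serviceAccountName": "nuo",
        "securityContext": {},
        "containers": [{"name": "nginx", "image": "nginx:alpine", "resources": {}}],
        "volumes": [{"name": "kube-api-access-77lxj", "projected": {"sources": [
            {"serviceAccountToken": {"expirationSeconds": 3607, "path": "token"}},
            {"configMap": {"name": "kube-root-ca.crt"}},
        ]}}],
    },
    "status": {"qosClass": "BestEffort"},
}

def token_lifetime(pod):
    """Seconds the projected sa token stays valid; None means no projected token
    (a legacy secret-backed token, which never expires, or no token at all)."""
    for vol in pod["spec"].get("volumes", []):
        for src in vol.get("projected", {}).get("sources", []):
            if "serviceAccountToken" in src:
                return src["serviceAccountToken"].get("expirationSeconds")
    return None

def audit_pod(pod):
    """Findings a reviewer would raise about the pod, as 'code: explanation' strings."""
    spec, findings = pod["spec"], []
    sa = spec.get("serviceAccountName", "default")
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"sa-token-mounted: token for sa '{sa}' is readable by every "
                        "container; set automountServiceAccountToken: false if unused")
    containers = spec.get("containers", [])
    pod_ctx = spec.get("securityContext") or {}
    if not pod_ctx.get("runAsNonRoot") and not any(
            (c.get("securityContext") or {}).get("runAsNonRoot") for c in containers):
        findings.append("runs-as-image-default-user: no runAsNonRoot at pod or "
                        "container level, so the image's default user (root for nginx) is used")
    if any(not (c.get("resources") or {}).get("limits") for c in containers):
        findings.append(f"no-resource-limits: qosClass {pod['status'].get('qosClass')}, "
                        "a runaway container can starve the node and is evicted first")
    if any("@sha256:" not in c["image"] for c in containers):
        findings.append("image-by-tag: image pinned by mutable tag, not by digest")
    return findings

if __name__ == "__main__":
    print("token lifetime (s):", token_lifetime(POD))
    for finding in audit_pod(POD):
        print("-", finding)
```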
Odds and ends
Querying DNS records
Check whether name resolution works
root@VM-0-11-ubuntu:/dbroot/kube/yamldir# nslookup nginx-service1.ok
Server: 127.0.0.53
Address: 127.0.0.53#53
** server can't find nginx-service1.ok: NXDOMAIN
root@VM-0-11-ubuntu:/dbroot/kube/yamldir# nslookup nginx-service1
Server: 127.0.0.53
Address: 127.0.0.53#53
** server can't find nginx-service1: SERVFAIL
Both lookups fail because they run on the node and go to the host resolver (127.0.0.53), which knows nothing about cluster services; service names are served by the cluster DNS that pods use, by default as nginx-service1.ok.svc.cluster.local.
Firewall
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -m state --state NEW -m udp -p udp --dport 443 -j ACCEPT
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 6443 -j ACCEPT
iptables -I INPUT -m state --state NEW -m udp -p udp --dport 6443 -j ACCEPT
The API server on 6443 speaks TCP only, so the UDP rule for it opens nothing that is needed.
minikube
View the service IP and port:
It can be accessed directly: