Pod污点、容忍策略、精确匹配、模糊匹配、Pod优先级与抢占、容器安全

污点与容忍

污点策略

尽量不调度:PreferNoSchedule

不被调度:NoSchedule

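驱逐节点:NoExecute(不再调度新的 Pod,并驱逐节点上已在运行但不容忍该污点的 Pod)

注意:污点只影响调度结果,并不是安全隔离手段——有权创建 Pod 的用户可以在 Pod 中声明容忍,从而调度到带污点的节点;需要隔离时应结合 RBAC、准入控制等机制。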

管理污点标签
# 查看污点策略
[root@master ~]# kubectl describe nodes|grep Taints
Taints:             node-role.kubernetes.io/master:NoSchedule
Taints:             <none>
Taints:             <none>
Taints:             <none>
Taints:             <none>
Taints:             <none>
# node-0001 设置污点策略 PreferNoSchedule
[root@master ~]# kubectl taint node node-0001 k=v1:PreferNoSchedule
node/node-0001 tainted
# node-0002 设置污点策略 NoSchedule
[root@master ~]# kubectl taint node node-0002 k=v2:NoSchedule
node/node-0002 tainted
[root@master ~]# kubectl describe nodes |grep Taints
Taints:             node-role.kubernetes.io/master:NoSchedule
Taints:             k=v1:PreferNoSchedule
Taints:             k=v2:NoSchedule
Taints:             <none>
Taints:             <none>
Taints:             <none>
Pod 资源文件
[root@master ~]# vim myphp.yaml
---
# Bare Pod manifest (no Deployment or other controller) used as the template
# for php1..php5 in the commands that follow; sed rewrites "myphp" per apply.
# No tolerations are declared, so the scheduler applies every node taint to it.
kind: Pod
apiVersion: v1
metadata:
  name: myphp
spec:
  containers:
  - name: php
    image: myos:php-fpm
    resources:
      requests:
        # Large CPU request; presumably sized so a node fits only one such Pod,
        # which spreads the test Pods one per node -- confirm against node capacity.
        cpu: 1500m
验证污点策略
# 优先使用没有污点的节点
[root@master ~]# sed "s,myphp,php1," myphp.yaml |kubectl apply -f -
pod/php1 created
[root@master ~]# sed "s,myphp,php2," myphp.yaml |kubectl apply -f -
pod/php2 created
[root@master ~]# sed "s,myphp,php3," myphp.yaml |kubectl apply -f -
pod/php3 created
[root@master ~]# kubectl get pods -o wide
NAME   READY   STATUS    RESTARTS   AGE   IP            NODE
php1   1/1     Running   0          13s   10.244.3.35   node-0003
php2   1/1     Running   0          5s    10.244.4.32   node-0004
php3   1/1     Running   0          5s    10.244.5.34   node-0005
# 最后使用 PreferNoSchedule 节点
[root@master ~]# sed 's,myphp,php4,' myphp.yaml |kubectl apply -f -
pod/php4 created
[root@master ~]# kubectl get pods -o wide
NAME   READY   STATUS    RESTARTS   AGE   IP            NODE
php1   1/1     Running   0          13s   10.244.3.35   node-0003
php2   1/1     Running   0          5s    10.244.4.32   node-0004
php3   1/1     Running   0          5s    10.244.5.34   node-0005
php4   1/1     Running   0          80s   10.244.1.33   node-0001
# 不会使用 NoSchedule 节点
[root@master ~]# sed 's,myphp,php5,' myphp.yaml |kubectl apply -f -
pod/php5 created
[root@master ~]# kubectl get pods -o wide
NAME   READY   STATUS    RESTARTS   AGE   IP            NODE
php1   1/1     Running   0          53s   10.244.3.35   node-0003
php2   1/1     Running   0          65s   10.244.4.32   node-0004
php3   1/1     Running   0          75s   10.244.5.34   node-0005
php4   1/1     Running   0          80s   10.244.1.33   node-0001
php5   0/1     Pending   0          5s    <none>        <none>
验证污点策略
# NoSchedule 不会影响已经创建的 Pod
[root@master ~]# kubectl taint node node-0003 k=v3:NoSchedule
node/node-0003 tainted
[root@master ~]# kubectl describe nodes |grep Taints
Taints:             node-role.kubernetes.io/master:NoSchedule
Taints:             k=v1:PreferNoSchedule
Taints:             k=v2:NoSchedule
Taints:             k=v3:NoSchedule
[root@master ~]# kubectl get pods -o wide
NAME   READY   STATUS    RESTARTS   AGE   IP            NODE
php1   1/1     Running   0          53s   10.244.3.35   node-0003
php2   1/1     Running   0          65s   10.244.4.32   node-0004
php3   1/1     Running   0          75s   10.244.5.34   node-0005
php4   1/1     Running   0          80s   10.244.1.33   node-0001
php5   0/1     Pending   0          5s    <none>        <none>
# NoExecute 会驱逐节点上所有不容忍该污点的 Pod(包括已在运行的);php2 这类没有控制器的 Pod 被驱逐后不会自动重建
[root@master ~]# kubectl taint node node-0004 k=v4:NoExecute
node/node-0004 tainted
[root@master ~]# kubectl describe nodes |grep Taints
Taints:             node-role.kubernetes.io/master:NoSchedule
Taints:             k=v1:PreferNoSchedule
Taints:             k=v2:NoSchedule
Taints:             k=v3:NoSchedule
Taints:             k=v4:NoExecute