kubernetes
service管理
clusterIP
![](https://img-blog.csdnimg.cn/5555ba09d34d45d691bd5b21223d9cb9.png)
创建服务
# 资源对象模板
[root@master ~]# kubectl create service clusterip mysvc --tcp=80:80 --dry-run=client -o yaml
[root@master ~]# vim mysvc.yaml
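---
# ClusterIP Service "mysvc": reachable only from inside the cluster.
# Port 80 of the Service is forwarded to port 80 of every Pod that carries
# the label app=web (the selector below); Pods without that label receive
# no traffic, which the "关联标签" section below demonstrates.
kind: Service
apiVersion: v1
metadata:
  name: mysvc
spec:
  type: ClusterIP
  selector:
    app: web
  ports:
  - protocol: TCP
    port: 80          # port exposed on the Service's cluster IP
    targetPort: 80    # port on the selected Pods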
[root@master ~]# kubectl apply -f mysvc.yaml
service/mysvc created
[root@master ~]# kubectl get service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.245.0.1 <none> 443/TCP 2d18h
mysvc ClusterIP 10.245.5.18 <none> 80/TCP 8s
解析域名
[root@master ~]# kubectl -n kube-system get service kube-dns
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.245.0.10 <none> 53/UDP,53/TCP,9153/TCP 3d10h
[root@master ~]# dnf install -y bind-utils
[root@master ~]# host mysvc.default.svc.cluster.local 10.245.0.10
Using domain server:
Name: 10.245.0.10
Address: 10.245.0.10#53
Aliases:
mysvc.default.svc.cluster.local has address 10.245.5.18
创建后端服务
[root@master ~]# vim myweb.yaml
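---
# Backend Pod for mysvc.  The Service selects it purely by label, so the
# label block is what ties this Pod to the Service.
kind: Pod
apiVersion: v1
metadata:
  name: web1
  labels:
    app: web    # the Service finds its backends through this label
spec:
  # 0 means the Pod is killed immediately on deletion (no graceful drain);
  # convenient for a lab, not something to copy into production manifests.
  terminationGracePeriodSeconds: 0
  restartPolicy: Always
  containers:
  - name: apache
    image: myos:httpd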
[root@master ~]# kubectl apply -f myweb.yaml
pod/web1 created
[root@master ~]# curl http://10.245.5.18
Welcome to The Apache.
关联标签
# service 靠标签寻找 Pod
[root@master ~]# kubectl label pod web1 app-
pod/web1 labeled
[root@master ~]# curl http://10.245.5.18
curl: (7) Failed connect to 10.245.5.18:80; Connection refused
[root@master ~]# kubectl label pod web1 app=web
pod/web1 labeled
[root@master ~]# curl http://10.245.5.18
Welcome to The Apache.
负载均衡
[root@master ~]# sed 's,web1,web2,' myweb.yaml |kubectl apply -f -
pod/web2 created
[root@master ~]# sed 's,web1,web3,' myweb.yaml |kubectl apply -f -
pod/web3 created
[root@master ~]# curl -s http://10.245.5.18/info.php |grep php_host
php_host: web1
[root@master ~]# curl -s http://10.245.5.18/info.php |grep php_host
php_host: web2
[root@master ~]# curl -s http://10.245.5.18/info.php |grep php_host
php_host: web3
服务固定IP
[root@master ~]# vim mysvc.yaml
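---
# Same Service as before, but with a fixed cluster IP.
# clusterIP is immutable once the Service exists, which is why the page
# deletes mysvc before re-applying this file.  The address has to be unused
# and inside the cluster's Service address range (the other Services on this
# cluster are allocated 10.245.x.x addresses).
kind: Service
apiVersion: v1
metadata:
  name: mysvc
spec:
  type: ClusterIP
  clusterIP: 10.245.1.80    # a ClusterIP may be chosen explicitly
  selector:
    app: web
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80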
[root@master ~]# kubectl delete service mysvc
service "mysvc" deleted
[root@master ~]# kubectl apply -f mysvc.yaml
service/mysvc created
[root@master ~]# kubectl get service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.245.0.1 <none> 443/TCP 2d18h
mysvc ClusterIP 10.245.1.80 <none> 80/TCP 65s
端口别名
[root@master ~]# kubectl delete pod --all
pod "web1" deleted
pod "web2" deleted
pod "web3" deleted
[root@master ~]# vim mysvc.yaml
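---
# mysvc with a named targetPort.  "myhttp" is resolved against the
# `ports[].name` of each selected Pod, so the backend Pods must declare a
# container port with exactly that name (see myweb.yaml below); a Pod
# without it is selected by the label but receives no traffic.
kind: Service
apiVersion: v1
metadata:
  name: mysvc
spec:
  type: ClusterIP
  clusterIP: 10.245.1.80
  selector:
    app: web
  ports:
  - protocol: TCP
    port: 80
    targetPort: myhttp    # look up the backend port by its alias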
[root@master ~]# kubectl apply -f mysvc.yaml
service/mysvc configured
[root@master ~]# vim myweb.yaml
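---
# Backend Pod that declares a named container port so the Service can
# reference it as targetPort: myhttp instead of a number.
kind: Pod
apiVersion: v1
metadata:
  name: web1
  labels:
    app: web
spec:
  terminationGracePeriodSeconds: 0    # immediate kill on delete; lab convenience only
  restartPolicy: Always
  containers:
  - name: apache
    image: myos:httpd
    ports:                  # container port declaration
    - name: myhttp          # port alias referenced by the Service's targetPort
      protocol: TCP         # protocol
      containerPort: 80     # port number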
[root@master ~]# kubectl apply -f myweb.yaml
pod/web1 created
[root@master ~]# curl http://10.245.1.80
Welcome to The Apache.
服务排错
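---
# Troubleshooting exercise.  Compared with the working manifests above,
# three things differ and are the first items to check when this Service
# gets no traffic:
#   - clusterIP 192.168.1.88 is outside the range the cluster hands out to
#     its other Services (10.245.x.x), so the API server will most likely
#     reject the object outright;
#   - selector app=apache matches no Pod on this page (the web Pods are
#     labelled app=web), so the Service would have no endpoints;
#   - targetPort "web" names a container port, but the Pods declare the
#     name "myhttp".
# `kubectl describe service web123` and `kubectl get endpoints web123`
# show whether any backend was actually selected.
kind: Service
apiVersion: v1
metadata:
  name: web123
spec:
  type: ClusterIP
  clusterIP: 192.168.1.88
  selector:
    app: apache
  ports:
  - protocol: TCP
    port: 80
    targetPort: web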
nodePort
![](https://img-blog.csdnimg.cn/4928713767b94270bc849f440c938957.png)
对外发布服务
[root@master ~]# cp -a mysvc.yaml mysvc1.yaml
[root@master ~]# vim mysvc1.yaml
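---
# NodePort Service: in addition to a cluster IP, port 30080 is opened on
# the address of every node (the page curls node-0001 .. node-0005).
# Whoever can reach a node's network can therefore reach the backend;
# restrict the port at the node firewall or upstream if that is not intended.
kind: Service
apiVersion: v1
metadata:
  name: mysvc1
spec:
  type: NodePort          # service type
  selector:
    app: web
  ports:
  - protocol: TCP
    port: 80
    nodePort: 30080       # port mapped on every node; must be inside the
                          # cluster's NodePort range (30000-32767 by default)
    targetPort: myhttp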
[root@master ~]# kubectl apply -f mysvc1.yaml
service/mysvc configured
[root@master ~]# kubectl get service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.245.0.1 <none> 443/TCP 5d18h
mysvc ClusterIP 10.245.1.80 <none> 80/TCP 17m
mysvc1 NodePort 10.245.1.88 <none> 80:30080/TCP 7s
[root@master ~]# curl http://node-0001:30080
Welcome to The Apache.
[root@master ~]# curl http://node-0002:30080
Welcome to The Apache.
[root@master ~]# curl http://node-0003:30080
Welcome to The Apache.
[root@master ~]# curl http://node-0004:30080
Welcome to The Apache.
[root@master ~]# curl http://node-0005:30080
Welcome to The Apache.
Ingress
![](https://img-blog.csdnimg.cn/a57e88d0069d45fb92797ee438d7c699.png)
安装控制器
[root@master ~]# cd plugins/ingress
[root@master ingress]# docker load -i ingress.tar.xz
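[root@master ingress]# docker images|while read -r i t _;do
  # Skip the header row and images that already live in the private registry.
  [[ "${t}" == "TAG" ]] && continue
  [[ "${i}" =~ ^"harbor:443/".+ ]] && continue
  # Dangling images are listed as <none>; they can be neither tagged nor pushed.
  [[ "${i}" == "<none>" || "${t}" == "<none>" ]] && continue
  src="${i}:${t}"
  dst="harbor:443/plugins/${i##*/}:${t}"   # keep only the last path component of the repository
  # Re-tag under the private registry and push; remove the local copies only
  # after a successful push so a failed upload does not delete the only copy.
  docker tag "${src}" "${dst}"
  if docker push "${dst}"; then
    docker rmi "${src}" "${dst}"
  else
    printf 'push failed for %s, keeping local image\n' "${dst}" >&2
  fi
  # NOTE(review): these images come from the locally loaded ingress.tar.xz and
  # nothing here compares their digests with upstream; verify the tarball's
  # provenance before relying on what ends up in harbor.
done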
[root@master ingress]# sed -ri 's,^(\s*image: )(.*/)?(.+)@.*,\1harbor:443/plugins/\3,' deploy.yaml
458: image: harbor:443/plugins/controller:v1.5.1
565: image: harbor:443/plugins/kube-webhook-certgen:v20220916-gd32f8c343
614: image: harbor:443/plugins/kube-webhook-certgen:v20220916-gd32f8c343
[root@master ingress]# kubectl apply -f deploy.yaml
# 通过给节点打标签，指定控制器在哪台机器上发布
[root@master ingress]# kubectl label nodes node-0001 ingress-ready="true"
node/node-0001 labeled
[root@master ingress]# kubectl -n ingress-nginx get pods
NAME READY STATUS RESTARTS AGE
ingress-nginx-admission-create--1-lm52c 0/1 Completed 0 29s
ingress-nginx-admission-patch--1-sj2lz 0/1 Completed 0 29s
ingress-nginx-controller-5664857866-tql24 1/1 Running 0 29s
验证后端服务
[root@master ~]# kubectl get pods,services
NAME READY STATUS RESTARTS AGE
pod/web1 1/1 Running 0 35m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.245.0.1 <none> 443/TCP 31h
service/mysvc ClusterIP 10.245.1.80 <none> 80/TCP 34m
service/mysvc1 NodePort 10.245.1.88 <none> 80:30080/TCP 8s
[root@master ~]# curl http://10.245.1.80
Welcome to The Apache.
对外发布服务
[root@master ~]# kubectl get ingressclasses.networking.k8s.io
NAME CONTROLLER PARAMETERS AGE
nginx k8s.io/ingress-nginx <none> 5m7s
# 资源对象模板
[root@master ~]# kubectl create ingress mying --class=nginx --rule=nsd.tedu.cn/*=mysvc:80 --dry-run=client -o yaml
[root@master ~]# vim mying.yaml
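---
# Ingress handled by the nginx IngressClass: requests whose Host header is
# nsd.tedu.cn and whose path starts with "/" are sent to Service mysvc:80.
# The backend Service must live in the same namespace as the Ingress.
# No spec.tls block is present, so the virtual host is served over plain
# HTTP; add spec.tls with a certificate Secret before exposing this beyond a lab.
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: mying
spec:
  ingressClassName: nginx
  rules:
  - host: nsd.tedu.cn
    http:
      paths:
      - backend:
          service:
            name: mysvc
            port:
              number: 80
        path: /
        pathType: Prefix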
[root@master ~]# kubectl apply -f mying.yaml
ingress.networking.k8s.io/mying created
[root@master ~]# kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
mying nginx nsd.tedu.cn 192.168.1.51 80 70s
[root@master ~]# curl -H "Host: nsd.tedu.cn" http://192.168.1.51
Welcome to The Apache.
对外发布服务,访问不同的后端web服务器
[root@master ~]# vim mysvc1.yaml
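---
# mysvc1 re-pointed at a different backend: the selector now picks Pods
# labelled app=nginx (web2.yaml below) instead of the apache Pods, and the
# targetPort is a plain number again because those Pods declare no named port.
kind: Service
apiVersion: v1
metadata:
  name: mysvc1
spec:
  type: NodePort
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80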
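[root@master ~]# cat > mying3.yaml <<'EOF'
---
# Ingress with two rules for the same host: the Exact rule for /info.php is
# evaluated before the Prefix rule for /, so /info.php reaches mysvc (apache)
# while every other path reaches mysvc1 (nginx), as the curl checks below show.
# No spec.tls block: the host is served over plain HTTP.
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: mying
spec:
  ingressClassName: nginx
  rules:
  - host: nsd.tedu.cn
    http:
      paths:
      - backend:
          service:
            name: mysvc
            port:
              number: 80
        path: /info.php
        pathType: Exact
  - host: nsd.tedu.cn
    http:
      paths:
      - backend:
          service:
            name: mysvc1
            port:
              number: 80
        path: /
        pathType: Prefix
EOF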
# 删除已有的 mying 后，用 mying3.yaml 重新创建同名资源（注意 mying 是 Ingress，不是 Service）
[root@master ~]# kubectl delete service mying
[root@master ~]# kubectl apply -f mying3.yaml
ingress.networking.k8s.io/mying created
[root@master ~]#
[root@master ~]# vim web2.yaml
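---
# nginx backend Pod; selected by mysvc1 through the label app=nginx.
kind: Pod
apiVersion: v1
metadata:
  name: web2
  labels:
    app: nginx
spec:
  containers:
  - name: nginx
    image: myos:nginx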
[root@master ~]# kubectl apply -f web2.yaml
#验证访问
[root@master ~]# curl -H "Host: nsd.tedu.cn" http://192.168.1.51
Nginx is running !
#验证访问info.php
[root@master ~]# curl -H "Host: nsd.tedu.cn" http://192.168.1.51/info.php
<pre>
Array
(
[REMOTE_ADDR] => 10.244.21.156
[REQUEST_METHOD] => GET
[HTTP_USER_AGENT] => curl/7.61.1
[REQUEST_URI] => /info.php
)
php_host: web1
1229
web管理插件
安装Dashboard
[root@master ~]# cd plugins/dashboard
[root@master dashboard]# docker load -i dashboard.tar.xz
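[root@master dashboard]# docker images|while read -r i t _;do
  # Skip the header row and images that already live in the private registry.
  [[ "${t}" == "TAG" ]] && continue
  [[ "${i}" =~ ^"harbor:443/".+ ]] && continue
  # Dangling images are listed as <none>; they can be neither tagged nor pushed.
  [[ "${i}" == "<none>" || "${t}" == "<none>" ]] && continue
  src="${i}:${t}"
  dst="harbor:443/plugins/${i##*/}:${t}"   # keep only the last path component of the repository
  # Re-tag under the private registry and push; remove the local copies only
  # after a successful push so a failed upload does not delete the only copy.
  docker tag "${src}" "${dst}"
  if docker push "${dst}"; then
    docker rmi "${src}" "${dst}"
  else
    printf 'push failed for %s, keeping local image\n' "${dst}" >&2
  fi
  # NOTE(review): these images come from the locally loaded dashboard.tar.xz and
  # nothing here compares their digests with upstream; verify the tarball's
  # provenance before relying on what ends up in harbor.
done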
[root@master dashboard]# sed -ri 's,^(\s*image: )(.*/)?(.+),\1harbor:443/plugins/\3,' recommended.yaml
193: image: harbor:443/plugins/dashboard:v2.7.0
278: image: harbor:443/plugins/metrics-scraper:v1.0.8
[root@master dashboard]# kubectl apply -f recommended.yaml
[root@master dashboard]# kubectl -n kubernetes-dashboard get pods,services
NAME READY STATUS RESTARTS AGE
pod/dashboard-metrics-scraper-66f6f56b59-b42ng 1/1 Running 0 67s
pod/kubernetes-dashboard-65ff57f4cf-lwtsk 1/1 Running 0 67s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/dashboard-metrics-scraper ClusterIP 10.245.101.66 <none> 8000/TCP 67s
service/kubernetes-dashboard ClusterIP 10.245.224.203 <none> 443/TCP 67s
发布Dashboard服务
[root@master dashboard]# sed -n '30,45p' recommended.yaml >dashboard-svc.yaml
[root@master dashboard]# vim dashboard-svc.yaml
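---
# Dashboard Service switched from ClusterIP to NodePort: TLS port 443 of the
# Service (container port 8443) becomes reachable on port 30443 of every node.
# Together with the cluster-admin token created later on this page, that
# endpoint gives full control of the cluster to anyone who obtains the token,
# so keep 30443 reachable only from trusted admin networks.
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort
  ports:
  - port: 443
    nodePort: 30443
    targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard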
[root@master dashboard]# kubectl apply -f dashboard-svc.yaml
service/kubernetes-dashboard configured
[root@master dashboard]# kubectl -n kubernetes-dashboard get service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
dashboard-metrics-scraper ClusterIP 10.245.205.236 <none> 8000/TCP 5m50s
kubernetes-dashboard NodePort 10.245.215.40 <none> 443:30443/TCP 5m51s
服务账号与权限
创建服务账号
# 资源对象模板
[root@master ~]# kubectl -n kubernetes-dashboard create serviceaccount kube-admin --dry-run=client -o yaml
[root@master ~]# vim admin-user.yaml
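---
# ServiceAccount used to log in to the Dashboard.  On its own it has no
# permissions; what it may do is decided by the Role/ClusterRole bindings
# applied further down.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: kube-admin
  namespace: kubernetes-dashboard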
[root@master ~]# kubectl apply -f admin-user.yaml
serviceaccount/kube-admin created
[root@master ~]# kubectl -n kubernetes-dashboard get serviceaccounts
NAME SECRETS AGE
default 0 16m
kube-admin 0 11s
kubernetes-dashboard 0 16m
获取用户token
[root@master ~]# kubectl -n kubernetes-dashboard create token kube-admin
<Base64 编码的令牌数据>   # 这是 kube-admin 的持有者令牌，持有它即拥有该账号的全部权限，请勿泄露或写入日志
角色与鉴权
Role：用于在某一个名称空间内创建授权角色，创建 Role 时必须指定其所属的名称空间。
ClusterRole：可以像 Role 一样完成授权，但属于集群范围，对所有名称空间有效。
RoleBinding：将角色中定义的权限赋予一个或一组用户，可以引用 Role 或 ClusterRole 完成授权。
ClusterRoleBinding：在集群范围执行授权，对所有名称空间有效，只能引用 ClusterRole 完成授权。
普通角色授权
[root@master ~]# kubectl cluster-info dump |grep authorization-mode
"--authorization-mode=Node,RBAC",
# 资源对象模板
[root@master ~]# kubectl -n default create role myrole --resource=pods --verb=get,list --dry-run=client -o yaml
[root@master ~]# kubectl -n default create rolebinding kube-admin-role --role=myrole --serviceaccount=kubernetes-dashboard:kube-admin --dry-run=client -o yaml
[root@master ~]# vim myrole.yaml
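---
# Least-privilege example: a namespaced Role that only allows reading Pods
# in "default", bound to the kube-admin ServiceAccount.  Because this is a
# RoleBinding, the grant is limited to the default namespace even though
# the subject lives in kubernetes-dashboard.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: myrole
  namespace: default
rules:
- apiGroups:
  - ""            # "" is the core API group (pods, services, ...)
  resources:
  - pods
  verbs:
  - get
  - list
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kube-admin-role
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: myrole
subjects:
- kind: ServiceAccount
  name: kube-admin
  namespace: kubernetes-dashboard    # subject may live in another namespace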
[root@master ~]# kubectl apply -f myrole.yaml
role.rbac.authorization.k8s.io/myrole created
rolebinding.rbac.authorization.k8s.io/kube-admin-role created
[root@master ~]# kubectl delete -f myrole.yaml
role.rbac.authorization.k8s.io "myrole" deleted
rolebinding.rbac.authorization.k8s.io "kube-admin-role" deleted
集群管理员权限
[root@master ~]# kubectl get clusterrole
NAME CREATED AT
admin 2022-06-24T08:11:17Z
cluster-admin 2022-06-24T08:11:17Z
... ...
# 资源对象模板
[root@master ~]# kubectl create clusterrolebinding kube-admin-role --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:kube-admin --dry-run=client -o yaml
[root@master ~]# vim admin-user.yaml
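---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: kube-admin
  namespace: kubernetes-dashboard
---
# Binds the built-in cluster-admin ClusterRole to kube-admin: every verb on
# every resource in every namespace.  A token for this account is therefore
# equivalent to full control of the cluster — treat it like the root
# password, and prefer a narrower Role/ClusterRole (see myrole.yaml above)
# for day-to-day Dashboard use.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kube-admin-role
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kube-admin
  namespace: kubernetes-dashboard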
[root@master ~]# kubectl apply -f admin-user.yaml
serviceaccount/kube-admin unchanged
clusterrolebinding.rbac.authorization.k8s.io/kube-admin-role created