Kubernetes 之 Pod 容忍度与节点污点

Kubernetes 之 Pod 容忍度与节点污点

Pod 的容忍度与节点污点的定义

节点污点taints和 Pod 容忍度terlerations是结合使用的。它给了节点选择 Pod 的权利，污点设置了effect参数来选择 Pod，如果 Pod 的容忍度级别不够，那么 Pod 将不会出现在该节点上，反之，则有可能被分配这个节点上。控制节点默认设置的污点如下：

root@k8s-master1:~# kubectl describe nodes k8s-master1 | grep Taints
Taints:             node-role.kubernetes.io/control-plane:NoSchedule

污点 effect 级别

级别	定义
NoExecute	最高级别，驱逐不能容忍该污点的 已经在运行的 Pod，不允许不容忍该污点 Pod 被调度上该节点
NoSchedule	不允许不容忍该污点 Pod 被调度器调度上该节点，但已运行的 Pod 不受干扰，不通过调度器调度的 Pod 也不受干扰
PreferNoSchedule	尽可能不调度不容忍该污点的 Pod 到此节点上

节点污点与 Pod 容忍度使用

1. 先将两个工作节点打上运维污点

   kubectl taint nodes k8s-worker1 maintenance:NoExecute
   kubectl taint nodes k8s-worker2 maintenance:NoExecute
   

2. 尝试创建一个 Pod 在工作节点上

   root@k8s-master1:~# kubectl apply -f test-pod.yaml
   pod/k8s-test created
   root@k8s-master1:~# kubectl get pods -ntest
   NAME       READY   STATUS    RESTARTS   AGE
   k8s-test   0/1     Pending   0          12s
   root@k8s-master1:~# kubectl describe pods k8s-test -ntest
   Events:
     Type     Reason            Age   From               Message
     ----     ------            ----  ----               -------
     Warning  FailedScheduling  55s   default-scheduler  0/3 nodes are available: 1 node(s) had untolerated taint {node-role.kubernetes.io/control-plane: }, 2 node(s) had untolerated taint {maintenance: }. preemption: 0/3 nodes are available: 3 Preemption is not helpful for scheduling.
   

3. 编写一个可以在控制节点上运行的 Pod

   apiVersion: v1
   kind: Pod
   metadata:
     name: pod-taint-pod
     namespace: default
     labels:
       app: taint
   spec:
     tolerations:
     - key: node-role.kubernetes.io/control-plane
       operator: Exists
     containers:
     - name: k8s-test
       image: k8s-test:v1.0
       imagePullPolicy: IfNotPresent
       ports:
       - containerPort: 80
   

4. 运行结果如下

   root@k8s-master1:~# kubectl apply -f pod-taint-pod.yaml
   pod/pod-taint-pod created
   root@k8s-master1:~# kubectl get pods -owide
   NAME            READY   STATUS    RESTARTS   AGE   IP               NODE          NOMINATED NODE   READINESS GATES
   pod-taint-pod   1/1     Running   0          13s   10.244.159.152   k8s-master1   <none>           <none>
   

5. 删除 maintenance节点污点，并将 k8s-worker1设置env=production污点，旨在不要轻易让 Pod 进入生产环境

   root@k8s-master1:~# kubectl taint nodes k8s-worker1 maintenance-
   node/k8s-worker1 untainted
   root@k8s-master1:~# kubectl taint nodes k8s-worker2 maintenance-
   node/k8s-worker2 untainted
   root@k8s-master1:~# kubectl taint nodes k8s-worker1 env=production:NoSchedule
   node/k8s-worker1 tainted
   root@k8s-master1:~# kubectl taint nodes k8s-worker2 env=dev:NoExecute
   node/k8s-worker2 tainted
   

6. 删除之前测试的 Pod，修改配置使其进入生产环境

   apiVersion: v1
   kind: Pod
   metadata:
     name: pod-taint-pod
     namespace: default
     labels:
       app: taint
   spec:
     tolerations:
     - key: env
       operator: Equal
       value: production
       effect: NoSchedule
     containers:
     - name: k8s-test
       image: k8s-test:v1.0
       imagePullPolicy: IfNotPresent
       ports:
       - containerPort: 80
   

   root@k8s-master1:~# kubectl get pods -owide
   NAME            READY   STATUS    RESTARTS   AGE   IP              NODE          NOMINATED NODE   READINESS GATES
   pod-taint-pod   1/1     Running   0          6s    10.244.194.89   k8s-worker1   <none>           <none>