CKA certification exam questions + hands-on practice
Overview
Cluster Architecture, Installation & Configuration 25%
Workloads & Scheduling 15%
Services & Networking 20%
Storage 10%
Troubleshooting 30%
Question 1: Access control with RBAC
Question 2: Mark a node unavailable
Question 3: Upgrade kubeadm
Question 4: Back up and restore etcd
Question 5: Configure a NetworkPolicy
Question 6: Create a Service
Question 7: Create an Ingress resource as specified
Question 8: Scale a Deployment
Question 9: Schedule a pod to a specific node
Question 10: Count nodes in Ready state
Question 11: Create a multi-container pod
Question 12: Create a PV as specified
Question 13: Create and use a PVC
Question 14: Monitor pod logs
Question 15: Add a sidecar container and output its logs
Question 16: Find the pod with the highest CPU usage
Question 17: Troubleshoot a faulty node in the cluster
Hands-on
1. RBAC 4%
1.RBAC 4%
kubectl create clusterrole deployment-clusterrole --verb=create --resource=deployments,statefulsets,daemonsets
kubectl describe clusterrole deployment-clusterrole
In Kubernetes, the verb that applies to the resources contained in the rule is a term used to define the type of action that can be performed on a particular resource. When defining Role or ClusterRole objects, you need to specify the actions that are allowed on the resources that are included in the rule.
The most commonly used verbs in Kubernetes are:
- get: Allows a user to retrieve information about a resource.
- list: Allows a user to list all resources of a certain type.
- create: Allows a user to create a new resource.
- update: Allows a user to modify an existing resource.
- delete: Allows a user to delete an existing resource.
- watch: Allows a user to watch for changes to a resource.
You can specify one or more verbs when defining a Role or ClusterRole object. Additionally, you can use the wildcard "*" to cover all verbs or all resources of a certain type. For example, the rule verbs: ["get", "list"], resources: ["pods"] allows a user to retrieve information about and list all pods.
It’s important to carefully consider the verbs that you allow when defining roles and role bindings in Kubernetes, as they directly affect the security and access control of your cluster.
k create serviceaccount cicd-token -n app-team1
k describe serviceaccount cicd-token -n app-team1
k create rolebinding cicd-token-binding --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token -napp-team1
k describe rolebinding cicd-token-binding -napp-team1
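An added example, not part of the original notes: a minimal evaluator of RBAC PolicyRule matching (exact name or the "*" wildcard described above), fed with a constructed copy of the rules that the deployment-clusterrole command above produces. The DEPLOYMENT_CLUSTERROLE and WIDE_ROLE rule lists are assumptions built for this demo.

```python
# Added example, not from the original notes: a minimal evaluator of
# Kubernetes RBAC PolicyRule matching, used to check what the
# deployment-clusterrole created above grants. "*" in a rule matches any
# verb, resource or apiGroup, as it does in the API server.
from typing import Iterable

# Constructed from the command above: verbs=create on deployments,
# statefulsets and daemonsets, all of which live in apiGroup "apps".
DEPLOYMENT_CLUSTERROLE = [
    {"apiGroups": ["apps"],
     "resources": ["deployments", "statefulsets", "daemonsets"],
     "verbs": ["create"]},
]

# Constructed, deliberately wide role for contrast: every verb on pods.
WIDE_ROLE = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]},
]


def _match(wanted: str, allowed: Iterable[str]) -> bool:
    """A rule entry matches on exact name or on the wildcard "*"."""
    return any(a == "*" or a == wanted for a in allowed)


def allows(rules, verb: str, resource: str, api_group: str = "") -> bool:
    """True if any rule grants verb on resource within api_group."""
    return any(
        _match(api_group, r["apiGroups"])
        and _match(resource, r["resources"])
        and _match(verb, r["verbs"])
        for r in rules
    )


def audit(rules, checks):
    """Evaluate (verb, resource, apiGroup) triples; returns {check: bool}."""
    return {c: allows(rules, *c) for c in checks}


if __name__ == "__main__":
    checks = [("create", "deployments", "apps"),
              ("delete", "deployments", "apps"),
              ("create", "pods", "")]
    for check, ok in audit(DEPLOYMENT_CLUSTERROLE, checks).items():
        print(check, "->", "yes" if ok else "no")
```

On a live cluster the equivalent check is `kubectl auth can-i create deployments -n app-team1 --as=system:serviceaccount:app-team1:cicd-token`, which should answer yes, while `delete` should answer no.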
2. Drain a node
This command drains a node in preparation for maintenance.
The given node is marked unschedulable to prevent new pods from arriving. If the API server supports http://kubernetes.io/docs/admin/disruptions/, 'drain' evicts the pods; otherwise it deletes them with a normal DELETE. 'drain' evicts or deletes all pods except mirror pods (which cannot be deleted through the API server). If there are DaemonSet-managed pods, 'drain' will not proceed without --ignore-daemonsets, and in any case it will not delete any DaemonSet-managed pods, because those pods would immediately be replaced by the DaemonSet controller, which ignores the unschedulable marking. If there are pods that are neither mirror pods nor managed by a ReplicationController, ReplicaSet, DaemonSet, StatefulSet or Job, 'drain' will not delete any pods unless you use --force. --force also lets deletion proceed when the managing resource of one or more pods is missing.
'drain' waits for graceful termination. Do not operate on the machine until the command completes.
When you are ready to put the node back into service, use kubectl uncordon, which makes the node schedulable again.
http://kubernetes.io/images/docs/kubectl_drain.svg
Mirror pods are pods created automatically by the kubelet to run Kubernetes system components on a node, such as kube-proxy and kube-dns. These pods are managed by the Kubernetes system itself and cannot be deleted or modified through the API server, because mirror pods are part of the Kubernetes system rather than applications deployed by users.
For example, if you try to delete a mirror pod with kubectl delete, you get an error message like this:
error: pods "kube-proxy-xxxxx" is forbidden: cannot delete pods in kube-system namespace (kube-proxy-xxxxx is a mirror pod)
This is because the pods of Kubernetes system components belong to the kube-system namespace and are mirror pods created automatically by the kubelet, which cannot be deleted through the API server. If you need to modify or delete a mirror pod, you have to log in to the node and use Docker or another container runtime tool.
This error occurs because the pod you are deleting has local storage. By default, Kubernetes does not allow deleting pods with local storage, to prevent accidental data loss.
To delete a pod with local storage, use the --delete-local-data flag. It overrides the default behaviour and allows you to delete pods that have local storage.
For example, to delete the pods "qfusion/qfusion-cmdb00-0" and "qfusion/qfusion-installer-67f96dfcdb-c6f2z", which have local storage, run:
kubectl delete pod qfusion/qfusion-cmdb00-0 qfusion/qfusion-installer-67f96dfcdb-c6f2z --delete-local-data
Note that the --delete-local-data flag deletes all data kept in the pod's local storage, so use it with care.
k -h
Cluster Management Commands:
certificate Modify certificate resources.
cluster-info Display cluster info
top Display Resource (CPU/Memory/Storage) usage.
cordon Mark node as unschedulable
uncordon Mark node as schedulable
drain Drain node in preparation for maintenance
taint Update the taints on one or more nodes
In k8s, cordon and drain are both tools for maintaining cluster nodes.
- cordon: marks a node so that no new pods can be scheduled onto it. Pods already running on the node are not deleted and keep running normally. Typically used when maintaining or upgrading a node, to stop new pods from landing on it.
- drain: used for node maintenance; removes the pods from the node so that they are scheduled onto other nodes. Typically used when a node has to be taken offline, maintained or upgraded, so that the pods on it are not interrupted but migrate smoothly to other nodes.
Summary: cordon marks a node unschedulable; drain migrates the node's pods to other nodes.
k drain -h
Drain node in preparation for maintenance.
The given node will be marked unschedulable to prevent new pods from arriving. 'drain' evicts the pods if the APIServer
supports http://kubernetes.io/docs/admin/disruptions/. Otherwise, it will use normal DELETE to delete the pods. The
'drain' evicts or deletes all pods except mirror pods (which cannot be deleted through the API server). If there are
DaemonSet-managed pods, drain will not proceed without --ignore-daemonsets, and regardless it will not delete any
DaemonSet-managed pods, because those pods would be immediately replaced by the DaemonSet controller, which ignores
unschedulable markings. If there are any pods that are neither mirror pods nor managed by ReplicationController,
ReplicaSet, DaemonSet, StatefulSet or Job, then drain will not delete any pods unless you use --force. --force will
also allow deletion to proceed if the managing resource of one or more pods is missing.
'drain' waits for graceful termination. You should not operate on the machine until the command completes.
When you are ready to put the node back into service, use kubectl uncordon, which will make the node schedulable again.
http://kubernetes.io/images/docs/kubectl_drain.svg
Examples:
# Drain node "foo", even if there are pods not managed by a ReplicationController, ReplicaSet, Job, DaemonSet or
StatefulSet on it.
$ kubectl drain foo --force
# As above, but abort if there are pods not managed by a ReplicationController, ReplicaSet, Job, DaemonSet or
StatefulSet, and use a grace period of 15 minutes.
$ kubectl drain foo --grace-period=900
Options:
--delete-local-data=false: Continue even if there are pods using emptyDir (local data that will be deleted when
the node is drained).
--disable-eviction=false: Force drain to use delete, even if eviction is supported. This will bypass checking
PodDisruptionBudgets, use with caution.
--dry-run='none': Must be "none", "server", or "client". If client strategy, only print the object that would be
sent, without sending it. If server strategy, submit server-side request without persisting the resource.
--force=false: Continue even if there are pods not managed by a ReplicationController, ReplicaSet, Job, DaemonSet
or StatefulSet.
--grace-period=-1: Period of time in seconds given to each pod to terminate gracefully. If negative, the default
value specified in the pod will be used.
--ignore-daemonsets=false: Ignore DaemonSet-managed pods.
--pod-selector='': Label selector to filter pods on the node
-l, --selector='': Selector (label query) to filter on
--skip-wait-for-delete-timeout=0: If pod DeletionTimestamp older than N seconds, skip waiting for the pod.
Seconds must be greater than 0 to skip.
--timeout=0s: The length of time to wait before giving up, zero means infinite
Usage:
kubectl drain NODE [options]
Use "kubectl options" for a list of global command-line options (applies to all commands).
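An added example, not part of the original notes: a model of the pod filtering described in the help text above (mirror pods, DaemonSet-managed pods, unmanaged pods and emptyDir data), run over a constructed list of pods. The pod dicts and the field names ownerKind and hasEmptyDir are assumptions made for the demo; in a real cluster the data comes from `kubectl get pods -o json`.

```python
# Added example, not from the original notes: a model of the pod filtering
# that `kubectl drain` applies, following the rules in the help text above.
# Pods are constructed dicts holding only the fields drain looks at.
MANAGERS = {"ReplicationController", "ReplicaSet", "DaemonSet",
            "StatefulSet", "Job"}
MIRROR_ANNOTATION = "kubernetes.io/config.mirror"   # set by the kubelet


def classify(pod, *, force=False, ignore_daemonsets=False,
             delete_local_data=False):
    """Return ("evict" | "skip" | "refuse", reason) for one pod."""
    # Mirror pods cannot be deleted through the API server: left alone.
    if MIRROR_ANNOTATION in pod.get("annotations", {}):
        return "skip", "mirror pod"
    owner = pod.get("ownerKind")
    if owner == "DaemonSet":
        if not ignore_daemonsets:
            return "refuse", "DaemonSet-managed pod (needs --ignore-daemonsets)"
        return "skip", "DaemonSet-managed pod, its controller would recreate it"
    if owner not in MANAGERS and not force:
        return "refuse", "pod has no managing controller (needs --force)"
    if pod.get("hasEmptyDir") and not delete_local_data:
        return "refuse", "pod uses emptyDir (needs --delete-local-data)"
    return "evict", "ok"


def plan_drain(pods, **flags):
    """Like drain itself: if any pod is refused, abort and evict nothing."""
    decisions = {p["name"]: classify(p, **flags) for p in pods}
    errors = {n: why for n, (verdict, why) in decisions.items()
              if verdict == "refuse"}
    if errors:
        return {"aborted": True, "errors": errors, "evict": []}
    return {"aborted": False, "errors": {},
            "evict": [n for n, (v, _) in decisions.items() if v == "evict"]}


# Constructed sample of what might be running on a node.
NODE_PODS = [
    {"name": "etcd-node01", "annotations": {MIRROR_ANNOTATION: "abc"}},
    {"name": "kube-proxy-abc12", "ownerKind": "DaemonSet"},
    {"name": "web-7d9f8-k2j4x", "ownerKind": "ReplicaSet", "hasEmptyDir": True},
    {"name": "debug-shell", "ownerKind": None},
]

if __name__ == "__main__":
    print(plan_drain(NODE_PODS))            # aborted: three pods refused
    print(plan_drain(NODE_PODS, force=True, ignore_daemonsets=True,
                     delete_local_data=True))
```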
3. Cluster upgrade 7%
4. etcd backup and restore 7%
alias ec="etcdctl --endpoints=https://127.0.0.1:2379 --cacert /etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key"
--cacert="" verify certificates of TLS-enabled secure servers using this CA bundle
--cert="" identify secure client using this TLS certificate file
--key="" identify secure client using this TLS key file
ec snapshot save /var/lib/backup/etcd-snapshot.db
ec snapshot status /var/lib/backup/etcd-snapshot.db -wtable
ec snapshot restore /var/lib/backup/etcd-snapshot-previous.db
5. NetworkPolicy 4%
cat allow-port-from-namespace.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-port-from-namespace
  namespace: foobar
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          project: corp-bar
    ports:
    - protocol: TCP
      port: 9200
6. Service 4%
ports:
- name: http
  protocol: TCP
  containerPort: 80
--port is the Service's port; --target-port is the container port of the pod in the Deployment.
View labels
kubectl get deployment front-end --show-labels
kubectl get svc front-end-svc --show-labels
7. Ingress 7%
8. Scale 4%
k scale deployment/xxx --replicas=
9. Schedule a pod via node label 4%
k run nginx-bpx --image=nginx --dry-run=client -oyaml > nginx-bpx.yaml
cat nginx-bpx.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx-bpx
  name: nginx-bpx
spec:
  containers:
  - image: nginx
    name: nginx-bpx
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
  nodeSelector:
    disk: ssd
status: {}
10. Node count 4%
k describe node | grep Taint
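An added example, not part of the original notes: counting the nodes that are Ready and carry no NoSchedule taint, from the JSON that `kubectl get nodes -o json` prints. The SAMPLE document below is constructed for the demo and mirrors the fields that command returns.

```python
# Added example, not from the original notes: count nodes that are Ready
# and have no NoSchedule taint, from `kubectl get nodes -o json` output.
# SAMPLE is a constructed stand-in for that output.
import json

SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "master01"},
     "spec": {"taints": [{"key": "node-role.kubernetes.io/control-plane",
                          "effect": "NoSchedule"}]},
     "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
    {"metadata": {"name": "node01"}, "spec": {},
     "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
    {"metadata": {"name": "node02"}, "spec": {},
     "status": {"conditions": [{"type": "Ready", "status": "Unknown"}]}},
    {"metadata": {"name": "node03"},
     "spec": {"taints": [{"key": "gpu", "effect": "PreferNoSchedule"}]},
     "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
]})


def is_ready(node) -> bool:
    """The node's Ready condition must be exactly "True" (not Unknown/False)."""
    return any(c["type"] == "Ready" and c["status"] == "True"
               for c in node["status"].get("conditions", []))


def has_noschedule_taint(node) -> bool:
    """Only the NoSchedule effect excludes a node; PreferNoSchedule does not."""
    return any(t.get("effect") == "NoSchedule"
               for t in node["spec"].get("taints", []))


def schedulable_ready_nodes(nodes_json: str):
    """Names of nodes that are Ready and free of NoSchedule taints."""
    nodes = json.loads(nodes_json)["items"]
    return [n["metadata"]["name"] for n in nodes
            if is_ready(n) and not has_noschedule_taint(n)]


if __name__ == "__main__":
    names = schedulable_ready_nodes(SAMPLE)
    print(len(names), names)   # the count is what goes into the answer file
```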
11. Create a multi-container pod 4%
12. PV 4%
cat app-config.yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: app-config
spec:
  capacity:
    storage: 1Gi
  volumeMode: Filesystem
  accessModes:
  - ReadOnlyMany
  persistentVolumeReclaimPolicy: Recycle
  storageClassName: csi-localpv
  hostPath:
    path: /srv/app-config
kubectl apply -f app-config.yaml
kubectl get pv
13. PVC 7%
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pv-volume
spec:
  accessModes:
  - ReadWriteOnce
  volumeMode: Filesystem
  resources:
    requests:
      storage: 10Mi
  storageClassName: csi-hostpath-sc
cat test.yaml
apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - mountPath: "/usr/share/nginx/html"
      name: pv-volume
  volumes:
  - name: pv-volume
    persistentVolumeClaim:
      claimName: pv-volume
14. Output logs 5%
15. Sidecar 13%
cat sidecar.yaml
apiVersion: v1
kind: Pod
metadata:
  name: big-corp-app
spec:
  containers:
  - name: nginx
    image: nginx
    args: [/bin/sh, -c, "tail -n+1 -f /var/log/legacy-app.log"]
    volumeMounts:
    - mountPath: "/var/log/"
      name: logs
  - name: busybox
    image: busybox
    args: [/bin/sh, -c, "tail -n+1 -f /var/log/legacy-app.log"]
    volumeMounts:
    - mountPath: "/var/log/"
      name: logs
  volumes:
  - name: logs
    emptyDir: {}
16. top 5%
kubectl top pod -A -l name=cpu-loader --sort-by='cpu'
17. kubelet 13%
18. Rolling update and rollback of pods
set image
rollout status
rollout undo
The "kubectl rollout status" command in Kubernetes checks the status of a rollout that is in progress. Use it to see the current state and progress of the deployment.
An example procedure for checking deployment status with "kubectl rollout status":
- First, list the deployments currently running:
kubectl get deployments
- Pick the deployment to check and query its status:
kubectl rollout status deploy/<deployment-name>
- The command prints the current state and progress of the rollout. For example, you might see:
Waiting for rollout to finish: 2 out of 3 new replicas have been updated...
Waiting for rollout to finish: 1 out of 3 new replicas have been updated...
deployment "my-deployment" successfully rolled out
- If the rollout is still in progress, get more detail with:
kubectl describe deployments/<deployment-name>
This shows detailed information about the deployment, including the state and progress of the ongoing update.
- Once the rollout finishes, run "kubectl get deployments" again to confirm that it completed successfully.
That is the procedure for checking the status of a Kubernetes deployment with "kubectl rollout status".