一. Common commands
1. Installation
With Docker and the base environment already configured:
- A. Create the master node:
kubeadm init
- Join a Node to the current cluster
Set up the base environment
# systemctl stop firewalld.service
# sed -i 's/enforcing/disabled/' /etc/selinux/config
# systemctl disable firewalld
# sed -ri 's/.*swap.*/#&/' /etc/fstab
cat > /etc/sysctl.d/k8s.conf << EOF
> net.bridge.bridge-nf-call-ip6tables = 1
> net.bridge.bridge-nf-call-iptables = 1
> EOF
# sysctl --system
# yum install ntpdate -y
# ntpdate time.windows.com
Install Docker and the K8S packages
# yum -y install docker-ce
# systemctl enable docker && systemctl start docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
# yum install -y kubelet kubeadm kubectl
# systemctl enable kubelet
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
# systemctl restart docker
# systemctl restart containerd
Join the node to the cluster
[root@k8s-node2 ~]# kubeadm reset -f # if a previous join failed, use this command to reset the node first
[root@k8s-node2 ~]# kubeadm join --token ov20vr.ldihh4yvm7u8yg34 192.168.200.203:6443 --discovery-token-ca-cert-hash sha256:1f01301d8af193f15eb74cc83e709bce0a0a68d5d03712e65ad72c19ad74fc44
[preflight] Running pre-flight checks
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...
This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.
Run 'kubectl get nodes' on the control-plane to see this node join the cluster.
2. Common K8S cluster commands
A. Query commands
kubectl describe node master # show details of the master node
kubectl get pods -n kube-system # check the running state of the K8S cluster system pods
kubectl get pods --all-namespaces # show the running state of all pods
kubectl describe node master |grep Taint # show the taint status
B. Management commands
kubectl taint nodes all node-role.kubernetes.io/master- # remove the taint; only then can Pods be scheduled on the master
kubectl apply -f xxx.yaml # create/update resources from a manifest
二. Manifest files
1. Example: pulling from Harbor with an image pull secret, and basic usage
# Specify the API version and define the API object being used
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2
  # Define the labels of this application
  template:
    metadata:
      labels:
        app: nginx
    # Define the concrete configuration of the application's containers
    spec:
      volumes: # Define the volumes to mount
      - name: shared-data
        hostPath:
          path: /test-data
      imagePullSecrets: # Use the registry secret
      - name: harbor-secret
      containers:
      - name: nginx
        image: rison.harbor.com/test/nginx:v1.18.0
        ports:
        - containerPort: 80
        volumeMounts:
        - name: shared-data
          mountPath: /usr/share/nginx/html
      - name: debian-container
        image: rison.harbor.com/test/debian:v12.7
        volumeMounts:
        - name: shared-data
          mountPath: /pod-data
        command: ["/bin/sh"]
        args: ["-c", "echo Hello from the debian container > /pod-data/index.html"]
---
# Service configuration
apiVersion: v1
kind: Service
metadata:
  name: nginx
spec:
  type: NodePort
  ports:
  - port: 80
    targetPort: 80
    nodePort: 31111
  selector:
    app: nginx
2. Sharing a Linux Namespace: configuration and notes
apiVersion: v1
kind: Pod
metadata:
  name: nginxshare
spec:
  shareProcessNamespace: true
  imagePullSecrets:
  - name: harbor-secret
  containers:
  - name: nginxshare
    image: rison.harbor.com/test/nginx:v1.18.0
  - name: shell
    image: rison.harbor.com/test/busybox:V1.0
    stdin: true
    tty: true
The YAML above sets shareProcessNamespace: true, which means the containers of this Pod share one PID namespace, so each container can see the processes of the others (the ps output below lists the nginx processes from inside the shell container).
The YAML also defines two containers: an Nginx container, and a shell container with tty and stdin enabled.
You can simply think of the tty as a small resident program that Linux provides to the user, which receives the user's standard output.
We can attach to the shell container's tty with the following command:
# kubectl attach -it nginxshare -c shell
If you don't see a command prompt, try pressing enter.
/ # ps ax
PID USER TIME COMMAND
1 65535 0:00 /pause
6 root 0:00 nginx: master process nginx -g daemon off;
34 101 0:00 nginx: worker process
35 root 0:00 sh
41 root 0:00 ps ax
/ # ls
bin dev etc home lib lib64 proc root sys tmp usr var
/ # cd etc/
/etc # ls
group hostname hosts localtime network nsswitch.conf passwd resolv.conf shadow
/etc # exit
3. Mounting a secret into a container through a projected volume
apiVersion: v1
kind: Pod
metadata:
  name: test-projected-volume
spec:
  imagePullSecrets:
  - name: harbor-secret
  containers:
  - name: test-secret-volume
    image: rison.harbor.com/test/busybox:V1.0
    args:
    - sleep
    - "86400"
    volumeMounts:
    - name: mysql-cred
      mountPath: "/projected-volume"
      readOnly: true
  volumes:
  - name: mysql-cred
    projected:
      sources:
      - secret:
          name: user
      - secret:
          name: pass
With the Pod YAML above, the data of the secrets named user and pass is mounted under the /projected-volume directory.
The secrets are created with the following commands:
# kubectl create secret generic user --from-file=./user
# kubectl create secret generic pass --from-file=./pass
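Added example, not part of the original notes: a small audit of the three Pod specs in section 二 (the hostPath volume in 1, the shared PID namespace and interactive shell in 2, the read-only projected secret in 3), of the kind a defender would run in CI before `kubectl apply`. It assumes the manifests are already parsed into dicts (for example by yaml.safe_load); the dicts below are the page's manifests, constructed here by hand and trimmed to the fields the audit inspects.

```python
# Added example (not from the original notes): audit Pod specs for settings
# that deserve review. Manifests are assumed already parsed into dicts; the
# three dicts below are constructed from the manifests on this page.

def pod_spec_of(manifest):
    """Return the Pod spec of a Pod or Deployment manifest."""
    spec = manifest["spec"]
    return spec["template"]["spec"] if manifest["kind"] == "Deployment" else spec

def is_secret_volume(vol):
    """True for a plain secret volume or a projected volume with a secret source."""
    sources = vol.get("projected", {}).get("sources", [])
    return "secret" in vol or any("secret" in s for s in sources)

def audit_pod_spec(spec):
    """Return (severity, message) tuples, in the order the checks run."""
    findings = []
    if spec.get("shareProcessNamespace"):
        findings.append(("medium", "shareProcessNamespace lets every container see and signal the others' processes"))
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:  # node filesystem exposed to the Pod
            findings.append(("high", f"hostPath volume '{vol['name']}' exposes node path {vol['hostPath']['path']}"))
    secret_vols = {v["name"] for v in spec.get("volumes", []) if is_secret_volume(v)}
    for c in spec.get("containers", []):
        if c.get("stdin") or c.get("tty"):
            findings.append(("low", f"container '{c['name']}' keeps an interactive stdin/tty"))
        for m in c.get("volumeMounts", []):
            if m["name"] in secret_vols and not m.get("readOnly"):
                findings.append(("medium", f"secret volume '{m['name']}' is writable in '{c['name']}'"))
    return findings

# Constructed from section 二.1: Deployment with a hostPath volume.
DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {"spec": {
    "volumes": [{"name": "shared-data", "hostPath": {"path": "/test-data"}}],
    "containers": [{"name": "nginx", "volumeMounts": [{"name": "shared-data", "mountPath": "/usr/share/nginx/html"}]},
                   {"name": "debian-container", "volumeMounts": [{"name": "shared-data", "mountPath": "/pod-data"}]}]}}}}
# Constructed from section 二.2: shared PID namespace plus an interactive shell.
SHARED_POD = {"kind": "Pod", "spec": {"shareProcessNamespace": True, "containers": [
    {"name": "nginxshare"}, {"name": "shell", "stdin": True, "tty": True}]}}
# Constructed from section 二.3: projected secret volume mounted read-only.
PROJECTED_POD = {"kind": "Pod", "spec": {
    "volumes": [{"name": "mysql-cred", "projected": {"sources": [{"secret": {"name": "user"}}, {"secret": {"name": "pass"}}]}}],
    "containers": [{"name": "test-secret-volume", "volumeMounts": [{"name": "mysql-cred", "mountPath": "/projected-volume", "readOnly": True}]}]}}

if __name__ == "__main__":
    for name, m in [("nginx", DEPLOYMENT), ("nginxshare", SHARED_POD), ("test-projected-volume", PROJECTED_POD)]:
        for sev, msg in audit_pod_spec(pod_spec_of(m)):
            print(f"{name}: [{sev}] {msg}")
```

The projected-volume Pod produces no findings because its secret mount is readOnly; dropping that flag would surface a medium finding.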