kubernetes笔记(五)

污点容忍

1.污点策略

Taints and Tolerations | Kubernetes

尽量不调度:PreferNoSchedule

不被调度:NoSchedule

驱逐节点上已运行的 Pod:NoExecute

1)管理污点标签

# 查看污点策略
[root@master ~]# kubectl describe nodes|grep Taints


# node-0001 设置污点策略 PreferNoSchedule
[root@master ~]# kubectl taint node node-0001 k=v1:PreferNoSchedule


# node-0002 设置污点策略 NoSchedule
[root@master ~]# kubectl taint node node-0002 k=v2:NoSchedule

[root@master ~]# kubectl describe nodes |grep Taints

2)Pod资源文件

[root@master ~]# vim myphp.yaml
---
# Lab Pod used throughout the taint section. It declares no tolerations, so any
# NoSchedule taint keeps it off that node and NoExecute would evict it.
kind: Pod
apiVersion: v1
metadata:
  name: myphp
spec:
  containers:
  - name: php
    image: myos:php-fpm
    resources:
      requests:
        cpu: 1500m    # large request so each node presumably fits only one copy — confirm against node capacity

3)验证污点策略

# 优先使用没有污点的节点
[root@master ~]# sed "s,myphp,php1," myphp.yaml |kubectl apply -f -

[root@master ~]# sed "s,myphp,php2," myphp.yaml |kubectl apply -f -

[root@master ~]# sed "s,myphp,php3," myphp.yaml |kubectl apply -f -

[root@master ~]# kubectl get pods -o wide


# 最后使用 PreferNoSchedule 节点
[root@master ~]# sed 's,myphp,php4,' myphp.yaml |kubectl apply -f -

[root@master ~]# kubectl get pods -o wide


# 不会使用 NoSchedule 节点
[root@master ~]# sed 's,myphp,php5,' myphp.yaml |kubectl apply -f -

[root@master ~]# kubectl get pods -o wide

验证污点标签(二)

# NoSchedule 不会影响已经创建的 Pod
[root@master ~]# kubectl taint node node-0003 k=v3:NoSchedule

[root@master ~]# kubectl describe nodes |grep Taints

[root@master ~]# kubectl get pods -o wide

4)清理实验配置

[root@master ~]# kubectl delete pod --all

[root@master ~]# kubectl taint node node-000{1..4} k-

[root@master ~]# kubectl describe nodes |grep Taints

2.容忍策略

1)设置污点标签

# 节点 node-0001,node-0002 设置污点标签 k=v1:NoSchedule
[root@master ~]# kubectl taint node node-000{1..2} k=v1:NoSchedule

# 节点 node-0003,node-0004 设置污点标签 k=v2:NoSchedule
[root@master ~]# kubectl taint node node-000{3..4} k=v2:NoSchedule

# 节点 node-0005 设置污点标签 k=v1:NoExecute
[root@master ~]# kubectl taint node node-0005 k=v1:NoExecute

[root@master ~]# kubectl describe nodes |grep Taints

2)精确匹配策略

spec->tolerations->operator: Equal

# 容忍 k=v1:NoSchedule 污点
[root@master ~]# vim myphp.yaml
---
# Toleration with operator Equal: the Pod may be placed on nodes tainted exactly
# k=v1:NoSchedule (node-0001 and node-0002 in this lab); nodes tainted k=v2
# still reject it.
kind: Pod
apiVersion: v1
metadata:
  name: myphp
spec:
  tolerations:
  - operator: Equal      # key, value and effect must all match the taint
    key: k               # taint key
    value: v1            # taint value
    effect: NoSchedule   # taint effect being tolerated
  containers:
  - name: php
    image: myos:php-fpm
    resources:
      requests:
        cpu: 1500m

[root@master ~]# for i in php{1..3};do sed "s,myphp,${i}," myphp.yaml ;done|kubectl apply -f -

[root@master ~]# kubectl get pods -o wide

[root@master ~]# kubectl delete pod --all

3)模糊匹配策略

spec->tolerations->operator: Exists

# 容忍 k=*:NoSchedule 污点
[root@master ~]# vim myphp.yaml
---
# Toleration with operator Exists: any value is accepted as long as the taint
# key is k and the effect is NoSchedule, so node-0001..node-0004 become
# eligible. node-0005 carries k=v1:NoExecute, which this toleration does not
# cover, so it is expected to stay excluded.
kind: Pod
apiVersion: v1
metadata:
  name: myphp
spec:
  tolerations:
  - operator: Exists     # partial match: the key only has to exist, value is ignored
    key: k               # taint key
    effect: NoSchedule   # taint effect being tolerated
  containers:
  - name: php
    image: myos:php-fpm
    resources:
      requests:
        cpu: 1500m

[root@master ~]# for i in php{1..5};do sed "s,myphp,${i}," myphp.yaml ;done|kubectl apply -f -

[root@master ~]# kubectl get pods -o wide

[root@master ~]# kubectl delete pod --all

4)所有污点标签

spec->tolerations->operator: Exists

spec->tolerations->effect: ""

# 容忍所有 node 上键为 k 的污点(不限 effect)
[root@master ~]# vim myphp.yaml 
---
# Toleration for every effect of taint key k: an empty effect matches
# NoSchedule, PreferNoSchedule and NoExecute alike, so node-0005 (k=v1:NoExecute)
# is eligible too. The key is still required — taints with other keys are
# not tolerated by this entry.
kind: Pod
apiVersion: v1
metadata:
  name: myphp
spec:
  tolerations:
  - operator: Exists     # fuzzy match on the key only
    key: k               # taint key
    effect: ""           # empty (or omitted) effect matches every effect of this key
  containers:
  - name: php
    image: myos:php-fpm
    resources:
      requests:
        cpu: 1500m

[root@master ~]# for i in php{1..5};do sed "s,myphp,${i}," myphp.yaml ;done|kubectl apply -f -

[root@master ~]# kubectl get pods -o wide

5)清理实验配置

[root@master ~]# kubectl taint node node-000{1..5} k-

[root@master ~]# kubectl describe nodes |grep Taints

[root@master ~]# kubectl delete pod --all

3.优先级与抢占

Pod 优先级和抢占 | Kubernetes

1)非抢占优先级

# 定义优先级(队列优先)
[root@master ~]# vim mypriority.yaml
---
# Non-preempting PriorityClasses: a pending Pod with a higher value is placed
# ahead of lower-priority Pods in the scheduling queue, but preemptionPolicy
# Never means it will not evict already-running Pods to make room.
kind: PriorityClass
apiVersion: scheduling.k8s.io/v1
metadata:
  name: high-non
preemptionPolicy: Never   # queue ordering only, no eviction of running Pods
value: 1000               # higher number = higher priority

---
kind: PriorityClass
apiVersion: scheduling.k8s.io/v1
metadata:
  name: low-non
preemptionPolicy: Never
value: 500

[root@master ~]# kubectl apply -f mypriority.yaml 

[root@master ~]# kubectl get priorityclasses.scheduling.k8s.io 

2)Pod资源文件

用 kubectl get priorityclasses.scheduling.k8s.io 查看已有的优先级类;Pod 的 priorityClassName 需从该列表中选取一个。
# 无优先级的 Pod
[root@master ~]# cat php1.yaml 
---
# Pod with no priorityClassName: it receives the cluster's default priority
# (presumably 0, unless a globalDefault PriorityClass exists — not shown here).
# nodeSelector pins it to node-0004 so the three php Pods compete for one node.
kind: Pod
apiVersion: v1
metadata:
  name: php1
spec:
  nodeSelector:
    kubernetes.io/hostname: node-0004   # pin to node-0004
  containers:
  - name: php
    image: myos:php-fpm
    resources:
      requests:
        cpu: "1500m"   # sized so node-0004 presumably fits only one such Pod — confirm against node capacity

# 低优先级 Pod
[root@master ~]# cat php2.yaml 
---
# Low-priority Pod, pinned to node-0004 like php1 so the PriorityClass decides
# scheduling order when the node is full.
kind: Pod
apiVersion: v1
metadata:
  name: php2
spec:
  nodeSelector:
    kubernetes.io/hostname: node-0004   # pin to node-0004
  priorityClassName: low-non      # low, non-preempting class from mypriority.yaml
  containers:
  - name: php
    image: myos:php-fpm
    resources:
      requests:
        cpu: "1500m"

# 高优先级 Pod
[root@master ~]# cat php3.yaml 
---
# High-priority Pod, pinned to node-0004 like php1/php2; with the non-preempting
# class it is queued first but does not evict a running php1.
kind: Pod
apiVersion: v1
metadata:
  name: php3
spec:
  nodeSelector:
    kubernetes.io/hostname: node-0004   # pin to node-0004
  priorityClassName: high-non     # high, non-preempting class from mypriority.yaml
  containers:
  - name: php
    image: myos:php-fpm
    resources:
      requests:
        cpu: "1500m"

3)验证非抢占优先

[root@master ~]# kubectl apply -f php1.yaml 

[root@master ~]# kubectl apply -f php2.yaml 

[root@master ~]# kubectl apply -f php3.yaml 

[root@master ~]# kubectl get pods

[root@master ~]# kubectl delete pod php1

[root@master ~]# kubectl get pods


# 清理实验 Pod
[root@master ~]# kubectl delete pod php2 php3

4)抢占策略

[root@master ~]# vim mypriority.yaml
---
# Four PriorityClasses: the *-non pair only orders the scheduling queue,
# the plain pair additionally allows the scheduler to evict lower-priority
# running Pods (PreemptLowerPriority) to make room.
kind: PriorityClass
apiVersion: scheduling.k8s.io/v1
metadata:
  name: high-non
preemptionPolicy: Never   # queue ordering only
value: 1000

---
kind: PriorityClass
apiVersion: scheduling.k8s.io/v1
metadata:
  name: low-non
preemptionPolicy: Never
value: 500

---
kind: PriorityClass
apiVersion: scheduling.k8s.io/v1
metadata:
  name: high
preemptionPolicy: PreemptLowerPriority   # may evict lower-priority Pods
value: 1000

---
kind: PriorityClass
apiVersion: scheduling.k8s.io/v1
metadata:
  name: low
preemptionPolicy: PreemptLowerPriority   # may itself be evicted by "high"
value: 500

[root@master ~]# kubectl apply -f mypriority.yaml 

[root@master ~]# kubectl get priorityclasses.scheduling.k8s.io  

5)验证抢占优先级

# 替换优先级策略
[root@master ~]# sed 's,-non,,' -i php?.yaml

# 默认优先级 Pod
[root@master ~]# kubectl apply -f php1.yaml 

[root@master ~]# kubectl get pods


# 高优先级 Pod
[root@master ~]# kubectl apply -f php3.yaml

[root@master ~]# kubectl get pods


# 低优先级 Pod
[root@master ~]# kubectl apply -f php2.yaml

[root@master ~]# kubectl get pods

# 清理实验 Pod
[root@master ~]# kubectl delete pod --all

[root@master ~]# kubectl delete -f mypriority.yaml 

4.Pod安全

1)特权容器

[root@master ~]# vim root.yaml
---
# Pod that customises its own hostname and /etc/hosts. Both fields act only
# inside the Pod's own namespaces; the node's hostname and hosts file are untouched.
kind: Pod
apiVersion: v1
metadata:
  name: root
spec:
  hostname: myhost         # hostname seen inside the Pod
  hostAliases:             # extra entries written into the Pod's /etc/hosts
  - ip: 192.168.1.30       # IP address
    hostnames:             # names mapped to that IP
    - harbor               # hostname
  containers:
  - name: apache
    image: myos:httpd

[root@master ~]# kubectl apply -f root.yaml 

[root@master ~]# kubectl exec -it root -- /bin/bash

[root@myhost html]# hostname

[root@myhost html]# cat /etc/hosts


[root@master ~]# kubectl delete pod root 

root特权容器

Kubernetes API Reference Docs

[root@master ~]# vim root.yaml
---
# Demonstration Pod that opts into node-level privileges. All three fields
# below are disallowed by the Pod Security Admission "baseline" level, so the
# enforced namespace in the next section is expected to refuse this manifest.
kind: Pod
apiVersion: v1
metadata:
  name: root
spec:
  hostPID: true            # shares the node's PID namespace: node processes are visible from the container
  hostNetwork: true        # shares the node's network namespace: the container sees the node's interfaces
  containers:
  - name: apache
    image: myos:httpd
    securityContext:       # container-level security context
      privileged: true     # removes container isolation (device access, capabilities); effectively root on the node

[root@master ~]# kubectl get pods
NAME   READY   STATUS    RESTARTS   AGE

[root@master ~]# kubectl exec -it root -- /bin/bash
[root@node-0001 /]# 

# 系统进程特权
[root@node-0001 /]# pstree -p

# 网络特权
[root@node-0001 /]# ifconfig eth0

# root用户特权
[root@node-0001 /]# mkdir /sysroot
[root@node-0001 /]# mount /dev/vda1 /sysroot
[root@node-0001 /]# mount -t proc proc /sysroot/proc
[root@node-0001 /]# chroot /sysroot

# 删除特权容器
[root@master ~]# kubectl delete pod root 

 

2)Pod安全准入策略(Pod Security Admission)

# 生产环境设置严格的准入控制(原笔记此处的 label 命令被截断;按"严格"推断为 enforce=restricted,请按实际环境核对)
[root@master ~]# kubectl create namespace myprod

[root@master ~]# kubectl label namespaces myprod pod-security.kubernetes.io/enforce=restricted


# 测试环境只做警告提示(warn 模式不会拒绝创建,仅在 apply 时返回 Warning)
[root@master ~]# kubectl create namespace mytest

[root@master ~]# kubectl label namespaces mytest pod-security.kubernetes.io/warn=baseline


# 创建特权容器
[root@master ~]# kubectl -n myprod apply -f root.yaml 

[root@master ~]# kubectl -n myprod get pods

[root@master ~]# kubectl -n mytest apply -f root.yaml                                    

[root@master ~]# kubectl -n mytest get pods    

3)安全的Pod

[root@master ~]# vim nonroot.yaml
---
# Hardened Pod: each securityContext field below is one of the requirements of
# the Pod Security "restricted" level, so the enforced namespace is expected
# to admit it.
kind: Pod
apiVersion: v1
metadata:
  name: nonroot
spec:
  restartPolicy: Always
  containers:
  - name: php
    image: myos:php-fpm
    securityContext:
      allowPrivilegeEscalation: false   # process cannot gain more privileges than its parent (no setuid escalation)
      runAsNonRoot: true                # kubelet refuses to start the container if it would run as UID 0
      runAsUser: 65534                  # conventionally "nobody"; satisfies runAsNonRoot with an explicit UID
      seccompProfile:
        type: "RuntimeDefault"          # container runtime's default syscall filter
      capabilities:
        drop: ["ALL"]                   # start with no Linux capabilities

[root@master ~]# kubectl -n myprod apply -f nonroot.yaml 

[root@master ~]# kubectl -n myprod get pods

[root@master ~]# kubectl -n myprod exec -it nonroot -- id
