一、service管理
1.clusterIP
1)创建服务
# 资源对象模板
[root@master ~]# kubectl create service clusterip mysvc --tcp=80:80 --dry-run=client -o yaml
[root@master ~]# vim mysvc.yaml
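---
# ClusterIP Service: reachable only from inside the cluster (no node/external exposure).
kind: Service
apiVersion: v1
metadata:
  name: mysvc
spec:
  type: ClusterIP
  selector:
    app: web          # backends are chosen by this label, not by Pod name
  ports:
  - protocol: TCP
    port: 80          # port exposed on the ClusterIP
    targetPort: 80    # port on the backend Pod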
[root@master ~]# kubectl apply -f mysvc.yaml
[root@master ~]# kubectl get service
2)解析域名
# 安装工具软件包
[root@master ~]# dnf install -y bind-utils
# 查看 DNS 服务地址
[root@master ~]# kubectl -n kube-system get service kube-dns
记下输出中 CLUSTER-IP 列的值,它是集群内部 DNS(kube-dns)的地址,下一步用它作为 host 命令的查询服务器。
# 域名解析测试
[root@master ~]# host mysvc.default.svc.cluster.local <CLUSTER-IP字段的值>
3)创建后端应用
[root@master ~]# vim myweb.yaml
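---
kind: Pod
apiVersion: v1
metadata:
  name: web1
  labels:
    app: web            # the Service selects its backends through this label, not by Pod name
spec:
  containers:
  - name: apache
    image: myos:httpd   # lab image; no securityContext/resource limits are set (fine for a lab, not for production)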
[root@master ~]# kubectl apply -f myweb.yaml
[root@master ~]# curl http://<host命令解析域名后获取的ip地址>
4)负载均衡(请求会分发到所有带 app: web 标签的 Pod;实际命中的顺序取决于 kube-proxy 的模式,iptables 模式为随机选择,不一定严格按 web1、web2、web3 轮询出现)
[root@master ~]# sed 's,web1,web2,' myweb.yaml |kubectl apply -f -
[root@master ~]# sed 's,web1,web3,' myweb.yaml |kubectl apply -f -
[root@master ~]# curl -s http://<host命令解析域名后获取的ip地址>/info.php |grep php_host
php_host: web1
[root@master ~]# curl -s http://<host命令解析域名后获取的ip地址>/info.php |grep php_host
php_host: web2
[root@master ~]# curl -s http://<host命令解析域名后获取的ip地址>/info.php |grep php_host
php_host: web3
5)固定IP服务
[root@master ~]# vim mysvc.yaml
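---
kind: Service
apiVersion: v1
metadata:
  name: mysvc
spec:
  type: ClusterIP
  # Fixed address: must be unused and inside the cluster's service CIDR.
  # spec.clusterIP is immutable once allocated, which is why the existing
  # Service is deleted before this manifest is applied.
  clusterIP: 10.245.1.80
  selector:
    app: web
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80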
[root@master ~]# kubectl delete service mysvc
[root@master ~]# kubectl apply -f mysvc.yaml
[root@master ~]# kubectl get service
6)端口别名
[root@master ~]# kubectl delete pod --all
pod "web1" deleted
pod "web2" deleted
pod "web3" deleted
[root@master ~]# vim mysvc.yaml
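---
kind: Service
apiVersion: v1
metadata:
  name: mysvc
spec:
  type: ClusterIP
  clusterIP: 10.245.1.80
  selector:
    app: web
  ports:
  - protocol: TCP
    port: 80
    # Port *name* declared in the backend Pod's containers[].ports; a Pod that
    # does not declare a port with this name receives no traffic.
    targetPort: myhttp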
[root@master ~]# kubectl apply -f mysvc.yaml
[root@master ~]# vim myweb.yaml
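---
kind: Pod
apiVersion: v1
metadata:
  name: web1
  labels:
    app: web
spec:
  containers:
  - name: apache
    image: myos:httpd
    ports:                # container port spec; names let a Service refer to ports symbolically
    - name: myhttp        # referenced by the Service's targetPort
      protocol: TCP
      containerPort: 80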
[root@master ~]# kubectl apply -f myweb.yaml
[root@master ~]# curl http://10.245.1.80
2.nodePort
kind ->Service
spec->type: NodePort
使用kubectl create service nodeport --help查看帮助
1)对外发布服务
[root@master ~]# cp -a mysvc.yaml mysvc1.yaml
[root@master ~]# vim mysvc1.yaml
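---
kind: Service
apiVersion: v1
metadata:
  name: mysvc1
spec:
  type: NodePort          # still gets a ClusterIP, plus a port on every node
  selector:
    app: web
  ports:
  - protocol: TCP
    port: 80
    # Opened on the host IP of every node (must fall in the cluster's NodePort
    # range, 30000-32767 by default). SECURITY: anything that can reach a node
    # can reach the backend; restrict with a firewall/NetworkPolicy or front
    # it with an Ingress instead of exposing it directly.
    nodePort: 30080
    targetPort: myhttp    # named container port, resolved per Pod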
[root@master ~]# kubectl apply -f mysvc1.yaml
service/mysvc1 created
[root@master ~]# kubectl get service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S)
kubernetes ClusterIP 10.245.0.1 <none> 443/TCP
mysvc ClusterIP 10.245.1.80 <none> 80/TCP
mysvc1 NodePort 10.245.1.88 <none> 80:30080/TCP
[root@master ~]# curl http://node-0001:30080
[root@master ~]# curl http://node-0002:30080
[root@master ~]# curl http://node-0003:30080
[root@master ~]# curl http://node-0004:30080
[root@master ~]# curl http://node-0005:30080
3.Ingress
1)安装控制器
[root@master ~]# cd plugins/ingress
[root@master ingress]# docker load -i ingress.tar.xz
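[root@master ingress]# docker images --format '{{.Repository}} {{.Tag}}' | while read -r repo tag; do
  # Re-tag every locally loaded image into the private registry and push it.
  # --format yields "repo tag" pairs, so there is no header row to skip and no
  # guessing at table columns; quoting protects against odd repo/tag strings.
  [[ "${repo}" == harbor:443/* ]] && continue   # already in the private registry
  [[ "${tag}" == "<none>" ]] && continue        # dangling image, nothing to push
  target="harbor:443/plugins/${repo##*/}:${tag}"
  docker tag "${repo}:${tag}" "${target}" || { echo "tag failed: ${repo}:${tag}" >&2; continue; }
  # Remove the local copies only after the push succeeded; running rmi
  # unconditionally would silently lose the image on a failed push.
  if docker push "${target}"; then
    docker rmi "${repo}:${tag}" "${target}"
  else
    echo "push failed, keeping ${repo}:${tag}" >&2
  fi
done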
# NOTE(review): the trailing "@.*" strips the "@sha256:..." digest from image
# lines that carry one, so after this rewrite the controller image is pulled by
# tag only and its integrity rests on the private registry; compare digests
# before trusting what was pushed there.
[root@master ingress]# sed -ri 's,^(\s*image: )(.*/)?(.+)@.*,\1harbor:443/plugins/\3,' deploy.yaml
[root@master ingress]# kubectl apply -f deploy.yaml
# 通过标签指定在哪台机器上发布应用(控制器 Pod 通常通过 nodeSelector 依赖该节点标签进行调度,打标签之前 Pod 可能一直处于 Pending)
[root@master ingress]# kubectl label nodes node-0001 ingress-ready="true"
[root@master ingress]# kubectl -n ingress-nginx get pods
2)验证后端服务
[root@master ~]# kubectl get pods,services
[root@master ~]# curl http://<CLUSTER-IP字段的ip地址>
3)对外发布服务
[root@master ~]# kubectl get ingressclasses.networking.k8s.io
# 资源对象模板
[root@master ~]# kubectl create ingress mying --class=nginx --rule=nsd.tedu.cn/*=mysvc:80 --dry-run=client -o yaml
[root@master ~]# vim mying.yaml
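---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: mying
spec:
  ingressClassName: nginx        # must match a class listed by `kubectl get ingressclasses`
  rules:
  - host: nsd.tedu.cn            # routed only when the request's Host header matches
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: mysvc          # Service in the same namespace as the Ingress
            port:
              number: 80
# NOTE: there is no `tls:` section, so this host is served over plain HTTP;
# add a TLS secret and a tls block before exposing it beyond the lab.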
[root@master ~]# kubectl apply -f mying.yaml
[root@master ~]# kubectl get ingress
[root@master ~]# curl -H "Host: nsd.tedu.cn" http://<ADDRESS字段的ip地址>
二、web管理插件
1.安装Dashboard
[root@master ~]# cd plugins/dashboard
[root@master dashboard]# docker load -i dashboard.tar.xz
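[root@master dashboard]# docker images --format '{{.Repository}} {{.Tag}}' | while read -r repo tag; do
  # Re-tag every locally loaded image into the private registry and push it.
  # --format yields "repo tag" pairs, so there is no header row to skip and no
  # guessing at table columns; quoting protects against odd repo/tag strings.
  [[ "${repo}" == harbor:443/* ]] && continue   # already in the private registry
  [[ "${tag}" == "<none>" ]] && continue        # dangling image, nothing to push
  target="harbor:443/plugins/${repo##*/}:${tag}"
  docker tag "${repo}:${tag}" "${target}" || { echo "tag failed: ${repo}:${tag}" >&2; continue; }
  # Remove the local copies only after the push succeeded; running rmi
  # unconditionally would silently lose the image on a failed push.
  if docker push "${target}"; then
    docker rmi "${repo}:${tag}" "${target}"
  else
    echo "push failed, keeping ${repo}:${tag}" >&2
  fi
done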
[root@master dashboard]# sed -ri 's,^(\s*image: )(.*/)?(.+),\1harbor:443/plugins/\3,' recommended.yaml
[root@master dashboard]# kubectl apply -f recommended.yaml
[root@master dashboard]# kubectl -n kubernetes-dashboard get pods
2.发布服务
# 查看服务状态
[root@master dashboard]# kubectl -n kubernetes-dashboard get service
# 获取服务资源对象文件(30-45 行对应 recommended.yaml 中 kubernetes-dashboard 的 Service 定义,行号随版本变化,复制前先用 grep -n 'kind: Service' recommended.yaml 确认范围)
[root@master dashboard]# sed -n '30,45p' recommended.yaml >dashboard-svc.yaml
[root@master dashboard]# vim dashboard-svc.yaml
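---
# Same name/namespace as the Service shipped in recommended.yaml, so applying
# this overwrites it and switches the type (ClusterIP by default) to NodePort.
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort
  ports:
  - port: 443
    # SECURITY: the Dashboard UI becomes reachable on every node's IP at :30443.
    # Restrict access with a firewall/NetworkPolicy and never expose it to
    # untrusted networks; a leaked login token gives the UI's full privileges.
    nodePort: 30443
    targetPort: 8443    # the Dashboard container's HTTPS port
  selector:
    k8s-app: kubernetes-dashboard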
[root@master dashboard]# kubectl apply -f dashboard-svc.yaml
[root@master dashboard]# kubectl -n kubernetes-dashboard get service
三、服务账号与权限
1.创建服务账号
查看yaml对象文件
kubectl -n namespace1 create serviceaccount user1 --dry-run=client -o yaml
验证:kubectl -n namespace1 get serviceaccounts
# 资源对象模板
[root@master ~]# kubectl -n kubernetes-dashboard create serviceaccount kube-admin --dry-run=client -o yaml
[root@master ~]# vim admin-user.yaml
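---
# ServiceAccount that will log in to the Dashboard. Under RBAC it holds no
# permissions until a RoleBinding/ClusterRoleBinding names it as a subject.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: kube-admin
  namespace: kubernetes-dashboard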
[root@master ~]# kubectl apply -f admin-user.yaml
[root@master ~]# kubectl -n kubernetes-dashboard get serviceaccounts
2.获取用户token
注意:该 token 是 ServiceAccount 的登录凭据,有效期由 API Server 决定(通常默认 1 小时,可用 --duration 指定);请勿写入笔记、脚本或代码仓库,泄露后等同于泄露该账号的全部权限。
[root@master ~]# kubectl -n kubernetes-dashboard create token kube-admin
3.角色与鉴权
资源对象 | 描述 | 作用域 |
---|---|---|
ServiceAccount | 服务账号,为 Pod 中运行的进程提供了一个身份 | 单一名称空间 |
Role | 角色,包含一组代表相关权限的规则 | 单一名称空间 |
ClusterRole | 角色,包含一组代表相关权限的规则 | 全集群 |
RoleBinding | 将权限赋予用户,Role、ClusterRole 均可使用 | 单一名称空间 |
ClusterRoleBinding | 将权限赋予用户,只可以使用 ClusterRole | 全集群 |
资源对象权限
create | delete | deletecollection | get | list | patch | update | watch |
---|---|---|---|---|---|---|---|
创建 | 删除 | 删除集合 | 获取属性 | 获取列表 | 补丁 | 更新 | 监控 |
1)普通角色
查看帮助:
kubectl create role --help
kubectl create rolebinding --help
[root@master ~]# kubectl cluster-info dump |grep authorization-mode
# 资源对象模板
[root@master ~]# kubectl -n default create role myrole --resource=pods --verb=get,list --dry-run=client -o yaml
[root@master ~]# kubectl -n default create rolebinding kube-admin-role --role=myrole --serviceaccount=kubernetes-dashboard:kube-admin --dry-run=client -o yaml
[root@master ~]# vim myrole.yaml
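---
# Namespaced, read-only role: only get/list on Pods in "default" (least privilege).
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: myrole
  namespace: default
rules:
- apiGroups:
  - ""                # "" is the core API group, where Pods live
  resources:
  - pods
  verbs:
  - get
  - list
---
# Bind the role to the kube-admin ServiceAccount. A RoleBinding may name a
# subject from another namespace; the granted permissions still apply only
# inside the binding's own namespace ("default").
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kube-admin-role
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: myrole
subjects:
- kind: ServiceAccount
  name: kube-admin
  namespace: kubernetes-dashboard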
[root@master ~]# kubectl apply -f myrole.yaml
[root@master ~]# kubectl delete -f myrole.yaml
2)集群管理员(仅用于实验环境:cluster-admin 是集群最高权限,持有该账号 token 的任何人都能完全控制集群;生产环境应按需绑定最小权限的 Role/ClusterRole)
kubectl create clusterrolebinding --help
Usage:
kubectl create clusterrolebinding NAME --clusterrole=NAME [--user=username] [--group=groupname]
[--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none] [options]
[root@master ~]# kubectl get clusterrole
# 资源对象模板
[root@master ~]# kubectl create clusterrolebinding kube-admin-role --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:kube-admin --dry-run=client -o yaml
[root@master ~]# vim admin-user.yaml
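---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: kube-admin
  namespace: kubernetes-dashboard
---
# SECURITY: cluster-admin is unrestricted access to every resource in every
# namespace. Whoever holds this ServiceAccount's token (e.g. pasted into the
# Dashboard login) is effectively root on the cluster, so treat the token as a
# top-level secret and use this binding for lab work only. In production bind
# a narrower role instead (a namespaced Role as above, or the built-in "view"
# ClusterRole for read-only access).
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kube-admin-role
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kube-admin
  namespace: kubernetes-dashboard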
[root@master ~]# kubectl apply -f admin-user.yaml