Day03 - Pod environment variables, container restart policies, emptyDir, hostPath and nfs volumes, resource limits, and configMap/secret hands-on cases

0. Review of yesterday's content:

  • Pod resource manifest
apiVersion: v1
kind: Pod
metadata:
  name: ...
spec:
  hostNetwork: true
  nodeName: k8s233.oldboyedu.com
  containers:
  - name:
    image:
    stdin:
    command:
    args:
    imagePullPolicy:
  - name:
    image:
    ...
  • Basic Pod management
Create:
    kubectl create
    kubectl apply
Delete:
    kubectl delete
View:
    kubectl get
Modify:
    kubectl apply
  • Troubleshooting commands:
kubectl describe
kubectl exec
kubectl logs
kubectl cp

1. Interview question preview

Q1: What container restart policies does a Pod have? Describe them briefly.

Q2: How do you pass environment variables to a specific container of a Pod? What are the ways? Describe them briefly.

Q3: How is data persisted within a single Pod? How is it shared between containers? How do Pods on different nodes share data?

Q4: How can multiple Pods use the same configuration file?

Q5: How do you pull an image from a private Harbor project?

Q6: How does a Pod implement health checks?

1.1 Q1: The three container restart policies of a Pod (note: what K8s calls "restarting" a container means re-creating it; restartPolicy is set at the Pod level and applies to every container in the Pod, and repeated restarts are delayed with an exponential back-off of 10s, 20s, 40s ... capped at 5 minutes, which is the CrashLoopBackOff you see in kubectl get pods). Since "sleep 10" exits with code 0, the Always Pod below keeps being restarted while the OnFailure and Never Pods end up Completed.

[root@k8s231.oldboyedu.com pods]# cat 07-nginx-restartPolicy.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: linux85-web-restartpolicy-always
spec:
  nodeName: k8s233.oldboyedu.com
  # Always (the default): restart the container whenever it exits, regardless of exit code.
  restartPolicy: Always
  containers:
  - name: nginx
    image: harbor.oldboyedu.com/web/linux85-web:v0.1
    imagePullPolicy: Always
    command:
    - "sleep"
    - "10"


---
apiVersion: v1
kind: Pod
metadata:
  name: linux85-web-restartpolicy-onfailure
spec:
  nodeName: k8s233.oldboyedu.com
  # OnFailure: do not restart on a normal exit (exit code 0); restart on an abnormal exit (non-zero code or killed by a signal).
  restartPolicy: OnFailure
  containers:
  - name: nginx
    image: harbor.oldboyedu.com/web/linux85-web:v0.1
    imagePullPolicy: Always
    command:
    - "sleep"
    - "10"


---
apiVersion: v1
kind: Pod
metadata:
  name: linux85-web-restartpolicy-never
spec:
  nodeName: k8s233.oldboyedu.com
  # Never: never restart the container; the Pod ends up Completed or Error.
  restartPolicy: Never
  containers:
  - name: nginx
    image: harbor.oldboyedu.com/web/linux85-web:v0.1
    imagePullPolicy: Always
    command:
    - "sleep"
    - "10"

1.2 Q2: Two ways to pass environment variables to a container: a literal value, or valueFrom referencing a value held elsewhere (a Pod field via the Downward API as below, a ConfigMap key, a Secret key, or a container resource field)

[root@k8s231.oldboyedu.com pods]# cat 08-games-env.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: linux85-game-env
spec:
  nodeName: k8s232.oldboyedu.com
  containers:
  - name: game
    image: harbor.oldboyedu.com/oldboyedu-games/jasonyin2020/oldboyedu-games:v0.7
    # Pass environment variables to the container
    env:
      # Variable name
    - name: SCHOOL
      # Literal variable value
      value: oldboyedu
    - name: CLASS
      value: linux85
    - name: OLDBOYEDU_POD_NAME
      # Instead of a literal value, reference a value from elsewhere
      valueFrom:
        # Reference a field of the Pod object (Downward API)
        fieldRef:
          # Path of the field
          fieldPath: "metadata.name"
    - name: OLDBOYEDU_NODENAME
      valueFrom:
        fieldRef:
          fieldPath: "spec.nodeName"
    - name: OLDBOYEDU_HOSTIP
      valueFrom:
        fieldRef:
          fieldPath: "status.hostIP"
    - name: OLDBOYEDU_PODIP
      valueFrom:
        fieldRef:
          fieldPath: "status.podIP"
          
[root@k8s231 pods]# kubectl explain po.spec.containers.env
KIND:     Pod
VERSION:  v1

RESOURCE: env <[]Object>
........

[root@k8s231.oldboyedu.com pods]# kubectl apply -f 08-games-env.yaml 
pod/linux85-game-env created
[root@k8s231.oldboyedu.com pods]# kubectl get pods -o wide
NAME               READY   STATUS    RESTARTS   AGE   IP            NODE                   NOMINATED NODE   READINESS GATES
linux85-game-env   1/1     Running   0          5s    10.100.1.15   k8s232.oldboyedu.com   <none>           <none>
[root@k8s231.oldboyedu.com pods]# kubectl exec linux85-game-env -- env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=linux85-game-env
SCHOOL=oldboyedu
CLASS=linux85
OLDBOYEDU_POD_NAME=linux85-game-env
OLDBOYEDU_NODENAME=k8s232.oldboyedu.com
OLDBOYEDU_HOSTIP=10.0.0.232
OLDBOYEDU_PODIP=10.100.1.15
KUBERNETES_PORT=tcp://10.200.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.200.0.1:443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_ADDR=10.200.0.1
KUBERNETES_SERVICE_HOST=10.200.0.1
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
HOME=/root
[root@k8s231.oldboyedu.com pods]# 

1.3 Q3: How is data persisted within a single Pod? How is it shared between containers? How do Pods on different nodes share data?

1.3.1 Data persistence with emptyDir, hands-on case

[root@k8s231.oldboyedu.com pods]# cat 09-games-volumes-emptyDir.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: linux85-volume-emptydir-001
spec:
  # Define the volumes
  volumes:
    # Volume name
  - name: data01
    # Volume type emptyDir: created on the node when the Pod is scheduled there, deleted when the Pod leaves it.
    # It has two uses:
    #    - keep a container's data across container restarts (the data lives with the Pod, not the container);
    #    - share data between containers of the same Pod.
    # It is not real persistence: the data is gone when the Pod is deleted or rescheduled. An emptyDir without
    # sizeLimit can fill the node disk; "medium: Memory" backs it with tmpfs instead (counted against the memory limit).
    emptyDir: {} 
  containers:
  - name: web
    image: harbor.oldboyedu.com/web/nginx:1.20.1-alpine
    # Mount points
    volumeMounts:
      # Volume name
    - name: data01
      # Mount path inside the container
      mountPath: /usr/share/nginx/html
  - name: linux
    image: harbor.oldboyedu.com/linux/alpine:latest
    stdin: true
    volumeMounts:
    - name: data01
      mountPath: /oldboyedu-data

[root@k8s231 pods]# kubectl exec -it linux85-volume-emptydir-001 -- sh     # no -c given: kubectl defaults to the first container (web)
/ # cd /usr/share/nginx/html/
/usr/share/nginx/html # ls
50x.html    index.html
/usr/share/nginx/html # echo "<h1>v0.1</h1>" > index.html
/usr/share/nginx/html # 
[root@k8s231 pods]# !curl
curl 10.100.2.13
<h1>v0.1</h1>

[root@k8s231 ~]# kubectl exec -it linux85-volume-emptydir-001 -c web -- sh
/ # cd /usr/share/nginx/html/
/usr/share/nginx/html # ls
/usr/share/nginx/html # echo "<h1>test</h1>" > index.html
/usr/share/nginx/html # 
[root@k8s231 ~]# curl 10.100.1.6
<h1>test</h1>
[root@k8s231 ~]# kubectl exec -it linux85-volume-emptydir-001 -c linux -- sh
/ # ls
bin             home            mnt             proc            sbin            tmp
dev             lib             oldboyedu-data  root            srv             usr
etc             media           opt             run             sys             var
/ # cd oldboyedu-data/
/oldboyedu-data # ll
sh: ll: not found
/oldboyedu-data # ls
index.html
/oldboyedu-data # cat index.html 
<h1>test</h1>
/oldboyedu-data # echo 111111111> index.html 
sh: 3: Bad file descriptor
# The digits directly in front of ">" were parsed as a file-descriptor number; put a space before ">".
/oldboyedu-data # echo 111111111 > index.html 
/oldboyedu-data # cat index.html 
111111111
/oldboyedu-data # 
[root@k8s231 ~]# curl 10.100.1.6
111111111

1.3.2 Data persistence with hostPath, hands-on case

[root@k8s231.oldboyedu.com pods]# cat 10-games-volumes-hostPath.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: linux85-volume-hostpath-001
spec:
  nodeName: k8s232.oldboyedu.com
  volumes:
  - name: data01
    emptyDir: {} 
  - name: data02
    # hostPath volume: mounts a path of the node into the container. Use it only when the container really
    # needs the node's filesystem. Security caveat: whoever may create a Pod with a hostPath can read and write
    # that node path (think /etc/kubernetes, /var/run/docker.sock or "/" itself), which is node compromise;
    # the Pod Security Standards "baseline" and "restricted" levels forbid hostPath volumes for that reason.
    # The data is also node-local: a Pod rescheduled to another node sees a different directory.
    hostPath:
      # Path on the node ("type: DirectoryOrCreate" would create it; the default type "" performs no check)
      path: /oldboyedu-data
  containers:
  - name: web
    image: harbor.oldboyedu.com/web/nginx:1.20.1-alpine
    volumeMounts:
    - name: data02
      mountPath: /usr/share/nginx/html

---

apiVersion: v1
kind: Pod
metadata:
  name: linux85-volume-hostpath-002
spec:
  nodeName: k8s232.oldboyedu.com
  volumes:
  - name: linux85-data
    hostPath:
      path: /oldboyedu-data
  containers:
  - name: linux
    image: harbor.oldboyedu.com/linux/alpine:latest
    stdin: true
    volumeMounts:
    - name: linux85-data
      mountPath: /oldboyedu-data-linux85
[root@k8s231.oldboyedu.com pods]# 

1.3.3 Sharing data between Pods on different nodes

1.3.3.1 Deploy the nfs server
(1) Install the nfs packages on all nodes (the kubelet on every node mounts the share, so the client tools are needed everywhere)
yum -y install nfs-utils

(2) Configure the shared directory on the k8s231 node
mkdir -pv /oldboyedu/data/kubernetes
cat > /etc/exports <<'EOF'
/oldboyedu/data/kubernetes *(rw,no_root_squash)
EOF
# Caveat: "*" lets any host that can reach the server mount the share, and no_root_squash lets root on any of
# those clients (i.e. every root process in a Pod that mounts it) act as root on the share. That is fine for a
# lab; in production restrict the client list to the node subnet (e.g. 10.0.0.0/24) and keep root_squash
# unless the workload really needs root-owned files.

(3) Enable the nfs service at boot and start it now
systemctl enable --now nfs

(4) Check the exported directories on the server
exportfs

(5) Mount manually from a client node to test, then unmount
mount -t nfs k8s231.oldboyedu.com:/oldboyedu/data/kubernetes /mnt/
umount /mnt 
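A small /etc/exports audit script, added here as an example (it is not part of the course material). It parses the exports syntax, flags the two weak settings of the lab export above (a "*" client and no_root_squash) as well as the classic "host (rw)" typo, where the space before the parenthesis silently exports the share read-write to every host, and rewrites a line into a hardened form. The sample exports text is constructed for this example, and the allowed subnet 10.0.0.0/24 is an assumption taken from the lab's node addresses.

```python
"""Audit /etc/exports for world-mountable and no_root_squash exports (example script)."""
import re
import sys

# Constructed sample: the lab's export line plus three lines made up for this example.
SAMPLE_EXPORTS = """\
# constructed /etc/exports for this example
/oldboyedu/data/kubernetes *(rw,no_root_squash)
/srv/nfs/app 10.0.0.0/24(rw,sync,root_squash,no_subtree_check)
/srv/nfs/legacy k8s232.oldboyedu.com(rw,no_root_squash) *(ro)
/srv/nfs/typo k8s233.oldboyedu.com (rw)
"""

# One client token: "client", "client(opt,opt)" or a bare "(opt,opt)".
_TOKEN = re.compile(r"([^(]*)(?:\(([^)]*)\))?")


def parse_exports(text):
    """Return (path, client, [options]) triples, one per client entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        path, rest = fields[0], (fields[1] if len(fields) > 1 else "")
        for token in rest.split():
            m = _TOKEN.fullmatch(token)
            if m is None:
                continue  # malformed token; exportfs would reject it as well
            client, opts = m.groups()
            # exportfs semantics: a bare "(opts)" token (a stray space before "(")
            # applies those options to every host, i.e. the client is "*".
            client = client or "*"
            options = [o for o in (opts or "").split(",") if o]
            entries.append((path, client, options))
    return entries


def is_world(client):
    """True when the client specification matches any host."""
    return client in ("*", "0.0.0.0/0") or "*" in client or "?" in client


def audit_exports(text):
    """Return (path, client, finding) triples for the weak settings."""
    findings = []
    for path, client, options in parse_exports(text):
        if is_world(client):
            findings.append((path, client, "world-mountable"))
        if "no_root_squash" in options:
            findings.append((path, client, "no_root_squash"))
    return findings


def harden_line(line, allowed_cidr):
    """Rewrite one export line: pin wildcard clients to allowed_cidr, drop
    no_root_squash, and make root_squash/sync/no_subtree_check explicit."""
    parts = []
    for path, client, options in parse_exports(line):
        if is_world(client):
            client = allowed_cidr
        opts = [o for o in options if o != "no_root_squash"]
        if not {"sync", "async"} & set(opts):
            opts.append("sync")
        if "root_squash" not in opts:
            opts.append("root_squash")
        if not {"subtree_check", "no_subtree_check"} & set(opts):
            opts.append("no_subtree_check")
        parts.append(f"{client}({','.join(opts)})")
    if not parts:
        return line
    return f"{line.split()[0]} {' '.join(parts)}"


if __name__ == "__main__":
    # Usage: python3 audit_exports.py [/etc/exports]; without an argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORTS
    for path, client, finding in audit_exports(text):
        print(f"{finding:16} {path} {client}")
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            print("hardened:", harden_line(line, "10.0.0.0/24"))
```

With root_squash in place, a container that runs as root and writes to the share is mapped to the anonymous user, so the share must be writable by that uid (or the container must run as a fixed non-root uid). The "typo" line is reported rather than silently merged; fix the stray space by hand.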
1.3.3.2 Data persistence with nfs, hands-on case
[root@k8s231.oldboyedu.com pods]# cat 11-nginx-alpine-volumes-nfs.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: linux85-volume-nfs-web
spec:
  nodeName: k8s232.oldboyedu.com
  volumes:
  - name: data
    # Volume type nfs (mounted by the kubelet on the node, which is why nfs-utils is installed everywhere)
    nfs:
      # nfs server address
      server: 10.0.0.231
      # Exported path on the server; the volume-nfs sub-directory must already exist, otherwise the mount
      # fails and the Pod stays in ContainerCreating
      path: /oldboyedu/data/kubernetes/volume-nfs
  containers:
  - name: web
    image: harbor.oldboyedu.com/web/nginx:1.20.1-alpine
    volumeMounts:
    - name: data
      mountPath: /usr/share/nginx/html

---

apiVersion: v1
kind: Pod
metadata:
  name: linux85-volume-nfs-linux
spec:
  nodeName: k8s233.oldboyedu.com
  volumes:
  - name: data
    nfs:
      server: 10.0.0.231
      path: /oldboyedu/data/kubernetes/volume-nfs
  containers:
  - name: linux
    image: harbor.oldboyedu.com/linux/alpine:latest
    stdin: true
    volumeMounts:
    - name: data
      mountPath: /oldboyedu-data-linux85
[root@k8s231 pods]# kubectl apply -f 11-nginx-alpine-volumes-nfs.yaml 
pod/linux85-volume-nfs-web created
pod/linux85-volume-nfs-linux created
[root@k8s231 pods]# kubectl get pods -o wide
NAME                       READY   STATUS    RESTARTS   AGE   IP            NODE                   NOMINATED NODE   READINESS GATES
linux85-volume-nfs-linux   1/1     Running   0          21s   10.100.2.15   k8s233.oldboyedu.com   <none>           <none>
linux85-volume-nfs-web     1/1     Running   0          21s   10.100.1.9    k8s232.oldboyedu.com   <none>           <none>
[root@k8s231 pods]# curl 10.100.1.9      # 403: the share is still empty (no index.html, autoindex is off)
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.20.1</center>
</body>
</html>
[root@k8s231 pods]# echo "<h1>www.oldboyedu.com</h1>" > /oldboyedu/data/kubernetes/volume-nfs/index.html
[root@k8s231 pods]# curl 10.100.1.9
<h1>www.oldboyedu.com</h1>
[root@k8s231 pods]# 

2. Container resource limits, hands-on case

[root@k8s231 pods]# kubectl explain po.spec.containers.resources
KIND:     Pod
VERSION:  v1

RESOURCE: resources <Object>

DESCRIPTION:
     Compute Resources required by this container. Cannot be updated. More info:
     https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

     ResourceRequirements describes the compute resource requirements.

FIELDS:
   limits	<map[string]string>
     Limits describes the maximum amount of compute resources allowed. More
     info:
     https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

   requests	<map[string]string>
     Requests describes the minimum amount of compute resources required. If
     Requests is omitted for a container, it defaults to Limits if that is
     explicitly specified, otherwise to an implementation-defined value. More
     info:
     https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

[root@k8s231.oldboyedu.com pods]# cat 12-stress.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: linux85-stress-003
spec:
  nodeName: k8s233.oldboyedu.com
  containers:
  - name: stress
    image: jasonyin2020/oldboyedu-linux-tools:v0.1
    args:
    - "tail"
    - "-f"
    - "/etc/hosts"
    # Resource requests and limits for the container
    resources:
      # requests: what the scheduler requires the target node to have free. If no node satisfies it, the Pod
      # stays Pending. Once scheduled, the container does not immediately consume the requested amount;
      # requests only reserve capacity for scheduling (and determine the CPU weight and the QoS class).
      requests:
        # e.g. require 10G of allocatable memory on the node (left commented out, no lab node has it):
        # memory: 10G
        memory: 256M
        # CPU in cores; 1 core = 1000m
        cpu: 500m
      # limits: the hard cap. CPU is throttled at the limit; memory use beyond the limit gets the process
      # OOM-killed and the container restarted according to restartPolicy.
      # Units: M/G are decimal (256M = 256,000,000 bytes), Mi/Gi are binary (256Mi = 268,435,456 bytes).
      # A Pod with neither requests nor limits is BestEffort QoS: it can starve the node and is the first
      # to be evicted under memory pressure, so always set limits for untrusted or bursty workloads.
      limits:
        memory: 500M
        cpu: 1.5
        
[root@k8s231.oldboyedu.com pods]# 
[root@k8s231 pods]# kubectl apply -f 12-stress.yaml 

# Stress-test the container (the pod name in this transcript comes from an earlier run of the manifest;
# the manifest above names it linux85-stress-003)
[root@k8s231 pods]# kubectl exec -it linux85-stress-001 -- sh
(1) CPU stress test ----> spawn 4 CPU-burning workers and stop after 1 minute. Watch the CPU usage: although 4 workers are started, the container is throttled at limits.cpu: 1.5, i.e. it should not exceed 150%.
/usr/local/stress # stress -c 4 --verbose --timeout 1m

(2) Memory stress test ---> spawn 5 workers, each allocating 200000000 bytes (200MB) and holding it. Together they want 1GB, which exceeds limits.memory: 500M, so the cgroup OOM killer terminates workers once the container reaches the limit (visible as OOMKilled, and as a restart if the whole container dies).
/usr/local/stress # stress  -m 5 --vm-bytes 200000000 --vm-keep --verbose

# Observe the container on the node (this snapshot was taken before the stress commands ran: 1 PID, 0% CPU)
[root@k8s233 ~]# docker stats d94975678c05
CONTAINER ID   NAME                                                                           CPU %     MEM USAGE / LIMIT   MEM %     NET I/O   BLOCK I/O    PIDS
d94975678c05   k8s_stress_linux85-stress-001_default_81fbd533-9440-4c34-8f66-7d1357985182_0   0.00%     56KiB / 3.839GiB    0.00%     0B / 0B   156kB / 0B   1

3. ConfigMap overview

ConfigMap data is stored in the etcd database; its purpose is application configuration, not credentials: a ConfigMap is stored and served in plain text, so anything sensitive belongs in a Secret. A single ConfigMap is limited to 1 MiB.

Data types supported by a ConfigMap:

(1) key/value pairs;

(2) multi-line data (file contents);

Two common ways for a Pod to consume a ConfigMap:
(1) injecting it as environment variables;
(2) mounting it as a volume.

Recommended reading:
https://kubernetes.io/docs/concepts/storage/volumes/#configmap
https://kubernetes.io/docs/concepts/configuration/configmap/

3.1 Define a ConfigMap (abbreviated "cm") resource

[root@k8s231.oldboyedu.com configMap]# cat 01-config-demo.yaml 
apiVersion: v1
kind: ConfigMap
metadata:
  name: linux85-config
# Data of the cm resource
data:
   # single-line values
   school: oldboyedu
   class: linux85

   # multi-line values (file contents)
   my.cfg: |
     datadir: "/var/lib/mysql"
     basedir: "/usr/share/mysql"
     socket: "/tmp/mysql.sock"

   student.info: |
     pengbing: "大长腿,熬夜,六味地黄丸"
     wumingkun: "彭斌,Linux"
     qinhongbin: "欧美,日韩,国产"
     liwenxuan: "拍小电影,小皮鞭"
     wanglei: "演小电影,大皮鞭"
     
[root@k8s231.oldboyedu.com configMap]# kubectl apply -f 01-config-demo.yaml 
configmap/linux85-config created

3.2 Pod consuming a cm resource through env variables (note: env values are resolved once at container start and never refreshed; after changing the cm the Pod must be re-created)

[root@k8s231.oldboyedu.com configMap]# cat 02-cm-env.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: linux85-game-cm-env
spec:
  nodeName: k8s232.oldboyedu.com
  containers:
  - name: game
    image: harbor.oldboyedu.com/oldboyedu-games/jasonyin2020/oldboyedu-games:v0.7
    env:
    - name: OLDBOYEDU_LINUX85_SCHOOL
      valueFrom:
        # Reference a configMap resource
        configMapKeyRef:
          # Name of the configMap
          name: linux85-config
          # Key within the configMap
          key: school
    - name: OLDBOYEDU_LINUX85_CLASS
      valueFrom:
        configMapKeyRef:
          name: linux85-config
          key: class
    - name: OLDBOYEDU_LINUX85_mycfg
      valueFrom:
        configMapKeyRef:
          name: linux85-config
          key: my.cfg
    - name: OLDBOYEDU_LINUX85_studentinfo
      valueFrom:
        configMapKeyRef:
          name: linux85-config
          key: student.info
[root@k8s231.oldboyedu.com configMap]# 
[root@k8s231.oldboyedu.com configMap]# kubectl apply -f 02-cm-env.yaml 
[root@k8s231.oldboyedu.com configMap]# 
[root@k8s231.oldboyedu.com configMap]# kubectl exec linux85-game-cm-env -- env

3.3 Pod consuming a cm resource as a volume

[root@k8s231.oldboyedu.com configMap]# cat 03-cm-volumes.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: linux85-volume-cm-008
spec:
  nodeName: k8s232.oldboyedu.com
  volumes:
  - name: data
    # Volume type configMap
    configMap:
      # Name of the configMap
      name: linux85-config
      # Select the keys to project (omit items to project every key as a file)
      items:
        # Key name
      - key: student.info
        # File name under the mount point
        path: oldboyedu-linux85-student.info
  containers:
  - name: web
    image: harbor.oldboyedu.com/web/nginx:1.20.1-alpine
    command: ["tail","-f","/etc/hosts"]
    volumeMounts:
    - name: data
      mountPath: /etc/nginx/nginx.conf
      # With subPath equal to configMap.items.path, mountPath is a single file rather than a directory, so the
      # rest of /etc/nginx stays intact. Caveat: a subPath mount is a one-off copy and is NOT updated when the
      # ConfigMap changes; a directory mount (no subPath) is refreshed by the kubelet.
      subPath: oldboyedu-linux85-student.info
[root@k8s231.oldboyedu.com configMap]# 
[root@k8s231.oldboyedu.com configMap]# kubectl apply -f 03-cm-volumes.yaml 

Class exercise:

Create the nginx configuration file of "harbor.oldboyedu.com/oldboyedu-games/jasonyin2020/oldboyedu-games:v0.1" as a cm resource and mount it into the container!

3.4 Class exercise solution and a ports/hostPort mapping case

[root@k8s231.oldboyedu.com configMap]# cat 04-cm-ketanglianxi.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: linux85-games-ketanglianxi-002
spec:
  # hostNetwork: true
  nodeName: k8s232.oldboyedu.com
  volumes:
  - name: data
    configMap:
      name: oldboyedu-linux85-games
      items:
      - key: nginx.conf
        path: nginx.conf
  containers:
  - name: game
    image: harbor.oldboyedu.com/oldboyedu-games/jasonyin2020/oldboyedu-games:v0.1
    volumeMounts:
    - name: data
      mountPath: /usr/local/nginx/conf/nginx.conf
      subPath: nginx.conf
    # Container port mapping fields
    ports:
      # Port the container listens on
    - containerPort: 80
      # Node IP to bind; 0.0.0.0 binds every node interface, so the port is reachable from outside the cluster.
      # Prefer a Service; if hostPort is unavoidable, bind a specific hostIP.
      hostIP: "0.0.0.0"
      # Node port to bind (the CNI portmap plugin DNATs it to the Pod; only one Pod per node can use a given port)
      hostPort: 88
      # Name of the port; must be unique within the Pod
      name: game
      # Protocol
      protocol: TCP

---

apiVersion: v1
kind: ConfigMap
metadata:
  name: oldboyedu-linux85-games
data:
  nginx.conf: |
      worker_processes  1;
      events {
          worker_connections  1024;
      }
      http {
          include       mime.types;
          default_type  application/octet-stream;
          sendfile        on;
          keepalive_timeout  65;
          server {
              listen       80;
              root        /usr/local/nginx/html/bird/;
              server_name   game01.oldboyedu.com;
          }
          server {
              listen       80;
              root        /usr/local/nginx/html/pinshu/;
              server_name   game03.oldboyedu.com;
          }
          server {
              listen       80;
              root        /usr/local/nginx/html/tanke/;
              server_name   game05.oldboyedu.com;
          }
          server {
              listen       80;
              root        /usr/local/nginx/html/pingtai/;
              server_name   game02.oldboyedu.com;
          }
          server {
              listen       80;
              root        /usr/local/nginx/html/chengbao/;
              server_name   game04.oldboyedu.com;
          }
      }
      
[root@k8s231 configMap]# kubectl get pods -o wide 
NAME                             READY   STATUS    RESTARTS      AGE     IP            NODE                   NOMINATED NODE   READINESS GATES
linux85-game-cm-env              1/1     Running   1 (14m ago)   3d      10.100.1.14   k8s232.oldboyedu.com   <none>           <none>
linux85-games-ketanglianxi-002   1/1     Running   0             11s     10.100.1.15   k8s232.oldboyedu.com   <none>           <none>
linux85-volume-cm-008            1/1     Running   1 (14m ago)   2d23h   10.100.1.13   k8s232.oldboyedu.com   <none>           <none>
[root@k8s232 ~]# iptables-save |grep 88      # the CNI portmap rules: node port 88 is DNATed to the Pod 10.100.1.15:80
-A CNI-DN-d3271470de13d7612fb59 -s 10.100.1.0/24 -p tcp -m tcp --dport 88 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-d3271470de13d7612fb59 -s 127.0.0.1/32 -p tcp -m tcp --dport 88 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-d3271470de13d7612fb59 -p tcp -m tcp --dport 88 -j DNAT --to-destination 10.100.1.15:80
-A CNI-HOSTPORT-DNAT -p tcp -m comment --comment "dnat name: \"cbr0\" id: \"13446eea55742ce95f7e3228c024946a01a5d3d54ccd4bc0a9fd91a2a824f01c\"" -m multiport --dports 88 -j CNI-DN-d3271470de13d7612fb59
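The hostPath caveat of 1.3.2, the missing-limits point of section 2 and the hostPort exposure above are all things an admission check should catch before a Pod runs. The script below is an added example (not part of the course material, and not the Pod Security Admission controller, which is what you would use in production at the "baseline" level to forbid hostPath, hostNetwork and hostPort outright). It reads Pod objects in the JSON shape that "kubectl get pods -o json" produces and reports those findings plus Secrets injected through env. The three Pod objects are constructed copies of manifests on this page; the games Pod is given the cpu/memory limits the homework asks for so that only its hostPort finding remains, and the list of sensitive node paths is an assumption.

```python
"""Static checks on Pod objects for host exposure and missing limits (example script)."""
import json
import sys

# Node paths whose exposure amounts to owning the node (assumed list for this example).
SENSITIVE_HOST_PATHS = ("/etc", "/proc", "/sys", "/root", "/home", "/var/run", "/run",
                        "/var/lib/kubelet", "/var/lib/docker", "/var/lib/containerd")

# Constructed Pod objects mirroring manifests on this page, in `kubectl get pod -o json` shape.
HOSTPATH_POD = {"apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "linux85-volume-hostpath-001"},
    "spec": {"volumes": [{"name": "data01", "emptyDir": {}},
                         {"name": "data02", "hostPath": {"path": "/oldboyedu-data"}}],
             "containers": [{"name": "web", "image": "harbor.oldboyedu.com/web/nginx:1.20.1-alpine",
                             "volumeMounts": [{"name": "data02", "mountPath": "/usr/share/nginx/html"}]}]}}
GAMES_POD = {"apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "linux85-games-ketanglianxi-002"},
    "spec": {"containers": [{"name": "game",
                             "image": "harbor.oldboyedu.com/oldboyedu-games/jasonyin2020/oldboyedu-games:v0.1",
                             "resources": {"limits": {"cpu": "500m", "memory": "200M"}},  # assumed limits
                             "ports": [{"containerPort": 80, "hostIP": "0.0.0.0", "hostPort": 88,
                                        "name": "game", "protocol": "TCP"}]}]}}
STRESS_POD = {"apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "linux85-stress-003"},
    "spec": {"containers": [{"name": "stress", "image": "jasonyin2020/oldboyedu-linux-tools:v0.1",
                             "resources": {"requests": {"memory": "256M", "cpu": "500m"},
                                           "limits": {"memory": "500M", "cpu": "1.5"}}}]}}


def sensitive_host_path(path):
    """True for "/" and for anything at or below a SENSITIVE_HOST_PATHS prefix."""
    norm = path.rstrip("/") or "/"
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def lint_pod(pod):
    """Return human-readable findings for one Pod object."""
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    out = []
    if spec.get("hostNetwork"):
        out.append(f"{name}: hostNetwork=true shares the node network namespace")
    for vol in spec.get("volumes", []):
        hp = vol.get("hostPath")
        if hp is not None:
            path = hp.get("path", "")
            sev = "critical" if sensitive_host_path(path) else "high"
            out.append(f"{name}: {sev}: volume {vol.get('name')} is hostPath {path}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = f"{name}/{c.get('name')}"
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                out.append(f"{cname}: no {res} limit")
        for port in c.get("ports", []):
            if port.get("hostPort"):
                out.append(f"{cname}: hostPort {port['hostPort']} bound on "
                           f"{port.get('hostIP', '0.0.0.0')}")
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                out.append(f"{cname}: env {env.get('name')} exposes secret "
                           f"{ref.get('name')}/{ref.get('key')} to `kubectl exec -- env`")
    return out


def lint_objects(obj):
    """Accept a single Pod or the List returned by `kubectl get pods -o json`."""
    pods = obj.get("items", []) if obj.get("kind") == "List" else [obj]
    return [finding for pod in pods for finding in lint_pod(pod)]


if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json | python3 lint_pods.py   (or run without stdin to lint the samples)
    if sys.stdin.isatty():
        src = {"kind": "List", "items": [HOSTPATH_POD, GAMES_POD, STRESS_POD]}
    else:
        src = json.load(sys.stdin)
    for finding in lint_objects(src):
        print(finding)
```

The severity split matters in practice: a hostPath under /oldboyedu-data is "merely" node-local data exposure, whereas /var/run/docker.sock or /etc/kubernetes is a direct node takeover, and the two deserve different responses.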

4. Secret resource: create, read, update and delete, hands-on

# Values under data: must be base64-encoded. Note that echo appends a newline, so the values below decode
# to "elastic\n" and "oldboyedu\n"; use echo -n (or printf '%s') so the Secret holds exactly the credential.
# base64 is an encoding, not encryption: anyone who can read the object can reverse it.
[root@k8s231 ~]# echo elastic | base64
ZWxhc3RpYwo=
[root@k8s231 ~]# echo oldboyedu | base64
b2xkYm95ZWR1Cg==
[root@k8s231 ~]# echo oldboyedu | base64 |base64 -d
oldboyedu

[root@k8s231.oldboyedu.com secret]# kubectl get secrets  es-https 
NAME       TYPE     DATA   AGE
es-https   Opaque   2      44s
[root@k8s231.oldboyedu.com secret]# kubectl apply -f 01-secret-demo.yaml 
secret/es-https configured
[root@k8s231.oldboyedu.com secret]# kubectl get secrets  es-https 
NAME       TYPE     DATA   AGE
es-https   Opaque   3      49s
[root@k8s231.oldboyedu.com secret]# cat 01-secret-demo.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: es-https
data:
  username: ZWxhc3RpYwo=
  password: b2xkYm95ZWR1Cg==
  hostip: MTAuMC4wLjI1MAo=

[root@k8s231 secret]# kubectl get secrets es-https -o yaml 
apiVersion: v1
data:
  password: b2xkYm95ZWR1Cg==
  username: ZWxhc3RpYwo=
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"password":"b2xkYm95ZWR1Cg==","username":"ZWxhc3RpYwo="},"kind":"Secret","metadata":{"annotations":{},"name":"es-https","namespace":"default"}}
  creationTimestamp: "2024-06-17T07:25:27Z"
  name: es-https
  namespace: default
  resourceVersion: "127717"
  uid: 0c1619a6-2511-46d2-9f17-a709483ea16f
type: Opaque


[root@k8s231.oldboyedu.com secret]# kubectl delete -f 01-secret-demo.yaml 
secret "es-https" deleted
[root@k8s231.oldboyedu.com secret]# 


Similar to a ConfigMap, except that a Secret stores sensitive data and every value under data: must be base64-encoded (the stringData: field accepts plain strings and the API server encodes them for you). base64 is not encryption: anyone allowed to "get secrets" in the namespace (see the -o yaml output above) can decode every value, so restrict that verb with RBAC and enable encryption at rest for etcd, where Secrets are otherwise stored in plain text.
Secrets are mainly used for credentials.

Reference:
https://kubernetes.io/zh/docs/concepts/configuration/secret/#secret-types

4.1 Pod referencing a secret via env, case

[root@k8s231.oldboyedu.com secret]# cat 02-secret-env.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: linux85-game-secret-001
spec:
  nodeName: k8s232.oldboyedu.com
  containers:
  - name: game
    image: harbor.oldboyedu.com/oldboyedu-games/jasonyin2020/oldboyedu-games:v0.7
    env:
    - name: OLDBOYEDU_LINUX85_USERNAME
      valueFrom:
        # Reference a secret resource
        secretKeyRef:
          # Secret name
          name: es-https
          # Key within the secret
          key: username
    - name: OLDBOYEDU_LINUX85_PASSWORD
      valueFrom:
        secretKeyRef:
          name: es-https
          key: password
    - name: OLDBOYEDU_LINUX85_HOSTIP
      valueFrom:
        secretKeyRef:
          name: es-https
          key: hostip

[root@k8s231.oldboyedu.com secret]# kubectl apply -f 02-secret-env.yaml 
pod/linux85-game-secret-001 created
[root@k8s231.oldboyedu.com secret]# kubectl get pods
NAME                                 READY   STATUS                       RESTARTS         AGE
linux85-game-secret-001              1/1     Running                      0                2s
[root@k8s231.oldboyedu.com secret]# kubectl exec linux85-game-secret-001 -- env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=linux85-game-secret-001
OLDBOYEDU_LINUX85_HOSTIP=10.0.0.250

OLDBOYEDU_LINUX85_USERNAME=elastic

OLDBOYEDU_LINUX85_PASSWORD=oldboyedu

# The blank lines after HOSTIP, USERNAME and PASSWORD are the trailing newline that "echo | base64" put into
# each value. Note also that anyone who can exec into the Pod (or read /proc/<pid>/environ, or a crash dump)
# sees the credentials in clear; a volume mount (4.2) is the safer way to hand them to the process.

KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.200.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.200.0.1:443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_ADDR=10.200.0.1
KUBERNETES_SERVICE_HOST=10.200.0.1
HOME=/root

4.2 Pod referencing a secret via a volume, case

[root@k8s231.oldboyedu.com secret]# cat 03-secret-volumes.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: linux85-volume-secret-003
spec:
  nodeName: k8s232.oldboyedu.com
  volumes:
  - name: data
    # Volume type secret (backed by tmpfs on the node, so the files never touch disk)
    secret:
      # Secret name
      secretName: es-https
      items:
      - key: username
        path: username.info
      - key: password
        path: password.info
      - key: hostip
        path: hostip.info
  containers:
  - name: web
    image: harbor.oldboyedu.com/web/nginx:1.20.1-alpine
    command: ["tail","-f","/etc/hosts"]
    volumeMounts:
    - name: data
      # mountPath: /oldboyedu-data
      mountPath: /etc/nginx/nginx.conf
      subPath: username.info
    - name: data
      mountPath: /etc/nginx/password.conf
      subPath: password.info
    - name: data
      mountPath: /etc/nginx/hostip.conf
      subPath: hostip.info
[root@k8s231.oldboyedu.com secret]# 
[root@k8s231.oldboyedu.com secret]# kubectl apply -f 03-secret-volumes.yaml 
pod/linux85-volume-secret-003 configured
[root@k8s231 secret]# kubectl exec -it linux85-volume-secret-003 -- sh
/ # ls
bin                   home                  proc                  sys
dev                   lib                   root                  tmp
docker-entrypoint.d   media                 run                   usr
docker-entrypoint.sh  mnt                   sbin                  var
etc                   opt                   srv
/ # cd /etc/nginx/
/etc/nginx # ll
sh: ll: not found
/etc/nginx # ls
conf.d          fastcgi_params  mime.types      nginx.conf      scgi_params
fastcgi.conf    hostip.conf     modules         password.conf   uwsgi_params
/etc/nginx # cat nginx.conf 
elastic
/etc/nginx # cat password.conf 
oldboyedu
/etc/nginx # cat hostip.conf 
10.0.0.250
/etc/nginx # 

Harbor user info:

username: linux85
password: Linux85@2023

Create the Harbor credential from the command line:

kubectl create secret docker-registry  linux85 --docker-username=linux85 --docker-password=Linux85@2023 --docker-email=linux85@oldboyedu.com --docker-server=harbor.oldboyedu.com
# Caveat: the password on the command line lands in the shell history and is visible in "ps" while the
# command runs. An alternative is to "docker login harbor.oldboyedu.com" first and then create the secret
# with "kubectl create secret generic" from ~/.docker/config.json, using --from-file=.dockerconfigjson=<path>
# and --type=kubernetes.io/dockerconfigjson.
[root@k8s231 ~]# kubectl get secrets 
NAME                  TYPE                                  DATA   AGE
default-token-2m5sn   kubernetes.io/service-account-token   3      5d6h
es-https              Opaque                                3      47m
linux85               kubernetes.io/dockerconfigjson        1      16s

Get the manifest of the Harbor credential secret

kubectl get secrets linux85 -o yaml
[root@k8s231 ~]# kubectl get secrets linux85 -o yaml 
apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iub2xkYm95ZWR1LmNvbSI6eyJ1c2VybmFtZSI6ImxpbnV4ODUiLCJwYXNzd29yZCI6IkxpbnV4ODVAMjAyMyIsImVtYWlsIjoibGludXg4NUBvbGRib3llZHUuY29tIiwiYXV0aCI6ImJHbHVkWGc0TlRwTWFXNTFlRGcxUURJd01qTT0ifX19
kind: Secret
metadata:
  creationTimestamp: "2024-06-17T08:18:32Z"
  name: linux85
  namespace: default
  resourceVersion: "132322"
  uid: e685a3df-2439-4ffc-85af-5def618d46bd
type: kubernetes.io/dockerconfigjson
[root@k8s231 secret]# kubectl get secrets linux85 -o yaml >> 04-imagePullSecret.yaml
# The appended object carries server-populated fields (namespace, creationTimestamp, resourceVersion, uid);
# they were stripped by hand before the file below was applied. The .dockerconfigjson value is only base64
# over a JSON document that contains the plain-text password, so treat this file like the password itself.

4.3 Manifest that pulls an image from a private project (friendly reminder: do not copy blindly, your environment may differ from mine)

[root@k8s231.oldboyedu.com secret]# cat 04-imagePullSecret.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: linux85-imagepullsecret-002
spec:
  nodeName: k8s232.oldboyedu.com
  # Secret holding the registry credentials used to pull the image
  imagePullSecrets:
  - name: linux85
  containers:
  - name: linux
    image: harbor.oldboyedu.com/linux85/jasonyin2020/oldboyedu-linux-tools:v0.1
    stdin: true

---

apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iub2xkYm95ZWR1LmNvbSI6eyJ1c2VybmFtZSI6ImxpbnV4ODUiLCJwYXNzd29yZCI6IkxpbnV4ODVAMjAyMyIsImVtYWlsIjoibGludXg4NUBvbGRib3llZHUuY29tIiwiYXV0aCI6ImJHbHVkWGc0TlRwTWFXNTFlRGcxUURJd01qTT0ifX19
kind: Secret
metadata:
  name: linux85
type: kubernetes.io/dockerconfigjson
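The base64 handling at the start of section 4 and the .dockerconfigjson payload above, reworked as a small Python helper. It is an added example, not course material: it shows why "echo | base64" produced values that decode with a trailing newline (the blank lines in the env output of 4.1), how to build a clean Opaque Secret, and that a kubernetes.io/dockerconfigjson Secret is nothing more than base64 over JSON carrying the registry password in clear, by decoding the exact .dockerconfigjson value shown in the linux85 Secret above. The Secret names and values are the page's own; nothing is read from a cluster.

```python
"""Kubernetes Secret value helpers: exact base64, newline detection, dockerconfigjson (example script)."""
import base64
import json

# The .dockerconfigjson value of the "linux85" Secret above, copied verbatim from this page.
PAGE_DOCKERCONFIGJSON = (
    "eyJhdXRocyI6eyJoYXJib3Iub2xkYm95ZWR1LmNvbSI6eyJ1c2VybmFtZSI6ImxpbnV4ODUiLCJwYXNzd29yZCI6"
    "IkxpbnV4ODVAMjAyMyIsImVtYWlsIjoibGludXg4NUBvbGRib3llZHUuY29tIiwiYXV0aCI6ImJHbHVkWGc0TlRw"
    "TWFXNTFlRGcxUURJd01qTT0ifX19"
)


def b64(value):
    """Encode exactly the bytes of value (no trailing newline, unlike `echo | base64`)."""
    return base64.b64encode(value.encode()).decode()


def b64_decode(value):
    return base64.b64decode(value).decode()


def check_secret_data(data):
    """Warn about data: values whose decoded form ends in whitespace or a newline."""
    warnings = []
    for key, encoded in data.items():
        raw = base64.b64decode(encoded)
        if raw != raw.rstrip(b" \t\r\n"):
            warnings.append(f"{key}: decoded value ends with whitespace/newline "
                            f"(encoded with echo instead of echo -n?)")
    return warnings


def build_opaque_secret(name, values):
    """Build an Opaque Secret manifest with correctly encoded data: values."""
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": name}, "type": "Opaque",
            "data": {k: b64(v) for k, v in values.items()}}


def build_dockerconfigjson(server, username, password, email=None):
    """Return the base64 payload of a kubernetes.io/dockerconfigjson Secret."""
    entry = {"username": username, "password": password,
             "auth": b64(f"{username}:{password}")}
    if email:
        entry["email"] = email
    return b64(json.dumps({"auths": {server: entry}}, separators=(",", ":")))


def registry_credentials(dockerconfigjson_b64):
    """Recover {registry: (username, password)} from a dockerconfigjson payload."""
    config = json.loads(base64.b64decode(dockerconfigjson_b64))
    creds = {}
    for server, entry in config.get("auths", {}).items():
        if entry.get("auth"):
            # "auth" is base64("user:password"); it is what the registry actually receives.
            user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        else:
            user, password = entry.get("username", ""), entry.get("password", "")
        creds[server] = (user, password)
    return creds


if __name__ == "__main__":
    manifest = build_opaque_secret(
        "es-https", {"username": "elastic", "password": "oldboyedu", "hostip": "10.0.0.250"})
    print(json.dumps(manifest, indent=2))
    print(check_secret_data({"username": "ZWxhc3RpYwo=", "hostip": "MTAuMC4wLjI1MAo="}))
    print(registry_credentials(PAGE_DOCKERCONFIGJSON))
```

registry_credentials is exactly what an attacker with "get secrets" in the namespace runs against every kubernetes.io/dockerconfigjson object, which is why image-pull secrets deserve the same RBAC scrutiny as application credentials.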

Weekend homework:

(1) Complete all class exercises and refine your mind map;

(2) Split the image "harbor.oldboyedu.com/oldboyedu-games/jasonyin2020/oldboyedu-games:v0.1" into 5 game images, with the following requirements:

  • Create a private Harbor project:
    project name: homework
    username: linux85-homework
    password: Linux85@2023
  • Image names:
    harbor.oldboyedu.com/homework/oldboyedu-games:bird
    harbor.oldboyedu.com/homework/oldboyedu-games:pinshu
    harbor.oldboyedu.com/homework/oldboyedu-games:tanke
    harbor.oldboyedu.com/homework/oldboyedu-games:pingtai
    harbor.oldboyedu.com/homework/oldboyedu-games:chengbao
  • Push the images to Harbor in bulk; if possible, use docker-compose to build and push them in bulk.
  • Deploy the 5 images as 5 Pods from a single file, limiting each container to 200M of memory and 0.5 CPU cores.
    Hint: this case uses Pod, secret and configMap resources.

Extended homework:
(1) Each group deploys a K8S cluster with the tool assigned below:
  kind: group 1.
  minikube: group 2.
  KubeSphere: group 3.
  rancher: group 4.
  kuboard: group 5.
  kubeasz: group 6.

(2) Redo the basic homework above on the K8S environment your group built.

(3) Deploy K8S 1.27 with kubeadm, then redo the basic homework above on that environment.
