Review of yesterday's content:
- Resource limits
- Namespaces
- Volumes
- Pod restart policy
- Container image pull policy
- Environment variables
Resource manifest:
kind: Pod
apiVersion: v1
metadata:
  name:
  labels:
  namespace:
spec:
  nodeName:
  hostNetwork:
  restartPolicy:
  volumes:
  - name: data01
    emptyDir: {}
  - name: data02
    hostPath:
      path:
  - name: data03
    nfs:
      server:
      path:
  containers:
  - name:
    image:
    env:
    - name:
      value:
    - name:
      valueFrom:
    imagePullPolicy:
    stdin:
    command:
    args:
    resources:
      limits:
      requests:
    volumeMounts:
    - name: data01
      mountPath:
    - name: data02
      mountPath:
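Introduction to the ConfigMap resource:
ConfigMap data is stored in the etcd database; its main use case is application configuration.
Data types a ConfigMap supports:
(1) key-value pairs;
(2) multi-line data.
A Pod commonly consumes a ConfigMap in two ways:
(1) environment variable injection;
(2) volume mount.
Recommended reading:
https://kubernetes.io/docs/concepts/storage/volumes/#configmap
https://kubernetes.io/docs/concepts/configuration/configmap/
Reference example: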
[root@k8s151.oldboyedu.com cm]# cat 01-cm-demo.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: game-demo
data:
  # Key-value pairs, single-line data
  player_initial_lives: "3"
  ui_properties_file_name: "user-interface.properties"
  # Key-value pairs, multi-line data
  game.properties: |
    enemy.types=aliens,monsters
    player.maximum-lives=5
  user-interface.properties: |
    color.good=purple
    color.bad=yellow
    allow.textmode=true
---
apiVersion: v1
kind: Pod
metadata:
  name: configmap-pod-001
spec:
  containers:
  - name: demo01
    image: k8s151.oldboyedu.com:5000/oldboyedu-linux/stress:v0.1
    stdin: true
    volumeMounts:
    - name: config-vol
      mountPath: /oldboyedu/linux82
  volumes:
  - name: config-vol
    # The volume type is a ConfigMap
    configMap:
      # Name of the ConfigMap
      name: game-demo
      # If items is omitted, every key in the ConfigMap is projected.
      # To use only specific keys instead of all of them, list them under items:
      items:
      # The key in the ConfigMap
      - key: game.properties
        # The file path inside the container that the key is mapped to
        path: oldboyedu-linux82-game.properties
---
apiVersion: v1
kind: Pod
metadata:
  name: configmap-pod-002
spec:
  containers:
  - name: demo01
    image: k8s151.oldboyedu.com:5000/oldboyedu-linux/stress:v0.1
    stdin: true
    env:
    - name: OLDBOYEDU-LINUX82
      value: test001
    - name: OLDBOYEDU-LINUX82-GAME
      valueFrom:
        # Reference a ConfigMap
        configMapKeyRef:
          # Name of the ConfigMap to reference
          name: game-demo
          # The key in the ConfigMap to reference
          key: game.properties
    - name: OLDBOYEDU-LINUX82-PLAYER_INITIAL_LIVES
      valueFrom:
        configMapKeyRef:
          name: game-demo
          key: player_initial_lives
[root@k8s151.oldboyedu.com cm]#
Store the game image's configuration file in a ConfigMap:
[root@k8s151.oldboyedu.com cm]# cat 02-cm-games.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: oldboyedu-games
data:
  nginx.conf: |
    worker_processes 1;
    events {
        worker_connections 1024;
    }
    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;
        server {
            listen 80;
            root /usr/local/nginx/html/bird/;
            server_name game01.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/pinshu/;
            server_name game02.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/tanke/;
            server_name game03.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/chengbao/;
            server_name game04.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/motuo/;
            server_name game05.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/liferestart/;
            server_name game06.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/huangjinkuanggong/;
            server_name game07.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/feijidazhan/;
            server_name game08.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/zhiwudazhanjiangshi/;
            server_name game09.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/xiaobawang/;
            server_name game10.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/pingtai/;
            server_name game11.oldboyedu.com;
        }
    }
---
apiVersion: v1
kind: Pod
metadata:
  name: oldboyedu-game-005
spec:
  containers:
  - name: game
    image: k8s151.oldboyedu.com:5000/oldboyedu-games/oldboyedu-games:v0.3
    volumeMounts:
    - name: games
      # When mounting a ConfigMap, write the mount point as the absolute path of the file; if you give only a directory, everything already in that directory may be overwritten.
      mountPath: /etc/nginx/nginx.conf
      # If mountPath is the absolute path of a file, set subPath to the file name; it is then mounted as a single file and does not overwrite existing data.
      # Note that without subPath, mountPath is a mount point, which is a directory.
      subPath: nginx.conf
  volumes:
  - name: games
    configMap:
      name: oldboyedu-games
      items:
      - key: nginx.conf
        path: nginx.conf
[root@k8s151.oldboyedu.com cm]#
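Q1: Why keep configuration files in a ConfigMap?
1. Reuse: multiple nginx Pods can be started that all share the same ConfigMap;
2. Easy to modify and maintain: if the file lived inside the container, every change to the configuration would require rebuilding the image.
Introduction to Secret:
Similar to a ConfigMap; the difference is that a Secret stores sensitive data, and all values must be base64-encoded.
Secrets are mainly used to store credentials.
Reference link:
https://kubernetes.io/zh/docs/concepts/configuration/secret/#secret-types
Reference example: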
[root@k8s151.oldboyedu.com secrets]# cat 01-secrets-demo.yaml
apiVersion: v1
kind: Secret
metadata:
  name: oldboyedu-linux82
type: Opaque
data:
  school: b2xkYm95ZWR1Cg==
  USER_NAME: YWRtaW4=
  PASSWORD: MWYyZDFlMmU2N2Rm
---
apiVersion: v1
kind: Pod
metadata:
  name: secrets-pod-001
spec:
  containers:
  - name: demo01
    image: k8s151.oldboyedu.com:5000/oldboyedu-linux/stress:v0.1
    stdin: true
    volumeMounts:
    - name: config-vol
      mountPath: /oldboyedu/linux82
  volumes:
  - name: config-vol
    # The volume type is a Secret
    secret:
      # Name of the Secret
      secretName: oldboyedu-linux82
      # If items is omitted, every key in the Secret is projected.
      # To use only specific keys instead of all of them, list them under items:
      items:
      # The key in the Secret
      - key: school
        # The file path inside the container that the key is mapped to
        path: oldboyedu-linux82-school
      - key: USER_NAME
        path: oldboyedu-linux82-username
      - key: PASSWORD
        path: oldboyedu-linux82-password
---
apiVersion: v1
kind: Pod
metadata:
  name: secret-pod-002
spec:
  containers:
  - name: demo01
    image: k8s151.oldboyedu.com:5000/oldboyedu-linux/stress:v0.1
    stdin: true
    env:
    - name: OLDBOYEDU-LINUX82-SCHOOL
      valueFrom:
        # Reference a Secret
        secretKeyRef:
          # Name of the Secret to reference
          name: oldboyedu-linux82
          # The key in the Secret to reference
          key: school
    - name: OLDBOYEDU-LINUX82-username
      valueFrom:
        secretKeyRef:
          name: oldboyedu-linux82
          key: USER_NAME
[root@k8s151.oldboyedu.com secrets]#
Extras:
echo b2xkYm95ZWR1Cg== | base64 -d
Decode.
echo oldboyedu | base64
Encode.
SHOW DATABASES;
List the databases.
SHOW TABLES FROM wordpress;
List the tables in the wordpress database.
Delete a secret:
kubectl delete secrets oldboyedu-linux82
kubectl delete -f 01-secrets-demo.yaml
Deploy Harbor:
1. Install the Docker environment
curl -o oldboyedu-docker-ce-20_10_17.tar.gz http://192.168.17.253/Kubernetes/day03-/softwares/oldboyedu-docker-ce-20_10_17.tar.gz
tar xf oldboyedu-docker-ce-20_10_17.tar.gz && cd docker-ce-20_10_17 && yum -y localinstall *.rpm
systemctl enable --now docker
2. Install docker-compose
curl -o oldboyedu-docker-compose.tar.gz http://192.168.17.253/Kubernetes/day03-/softwares/oldboyedu-docker-compose.tar.gz
tar xf oldboyedu-docker-compose.tar.gz && cd docker-compose && yum -y localinstall *.rpm
3. Install Harbor
curl -o harbor-offline-installer-v1.10.10.tgz http://192.168.17.253/Kubernetes/day03-/softwares/harbor-offline-installer-v1.10.10.tgz
tar xf harbor-offline-installer-v1.10.10.tgz
cd harbor
vim harbor.yml
...
hostname: 10.0.0.250
http:
  port: 80
...
# Remember to comment out https
...
harbor_admin_password: 1
./install.sh
Create the Harbor credentials from the command line: --> imperative creation.
kubectl create secret docker-registry oldboyedu-harbor --docker-username=jasonyin2020 --docker-password=Oldboyedu@2022 --docker-email=jasonyin@oldboyedu.com --docker-server=10.0.0.250
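Meaning of each option:
--docker-username
The user name.
--docker-password
The password.
--docker-email
The e-mail address.
--docker-server
The address of the private registry.
Reference example: ----> creating the secret declaratively, game image example.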
[root@k8s151.oldboyedu.com secrets]# cat 02-secrets-harbor-games.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: oldboyedu-games
data:
  nginx.conf: |
    worker_processes 1;
    events {
        worker_connections 1024;
    }
    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;
        server {
            listen 80;
            root /usr/local/nginx/html/bird/;
            server_name game01.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/pinshu/;
            server_name game02.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/tanke/;
            server_name game03.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/chengbao/;
            server_name game04.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/motuo/;
            server_name game05.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/liferestart/;
            server_name game06.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/huangjinkuanggong/;
            server_name game07.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/feijidazhan/;
            server_name game08.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/zhiwudazhanjiangshi/;
            server_name game09.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/xiaobawang/;
            server_name game10.oldboyedu.com;
        }
        server {
            listen 80;
            root /usr/local/nginx/html/pingtai/;
            server_name game11.oldboyedu.com;
        }
    }
---
apiVersion: v1
kind: Pod
metadata:
  name: oldboyedu-game-secret
spec:
  # Secrets used to pull the image
  imagePullSecrets:
  # Name of the secret
  - name: oldboyedu-harbor
  containers:
  - name: game
    image: 10.0.0.250/oldboyedu-games/oldboyedu-games:v0.3
    volumeMounts:
    - name: games
      mountPath: /etc/nginx/nginx.conf
      subPath: nginx.conf
  volumes:
  - name: games
    configMap:
      name: oldboyedu-games
      items:
      - key: nginx.conf
        path: nginx.conf
---
apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyIxMC4wLjAuMjUwIjp7InVzZXJuYW1lIjoiamFzb255aW4yMDIwIiwicGFzc3dvcmQiOiJPbGRib3llZHVAMjAyMiIsImVtYWlsIjoiamFzb255aW5Ab2xkYm95ZWR1LmNvbSIsImF1dGgiOiJhbUZ6YjI1NWFXNHlNREl3T2s5c1pHSnZlV1ZrZFVBeU1ESXkifX19
kind: Secret
metadata:
  name: oldboyedu-harbor
type: kubernetes.io/dockerconfigjson
[root@k8s151.oldboyedu.com secrets]#
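What base64 encoding of a Secret does and does not protect, covering both the Opaque values of 01-secrets-demo.yaml and the kubernetes.io/dockerconfigjson type used for the Harbor credential; this is an added example, not part of the original notes. `make_dockerconfigjson` and `audit_secret` are hypothetical helper names, the registry credential is constructed, and the Secret is passed as a dict shaped like `kubectl get secret -o json` output.

```python
import base64
import json

def make_dockerconfigjson(server, username, password, email):
    """Build a .dockerconfigjson value in the same shape as the one on this page."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    entry = {"username": username, "password": password, "email": email, "auth": auth}
    raw = json.dumps({"auths": {server: entry}}, separators=(",", ":"))
    return base64.b64encode(raw.encode()).decode()

def audit_secret(secret):
    """Report what any reader of this Secret object learns, without echoing the values."""
    findings = []
    for key, b64 in secret.get("data", {}).items():
        raw = base64.b64decode(b64, validate=True)
        item = {"key": key, "bytes": len(raw),
                # `echo value | base64` appends "\n"; `echo -n` or printf avoids it
                "trailing_newline": raw.endswith(b"\n")}
        if secret.get("type") == "kubernetes.io/dockerconfigjson":
            auths = json.loads(raw).get("auths", {})
            item["registries"] = sorted(auths)
            item["cleartext_password"] = any("password" in e for e in auths.values())
            # "auth" is only base64("user:password"): a second layer of encoding
            item["auth_decodes_to_login"] = all(
                base64.b64decode(e["auth"]).decode()
                == f'{e.get("username")}:{e.get("password")}'
                for e in auths.values() if "auth" in e)
        findings.append(item)
    return findings

# Opaque values exactly as they appear in 01-secrets-demo.yaml on this page
OPAQUE = {"type": "Opaque", "data": {
    "school": "b2xkYm95ZWR1Cg==", "USER_NAME": "YWRtaW4=", "PASSWORD": "MWYyZDFlMmU2N2Rm"}}
# Constructed registry credential (placeholder values, not the page's)
REGISTRY = {"type": "kubernetes.io/dockerconfigjson", "data": {
    ".dockerconfigjson": make_dockerconfigjson(
        "registry.example.internal", "ci-bot", "example-password", "ci@example.internal")}}

if __name__ == "__main__":
    for secret in (OPAQUE, REGISTRY):
        for finding in audit_secret(secret):
            print(finding)
```

The `school` value is reported with a trailing newline because it was produced with `echo oldboyedu | base64`; a password encoded that way carries the newline into the Pod.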
Hands-on: mounting file content from a Secret:
1. Convert the file content to base64
cat > /student.info <<EOF
{
   "WangJianPing": {
       "name": "王建平",
       "gender": "boy",
       "hobby": ["欧美","日韩","国产"]
   },

   "GaoYunFei": {
       "name": "高云飞",
       "gender": "boy",
       "hobby": ["动漫","刘东"]
   }
}
EOF
cat /student.info | base64
2. Write the encoded content into a Secret of the custom (Opaque) type
apiVersion: v1
kind: Secret
metadata:
  name: oldboyedu-linux82-student
type: Opaque
data:
  # Note: the value for a key must not contain line breaks, otherwise an error is reported!
  student.info: ewogICAiV2FuZ0ppYW5QaW5nIjogewogICAgICAgIm5hbWUiOiAi546L5bu65bmzIiwKICAgICAgICJnZW5kZXIiOiAiYm95IiwKICAgICAgICJob2JieSI6IFsi5qyn576OIiwi5pel6Z+pIiwi5Zu95LqnIl0KICAgfSwKCiAgICJHYW9ZdW5GZWkiOiB7CiAgICAgICAibmFtZSI6ICLpq5jkupHpo54iLAogICAgICAgImdlbmRlciI6ICJib3kiLAogICAgICAgImhvYmJ5IjogWyLliqjmvKsiLCLliJjkuJwiXQogICB9Cn0K
3. Reference example:
[root@k8s151.oldboyedu.com secrets]# cat 03-secrets-subPath.yaml
apiVersion: v1
kind: Pod
metadata:
  name: oldboyedu-game-secret-subpath-002
spec:
  imagePullSecrets:
  - name: oldboyedu-harbor
  containers:
  - name: game
    image: 10.0.0.250/oldboyedu-games/oldboyedu-games:v0.3
    volumeMounts:
    - name: games
      mountPath: /etc/nginx/oldboyedu-linux82-student.json
      # Important: the subPath here must match the "path" value under "volumes"; otherwise mountPath is treated as a directory.
      subPath: oldboyedu-student.json
  volumes:
  - name: games
    secret:
      secretName: oldboyedu-linux82-student
      items:
      - key: student.info
        path: oldboyedu-student.json
---
apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyIxMC4wLjAuMjUwIjp7InVzZXJuYW1lIjoiamFzb255aW4yMDIwIiwicGFzc3dvcmQiOiJPbGRib3llZHVAMjAyMiIsImVtYWlsIjoiamFzb255aW5Ab2xkYm95ZWR1LmNvbSIsImF1dGgiOiJhbUZ6YjI1NWFXNHlNREl3T2s5c1pHSnZlV1ZrZFVBeU1ESXkifX19
kind: Secret
metadata:
  name: oldboyedu-harbor
type: kubernetes.io/dockerconfigjson
---
apiVersion: v1
kind: Secret
metadata:
  name: oldboyedu-linux82-student
type: Opaque
data:
  # Note: the value for a key must not contain line breaks, otherwise an error is reported!
  student.info: ewogICAiV2FuZ0ppYW5QaW5nIjogewogICAgICAgIm5hbWUiOiAi546L5bu65bmzIiwKICAgICAgICJnZW5kZXIiOiAiYm95IiwKICAgICAgICJob2JieSI6IFsi5qyn576OIiwi5pel6Z+pIiwi5Zu95LqnIl0KICAgfSwKCiAgICJHYW9ZdW5GZWkiOiB7CiAgICAgICAibmFtZSI6ICLpq5jkupHpo54iLAogICAgICAgImdlbmRlciI6ICJib3kiLAogICAgICAgImhvYmJ5IjogWyLliqjmvKsiLCLliJjkuJwiXQogICB9Cn0K
[root@k8s151.oldboyedu.com secrets]#
command: --->
- command:
  - "/bin/bash"
  - "-c"
  - "touch /tmp/oldboyedu-linux82-health && sleep 5 && rm -f /tmp/oldboyedu-linux82-health && sleep 300"
Events:
  Type     Reason     Age              From                           Message
  ----     ------     ----             ----                           -------
  Normal   Scheduled  18s              default-scheduler              Successfully assigned default/oldboyedu-linux82-livenessprobe-005 to k8s152.oldboyedu.com
  Normal   Pulled     17s              kubelet, k8s152.oldboyedu.com  Container image "k8s151.oldboyedu.com:5000/oldboyedu-web/nginx:1.20.1" already present on machine
  Normal   Created    17s              kubelet, k8s152.oldboyedu.com  Created container linux82-web
  Normal   Started    17s              kubelet, k8s152.oldboyedu.com  Started container linux82-web
  Warning  Unhealthy  0s (x3 over 2s)  kubelet, k8s152.oldboyedu.com  Liveness probe failed: cat: /tmp/oldboyedu-linux82-health: No such file or directory
  Normal   Killing    0s               kubelet, k8s152.oldboyedu.com  Container linux82-web failed liveness probe, will be restarted
Total time since the Pod started: 18s
(x3 over 2s): the probe failed 3 times, and the first failure was 2 seconds ago ---> 18 - 2 ---> 16 ---> the first failed check!
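httpGet hands-on example:
[root@k8s151.oldboyedu.com po]# cat 17-pods-livenessProbe-httpGet.yaml
apiVersion: v1
kind: Pod
metadata:
  name: oldboyedu-linux82-livenessprobe-httpget-002
spec:
  containers:
  # - command:
  #   - "/bin/bash"
  #   - "-c"
  #   - "touch /tmp/oldboyedu-linux82-health && sleep 5 && rm -f /tmp/oldboyedu-linux82-health && sleep 300"
  - name: linux82-web
    image: k8s151.oldboyedu.com:5000/oldboyedu-web/nginx:1.20.1
    # Configure the health check: if the check succeeds nothing is done; if it fails the container is restarted (recreated) and the restart count is incremented by 1.
    livenessProbe:
      # Run a command and judge success from its exit status, like "echo $?" in the shell
      # exec:
      #   # The command to run
      #   command:
      #   - cat
      #   - /tmp/oldboyedu-linux82-health
      #
      # Send an HTTP request and judge whether the service is healthy from the response status code
      httpGet:
        # Port of the service
        port: 80
        # HTTP path to request. https://10.0.0.101:80/oldboyedu/2022/09/08/index.html
        path: /
      # Running count of failed checks; the default is 3 and the minimum is 1. The count is reset once a check succeeds!
      failureThreshold: 3
      # How long to wait before health checks begin; failures during this period are not counted toward failureThreshold.
      initialDelaySeconds: 15
      # How often the probe runs; the default is 10s and the minimum is 1.
      periodSeconds: 1
      # Running count of successful checks; the default is 1 and the minimum is 1.
      successThreshold: 1
      # Timeout in seconds for a single check; the default is 1 second and the minimum is 1.
      timeoutSeconds: 1
[root@k8s151.oldboyedu.com po]#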
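tcpSocket example:
[root@k8s151.oldboyedu.com po]# cat 18-pods-livenessProbe-tcpSocket.yaml
apiVersion: v1
kind: Pod
metadata:
  name: oldboyedu-linux82-livenessprobe-tcpsocket-001
spec:
  containers:
  - name: linux82-web
    image: k8s151.oldboyedu.com:5000/oldboyedu-web/nginx:1.20.1
    # Configure the health check: if the check succeeds nothing is done; if it fails the container is restarted (recreated) and the restart count is incremented by 1.
    livenessProbe:
      # Run a command and judge success from its exit status, like "echo $?" in the shell
      # exec:
      #   # The command to run
      #   command:
      #   - cat
      #   - /tmp/oldboyedu-linux82-health
      #
      # Send an HTTP request and judge whether the service is healthy from the response status code
      # httpGet:
      #   # Port of the service
      #   port: 80
      #   # HTTP path to request. https://10.0.0.101:80/oldboyedu/2022/09/08/index.html
      #   path: /
      #
      # Check a port number, equivalent to the telnet command.
      tcpSocket:
        port: 88
      # Running count of failed checks; the default is 3 and the minimum is 1. The count is reset once a check succeeds!
      failureThreshold: 3
      # How long to wait before health checks begin; failures during this period are not counted toward failureThreshold.
      initialDelaySeconds: 15
      # How often the probe runs; the default is 10s and the minimum is 1.
      periodSeconds: 1
      # Running count of successful checks; the default is 1 and the minimum is 1.
      successThreshold: 1
      # Timeout in seconds for a single check; the default is 1 second and the minimum is 1.
      timeoutSeconds: 1
[root@k8s151.oldboyedu.com po]#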
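The probe timing worked out from the Events output above, as an added example that is not part of the original notes. It is a simplified model (the real kubelet adds start jitter and per-check timeouts), `simulate_liveness` and the `healthy_at` callbacks are hypothetical names, and it assumes the exec probe used the same settings as the manifests above (initialDelaySeconds: 15, periodSeconds: 1, failureThreshold: 3).

```python
def simulate_liveness(healthy_at, initial_delay=15, period=1,
                      failure_threshold=3, horizon=120):
    """Simplified liveness loop; times are seconds since the container started.

    healthy_at(t) -> bool says whether a probe fired at second t would succeed.
    Returns (restart_time_or_None, log of (t, ok, consecutive_failures)).
    """
    failures = 0
    log = []
    t = initial_delay                      # nothing is counted before this point
    while t <= horizon:
        ok = healthy_at(t)
        failures = 0 if ok else failures + 1   # any success resets the count
        log.append((t, ok, failures))
        if failures >= failure_threshold:
            return t, log                  # container is killed and restarted
        t += period
    return None, log


def exec_probe(t):
    # The command above: the health file exists only for the first 5 seconds
    return t < 5


def tcp_probe_port_88(t):
    # Assumption: nothing in the nginx container listens on port 88
    return False


def flapping(t):
    # Constructed case: two failures out of every three checks, never three in a row
    return t % 3 == 0


if __name__ == "__main__":
    cases = [("exec", exec_probe), ("tcpSocket:88", tcp_probe_port_88),
             ("flapping", flapping)]
    for name, probe in cases:
        restart, log = simulate_liveness(probe)
        print(name, "restart at", restart, "after", len(log), "checks")
```

In the Events output the container started 1 second after scheduling, so failures at 15, 16 and 17 seconds after container start correspond to the "x3 over 2s" line and the first failure at 16 seconds.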
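Review of today's content:
- ConfigMap ---> cm
  Use case: application configuration files.
  Data storage: the etcd database.
- secrets
  Use case: storing sensitive data, for example docker registry credentials, custom user names, passwords, ...
  Secret data is not encrypted; it is only encoded in base64, and it is decoded automatically when a Pod references it.
- Probes:
  - livenessProbe
    Use case: checks whether the service has started; if the check fails, the container is restarted.
  - readinessProbe
    Use case: checks whether the service is available; if the check fails, the Pod is marked as not ready and is not discovered automatically in the svc's ep resource.
- Using env to reference secret and cm resources.
Preview of tomorrow's content:
- Static Pods, Pod status, ...
- RC, RS, DEPLOYMENT, SERVICE, ENDPOINTS, ...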