前言:
etcd基本背景介绍:
etcd是kubernetes集群内的一个基础组件,同时也是比较多的其它集群的官方推荐组件,主要特点如下:
由coreos团队开发并开源的分布式键值存储系统,具备以下特点:
这里要着重强调一哈 :开源@!!!!!!!!!!!!可靠!!!!
同类型的键值对存储系统还有zookeeper,console(go语言编写的,其实也适合kubernetes的,但没有进入官方推荐,重要提示:Consul 所在的 HashiCorp 公司宣布,不允许中国境内使用该公司旗下的产品和软件。 不过也幸好没进入过kubernetes官方推荐)等等。
一,
etcd数据库的环境变量配置:
为了简化etcd的增删改查操作,需要配置一哈环境变量,本例以配置了ssl的etcd集群为例。
etcd集群的配置文件:
可以看到,该etcd集群是三个节点的集群,这个是其中一个节点的配置文件,因此,其它节点name是etcd-2,etcd-3
- [root@master ~]# cat /opt/etcd/cfg/etcd.conf
-
-
- #[Member]
- ETCD_NAME="etcd-1"
- ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
- ETCD_LISTEN_PEER_URLS="https://192.168.217.16:2380"
- ETCD_LISTEN_CLIENT_URLS="https://192.168.217.16:2379"
-
- #[Clustering]
- ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.217.16:2380"
- ETCD_ADVERTISE_CLIENT_URLS="https://192.168.217.16:2379"
- ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.217.16:2380,etcd-2=https://192.168.217.17:2380,etcd-3=https://192.168.217.18:2380"
- ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
- ETCD_INITIAL_CLUSTER_STATE="new"
启动脚本:
主要是稍后会使用到证书存放路径
- [root@master ~]# cat /usr/lib/systemd/system/etcd.service
- [Unit]
- Description=Etcd Server
- After=network.target
- After=network-online.target
- Wants=network-online.target
-
- [Service]
- Type=notify
- EnvironmentFile=/opt/etcd/cfg/etcd.conf
- ExecStart=/opt/etcd/bin/etcd \
- --name=${ETCD_NAME} \
- --data-dir=${ETCD_DATA_DIR} \
- --listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
- --listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
- --advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
- --initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
- --initial-cluster=${ETCD_INITIAL_CLUSTER} \
- --initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
- --initial-cluster-state=new \
- --cert-file=/opt/etcd/ssl/server.pem \
- --key-file=/opt/etcd/ssl/server-key.pem \
- --peer-cert-file=/opt/etcd/ssl/server.pem \
- --peer-key-file=/opt/etcd/ssl/server-key.pem \
- --trusted-ca-file=/opt/etcd/ssl/ca.pem \
- --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
- Restart=on-failure
- LimitNOFILE=65536
-
- [Install]
- WantedBy=multi-user.target
根据以上配置文件,写入如下变量到 /etc/profile 文件内
vim /etc/profile
做了一个别名命令,名字为etcd_search,将相关证书和etcd的客户端做了相关绑定
- export ETCDCTL_API=3
- alias etcd_search=/opt/etcd/bin/etcdctl --endpoints=192.168.217.16 \
- --cert=/opt/etcd/ssl/server.pem \
- --key=/opt/etcd/ssl/server-key.pem \
- --cacert=/opt/etcd/ssl/ca.pem
激活变量:
source /etc/profile二,
etcd状态查询
- [root@master ~]# etcd_search member list -w table
- +------------------+---------+--------+-----------------------------+-----------------------------+
- | ID | STATUS | NAME | PEER ADDRS | CLIENT ADDRS |
- +------------------+---------+--------+-----------------------------+-----------------------------+
- | 1a58a86408898c44 | started | etcd-1 | https://192.168.217.16:2380 | https://192.168.217.16:2379 |
- | 67146ac2958941d0 | started | etcd-2 | https://192.168.217.17:2380 | https://192.168.217.17:2379 |
- | e078026890aff6e3 | started | etcd-3 | https://192.168.217.18:2380 | https://192.168.217.18:2379 |
- +------------------+---------+--------+-----------------------------+-----------------------------+
etcd健康查询(其实有上面那一个就可以了,都是started状态了嘛):
- [root@master ~]# etcd_search endpoint health -w table
- 127.0.0.1:2379 is healthy: successfully committed proposal: took = 2.981431ms
kubernetes集群有哪几个节点查询(简略信息):
- [root@master ~]# etcd_search get /registry/minions/ --prefix --keys-only
- /registry/minions/k8s-master
-
- /registry/minions/k8s-node1
-
- /registry/minions/k8s-node2
-
kubernetes集群状态查询(详细信息):
看到这些不要慌,都是使用base64加密过的信息,解一哈密就可以了,例如:
- [root@master ~]# echo "L3JlZ2lzdHJ5L21pbmlvbnMvazhzLW1hc3Rlcg==" |base64 -d
- /registry/minions/k8s-master
查询规则:
查询某个key的值,–keys-only=false表示要给出value,该参数默认值即为false,,如果要查询不包括values, –keys-only=true即可,所以该参数可以不出现,-w=json表示输出json格式。 python -m json.tool 表示使用python的内置模块json.tool 处理一哈数据
- [root@master ~]# etcd_search get /registry/minions/ --prefix --keys-only -w json | python -m json.tool
- {
- "count": 3,
- "header": {
- "cluster_id": 16483616014024957692,
- "member_id": 1898452390530092100,
- "raft_term": 12,
- "revision": 719002
- },
- "kvs": [
- {
- "create_revision": 13103,
- "key": "L3JlZ2lzdHJ5L21pbmlvbnMvazhzLW1hc3Rlcg==",
- "mod_revision": 718962,
- "version": 4016
- },
- {
- "create_revision": 48118,
- "key": "L3JlZ2lzdHJ5L21pbmlvbnMvazhzLW5vZGUx",
- "mod_revision": 718963,
- "version": 1077
- },
- {
- "create_revision": 48351,
- "key": "L3JlZ2lzdHJ5L21pbmlvbnMvazhzLW5vZGUy",
- "mod_revision": 718961,
- "version": 1083
- }
- ]
- }
查询kubernetes的default 命名空间:
查询一哈default这个命名空间内的详情
- [root@master ~]# etcd_search get /registry/namespaces/default --prefix --keys-only=false -w=json | python -m json.tool
- {
- "count": 1,
- "header": {
- "cluster_id": 16483616014024957692,
- "member_id": 1898452390530092100,
- "raft_term": 12,
- "revision": 718975
- },
- "kvs": [
- {
- "create_revision": 148,
- "key": "L3JlZ2lzdHJ5L25hbWVzcGFjZXMvZGVmYXVsdA==",
- "mod_revision": 148,
- "value": "azhzAAoPCgJ2MRIJTmFtZXNwYWNlErIBCpcBCgdkZWZhdWx0EgAaACIAKiQ1ODlhYWQ1My00YTM4LTQ4OWMtODE0NS04ODA1ODc4MDhjZDIyADgAQggI7+OlmAYQAHoAigFPCg5rdWJlLWFwaXNlcnZlchIGVXBkYXRlGgJ2MSIICO/jpZgGEAAyCEZpZWxkc1YxOh0KG3siZjpzdGF0dXMiOnsiZjpwaGFzZSI6e319fRIMCgprdWJlcm5ldGVzGggKBkFjdGl2ZRoAIgA=",
- "version": 1
- }
- ]
- }
解一哈密:
- [root@master ~]# echo "azhzAAoPCgJ2MRIJTmFtZXNwYWNlErIBCpcBCgdkZWZhdWx0EgAaACIAKiQ1ODlhYWQ1My00YTM4LTQ4OWMtODE0NS04ODA1ODc4MDhjZDIyADgAQggI7+OlmAYQAHoAigFPCg5rdWJlLWFwaXNlcnZlchIGVXBkYXRlGgJ2MSIICO/jpZgGEAAyCEZpZWxkc1YxOh0KG3siZjpzdGF0dXMiOnsiZjpwaGFzZSI6e319fRIMCgprdWJlcm5ldGVzGggKBkFjdGl2ZRoAIgA=" |base64 -d
- k8s
-
- v1 Namespace²
-
- default"*$589aad53-4a38-489c-8145-880587808cd22ࣥzO
- kube-apiserverUpdatevࣥFieldsV1:
- "f:status":{"f:phase":{}}}
- kubernetes
查询一哈kube-system这个命名空间内有哪些使用deployment方式部署的pod:
- [root@master ~]# etcd_search get /registry/deployments/kube-system --prefix --keys-only
- /registry/deployments/kube-system/calico-kube-controllers
-
- /registry/deployments/kube-system/coredns
查询一哈kube-system这个命名空间内有哪些pods(总共有五个):
- [root@master ~]# etcd_search get /registry/pods/kube-system --prefix --keys-only
- /registry/pods/kube-system/calico-kube-controllers-57546b46d6-6jwqp
-
- /registry/pods/kube-system/calico-node-88pxp
-
- /registry/pods/kube-system/calico-node-m5vnd
-
- /registry/pods/kube-system/calico-node-wlmk5
-
- /registry/pods/kube-system/coredns-76648cbfc9-87fc7
以上的key和values都以base64编码了,如果想查看key的值可以执行如下命令。有些value的值包含二进制,不易解开。
插个题外话:
总的来说,etcd这么做也是为了一定的安全哈,虽然并没什么卵用。so,如果有人破解了你的kubernetes集群,进入了系统,通过etcd会非常快的搞定你的kubernetes集群,为什么呢?多少个节点,节点什么情况,有哪些pod,然后hacker可以把自己想安装的pod交由etcd注册然后就可以提权运行等等操作啦。
查询apiserver的详情,包括服务建立时间,服务状态等信息(很明显,我的kubernetes是8月27建立的,目前kube-apiserver 是正常的):
- [root@master ~]# etcd_search get /registry/apiregistration.k8s.io/apiservices/v1.apiextensions.k8s.io
- /registry/apiregistration.k8s.io/apiservices/v1.apiextensions.k8s.io
- {"kind":"APIService","apiVersion":"apiregistration.k8s.io/v1beta1","metadata":{"name":"v1.apiextensions.k8s.io","uid":"2efbefbf-ee03-4512-bea5-382d365ac03e","creationTimestamp":"2022-08-27T01:22:53Z","labels":{"kube-aggregator.kubernetes.io/automanaged":"onstart"}},"spec":{"group":"apiextensions.k8s.io","version":"v1","groupPriorityMinimum":16700,"versionPriority":15},"status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2022-08-27T01:22:53Z","reason":"Local","message":"Local APIServices are always available"}]}}
-
OK,以上是查询,下面来个增删改。
二,
etcd数据库增加:
- [root@master ~]# etcd_search put wo "zsk_json"
- OK
- [root@master ~]# etcd_search get wo
- wo
- zsk_json
- [root@master ~]# etcd_search put web1 dev1
- OK
- [root@master ~]# etcd_search put web2 dev2
- OK
- [root@master ~]# etcd_search put web3 dev3
- OK
- [root@master ~]# etcd_search get web --prefix
- web1
- dev1
- web2
- dev2
- web3
- dev3
-
三,
删除以上刚建立的哈(删除后,再次查询没有了哈):
- [root@master ~]# etcd_search del web --prefix
- 3
- [root@master ~]# etcd_search get web --prefix
- [root@master ~]# etcd_search del wo
- 1
- [root@master ~]# etcd_search get wo
-
删除kubernetes集群的节点:
- [root@master ~]# k get no
- NAME STATUS ROLES AGE VERSION
- k8s-master Ready
32d v1.18.3 - k8s-node1 Ready
32d v1.18.3 - k8s-node2 Ready
32d v1.18.3 -
- [root@master ~]# etcd_search del /registry/minions/k8s-node2
- 1
- [root@master ~]# k get no
- NAME STATUS ROLES AGE VERSION
- k8s-master Ready
32d v1.18.3 - k8s-node1 Ready
32d v1.18.3
OK,node节点看不到了,集群这就完蛋了,怎么办呢?我早有张良计:云原生|kubernetes|kubernetes的etcd集群备份策略_zsk_john的博客-CSDN博客
按照我上一篇的博客恢复哈etcd集群就好啦。