Deployment resource
spec:
  progressDeadlineSeconds: 600    # how many seconds to wait before the Deployment is considered stuck
  replicas: 1
  revisionHistoryLimit: 10        # how many old ReplicaSets to keep
  selector:
    matchLabels:
      k8s.kuboard.cn/layer: monitor
      k8s.kuboard.cn/name: monitor-grafana
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        k8s.kuboard.cn/layer: monitor
        k8s.kuboard.cn/name: monitor-grafana
    spec:
      containers:
      - env:
        - name: POD_NAME
          valueFrom:
            fieldRef:             # use resourceFieldRef instead to read the container's resource requests/limits
              fieldPath: metadata.name    # pass the pod name into the pod as an environment variable
              #fieldPath: metadata.labels['env']
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        image: 'grafana/grafana:7.0.1'
        imagePullPolicy: IfNotPresent
        securityContext:
          readOnlyRootFilesystem: true    # mount the root filesystem read-only
        name: grafana
        ports:
        - containerPort: 3000
          protocol: TCP
        terminationMessagePath: /dev/termination-log    # container termination message; view it with "{{range .status.containerStatuses}}{{.lastState.terminated.message}}{{end}}"
        terminationMessagePolicy: File    # read the termination message only from the termination message file
        volumeMounts:
        - mountPath: /var/lib/grafana
          name: grafana-storage
          subPath: grafana
      dnsPolicy: ClusterFirst             # prefer the cluster DNS
      priorityClassName: system-node-critical    # priority-based scheduling
      nodeSelector:
        node-role.kubernetes.io/master: ''
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:                    # can be set on a container or here at pod level for all containers (privileged, allowPrivilegeEscalation and capabilities are container-level fields)
        #privileged: true                 # privileged mode
        runAsNonRoot: false
        runAsUser: 0                      # user id
        #fsGroup                          # volume FSGroup
        allowPrivilegeEscalation: false   # disallow privilege escalation for the root account
        capabilities:
          add:
          - NET_BIND_SERVICE
          drop:
          - all
        #https://www.qikqiak.com/post/capabilities-on-k8s/
      terminationGracePeriodSeconds: 30
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      volumes:
      - name: grafana-storage
        persistentVolumeClaim:
          claimName: kubernetes-grafana-pvc
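For reference, a manifest like the one above can be applied and the rollout checked as follows (the file name and the Deployment name are assumptions, since the metadata section is not shown above):
kubectl apply -f monitor-grafana-deploy.yaml
kubectl rollout status deployment monitor-grafana
kubectl get pods -l k8s.kuboard.cn/name=monitor-grafana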
Service resource
Change the NodePort range
vim /etc/kubernetes/apiserver
Last line: KUBE_API_ARGS="--service-node-port-range=3000-50000"
Create a svc resource from the command line
kubectl expose rc nginx --type=NodePort --port=80
#expose a port for the nginx rc; the nodePort itself cannot be chosen here, and --cluster-ip= sets the VIP address
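A manifest roughly equivalent to the expose command above might look like this sketch (the selector label and the nodePort value are assumptions; a fixed nodePort can only be set via a manifest):
apiVersion: v1
kind: Service
metadata:
  name: nginx
spec:
  type: NodePort
  selector:
    app: nginx            # assumed to match the rc's pod labels
  ports:
  - port: 80              # cluster IP port
    targetPort: 80        # container port
    nodePort: 30080       # hypothetical fixed node port (must fall inside the configured range)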
deployment resource
With an rc, a rolling upgrade interrupts access to the service, so k8s introduced the Deployment resource
Starting a deploy creates an rs (an upgraded version of rc), and the rs starts the pods; when the deploy's configuration changes, a new rs is created (a minimal manifest sketch follows)
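A minimal Deployment manifest for the same nginx image used below might look like this sketch (label names are assumptions):
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: 10.0.0.11:5000/nginx:1.13
        ports:
        - containerPort: 80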
Command line
Create
kubectl run nginx --image=10.0.0.11:5000/nginx:1.13 --replicas=3 --record
#--record keeps the command in the revision history shown later
Upgrade
kubectl set image deployment nginx nginx=10.0.0.11:5000/nginx:1.15
#for an interactive upgrade, edit the deployment directly and change the image version
View all historical revisions
kubectl rollout history deployment nginx
Roll back to the previous revision
kubectl rollout undo deployment nginx
Roll back to a specific revision
kubectl rollout undo deployment nginx --to-revision=2
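To check whether an upgrade or rollback has finished, and to inspect what a given revision contains:
kubectl rollout status deployment nginx
kubectl rollout history deployment nginx --revision=2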
Health checks
Types of probes
livenessProbe: health check; periodically checks whether the service is alive, and restarts the container when a check fails
readinessProbe: availability check; periodically checks whether the service is ready, and removes the pod from the service's endpoints when it is not
Probe mechanisms
exec: run a command; exit code 0 is healthy, non-zero is unhealthy
httpGet: check the status code of an HTTP request; 2xx/3xx is healthy, 4xx/5xx is a failure
tcpSocket: test whether a port accepts connections
Using a liveness probe with exec
apiVersion: v1
kind: Pod
metadata:
  name: exec
spec:
  containers:
  - name: nginx
    image: 10.0.0.11:5000/nginx:1.13
    ports:
    - containerPort: 80
    args:                       # args is easily overridden; command is not
    - /bin/sh
    - -c
    - touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600
    livenessProbe:
      exec:
        command:
        - cat
        - /tmp/healthy
      initialDelaySeconds: 5    # delay before the first check, since the container needs time to start
      periodSeconds: 5          # check every 5s
      timeoutSeconds: 5         # timeout for each check
      successThreshold: 1       # one success marks the container healthy
      failureThreshold: 1       # one failure marks the container unhealthy
Using a liveness probe with httpGet
apiVersion: v1
kind: Pod
metadata:
  name: httpget
spec:
  containers:
  - name: nginx
    image: 10.0.0.11:5000/nginx:1.13
    ports:
    - containerPort: 80
    livenessProbe:
      httpGet:
        path: /index.html
        port: 80
      initialDelaySeconds: 3
      periodSeconds: 3
Using a liveness probe with tcpSocket
apiVersion: v1
kind: Pod
metadata:
  name: tcpsocket          # pod names must be lowercase
spec:
  containers:
  - name: nginx
    image: 10.0.0.11:5000/nginx:1.13
    ports:
    - containerPort: 80
    args:
    - /bin/sh
    - -c
    - tail -f /etc/hosts
    livenessProbe:
      tcpSocket:
        port: 80
      initialDelaySeconds: 10
      periodSeconds: 3
Using a readiness probe with httpGet
apiVersion: v1
kind: ReplicationController
metadata:
  name: readiness
spec:
  replicas: 2
  selector:
    app: readiness
  template:
    metadata:
      labels:
        app: readiness
    spec:
      containers:
      - name: readiness
        image: 10.0.0.11:5000/nginx:1.13
        ports:
        - containerPort: 80
        readinessProbe:
          httpGet:
            path: /qiangge.html
            port: 80
          initialDelaySeconds: 3
          periodSeconds: 3
Using a startupProbe
startupProbe:                 # while this probe runs, the other probes are disabled
  httpGet:
    path: /healthz
    port: liveness-port
  failureThreshold: 30
  periodSeconds: 10           # if the app fails to start within 300s (30 x 10s), the kubelet kills the container and applies the restart policy; once a check succeeds within that window, livenessProbe takes over
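The snippet above refers to a named container port and is normally paired with a livenessProbe; a fuller pod sketch (the pod name, image, and /healthz path are assumptions):
apiVersion: v1
kind: Pod
metadata:
  name: startup
spec:
  containers:
  - name: nginx
    image: 10.0.0.11:5000/nginx:1.13
    ports:
    - name: liveness-port      # named port referenced by both probes
      containerPort: 80
    startupProbe:
      httpGet:
        path: /healthz
        port: liveness-port
      failureThreshold: 30
      periodSeconds: 10
    livenessProbe:             # only starts running after the startup probe has succeeded once
      httpGet:
        path: /healthz
        port: liveness-port
      periodSeconds: 10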
Accessing a service through the apiserver reverse proxy
curl https://10.0.0.11:8080/api/v1/namespaces/kube-system/services/monitor-prometheus:monitor/proxy/-/reload -k --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt --key /etc/kubernetes/pki/apiserver-kubelet-client.key
Accessing the kubelet
curl -k https://127.0.0.1:10250/metrics --cacert /etc/kubernetes/pki/ca.crt --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt --key /etc/kubernetes/pki/apiserver-kubelet-client.key
Exposing the API
kubectl proxy --address=0.0.0.0 --accept-hosts='^*$'
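With the proxy running (default port 8001), the API and the same service proxy path shown earlier can be reached without client certificates, for example:
curl http://127.0.0.1:8001/api/v1/namespaces
curl http://127.0.0.1:8001/api/v1/namespaces/kube-system/services/monitor-prometheus:monitor/proxy/-/reload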
port-forward
kubectl port-forward $(kubectl get pods --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000
Autoscaling (heapster)
Create an autoscaling rule from the command line
kubectl autoscale deploy nginx-deployment --max=8 --min=1 --cpu-percent=10
#at most 8 pods and at least 1; scale out once CPU usage reaches 10% (this creates an hpa resource)
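The command above creates an hpa object roughly equivalent to this manifest sketch (autoscaling/v1 API):
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-deployment
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
  minReplicas: 1
  maxReplicas: 8
  targetCPUUtilizationPercentage: 10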
Persistence
Query the fields of a manifest
kubectl explain pod.spec
-required: a required field
<boolean>: a boolean field
<Object>: has a further nested level
<[]Object>: a list, may hold multiple values
<string>: a string
storageclass
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: nfs-storageclass-provisioner    # name is an assumption, taken from the storageClassName referenced by the PV example below
provisioner: fuseim.pri/ifs
parameters:                   # parameters for the provisioner that creates volumes of this storage class
  archiveOnDelete: "false"
reclaimPolicy: Delete
volumeBindingMode: Immediate  # Immediate binds as soon as the PVC is created; WaitForFirstConsumer delays binding until a pod using the PVC is created
allowVolumeExpansion: true    # allow volume expansion
Official documentation
persistent volume
Created by the administrator
spec:
  accessModes:                # access modes
  - ReadWriteMany
  capacity:
    storage: 100G             # capacity
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: nfs-pvc-kubernetes-grafana
    namespace: kube-system
  nfs:
    path: /data/kubernetes-grafana-pvc
    server: 192.168.130.207
  persistentVolumeReclaimPolicy: Retain    # reclaim policy
  storageClassName: nfs-storageclass-provisioner
  volumeMode: Filesystem      # volume mode
status:
  phase: Bound
Possible access modes:
- ReadWriteOnce: the volume can be mounted read-write by a single node.
- ReadOnlyMany: the volume can be mounted read-only by many nodes.
- ReadWriteMany: the volume can be mounted read-write by many nodes at the same time.
Possible reclaim policies:
- Retain - after the persistent volume is released, it must be reclaimed manually.
- Recycle - basic scrub ("rm -rf /thevolume/*")
- Delete - the associated storage asset, e.g. an AWS EBS or GCE PD volume, is deleted as well.
Currently only NFS and HostPath support the Recycle policy; AWS EBS and GCE PD support the Delete policy.
During its lifecycle a PV can be in 4 different phases:
Available: the volume is available and not yet bound to any PVC
Bound: the PV has been bound to a PVC
Released: the PVC has been deleted, but the resource has not yet been reclaimed by the cluster
Failed: automatic reclamation of the PV failed
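For reference, the PVC referenced by claimRef in the PV example above would look roughly like this sketch (built from the claimRef, capacity, and storageClassName fields above):
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfs-pvc-kubernetes-grafana
  namespace: kube-system
spec:
  accessModes:
  - ReadWriteMany
  storageClassName: nfs-storageclass-provisioner
  resources:
    requests:
      storage: 100G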
glusterfs
Installation
Install the repository
yum install centos-release-gluster6.noarch -y
Install gluster
yum install glusterfs-server -y
One storage unit per machine; a storage unit is a disk
Add a gluster node
gluster peer probe k8s-node2
List gluster nodes
gluster pool list
#create a distributed replicated volume
gluster volume create qiangge replica 2 k8s-master:/gfs/test1 k8s-node-1:/gfs/test1 k8s-master:/gfs/test2 k8s-node-1:/gfs/test2 force
#qiangge is the volume name, replica is the replica count, force is required here; using dedicated disks for the bricks is recommended
#start the volume
gluster volume start qiangge
#view volume info
gluster volume info qiangge
#mount the volume
mount -t glusterfs 10.0.0.11:qiangge /mnt
Hot expansion
gluster volume add-brick qiangge k8s-node-2:/gfs/test1 k8s-node-2:/gfs/test2 force
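After add-brick, the existing data is usually spread onto the new bricks with a rebalance (run it and then check its status):
gluster volume rebalance qiangge start
gluster volume rebalance qiangge status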
Detect new disks without rebooting
echo '- - -' >/sys/class/scsi_host/host0/scan
echo '- - -' >/sys/class/scsi_host/host1/scan
echo '- - -' >/sys/class/scsi_host/host2/scan
blkid
View the disk UUIDs; write the UUID into fstab
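A brick disk can then be referenced by UUID in /etc/fstab, for example (the UUID, mount point, and filesystem type below are placeholders):
# /etc/fstab entry mounting a brick filesystem by UUID
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx  /gfs/test1  xfs  defaults  0 0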
Connecting k8s to distributed storage
gluster is an external resource, so an Endpoints resource has to be created
apiVersion: v1
kind: Endpoints             # ep
metadata:
  name: glusterfs           # must match the Service name
  namespace: tomcat
subsets:
- addresses:
  - ip: 10.0.0.11
  - ip: 10.0.0.12
  - ip: 10.0.0.13
  ports:
  - port: 49152
    protocol: TCP
apiVersion: v1
kind: Service
metadata:
  name: glusterfs
  namespace: tomcat
spec:
  ports:
  - port: 49152
    protocol: TCP
    targetPort: 49152
  type: ClusterIP
volumes:
- name: gluster
  glusterfs:
    path: xiaobing          # gluster volume name
    endpoints: "glusterfs"
Create a gluster PV
apiVersion: v1
kind: PersistentVolume
metadata:
  name: gluster
  labels:
    type: glusterfs
spec:
  capacity:
    storage: 50Gi
  accessModes:
  - ReadWriteMany
  glusterfs:
    endpoints: "glusterfs"
    path: "qiangge"
    readOnly: false         # read-only
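A PVC that binds to this PV might look like the following sketch (the claim name is hypothetical; the selector matches the PV's label above):
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: gluster
  namespace: tomcat
spec:
  accessModes:
  - ReadWriteMany
  selector:
    matchLabels:
      type: glusterfs
  resources:
    requests:
      storage: 50Gi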
jenkins+gitee
vim Dockerfile
FROM 10.0.0.11:5000/nginx:1.13
ADD . /usr/share/nginx/html
In Source Code Management, add the git repository URL and credentials
Add a text parameter ($version)
Execute shell
docker build -t 10.0.0.11:5000/yiliao:$version .
docker push 10.0.0.11:5000/yiliao:$version
kubectl -s 10.0.0.11:8080 set image -n yiliao deploy yiliao yiliao=10.0.0.11:5000/yiliao:$version
-s specifies the apiserver address
Rollback (a separate Jenkins job)
kubectl -s 10.0.0.11:8080 rollout undo -n yiliao deployment yiliao
Evicting pods
kubectl drain $node --ignore-daemonsets --delete-local-data --force
#evict every pod except those from DaemonSets; continue even if some pods use emptyDir storage, and even if some pods are not managed by an rc, rs, job, ds, or statefulset
kubectl cordon $node
#new pods will no longer be scheduled onto this node
kubectl uncordon $node
#maintenance done, make the node schedulable again
Also give the master a node label
kubectl label node master node-role.kubernetes.io/node=node
Remove the label
kubectl label node master node-role.kubernetes.io/node-