Characteristics of a pod
- A pod is the smallest deployable unit and is itself an API object: a group of one or more containers. Containers in a pod share a network namespace, and pods are ephemeral.
Types of containers in a pod
Infrastructure container
- The infrastructure container maintains the pod's network namespace; it is created together with the pod by the kubelet.
initContainers (init containers)
- An init container is a specialized container that runs before the pod's application containers start; it can include utilities and setup scripts that are not present in the application image.
- Differences between init containers and regular containers:
  - Init containers always run to completion, and each init container must complete successfully before the next one starts.
  - If a pod's init container fails, Kubernetes restarts the pod repeatedly until the init container succeeds; however, if the pod's restartPolicy is Never, it is not restarted.
  - Init containers support all fields and features of application containers, including resource limits, volumes and security settings. However, resource requests and limits are handled slightly differently for init containers.
  - Init containers do not support readiness probes, because they must run to completion before the pod becomes ready.
  - If multiple init containers are specified for a pod, they run sequentially, one at a time. Each init container must succeed before the next can run. Only when all init containers have completed does Kubernetes initialize the pod's application containers and run them as usual.
Example init-container YAML:
# The example below defines a simple Pod with two init containers.
# The first waits for myservice to come up, the second waits for mydb.
# Once both init containers have completed, the Pod starts the application containers in its spec.
apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod
  labels:
    app: myapp
spec:
  containers:
  - name: myapp-container
    image: busybox:1.28
    command: ['sh', '-c', 'echo The app is running! && sleep 3600']
  initContainers:
  - name: init-myservice
    image: busybox:1.28
    command: ['sh', '-c', "until nslookup myservice.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local; do echo waiting for myservice; sleep 2; done"]
  - name: init-mydb
    image: busybox:1.28
    command: ['sh', '-c', "until nslookup mydb.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local; do echo waiting for mydb; sleep 2; done"]
Application container
- The application container is the container that serves our workload inside the pod resource we created; it is also called the app container. Application containers start in parallel.
Image pull policy (imagePullPolicy)
- Images are pulled from a public or private registry; the policies are:
1. IfNotPresent: the default; the image is pulled only if it is not already present on the host
2. Always: the image is pulled again every time a pod is created, so the latest version of the image is fetched
3. Never: the pod never pulls the image on its own
The official Kubernetes documentation explains this at https://kubernetes.io/docs/concepts/containers/images/
Viewing the YAML file on master01
- Create a pod YAML file that specifies the image pull policy
[root@master demo]# cat pod1.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: nginx
    image: nginx:1.14
    imagePullPolicy: Always
[root@master demo]# kubectl get pod
NAME                              READY   STATUS              RESTARTS   AGE
mypod                             0/1     ContainerCreating   0          12s
nginx-deployment-d55b94fd-smrwb   1/1     Running             2          6d2h
[root@master demo]# kubectl describe Pod/mypod
Name:               mypod
Namespace:          default
Priority:           0
PriorityClassName:  <none>
Node:               192.168.43.102/192.168.43.102
Start Time:         Mon, 11 May 2020 14:07:42 +0800
Labels:             <none>
Annotations:        <none>
Status:             Running
IP:                 172.17.36.3
Containers:
  nginx:
    Container ID:   docker://253ac0b5d65e2dd26e31b0f3dd81c5c8e0910c2385a9b232460feb9bb64ba953
    Image:          nginx:1.14
    Image ID:       docker-pullable://nginx@sha256:f7988fb6c02e0ce69257d9bd9cf37ae20a60f1df7563c3a2a6abe24160306b8d
    Port:           <none>
    Host Port:      <none>
    State:          Running
      Started:      Mon, 11 May 2020 14:07:55 +0800
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-h4tl7 (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  default-token-h4tl7:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-h4tl7
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type    Reason     Age   From                     Message
  ----    ------     ----  ----                     -------
  Normal  Scheduled  53s   default-scheduler        Successfully assigned default/mypod to 192.168.43.102
  Normal  Pulling    51s   kubelet, 192.168.43.102  pulling image "nginx:1.14"
  Normal  Pulled     40s   kubelet, 192.168.43.102  Successfully pulled image "nginx:1.14"
  Normal  Created    40s   kubelet, 192.168.43.102  Created container
  Normal  Started    40s   kubelet, 192.168.43.102  Started container
- Check the corresponding container information on the node
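As an added example (not part of the original post), a small linter over a pod spec that applies the kubelet's defaulting rule for imagePullPolicy (Always for untagged or :latest images, IfNotPresent for any other tag or a digest) and flags image references whose content can silently change. The two sample specs are constructed to mirror pod1.yaml and the my-tomcat Deployment on this page.

```python
# Added example (not from the page): lint image references and pull policies of a
# pod spec, i.e. the "spec" dict from `kubectl get pod <name> -o json`.

def parse_image(image):
    """Return (repository, tag, digest) for a container image reference."""
    repo, digest = (image.split("@", 1) + [None])[:2]
    last = repo.rsplit("/", 1)[-1]           # a tag can only follow the last '/'
    tag = None
    if ":" in last:
        repo, tag = repo.rsplit(":", 1)
    return repo, tag, digest

def effective_pull_policy(image, policy=None):
    """Explicit policy wins; otherwise the kubelet default: Always for untagged/:latest, else IfNotPresent."""
    if policy:
        return policy
    _, tag, digest = parse_image(image)
    if digest is None and tag in (None, "latest"):
        return "Always"
    return "IfNotPresent"

def lint_pod_spec(spec):
    """Return (container name, message) pairs for unpinned or stale-prone images."""
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        image = c["image"]
        _, tag, digest = parse_image(image)
        policy = effective_pull_policy(image, c.get("imagePullPolicy"))
        if digest:
            continue                         # digest-pinned: immutable, nothing to flag
        if tag in (None, "latest"):
            findings.append((c["name"], f"{image}: untagged/latest with effective "
                             f"pullPolicy {policy}; the content can change on every pull"))
        elif policy == "IfNotPresent":
            findings.append((c["name"], f"{image}: mutable tag and IfNotPresent keeps "
                             "whatever copy the node already has; pin a digest or use Always"))
    return findings

# Constructed specs mirroring pod1.yaml and the my-tomcat Deployment on this page.
POD1_SPEC = {"containers": [{"name": "nginx", "image": "nginx:1.14", "imagePullPolicy": "Always"}]}
TOMCAT_SPEC = {"containers": [{"name": "my-tomcat", "image": "192.168.43.107/k8s_project/tomcat"}]}

if __name__ == "__main__":
    for spec in (POD1_SPEC, TOMCAT_SPEC):
        for container, message in lint_pod_spec(spec):
            print(f"[{container}] {message}")
```

Against a live cluster, feed it the "spec" value of `kubectl get pod <name> -o json`; the my-tomcat image below is flagged because it carries no tag, so every pod start pulls whatever the registry currently serves as latest.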
Adding a Harbor private registry to the K8s cluster
- Create a Harbor private registry with a private project and image; for the steps see: https://blog.csdn.net/qq_42761527/article/details/105266673
- Configure the private registry on every node, specifying its IP address
[root@node1 ~]# cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://dnntzrw4.mirror.aliyuncs.com"],
  "insecure-registries": ["192.168.43.107"]
}
[root@node1 ~]# systemctl daemon-reload
[root@node1 ~]# systemctl restart docker
Note: when pulling images from Harbor to create resources, the node must be logged in to Harbor.
- After logging in to Harbor, view the login credential on the node. This credential is for logging in to the Harbor server, so it is the same on every node.
# -w 0 disables line wrapping of the output
# base64 encodes the file contents (encoding only, not encryption)
[root@node1 ~]# cat .docker/config.json |base64 -w 0
ewoJImF1dGhzIjogewoJCSIxOTIuMTY4LjQzLjEwNyI6IHsKCQkJImF1dGgiOiAiWVdSdGFXNDZTR0Z5WW05eU1USXpORFU9IgoJCX0KCX0sCgkiSHR0cEhlYWRlcnMiOiB7CgkJIlVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xOS4wMy44IChsaW51eCkiCgl9Cn0=
[root@node1 ~]#
- Create a Secret resource as the bridge between the private registry and the k8s platform
# Edit the YAML file
[root@master demo]# cat registry-pull-secret.yaml
apiVersion: v1
kind: Secret                      # Secret
metadata:
  name: registry-pull-secret      # credential for the private registry
data:
  .dockerconfigjson: ewoJImF1dGhzIjogewoJCSIxOTIuMTY4LjQzLjEwNyI6IHsKCQkJImF1dGgiOiAiWVdSdGFXNDZTR0Z5WW05eU1USXpORFU9IgoJCX0KCX0sCgkiSHR0cEhlYWRlcnMiOiB7CgkJIlVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xOS4wMy44IChsaW51eCkiCgl9Cn0=
type: kubernetes.io/dockerconfigjson
[root@master demo]# kubectl create -f registry-pull-secret.yaml
secret/registry-pull-secret created
[root@master demo]# kubectl get secret
NAME TYPE DATA AGE
default-token-h4tl7 kubernetes.io/service-account-token 3 13d
registry-pull-secret kubernetes.io/dockerconfigjson 1 18s
[root@master demo]#
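As an added example (not from the post), the same kind of Secret built programmatically and then decoded again, to show that .dockerconfigjson is plain base64 encoding of the docker config.json, not encryption. The registry address matches the page; the username and password are placeholders, and the docker config is constructed inline.

```python
import base64
import json

# Constructed ~/.docker/config.json as `docker login` writes it. The "auth" value is
# only base64("user:password"); placeholder credentials, not the page's real blob.
SAMPLE_DOCKER_CONFIG = {
    "auths": {"192.168.43.107": {"auth": base64.b64encode(b"example-user:example-password").decode()}},
    "HttpHeaders": {"User-Agent": "Docker-Client/19.03.8 (linux)"},
}

def build_pull_secret(name, docker_config):
    """Wrap a docker config dict in a kubernetes.io/dockerconfigjson Secret.

    Same result as the page's `cat .docker/config.json | base64 -w 0`: the whole
    JSON file, base64-encoded, lands in data[".dockerconfigjson"].
    """
    raw = json.dumps(docker_config).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(raw).decode()},
    }

def registry_credentials(secret):
    """Recover registry -> (username, password) from a pull secret.

    Nothing here is encrypted: anyone allowed to `kubectl get secret -o yaml`
    in the namespace can read the Harbor login, so scope that RBAC tightly.
    """
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a kubernetes.io/dockerconfigjson Secret")
    config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    creds = {}
    for registry, entry in config.get("auths", {}).items():
        user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        creds[registry] = (user, password)
    return creds

if __name__ == "__main__":
    secret = build_pull_secret("registry-pull-secret", SAMPLE_DOCKER_CONFIG)
    print(json.dumps(secret, indent=2))        # apply with: kubectl create -f <file>
    print(registry_credentials(secret))
```

Because the nodes list 192.168.43.107 under insecure-registries, the same credential is also sent to Harbor without certificate verification; serving Harbor over TLS with a trusted certificate and removing that entry closes the gap.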
- Define the tomcat resources, pulling the image from Harbor to create them
# This YAML file creates both the Deployment (pod) resource and the Service resource
[root@master demo]# cat tomcat-deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: my-tomcat
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: my-tomcat
    spec:
      imagePullSecrets:              # image pull credential
      - name: registry-pull-secret   # name of the Secret resource
      containers:
      - name: my-tomcat
        image: 192.168.43.107/k8s_project/tomcat
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: my-tomcat
spec:
  type: NodePort
  ports:
  - port: 8080
    targetPort: 8080
    nodePort: 31111
  selector:
    app: my-tomcat
[root@master demo]# vi tomcat-deployment.yaml
[root@master demo]# kubectl create -f tomcat-deployment.yaml
deployment.extensions/my-tomcat created
service/my-tomcat created
[root@master demo]# kubectl get pods
NAME READY STATUS RESTARTS AGE
my-tomcat-6fb84f7ccd-4rrmj 1/1 Running 0 6s
my-tomcat-6fb84f7ccd-mc4j6 1/1 Running 0 6s
nginx-deployment-d55b94fd-smrwb 1/1 Running 2 6d3h
[root@master demo]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.0.0.1 <none> 443/TCP 13d
my-tomcat NodePort 10.0.0.53 <none> 8080:31111/TCP 3m48s
nginx-service NodePort 10.0.0.187 <none> 80:33856/TCP 6d3h
[root@master demo]#
- In the Harbor UI the tomcat image shows two pulls, which confirms that pulling from the private registry succeeded.
// How to handle a resource stuck in the Terminating state that cannot be deleted
[root@localhost demo]# kubectl get pods
NAME READY STATUS RESTARTS AGE
my-tomcat-57667b9d9-nklvj 1/1 Terminating 0 10h
my-tomcat-57667b9d9-wllnp 1/1 Terminating 0 10h
// In this case a forced delete can be used:
kubectl delete pod [pod name] --force --grace-period=0 -n [namespace]
Use kubectl get ns to list the namespaces.