Characteristics of a pod
- A pod is the smallest deployable unit and is itself an API object: a group of containers. The containers in one pod share a network namespace, and pods are ephemeral.
Categories of containers in a pod
Infrastructure container
- The infrastructure container maintains the pod's network namespace; the kubelet creates it together with the pod.
Init containers (initContainers)
- An init container is a special-purpose container that runs before the application containers in a pod start. It can carry utilities and setup scripts that are not present in the application image.
- Differences between init containers and regular containers:
  - Init containers always run to completion, and each init container must finish successfully before the next one starts.
  - If a pod's init container fails, Kubernetes restarts it repeatedly until the init container succeeds; however, if the pod's restartPolicy is Never, it is not restarted.
  - Init containers support all the fields and features of application containers, including resource limits, volumes and security settings; however, they handle resource requests and limits slightly differently.
  - Init containers do not support a readiness probe, because they must run to completion before the pod becomes ready.
  - If several init containers are specified for a pod, they run one at a time, in order. Each init container must succeed before the next one can run. Only when all init containers have completed does Kubernetes initialize the pod's application containers and run them as usual.
An example init-container YAML file:
# The example below defines a simple Pod with two init containers.
# The first waits for myservice to come up, the second waits for mydb.
# Once both init containers have completed, the Pod starts the application container listed under spec.
apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod
  labels:
    app: myapp
spec:
  containers:
  - name: myapp-container
    image: busybox:1.28
    command: ['sh', '-c', 'echo The app is running! && sleep 3600']
  initContainers:
  - name: init-myservice
    image: busybox:1.28
    command: ['sh', '-c', "until nslookup myservice.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local; do echo waiting for myservice; sleep 2; done"]
  - name: init-mydb
    image: busybox:1.28
    command: ['sh', '-c', "until nslookup mydb.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local; do echo waiting for mydb; sleep 2; done"]
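The rules listed above (strict ordering, retry of a failed init container, the restartPolicy: Never exception, no readiness probe on init containers, and app containers starting only after every init container succeeded) can be checked against a small model. The script below is an added example written for this page, not code from Kubernetes or from the original post; it drives the manifest above (as the dict a YAML loader would produce) through a simulated kubelet, with a constructed "flaky" runner standing in for the real containers.

```python
"""Model of the init-container rules: sequential execution, retry of a failed
init container according to restartPolicy, and app containers starting only once
every init container has succeeded. Added example; it never talks to a cluster."""
from typing import Callable, Dict, List

# Parsed form of the page's myapp-pod manifest (commands omitted; only names are needed here).
MYAPP_POD = {
    "spec": {
        "restartPolicy": "Always",
        "initContainers": [{"name": "init-myservice"}, {"name": "init-mydb"}],
        "containers": [{"name": "myapp-container"}],
    }
}


def validate_init_containers(pod: dict) -> List[str]:
    """Return a list of problems; an init container must not declare a readinessProbe."""
    problems = []
    for c in pod["spec"].get("initContainers", []):
        if "readinessProbe" in c:
            problems.append(f"init container {c['name']!r} declares a readinessProbe, which is not supported")
    return problems


def run_pod(pod: dict, run_container: Callable[[str], bool], max_restarts: int = 10) -> dict:
    """Drive a pod through its init phase.

    run_container(name) returns True when that container exits 0. The result records
    the order in which containers were attempted, how many retries were needed and the
    resulting phase; max_restarts is an assumption that keeps the model finite."""
    problems = validate_init_containers(pod)
    if problems:
        raise ValueError("; ".join(problems))
    spec = pod["spec"]
    policy = spec.get("restartPolicy", "Always")
    inits = spec.get("initContainers", [])
    attempts: List[str] = []
    restarts = 0
    idx = 0
    while idx < len(inits):
        name = inits[idx]["name"]
        attempts.append(name)
        if run_container(name):
            idx += 1  # the next init container may start only after this one succeeded
            continue
        if policy == "Never" or restarts >= max_restarts:
            return {"phase": "Failed", "attempts": attempts, "restarts": restarts, "app_started": []}
        restarts += 1  # Always / OnFailure: the failed init container is retried
    # Only now do the application containers start, all of them at once.
    started = [c["name"] for c in spec["containers"]]
    for name in started:
        run_container(name)
    return {"phase": "Running", "attempts": attempts, "restarts": restarts, "app_started": started}


def flaky_runner(failures: Dict[str, int]) -> Callable[[str], bool]:
    """Constructed stand-in for real containers: fail failures[name] times, then succeed."""
    remaining = dict(failures)

    def run(name: str) -> bool:
        if remaining.get(name, 0) > 0:
            remaining[name] -= 1
            return False
        return True

    return run


if __name__ == "__main__":
    # myservice is unresolvable for the first two attempts; mydb answers immediately.
    print(run_pod(MYAPP_POD, flaky_runner({"init-myservice": 2})))
    never = {"spec": dict(MYAPP_POD["spec"], restartPolicy="Never")}
    print(run_pod(never, flaky_runner({"init-myservice": 1})))
```

Note that init-mydb is never attempted until init-myservice has succeeded, and that with restartPolicy: Never a single failure leaves the pod in Failed with no application container started.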
Application container (container)
- Application containers are the containers that run our services inside the pod resource we create; they are also called app containers, and they start in parallel.
Image pull policy (imagePullPolicy)
- Images are pulled from a public or private registry; the policies are:
  1. IfNotPresent: the default; the image is pulled only when it is not already present on the host.
  2. Always: the image is pulled again every time the pod is created, so the pulled image is the latest version.
  3. Never: the pod never pulls the image on its own.
- The official Kubernetes documentation explains these policies: https://kubernetes.io/docs/concepts/containers/images/
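Whether a container actually pulls depends on the tag as well as on the field: when imagePullPolicy is omitted, Kubernetes defaults it to Always for a :latest tag or an untagged image and to IfNotPresent otherwise. The following is an added example for this page (not Kubernetes project code) that applies that defaulting rule to the page's own manifests, mypod (nginx:1.14 with an explicit Always) and my-tomcat (an untagged image from the Harbor registry), and flags the combinations that silently run stale or unpinned images. It goes slightly beyond the page by also handling digest references and registry addresses with a port.

```python
"""Effective imagePullPolicy per container, with the default Kubernetes applies when
the field is omitted. Added example; manifests are the dicts a YAML loader produces."""
from typing import List, Optional, Tuple

# Parsed form of the two pod specs shown on the page.
PAGE_PODS = {
    "mypod": {"containers": [{"name": "nginx", "image": "nginx:1.14", "imagePullPolicy": "Always"}]},
    "my-tomcat": {"containers": [{"name": "my-tomcat", "image": "192.168.43.107/k8s_project/tomcat"}]},
}


def parse_image(image: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split 'registry/repo:tag@sha256:...' into (repository, tag, digest).
    The tag separator is the last ':' only if it comes after the last '/', so a
    registry with a port such as 'registry:5000/repo' is not mistaken for a tag."""
    digest = None
    if "@" in image:
        image, digest = image.split("@", 1)
    tag = None
    last_colon = image.rfind(":")
    if last_colon > image.rfind("/"):
        image, tag = image[:last_colon], image[last_colon + 1:]
    return image, tag, digest


def effective_pull_policy(image: str, explicit: Optional[str] = None) -> str:
    """An explicit policy wins; otherwise ':latest', or no tag and no digest,
    defaults to Always and anything else defaults to IfNotPresent."""
    if explicit:
        if explicit not in ("Always", "IfNotPresent", "Never"):
            raise ValueError(f"unknown imagePullPolicy {explicit!r}")
        return explicit
    _, tag, digest = parse_image(image)
    if tag == "latest" or (tag is None and digest is None):
        return "Always"
    return "IfNotPresent"


def lint_pull_policies(pod_spec: dict) -> List[str]:
    """Report what each container will do, plus the combinations worth a second look."""
    findings = []
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        image = c["image"]
        policy = effective_pull_policy(image, c.get("imagePullPolicy"))
        _, tag, digest = parse_image(image)
        findings.append(f"{c['name']}: {image} -> {policy}")
        if tag is None and digest is None:
            findings.append(f"  warning: {c['name']} has no tag; ':latest' is pulled on every start and the version is not pinned")
        if policy == "IfNotPresent" and tag == "latest":
            findings.append(f"  warning: {c['name']} uses ':latest' with IfNotPresent; a node keeps its cached copy indefinitely")
        if policy == "Never" and digest is None:
            findings.append(f"  note: {c['name']} relies on the image already being present on every node")
    return findings


if __name__ == "__main__":
    for name, spec in PAGE_PODS.items():
        print(name)
        for line in lint_pull_policies(spec):
            print(" ", line)
```

Pinning a tag (or better, a digest) together with IfNotPresent gives reproducible pods without a registry round-trip on every start; the tomcat manifest on the page pulls whatever Harbor currently serves as latest each time a replica is created.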
View the YAML file on master01
- Create a pod YAML file that specifies the image pull policy
[root@master demo]# cat pod1.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: nginx
    image: nginx:1.14
    imagePullPolicy: Always
[root@master demo]# kubectl get pod
NAME                              READY   STATUS              RESTARTS   AGE
mypod                             0/1     ContainerCreating   0          12s
nginx-deployment-d55b94fd-smrwb   1/1     Running             2          6d2h
[root@master demo]# kubectl describe Pod/mypod
Name:               mypod
Namespace:          default
Priority:           0
PriorityClassName:  <none>
Node:               192.168.43.102/192.168.43.102
Start Time:         Mon, 11 May 2020 14:07:42 +0800
Labels:             <none>
Annotations:        <none>
Status:             Running
IP:                 172.17.36.3
Containers:
  nginx:
    Container ID:   docker://253ac0b5d65e2dd26e31b0f3dd81c5c8e0910c2385a9b232460feb9bb64ba953
    Image:          nginx:1.14
    Image ID:       docker-pullable://nginx@sha256:f7988fb6c02e0ce69257d9bd9cf37ae20a60f1df7563c3a2a6abe24160306b8d
    Port:           <none>
    Host Port:      <none>
    State:          Running
      Started:      Mon, 11 May 2020 14:07:55 +0800
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-h4tl7 (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  default-token-h4tl7:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-h4tl7
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type    Reason     Age   From                     Message
  ----    ------     ----  ----                     -------
  Normal  Scheduled  53s   default-scheduler        Successfully assigned default/mypod to 192.168.43.102
  Normal  Pulling    51s   kubelet, 192.168.43.102  pulling image "nginx:1.14"
  Normal  Pulled     40s   kubelet, 192.168.43.102  Successfully pulled image "nginx:1.14"
  Normal  Created    40s   kubelet, 192.168.43.102  Created container
  Normal  Started    40s   kubelet, 192.168.43.102  Started container
- View the header information on the node
Adding a Harbor private registry to the Kubernetes cluster
- Create the Harbor private registry together with a private project and an image; for the steps see: https://blog.csdn.net/qq_42761527/article/details/105266673
- Configure the private registry on every node, specifying its IP address
[root@node1 ~]# cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://dnntzrw4.mirror.aliyuncs.com"],
  "insecure-registries": ["192.168.43.107"]
}
[root@node1 ~]# systemctl daemon-reload
[root@node1 ~]# systemctl restart docker
Note: when pulling images from Harbor to create resources, the node must be logged in to Harbor.
- After logging in to Harbor, inspect the login credential on the node. The credential is for the Harbor server, so it is the same on every node.
# -w 0: print the output on a single line without wrapping
# base64: base64-encode the contents of the file
[root@node1 ~]# cat .docker/config.json |base64 -w 0
ewoJImF1dGhzIjogewoJCSIxOTIuMTY4LjQzLjEwNyI6IHsKCQkJImF1dGgiOiAiWVdSdGFXNDZTR0Z5WW05eU1USXpORFU9IgoJCX0KCX0sCgkiSHR0cEhlYWRlcnMiOiB7CgkJIlVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xOS4wMy44IChsaW51eCkiCgl9Cn0=
[root@node1 ~]#
- Create a Secret resource as the bridge between the private registry and the Kubernetes platform
# Edit the YAML file
[root@master demo]# cat registry-pull-secret.yaml
apiVersion: v1
kind: Secret                      # Secret resource
metadata:
  name: registry-pull-secret      # credential for the private registry
data:
  .dockerconfigjson: ewoJImF1dGhzIjogewoJCSIxOTIuMTY4LjQzLjEwNyI6IHsKCQkJImF1dGgiOiAiWVdSdGFXNDZTR0Z5WW05eU1USXpORFU9IgoJCX0KCX0sCgkiSHR0cEhlYWRlcnMiOiB7CgkJIlVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xOS4wMy44IChsaW51eCkiCgl9Cn0=
type: kubernetes.io/dockerconfigjson
[root@master demo]# kubectl create -f registry-pull-secret.yaml
secret/registry-pull-secret created
[root@master demo]# kubectl get secret
NAME                   TYPE                                  DATA   AGE
default-token-h4tl7    kubernetes.io/service-account-token   3      13d
registry-pull-secret   kubernetes.io/dockerconfigjson        1      18s
[root@master demo]#
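The .dockerconfigjson value is only base64, not encryption: it wraps the same config.json that docker login writes, whose auth field is in turn base64 of user:password. Anyone allowed to read the Secret (kubectl get secret -o yaml, or a pod with a service account that can read Secrets in the namespace) therefore recovers the Harbor password. The following added example for this page (not Harbor's or Kubernetes' code) builds a Secret with the same layout from a constructed robot-account credential and reads it back, so the two-step decode is visible; the registry address is the page's Harbor host, the account and password are placeholders.

```python
"""Build a kubernetes.io/dockerconfigjson Secret from registry credentials and
recover the credentials from such a Secret. Added example; the account and
password are constructed placeholders."""
import base64
import json
from typing import Tuple

REGISTRY = "192.168.43.107"      # Harbor address used on the page
USERNAME = "example-robot"       # constructed; a least-privilege Harbor robot account, not admin
PASSWORD = "example-password"    # constructed


def build_docker_config(registry: str, username: str, password: str) -> dict:
    """Same layout as ~/.docker/config.json after `docker login`:
    the 'auth' field is just base64("user:password")."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"auths": {registry: {"auth": auth}}}


def build_pull_secret(name: str, registry: str, username: str, password: str) -> dict:
    """Secret manifest equivalent to the page's registry-pull-secret.yaml."""
    config_json = json.dumps(build_docker_config(registry, username, password), separators=(",", ":"))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(config_json.encode()).decode()},
    }


def credentials_from_secret(secret: dict) -> Tuple[str, str, str]:
    """Recover (registry, username, password): two base64 decodes and one JSON parse."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a kubernetes.io/dockerconfigjson Secret")
    config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    registry, entry = next(iter(config["auths"].items()))
    # split on the first ':' only, so a password containing ':' survives
    username, password = base64.b64decode(entry["auth"]).decode().split(":", 1)
    return registry, username, password


if __name__ == "__main__":
    secret = build_pull_secret("registry-pull-secret", REGISTRY, USERNAME, PASSWORD)
    print(json.dumps(secret, indent=2))
    print(credentials_from_secret(secret))
```

The same Secret can be created without hand-encoding with kubectl create secret docker-registry registry-pull-secret --docker-server=192.168.43.107 --docker-username=... --docker-password=.... Two points follow from the decode above: the Secret should hold a Harbor robot account limited to pulling from the one project rather than the admin login shown in the page's config.json, and read access to Secrets in the namespace should be restricted by RBAC. The insecure-registries entry in daemon.json additionally lets the daemon talk to the registry over plain HTTP, so the credential also crosses the network unencrypted; placing the Harbor CA certificate under /etc/docker/certs.d/192.168.43.107/ca.crt on each node and serving Harbor over TLS removes the need for that setting.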
- Write the tomcat resources and create them by pulling the image from Harbor
# This YAML file creates both the pod (Deployment) resource and the Service resource
[root@master demo]# cat tomcat-deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: my-tomcat
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: my-tomcat
    spec:
      imagePullSecrets:                 # credential used for the image pull
      - name: registry-pull-secret      # name of the Secret resource
      containers:
      - name: my-tomcat
        image: 192.168.43.107/k8s_project/tomcat
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: my-tomcat
spec:
  type: NodePort
  ports:
  - port: 8080
    targetPort: 8080
    nodePort: 31111
  selector:
    app: my-tomcat
[root@master demo]# vi tomcat-deployment.yaml
[root@master demo]# kubectl create -f tomcat-deployment.yaml
deployment.extensions/my-tomcat created
service/my-tomcat created
[root@master demo]# kubectl get pods
NAME                              READY   STATUS    RESTARTS   AGE
my-tomcat-6fb84f7ccd-4rrmj        1/1     Running   0          6s
my-tomcat-6fb84f7ccd-mc4j6        1/1     Running   0          6s
nginx-deployment-d55b94fd-smrwb   1/1     Running   2          6d3h
[root@master demo]# kubectl get svc
NAME            TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)          AGE
kubernetes      ClusterIP   10.0.0.1     <none>        443/TCP          13d
my-tomcat       NodePort    10.0.0.53    <none>        8080:31111/TCP   3m48s
nginx-service   NodePort    10.0.0.187   <none>        80:33856/TCP     6d3h
[root@master demo]#
- In the Harbor UI the tomcat image shows two pulls, confirming that pulling from the private registry succeeded.
// How to handle resources stuck in the Terminating state that cannot be deleted
[root@localhost demo]# kubectl get pods
NAME                        READY   STATUS        RESTARTS   AGE
my-tomcat-57667b9d9-nklvj   1/1     Terminating   0          10h
my-tomcat-57667b9d9-wllnp   1/1     Terminating   0          10h
// In this case the force-delete command can be used:
kubectl delete pod [pod name] --force --grace-period=0 -n [namespace]
// Use kubectl get ns to list the namespaces
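A pod shows Terminating from the moment its metadata.deletionTimestamp is set; the kubelet then has deletionGracePeriodSeconds to stop the containers. A pod is only "stuck" once that deadline is well in the past, and --force --grace-period=0 removes the API object without waiting for the kubelet to confirm that the containers are gone, so on an unreachable node the old instance may keep running beside its replacement. The script below is an added example for this page (not kubectl code) that decides from a constructed kubectl get pods -A -o json snapshot which Terminating pods are actually overdue and prints the page's delete command for those only; the five-minute slack is an assumption.

```python
"""Find pods whose deletion deadline has passed and emit the force-delete command
for them. Added example; SAMPLE_JSON is a constructed `kubectl get pods -A -o json`
snapshot whose pod names mirror the page's listing."""
import json
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

SAMPLE_JSON = json.dumps({
    "items": [
        # deleted ten hours ago, still present: stuck
        {"metadata": {"name": "my-tomcat-57667b9d9-nklvj", "namespace": "default",
                      "deletionTimestamp": "2020-05-11T14:00:00Z", "deletionGracePeriodSeconds": 30}},
        # deleted seconds ago: still within its grace period
        {"metadata": {"name": "my-tomcat-57667b9d9-wllnp", "namespace": "default",
                      "deletionTimestamp": "2020-05-12T00:09:50Z", "deletionGracePeriodSeconds": 30}},
        # not terminating at all
        {"metadata": {"name": "nginx-deployment-d55b94fd-smrwb", "namespace": "default"}},
    ]
})


def stuck_terminating(pods_json: str, now: datetime, slack_seconds: int = 300) -> List[Tuple[str, str, int]]:
    """Return (namespace, name, seconds overdue) for every pod whose deletionTimestamp
    plus grace period lies more than slack_seconds in the past."""
    stuck = []
    for item in json.loads(pods_json)["items"]:
        meta = item["metadata"]
        ts = meta.get("deletionTimestamp")
        if ts is None:
            continue  # no deletionTimestamp means the pod is not terminating
        deleted_at = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        deadline = deleted_at + timedelta(seconds=meta.get("deletionGracePeriodSeconds", 30))
        overdue = int((now - deadline).total_seconds())
        if overdue > slack_seconds:
            stuck.append((meta["namespace"], meta["name"], overdue))
    return stuck


def force_delete_commands(stuck: List[Tuple[str, str, int]]) -> List[str]:
    """The page's command, filled in per stuck pod; review the list before running it."""
    return [f"kubectl delete pod {name} --force --grace-period=0 -n {ns}" for ns, name, _ in stuck]


if __name__ == "__main__":
    # fixed "now" so the constructed snapshot evaluates the same way every run
    now = datetime(2020, 5, 12, 0, 10, 0, tzinfo=timezone.utc)
    for cmd in force_delete_commands(stuck_terminating(SAMPLE_JSON, now)):
        print(cmd)
```

Before forcing the deletion it is worth checking the node the pod was scheduled on (kubectl describe pod shows it under Node:); if the node is NotReady, the containers may still be running there and the force delete only removes the record of them.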