什麼是Namespace
Namespace是對全局系統資源的一種封裝隔離,使處於不同Namespace的進程擁有獨立的系統資源。通過不同的Namespace可以合理地管理不同的服務。他們在邏輯上相互隔離,但默認情況下仍可以相互通信:Namespace本身並不是安全邊界,若需要限制跨Namespace的網絡訪問或API權限,還要另外配置NetworkPolicy和RBAC。常見的pods、services、replication controllers和persistentVolumeClaims等都是屬於某一個Namespace的(默認爲default),但是node和persistentVolumes等不屬於任何Namespace。
Namespace常用操作
創建
- 命令行
kubectl create namespace my-home
- yaml編排
#[root@k8s0 zookeeper]# cat my-home.yml
apiVersion: v1
kind: Namespace
metadata:
name: my-home-2
kubectl apply -f my-home.yml
查詢
[root@k8s0 zookeeper]# kubectl get namespace
default Active 18d
kube-node-lease Active 18d
kube-ops Active 17d
kube-public Active 18d
kube-system Active 18d
my-home Active 2m58s
my-home-2 Active 6s
刪除
# Deleting a namespace also removes every namespaced object inside it (pods,
# services, secrets, quotas, ...); check the name before running this.
kubectl delete namespace my-home-2
臨時設置Request的Namespace
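# Per-request namespace override: --namespace (short form -n) applies to this
# single invocation only.
# <${your-namespace-name}> is a placeholder: substitute the real namespace name.
# Typed literally, the shell would parse the < and > as redirections.
kubectl --namespace=<${your-namespace-name}> run nginx --image=alpine
# Fixed the misspelled flag (--namespce); kubectl rejects unknown flags.
kubectl get pod --namespace=<${your-namespace-name}>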
Namespace中的資源限制
爲Namespace配額的方式有兩種:ResourceQuota和LimitRange
- ResourceQuota
ResourceQuota 用來限制 namespace 中所有的 Pod 佔用的總的資源 request 和 limit
- LimitRange
LimitRange 用來限制 namespace 中 單個Pod 默認資源 request 和 limit
ResourceQuota配置
- 限制Pod總數
kubectl create namespace my-pod
apiVersion: v1
kind: ResourceQuota
metadata:
name: pod-demo
namespace: my-pod
spec:
hard:
pods: "2"
kubectl get resourcequota pod-demo -n my-pod -o yaml
apiVersion: v1
kind: ResourceQuota
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","kind":"ResourceQuota","metadata":{"annotations":{},"name":"pod-demo","namespace":"my-pod"},"spec":{"hard":{"pods":"2"}}}
creationTimestamp: "2020-03-30T06:03:28Z"
name: pod-demo
namespace: my-pod
resourceVersion: "2450965"
selfLink: /api/v1/namespaces/my-pod/resourcequotas/pod-demo
uid: ebdea686-b0ce-47d2-83ad-ac5c346ec915
spec:
hard:
pods: "2"
status:
hard:
pods: "2"
used:
pods: "0"
創建Pod測試:
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
namespace: my-pod
spec:
replicas: 2
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
imagePullPolicy: IfNotPresent
command: ["nginx"]
[root@k8s0 zookeeper]# kubectl get pod -n my-pod
NAME READY STATUS RESTARTS AGE
nginx-7dc797df7b-9tkc4 1/1 Running 0 13m
nginx-7dc797df7b-nktzj 1/1 Running 0 13m
[root@k8s0 zookeeper]# kubectl get deployment -n my-pod
NAME READY UP-TO-DATE AVAILABLE AGE
nginx 2/2 2 2 13m
現在增加一個Pod
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
namespace: my-pod
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
imagePullPolicy: IfNotPresent
command: ["nginx"]
[root@k8s0 zookeeper]# kubectl get pod -n my-pod
NAME READY STATUS RESTARTS AGE
nginx-7dc797df7b-9tkc4 1/1 Running 0 15m
nginx-7dc797df7b-nktzj 1/1 Running 0 15m
[root@k8s0 zookeeper]# kubectl get deployment -n my-pod
NAME READY UP-TO-DATE AVAILABLE AGE
nginx 2/3 2 2 15m
可以看出只有兩個pod在運行
kubectl get deployment -n my-pod -o yaml
***
reason: MinimumReplicasUnavailable
status: "False"
type: Available
- lastTransitionTime: "2020-03-30T06:52:08Z"
lastUpdateTime: "2020-03-30T06:52:08Z"
message: 'pods "nginx-7dc797df7b-tcsr5" is forbidden: exceeded quota: pod-demo,
requested: pods=1, used: pods=2, limited: pods=2'
***
從上面可以看出有一個pod沒有創建成功。爲了驗證ResourceQuota是否是限制Namespace下所有Pod資源的總和,給之前的Pod數量改成2,再創建一個新的deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-add
namespace: my-pod
spec:
replicas: 2
selector:
matchLabels:
app: nginx-add
template:
metadata:
labels:
app: nginx-add
spec:
containers:
- name: nginx-add
image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
imagePullPolicy: IfNotPresent
command: ["nginx"]
[root@k8s0 zookeeper]# kubectl get pod -n my-pod
NAME READY STATUS RESTARTS AGE
nginx-7dc797df7b-9tkc4 1/1 Running 0 22m
nginx-7dc797df7b-nktzj 1/1 Running 0 22m
[root@k8s0 zookeeper]# kubectl get deployment -n my-pod
NAME READY UP-TO-DATE AVAILABLE AGE
nginx 2/2 2 2 22m
nginx-add 0/2 0 0 21s
從上可以看出nginx-add這個deployment沒有創建成功而且pod中也沒有nginx-add的pod出現
- 限制CPU和內存
apiVersion: v1
kind: ResourceQuota
metadata:
name: pod-cpu
namespace: my-pod
spec:
hard:
requests.cpu: "1"
requests.memory: 1Gi
limits.cpu: "2"
limits.memory: 2Gi
- 每個容器必須設置內存請求(memory request),內存限額(memory limit),cpu請求(cpu request)和cpu限額(cpu limit)
- 所有容器的內存請求總額不得超過1 GiB
- 所有容器的內存限額總額不得超過2 GiB
- 所有容器的CPU請求總額不得超過1 CPU
- 所有容器的CPU限額總額不得超過2 CPU
- 創建Pod驗證
apiVersion: v1
kind: Pod
metadata:
name: nginx-cpu
namespace: my-pod
spec:
containers:
- name: nginx-cpu
image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
resources:
limits:
memory: "800Mi"
cpu: "800m"
requests:
memory: "600Mi"
cpu: "400m"
具體驗證方法不再贅述。可以創建兩個pod分配不同的資源,觀察即可
- ResourceQuota其他限制
apiVersion: v1
kind: ResourceQuota
metadata:
name: object-counts
namespace: my-pod
spec:
hard:
configmaps: "10"
persistentvolumeclaims: "4"
replicationcontrollers: "20"
secrets: "10"
services: "10"
services.loadbalancers: "2"
LimitRange配置默認的CPU請求和默認CPU限額
apiVersion: v1
kind: LimitRange
metadata:
name: cpu-limit-range
namespace: default-cpu-example
spec:
limits:
- default:
cpu: 1
defaultRequest:
cpu: 0.5
type: Container
- 創建Pod
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
namespace: default-cpu-example
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
imagePullPolicy: IfNotPresent
command: ["nginx"]
kubectl get pod nginx-7dc797df7b-f4n4b -n default-cpu-example -o yaml
***
resources:
limits:
cpu: "1"
requests:
cpu: 500m
***
- 如果指定了容器的限額,但未指定請求值
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
namespace: default-cpu-example
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
imagePullPolicy: IfNotPresent
command: ["nginx"]
resources:
limits:
cpu: "1"
***
resources:
limits:
cpu: "1"
requests:
cpu: "1"
***
輸出展示該容器的CPU請求值與它的限額值相等。
注意該容器並未被賦予這個默認的CPU請求值0.5。
- 如果指定了請求值,但未指定限定值
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
namespace: default-cpu-example
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
imagePullPolicy: IfNotPresent
command: ["nginx"]
resources:
requests:
cpu: "0.75"
***
resources:
limits:
cpu: "1"
requests:
cpu: 750m
***
輸出顯示該容器的CPU請求值被設置爲該容器配置文件中指定的值。該容器的CPU限額設置爲1,這是該命名空間的默認CPU的限額值。
LimitRange配置默認的內存請求與限額
apiVersion: v1
kind: LimitRange
metadata:
name: mem-limit-range
namespace: mem-example
spec:
limits:
- default:
memory: 512Mi
defaultRequest:
memory: 256Mi
type: Container
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
namespace: mem-example
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
imagePullPolicy: IfNotPresent
command: ["nginx"]
***
limits:
memory: 512Mi
requests:
memory: 256Mi
***
輸出顯示該 Pod 的容器的內存請求值是 256MiB, 內存限額值是 512MiB. 這些是由 LimitRange 指定的默認值
- 測試指定請求值、不指定限額和不指定請求值、指定限額
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
namespace: mem-example
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
imagePullPolicy: IfNotPresent
command: ["nginx"]
resources:
requests:
memory: "128Mi"
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
namespace: mem-example
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
imagePullPolicy: IfNotPresent
command: ["nginx"]
resources:
limits:
memory: "1G"
LimitRange設置最小和最大內存限制
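# LimitRange that bounds the memory of every container: at least 500Mi and at
# most 1Gi. No default/defaultRequest is given here; the page's later output
# shows a container without a resources section receiving 1Gi for both.
# NOTE(review): metadata.namespace is not set, so this object is created in
# whatever namespace kubectl targets (-n or the current context). The tests
# that follow use the namespaces mem-example and mem; confirm which one this
# LimitRange was applied to.
apiVersion: v1
kind: LimitRange
metadata:
  name: mem-min-max-demo-lr
spec:
  limits:
  - max:
      memory: 1Gi
    min:
      memory: 500Mi
    type: Container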
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
namespace: mem-example
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
imagePullPolicy: IfNotPresent
command: ["nginx"]
resources:
limits:
memory: "800Mi"
requests:
memory: "600Mi"
***
resources:
limits:
memory: 800Mi
requests:
memory: 600Mi
***
輸出顯示了容器的內存請求爲 600 MiB,內存限制爲 800 MiB。這符合 LimitRange 施加的限制
- 刪除pod創建一個更大內存的pod
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
namespace: mem
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
imagePullPolicy: IfNotPresent
command: ["nginx"]
resources:
limits:
memory: "1.5Gi"
requests:
memory: "800Mi"
[root@k8s0 zookeeper]# kubectl get pod -n mem
No resources found in mem namespace.
[root@k8s0 zookeeper]# kubectl get deployment -n mem
NAME READY UP-TO-DATE AVAILABLE AGE
nginx 0/1 0 0 72s
pod並沒有創建成功
kubectl get deployment nginx -n mem -o yaml
***
- lastTransitionTime: "2020-03-30T09:35:06Z"
lastUpdateTime: "2020-03-30T09:35:06Z"
message: 'pods "nginx-664685fbd6-n9l9w" is forbidden: maximum memory usage per
Container is 1Gi, but limit is 1536Mi'
***
- 創建一個不符合最小內存值的請求也是無法創建成功的
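# Deployment whose container memory request (100Mi) is below the 500Mi minimum
# of the page's mem-min-max-demo-lr LimitRange, so the pod is expected to be
# rejected at admission (assuming that LimitRange is active in namespace mem).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: mem
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        # NOTE(review): the image has no tag or digest, so it resolves to
        # :latest, and with IfNotPresent a node keeps whatever copy it pulled
        # first. Pin a tag or an @sha256 digest for reproducible deployments.
        image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
        imagePullPolicy: IfNotPresent
        command: ["nginx"]
        resources:
          limits:
            # Was "800Gi", which also exceeds the 1Gi maximum. 800Mi keeps the
            # limit inside the allowed range so only the minimum is violated.
            memory: "800Mi"
          requests:
            memory: "100Mi"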
- 創建一個沒有任何限制的pod
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
namespace: mem
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
imagePullPolicy: IfNotPresent
command: ["nginx"]
***
resources:
limits:
memory: 1Gi
requests:
memory: 1Gi
***
輸出顯示 Pod 的容器具有 1 GiB 的內存請求和 1 GiB 的內存限制,因爲當容器沒有指定自己的內存請求和限制時,它將從 LimitRange 獲取 默認的內存請求和限制值
配置最小和最大CPU限制
apiVersion: v1
kind: LimitRange
metadata:
name: cpu-min-max-demo-lr
namespace: limit-mem
spec:
limits:
- max:
cpu: "800m"
min:
cpu: "200m"
type: Container
[root@k8s0 zookeeper]# kubectl get LimitRange -n limit-mem -o yaml
apiVersion: v1
items:
- apiVersion: v1
kind: LimitRange
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","kind":"LimitRange","metadata":{"annotations":{},"name":"cpu-min-max-demo-lr","namespace":"limit-mem"},"spec":{"limits":[{"max":{"cpu":"800m"},"min":{"cpu":"200m"},"type":"Container"}]}}
creationTimestamp: "2020-03-30T11:21:25Z"
name: cpu-min-max-demo-lr
namespace: limit-mem
resourceVersion: "2480768"
selfLink: /api/v1/namespaces/limit-mem/limitranges/cpu-min-max-demo-lr
uid: 2f0014f3-1b3a-4041-892f-bdc004838894
spec:
limits:
- default:
cpu: 800m
defaultRequest:
cpu: 800m
max:
cpu: 800m
min:
cpu: 200m
type: Container
kind: List
metadata:
resourceVersion: ""
selfLink: ""
- 創建符合限制的測試
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
namespace: limit-mem
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
imagePullPolicy: IfNotPresent
command: ["nginx"]
resources:
limits:
cpu: "800m"
requests:
cpu: "500m"
- 創建大於限制的測試
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
namespace: limit-mem
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
imagePullPolicy: IfNotPresent
command: ["nginx"]
resources:
limits:
cpu: "900m"
requests:
cpu: "500m"
- 創建小於限制的測試
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
namespace: limit-mem
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
imagePullPolicy: IfNotPresent
command: ["nginx"]
resources:
limits:
cpu: "800m"
requests:
cpu: "100m"
- 創建沒有指定的測試
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
namespace: limit-mem
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: registry.cn-qingdao.aliyuncs.com/ycbg/nginx_node_web
imagePullPolicy: IfNotPresent
command: ["nginx"]