2022-09-08
Kubernetes resources: a comprehensive guide to the Pod
----------------------------------------------------------------------------------------------------------------------------------------
1)
•Core K8s resource, used to run containers
•Short name: po
•A pod can run multiple containers
•Containers in a Pod can share network and storage
Common commands:
kubectl create -f nginx-01.yaml
kubectl apply -f nginx-01.yaml
kubectl get pod
kubectl get pod -l name=nginx
kubectl delete pod nginx
kubectl delete pod --all
kubectl get pod -o wide
kubectl edit pod nginx
kubectl get pod nginx -o yaml
kubectl delete -f nginx-01.yaml
kubectl label pod nginx project=web
kubectl annotate pod nginx project=web
kubectl exec -it nginx -- /bin/bash
kubectl cp default/nginx:/etc/nginx/nginx.conf ~/nginx.conf
kubectl cp ~/aa default/nginx:/tmp
kubectl logs nginx
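2)Pod lifecycle
3)Pod restart policy
•The Pod restart policy (RestartPolicy) can be Always, OnFailure or Never; the default is Always
•Always: when a container fails, the kubelet restarts it automatically
•OnFailure: when a container terminates with a non-zero exit code, the kubelet restarts it automatically
•Never: the container is never restarted, whatever its state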
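4)Pod health checks
•LivenessProbe: liveness probing
•ReadinessProbe: readiness probing
A probe can be configured with one of the following three mechanisms:
•ExecAction: runs the specified command inside the container. If the command exits with return code 0, the container is considered healthy
•TCPSocketAction: performs a TCP check against the container's IP address on the specified port. If the connection can be established, the container is considered healthy.
•HTTPGetAction: performs an HTTP GET request against the container's IP address on the specified port and path. If the response status code is greater than or equal to 200 and less than 400, the container is considered healthy
The initialDelaySeconds and timeoutSeconds parameters set the wait before the first check and the timeout, respectively.
periodSeconds: 15      # interval between checks
failureThreshold: 3    # maximum number of failures
successThreshold: 1    # minimum number of consecutive successes for the probe to count as successful after a failure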
[root@master01 readiness]# cat pod-readiness-exec.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    test: readiness-exec
  name: readiness-exec
spec:
  containers:
  - name: liveness
    image: busybox
    args:
    - /bin/sh
    - -c
    - echo ok > /tmp/health; sleep 10; rm -rf /tmp/health; sleep 600
    readinessProbe:
      exec:
        command:
        - cat
        - /tmp/health
      initialDelaySeconds: 15
      timeoutSeconds: 1

[root@master01 readiness]# cat pod-readiness-
apiVersion: v1
kind: Pod
metadata:
  name: pod-    # truncated in the source; a valid Pod name must end in an alphanumeric character
spec:
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80
    readinessProbe:
      httpGet:    # HTTPGetAction: path and port belong under httpGet
        path: /_status/healthz
        port: 80
      initialDelaySeconds: 30
      timeoutSeconds: 1

[root@master01 readiness]# cat pod-readiness-tcp.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-tcp-healthcheck
spec:
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80
    readinessProbe:
      tcpSocket:
        port: 80
      initialDelaySeconds: 30
      timeoutSeconds: 1
liveness:
[root@master01 readiness]# cat pod-liveness-exec.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    test: readiness-exec
  name: liveness-exec
spec:
  containers:
  - name: liveness
    image: busybox
    args:
    - /bin/sh
    - -c
    - echo ok > /tmp/health; sleep 10; rm -rf /tmp/health; sleep 600
    livenessProbe:
      exec:
        command:
        - cat
        - /tmp/health
      initialDelaySeconds: 15
      timeoutSeconds: 1

[root@master01 readiness]# cat pod-liveness-
apiVersion: v1
kind: Pod
metadata:
  name: pod-liveness-    # truncated in the source; a valid Pod name must end in an alphanumeric character
spec:
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80
    livenessProbe:
      httpGet:    # HTTPGetAction: path and port belong under httpGet
        path: /_status/healthz
        port: 80
      initialDelaySeconds: 30
      timeoutSeconds: 1

[root@master01 readiness]# cat pod-liveness-tcp.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-liveness-tcp
spec:
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80
    livenessProbe:
      tcpSocket:
        port: 80
      initialDelaySeconds: 30
      timeoutSeconds: 1
5)imagePullPolicy
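Three options: Always, Never and IfNotPresent. This is the policy for checking and updating images (from the registry) each time the container starts.
# Always: check every time
# Never: never check (whether or not the image exists locally)
# IfNotPresent: if the image exists locally, do not check; if it does not, pull it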
6)Resource management
[root@master01 resources]# cat tomcat.yaml
apiVersion: v1
kind: Pod
metadata:
  name: volume-pod
spec:
  containers:
  - name: tomcat
    image: tomcat
    ports:
    - containerPort: 8080
    volumeMounts:
    - name: app-logs
      mountPath: /usr/local/tomcat/logs
    resources:
      limits:
        cpu: 0.1
        memory: 100Mi
  - name: busybox
    image: busybox
    command: ["sh", "-c", "tail -f /logs/catalina*.log"]
    volumeMounts:
    - name: app-logs
      mountPath: /logs
  volumes:
  - name: app-logs
    emptyDir: {}

[root@master01 resources]# cat nginx.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80
      hostPort: 80
    resources:
      requests:
        cpu: 0.01
        memory: 1Mi
      limits:
        cpu: 0.5
        memory: 10Mi

requests
limits
yum -y install httpd-tools
ab -c 500 -n 20000
vim /etc/sysctl.conf
# 0 turns SYN cookies (SYN-flood protection) off on this host; set back to 1 after the ab run
net.ipv4.tcp_syncookies = 0
# sysctl -p
7)Lifecycle management
postStart: # task run right after the container starts
preStop: # task run before the container is shut down
[root@master01 lifecycle]# cat nginx-postStart-exec.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80
    lifecycle:
      postStart:
        exec:
          command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"]

[root@master01 lifecycle]# cat nginx-preStop-exec.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80
    lifecycle:
      preStop:
        exec:
          command: ["/usr/sbin/nginx","-s","quit"]

[root@master01 lifecycle]# cat nginx-preStop-
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80
    lifecycle:
      preStop:
        httpGet:    # HTTP hook: host, path and port belong under httpGet
          host: 192.168.4.170
          path: api/v2/devops/pkg/upload_hooks
          port: 8090
8)Init Container
[root@master01 initContainers]# cat init.yaml
apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod
  labels:
    app: myapp
spec:
  containers:
  - name: myapp-container
    image: busybox
    command: ['sh', '-c', 'echo The app is running! && sleep 3600']
  initContainers:
  - name: init-myservice
    image: busybox
    command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;']
  - name: init-mydb
    image: busybox
    command: ['sh', '-c', 'until nslookup mydb; do echo waiting for mydb; sleep 2; done;']

[root@master01 initContainers]# cat service.yaml
kind: Service
apiVersion: v1
metadata:
  name: myservice
spec:
  ports:
  - protocol: TCP
    port: 80
    targetPort: 9376
---
kind: Service
apiVersion: v1
metadata:
  name: mydb
spec:
  ports:
  - protocol: TCP
    port: 80
    targetPort: 9377
9)nodeSelector
[root@master01 nodeSelector]# cat nginx.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    name: nginx
spec:
  nodeSelector:
    zone: node1
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80
      hostPort: 80
10)affinity
•podAffinity
•nodeAffinity
[root@master01 affinity]# cat node-affinity.yaml
apiVersion: v1
kind: Pod
metadata:
  name: with-node-affinity
spec:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: kubernetes.io/e2e-az-name
            operator: In
            values:
            - e2e-az1
            - e2e-az2
      preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 1
        preference:
          matchExpressions:
          - key: type
            operator: In
            values:
            - ssd
  containers:
  - name: with-node-affinity
    image: nginx
    ports:
    - containerPort: 80

[root@master01 podAffinity]# cat ./*
apiVersion: v1
kind: Pod
metadata:
  name: with-anti-affinity
spec:
  affinity:
    podAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchExpressions:
          - key: security
            operator: In
            values:
            - S1
        topologyKey: "kubernetes.io/hostname"
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
        podAffinityTerm:
          labelSelector:
            matchExpressions:
            - key: security
              operator: In
              values:
              - S2
          topologyKey: kubernetes.io/hostname
  containers:
  - name: with-anti-affinity
    image: nginx

apiVersion: v1
kind: Pod
metadata:
  name: pod-flag-s2
  labels:
    security: "S2"
    app: "nginx"
spec:
  containers:
  - name: nginx
    image: nginx

apiVersion: v1
kind: Pod
metadata:
  name: pod-flag-s1
  labels:
    security: "S1"
    app: "nginx"
spec:
  containers:
  - name: nginx
    image: nginx

apiVersion: v1
kind: Pod
metadata:
  name: pod-affinity
spec:
  affinity:
    podAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchExpressions:
          - key: security
            operator: In
            values:
            - S1
        topologyKey: kubernetes.io/hostname
  containers:
  - name: with-pod-affinity
    image: nginx
11)activeDeadlineSeconds
[root@master01 activeDeadlineSeconds]# cat nginx.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    name: nginx
spec:
  activeDeadlineSeconds: 30
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80
      hostPort: 80
12)dnsConfig
[root@master01 dnsConfig]# cat dns-example.yaml
apiVersion: v1
kind: Pod
metadata:
  namespace: default
  name: dns-example
spec:
  containers:
  - name: test
    image: busybox
    args:
    - "sh"
    - "-c"
    - "sleep 3600"
  dnsPolicy: "None"
  dnsConfig:
    nameservers:
    - 114.114.115.115
    searches:
    - ns1.svc.cluster.local
    - my.dns.search.suffix
    options:
    - name: ndots
      value: "2"
    - name: edns0
13)dnsPolicy
•None
DNS settings come from dnsConfig
•ClusterFirst
•ClusterFirstWithHostNet
•Default
[root@master01 dnsPolicy]# cat dns-policy-default.yaml
apiVersion: v1
kind: Pod
metadata:
  name: dns-example
spec:
  containers:
  - name: test
    image: busybox
    args:
    - "sh"
    - "-c"
    - "sleep 3600"
  dnsPolicy: "Default"

[root@master01 dnsPolicy]# cat dns-policy-hostNetwork.yaml
apiVersion: v1
kind: Pod
metadata:
  name: dns-example
spec:
  containers:
  - name: test
    image: busybox
    args:
    - "sh"
    - "-c"
    - "sleep 3600"
  dnsPolicy: "ClusterFirstWithHostNet"
  hostNetwork: true
14)ephemeralContainers
[root@master01 ephemeralContainers]# cat ephemeral.json
{
  "apiVersion": "v1",
  "kind": "EphemeralContainers",
  "metadata": {
    "name": "nginx"
  },
  "ephemeralContainers": [{
    "command": [
      "bash"
    ],
    "image": "shoganator/rpi-alpine-tools",
    "imagePullPolicy": "Always",
    "name": "diagtools",
    "stdin": true,
    "tty": true,
    "terminationMessagePolicy": "File"
  }]
}
kubectl -n default replace --raw /api/v1/namespaces/default/pods/nginx/ephemeralcontainers -f ./ephemeral.json
15)hostalias
[root@master01 hostalias]# cat hostalias.yaml
apiVersion: v1
kind: Pod
metadata:
  name: hostaliases-pod
spec:
  restartPolicy: Never
  hostAliases:
  - ip: "127.0.0.1"
    hostnames:
    - "foo.local"
    - "bar.local"
  - ip: "10.1.2.3"
    hostnames:
    - "foo.remote"
    - "bar.remote"
  containers:
  - name: cat-hosts
    image: nginx
    command:
    - cat
    args:
    - "/etc/hosts"
16)hostname
[root@master01 hostname]# cat hostname.yaml
apiVersion: v1
kind: Pod
metadata:
  name: hostname-pod
spec:
  restartPolicy: Never
  hostname: mark
  containers:
  - name: cat-hosts
    image: nginx
    command:
    - hostname
17)nodeName
[root@master01 nodename]# cat nodename.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nodename-pod
spec:
  restartPolicy: Never
  nodeName: 192.168.198.156
  containers:
  - name: cat-hosts
    image: nginx
18)preemptionPolicy
[root@master01 preemptionPolicy]# cat preemption.yaml
apiVersion: v1
kind: Pod
metadata:
  name: preemption-pod
spec:
  restartPolicy: Never
  preemptionPolicy: PreemptLowerPriority
  containers:
  - name: cat-hosts
    image: nginx
19)priority
[root@master01 priority]# cat priority.yaml
apiVersion: v1
kind: Pod
metadata:
  name: priority-pod
spec:
  restartPolicy: Never
  preemptionPolicy: PreemptLowerPriority
  priority: 1000
  containers:
  - name: cat-hosts
    image: nginx
20)priorityClassName
[root@master01 priorityClass]# cat priorityClass.yaml
apiVersion: v1
kind: Pod
metadata:
  name: priorityclass-pod
spec:
  restartPolicy: Never
  priorityClassName: high-priority
  containers:
  - name: cat-hosts
    image: nginx

[root@master01 priorityClass]# cat high-priority.yaml
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: high-priority
value: 1000000
globalDefault: false
description: "This priority class should be used for XYZ service pods only."
21)readinessGates
[root@master01 readinessGates]# cat nginx.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    name: nginx
spec:
  readinessGates:
  - conditionType: "example.com/feature-1"
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80
      hostPort: 80
22)Security Context
•Container-level Security Context: applies only to the specified container
•Pod-level Security Context: applies to all containers in the Pod and to its Volumes
•Pod Security Policies (PSP): apply to all Pods and Volumes in the cluster
[root@master01 podSecurityContext]# cat ./*
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-10
spec:
  securityContext:
    sysctls:
    - name: kernel.shm_rmid_forced
      value: "0"
  containers:
  - name: sec-ctx-4
    image: busybox
    args:
    - "sh"
    - "-c"
    - "sleep 36000"

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-1
spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: busybox
    args:
    - "sh"
    - "-c"
    - "sleep 36000"
    securityContext:
      allowPrivilegeEscalation: false

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  securityContext:
    runAsUser: 1000
  containers:
  - name: sec-ctx-demo-2
    image: busybox
    args:
    - "sh"
    - "-c"
    - "sleep 36000"
    securityContext:
      runAsUser: 2000
      allowPrivilegeEscalation: false

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-3
spec:
  containers:
  - name: sec-ctx-4
    image: busybox
    args:
    - "sh"
    - "-c"
    - "sleep 36000"
    securityContext:
      privileged: true

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-4-1
spec:
  containers:
  - name: sec-ctx-4
    image: busybox
    args:
    - "sh"
    - "-c"
    - "sleep 36000"
    securityContext:
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"]

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-5
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
  containers:
  - name: sec-ctx-4
    image: busybox
    args:
    - "sh"
    - "-c"
    - "sleep 36000"
    securityContext:
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"]

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-6
spec:
  securityContext:
    runAsNonRoot: true
  containers:
  - name: sec-ctx-4
    image: busybox
    args:
    - "sh"
    - "-c"
    - "sleep 36000"
    securityContext:
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"]

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-7
spec:
  securityContext:
    fsGroup: 1234
    supplementalGroups: [5678]
    seLinuxOptions:
      level: "s0:c123,c456"
  containers:
  - name: sec-ctx-4
    image: busybox
    args:
    - "sh"
    - "-c"
    - "sleep 36000"

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-8
spec:
  containers:
  - name: sec-ctx-4
    image: busybox
    args:
    - "sh"
    - "-c"
    - "sleep 36000"
    securityContext:
      capabilities:
        drop:
        - NET_RAW
        - CHOWN

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-9
spec:
  securityContext:
    sysctls:
    - name: net.ipv4.ip_forward
      value: "1"
  containers:
  - name: sec-ctx-4
    image: busybox
    args:
    - "sh"
    - "-c"
    - "sleep 36000"
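The manifests above set securityContext at both the pod level and the container level. The following Python script is an added example, not code from the original article: it merges the two levels (the container level wins for the fields both share) and flags the settings that widen a container's privileges. The function names, the finding labels and the dict form of demo-2, demo-3 and demo-5 are constructed here.

```python
# Added example (not from the original page): audit pod specs for risky securityContext settings.
# Fields that exist at both levels; fsGroup, sysctls and supplementalGroups are pod-only.
SHARED = ("runAsUser", "runAsGroup", "runAsNonRoot", "seLinuxOptions")

def effective_context(pod_spec, container):
    """Merge pod-level and container-level securityContext; the container level wins."""
    pod_sc = pod_spec.get("securityContext", {})
    eff = {k: pod_sc[k] for k in SHARED if k in pod_sc}
    eff.update(container.get("securityContext", {}))
    return eff

def audit(pod):
    """Return (container, finding) pairs for settings that widen the container's privileges."""
    findings = []
    for c in pod["spec"]["containers"]:
        sc = effective_context(pod["spec"], c)
        if sc.get("privileged"):
            findings.append((c["name"], "privileged"))
        added = sc.get("capabilities", {}).get("add", [])
        if added:
            findings.append((c["name"], "caps-added:" + ",".join(sorted(added))))
        # allowPrivilegeEscalation is effectively true unless it is set to false explicitly
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((c["name"], "privilege-escalation-allowed"))
        # with no runAsUser the image's user applies, which is root for busybox
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            findings.append((c["name"], "may-run-as-root"))
    return findings

def make_pod(name, pod_sc, ctr_name, ctr_sc):
    """Build a minimal Pod dict shaped like the manifests above (constructed sample input)."""
    ctr = {"name": ctr_name, "image": "busybox", "securityContext": ctr_sc}
    return {"metadata": {"name": name}, "spec": {"securityContext": pod_sc, "containers": [ctr]}}

DEMO_2 = make_pod("security-context-demo-2", {"runAsUser": 1000}, "sec-ctx-demo-2",
                  {"runAsUser": 2000, "allowPrivilegeEscalation": False})
DEMO_3 = make_pod("security-context-demo-3", {}, "sec-ctx-4", {"privileged": True})
DEMO_5 = make_pod("security-context-demo-5", {"runAsUser": 1000, "runAsGroup": 1000},
                  "sec-ctx-4", {"capabilities": {"add": ["NET_ADMIN", "SYS_TIME"]}})

if __name__ == "__main__":
    for p in (DEMO_2, DEMO_3, DEMO_5):
        print(p["metadata"]["name"], audit(p))
```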
23)serviceAccountName
[root@master01 serviceAccountName]# cat nginx.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    name: nginx
spec:
  serviceAccountName: default
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80
      hostPort: 80
24)subdomain
[root@master01 subdomain]# cat ./*
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    app: nginx-0
spec:
  hostname: mark
  subdomain: com
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80
      hostPort: 80
25)terminationGracePeriodSeconds
[root@master01 terminationGracePeriodSeconds]# cat nginx.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    name: nginx
spec:
  terminationGracePeriodSeconds: 0
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80
      hostPort: 80
26)tolerations
Taints and Tolerations
A taint is defined on a node and repels pods
A toleration is defined in a pod and tolerates a taint
kubectl taint nodes node1 key=value:NoSchedule
kubectl taint nodes node1 key:NoSchedule-
Effect:
NoSchedule
NoExecute
[root@master01 tolerations]# cat nginx.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    env: test
spec:
  containers:
  - name: nginx
    image: nginx
    imagePullPolicy: IfNotPresent
  tolerations:
  - key: "example-key"
    operator: "Exists"
    effect: "NoSchedule"
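How a toleration is matched against a taint decides whether the pod above can land on a tainted node. The following Python code is an added example, not part of the original article: it parses the `key=value:Effect` form used in the kubectl taint commands above and applies the Kubernetes matching rules (operator Exists or Equal, an empty effect or an empty key with Exists matching everything). The function names and the sample taints are constructed here.

```python
# Added example (not from the original page): do a pod's tolerations cover a node's taints?
HARD_EFFECTS = {"NoSchedule", "NoExecute"}   # the two effects listed on this page

def parse_taint(text):
    """Parse the 'key=value:Effect' or 'key:Effect' form used by kubectl taint."""
    spec, _, effect = text.rpartition(":")
    key, _, value = spec.partition("=")
    return {"key": key, "value": value, "effect": effect}

def tolerates(toleration, taint):
    """True when this single toleration matches this single taint."""
    # An empty effect in the toleration matches every effect.
    if toleration.get("effect") and toleration["effect"] != taint["effect"]:
        return False
    op = toleration.get("operator", "Equal")   # Equal is the default operator
    key = toleration.get("key", "")
    if op == "Exists":
        # Exists ignores the value; an empty key with Exists matches every taint key.
        return key == "" or key == taint["key"]
    return key == taint["key"] and toleration.get("value", "") == taint["value"]

def schedulable(node_taints, pod_tolerations):
    """True when every NoSchedule/NoExecute taint on the node is tolerated by the pod."""
    return all(any(tolerates(tol, t) for tol in pod_tolerations)
               for t in node_taints if t["effect"] in HARD_EFFECTS)

# The tolerations block from the nginx.yaml manifest above.
PAGE_TOLERATIONS = [{"key": "example-key", "operator": "Exists", "effect": "NoSchedule"}]

if __name__ == "__main__":
    # Constructed sample taints, including the one from the kubectl taint command above.
    for text in ("key=value:NoSchedule", "example-key=x:NoSchedule", "example-key=x:NoExecute"):
        print(text, "->", schedulable([parse_taint(text)], PAGE_TOLERATIONS))
```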