CKA考试知识总结-3

之所以要将这篇很长很长的博文拆分开,是因为站内查询因这篇长文而失效了,另外打开一个页面实在有些卡顿(⊙﹏⊙)b

Come on baby! 操起键盘就是干,继续~

复习资料

TLS

Q: TLS bootstrapping, see
https://coreos.com/kubernetes/docs/latest/openssl.html
https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/
https://github.com/cloudflare/cfssl

一般证书的申请流程如下:

  1. 创建证书认证签名 CA (相当于证书颁发机构的证书和私钥)。在现实中,这一步由收费的证书颁发机构完成,此处直接忽略。
  2. 产生私钥 Key (请求认证方的私钥)
  3. 使用已生成的私钥产生证书签名请求CSR (请求认证方基于私钥生成向证书颁发机构所需的证书签名请求文件)
  4. 使用CA和CSR产生证书 CRT (使用证书颁发机构的证书、私钥以及请求认证方的证书请求文件生成目标证书)
  • 下载cfssl软件包
    1. 访问:https://pkg.cfssl.org
    2. 下载:cfssl_linux-amd64 => cfssl
    3. 下载:cfssljson_linux-amd64 => cfssljson
    4. 下载:cfssl-certinfo_linux-amd64 => cfssl-certinfo
  • 创建证书的流程

    1. 创建自签名的CA证书;
    2. 使用CA证书、CA私钥、CA的配置文件,以及客户的CSR生成客户的证书;
  • 操作流程

    1. 生成default配置文件

      # 这一步就是产生CSR和CA的配置模板,方便按需修改
      root@test-9:~/henry# ./cfssl print-defaults list
      Default configurations are available for:
      config
      csr
      root@test-9:~/henry# ./cfssl print-defaults config > ca-config.json
      root@test-9:~/henry# ./cfssl print-defaults csr > ca-csr.json
      root@test-9:~/henry#
    2. 配置CA的CSR,为自己生成CERT:

      root@test-9:~/henry# #下面是修改之后的结果,CSR就是讲清楚你是"谁"(相当于是在生成中间认证机构的CSR)
      root@test-9:~/henry# cat ca-csr.json
      {
      "CN": "Chen Leiji CA",
      "key": {
      "algo": "ecdsa",
      "size": 256
      },
      "names": [
      {
      "C": "US",
      "L": "CA",
      "ST": "San Francisco",
      "O": "WISE2C",
      "OU": "development"
      }
      ]
      }

      root@test-9:~/henry# #这一步是直接使用CSR来签署CA(相当于是在生成中间认证机构的CA)
      root@test-9:~/henry# ./cfssl gencert -initca ca-csr.json | ./cfssljson -bare ca
      2017/11/15 13:16:04 [INFO] generating a new CA key and certificate from CSR
      2017/11/15 13:16:04 [INFO] generate received request
      2017/11/15 13:16:04 [INFO] received CSR
      2017/11/15 13:16:04 [INFO] generating key: ecdsa-256
      2017/11/15 13:16:04 [INFO] encoded CSR
      2017/11/15 13:16:04 [INFO] signed certificate with serial number 84349438505086023342597169366385715026517648791
      root@test-9:~/henry# ls
      ca-config.json ca.csr ca-key.pem ca.pem cfssl cfssljson csr.json
      root@test-9:~/henry#
    3. 查看生成的CA证书:

      root@test-9:~/henry# ./cfssl-certinfo -cert ca.pem
      {
      "subject": {
      "common_name": "Chen Leiji CA",
      "country": "US",
      "organization": "WISE2C",
      "organizational_unit": "development",
      "locality": "CA",
      "province": "San Francisco",
      "names": [
      "US",
      "San Francisco",
      "CA",
      "WISE2C",
      "development",
      "Chen Leiji CA"
      ]
      },
      "issuer": {
      "common_name": "Chen Leiji CA",
      "country": "US",
      "organization": "WISE2C",
      "organizational_unit": "development",
      "locality": "CA",
      "province": "San Francisco",
      "names": [
      "US",
      "San Francisco",
      "CA",
      "WISE2C",
      "development",
      "Chen Leiji CA"
      ]
      },
      "serial_number": "84349438505086023342597169366385715026517648791",
      "not_before": "2017-11-15T05:11:00Z",
      "not_after": "2022-11-14T05:11:00Z",
      "sigalg": "ECDSAWithSHA256",
      "authority_key_id": "D4:54:B3:F5:DF:CA:4A:22:E5:E:99:F0:BE:5A:4E:B:89:3C:DC:53",
      "subject_key_id": "D4:54:B3:F5:DF:CA:4A:22:E5:E:99:F0:BE:5A:4E:B:89:3C:DC:53",
      "pem": "-----BEGIN CERTIFICATE-----\nMIICSjCCAfCgAwIBAgIUDsZcEST3fVKpcGgiDP+IvVG1ZZcwCgYIKoZIzj0EAwIw\ncTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNVBAcT\nAkNBMQ8wDQYDVQQKEwZXSVNFMkMxFDASBgNVBAsTC2RldmVsb3BtZW50MRYwFAYD\nVQQDEw1DaGVuIExlaWppIENBMB4XDTE3MTExNTA1MTEwMFoXDTIyMTExNDA1MTEw\nMFowcTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNV\nBAcTAkNBMQ8wDQYDVQQKEwZXSVNFMkMxFDASBgNVBAsTC2RldmVsb3BtZW50MRYw\nFAYDVQQDEw1DaGVuIExlaWppIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nCaeC0bFStNdMcaWjMWtc0/HyC/VrcuALsa7ie5xE1lB6wNtQE1JlDxQUPbOJvHXh\nXJ8Lhtp+GKR3nPWiy6+j36NmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQI\nMAYBAf8CAQIwHQYDVR0OBBYEFNRUs/Xfykoi5Q6Z8L5aTguJPNxTMB8GA1UdIwQY\nMBaAFNRUs/Xfykoi5Q6Z8L5aTguJPNxTMAoGCCqGSM49BAMCA0gAMEUCIQCIG5Hx\n6Pmhj3LT2dRpGGJW3yj3+r9txDjMUH7+CtvJ/AIga5REzrYKSByjSKrMmoa2NPl2\nIIKQ2hASUgXI3565qdc=\n-----END CERTIFICATE-----\n"
      }
      root@test-9:~/henry#
    4. 配置CA的profiles选项(此处的profiles对应生成客户证书时通过--profile指定的值;注意示例中peer这个profile只声明了server auth,若用于需要双向认证的场景,通常还要加上client auth):

      root@test-9:~/henry# cat ca-config.json
      {
      "signing": {
      "default": {
      "expiry": "168h"
      },
      "profiles": {
      "server": {
      "expiry": "8760h",
      "usages": [
      "signing",
      "key encipherment",
      "server auth"
      ]
      },
      "client": {
      "expiry": "8760h",
      "usages": [
      "signing",
      "key encipherment",
      "client auth"
      ]
      },
      "peer": {
      "expiry": "8760h",
      "usages": [
      "signing",
      "key encipherment",
      "server auth"
      ]
      }
      }
      }
      }

      root@test-9:~/henry#
    5. 修改客户CSR.json:

      获取模板文件:

      # 这才是需要申请证书的客户提交的CSR,里面有“hosts”信息
      root@test-9:~/henry# ./cfssl print-defaults csr
      {
      "CN": "example.net",
      "hosts": [
      "example.net",
      "www.example.net"
      ],
      "key": {
      "algo": "ecdsa",
      "size": 256
      },
      "names": [
      {
      "C": "US",
      "L": "CA",
      "ST": "San Francisco"
      }
      ]
      }

      root@test-9:~/henry#

      修改CSR,主要涉及hosts的内容:

      root@test-9:~/henry# cat csr.json
      {
      "CN": "Chen Leiji Server",
      "key": {
      "algo": "ecdsa",
      "size": 256
      },
      "hosts":[
      "www.wise2c.com"
      ],
      "names": [
      {
      "C": "US",
      "L": "CA",
      "ST": "San Francisco",
      "O": "WISE2C",
      "OU": "development"
      }
      ]
      }
    6. 生成客户证书

      # 需要使用证书颁发机构的CA和Key来为其生成CERT
      root@test-9:~/henry# ./cfssl gencert -ca=ca.pem -ca-key=ca-key.pem --config=ca-config.json --hostname="www.wise2c.com" --profile="server" csr.json | ./cfssljson -bare server
      2017/11/15 14:34:07 [INFO] generate received request
      2017/11/15 14:34:07 [INFO] received CSR
      2017/11/15 14:34:07 [INFO] generating key: ecdsa-256
      2017/11/15 14:34:07 [INFO] encoded CSR
      2017/11/15 14:34:07 [INFO] signed certificate with serial number 408368599847170747880405926931506246283785194006
      root@test-9:~/henry#
      root@test-9:~/henry# ls
      ca-config.json ca.csr ca-key.pem ca.pem cfssl cfssl-certinfo cfssljson csr.json server.csr server-key.pem server.pem
      root@test-9:~/henry#
      root@test-9:~/henry# ./cfssl-certinfo -cert server.pem
      {
      "subject": {
      "common_name": "Chen Leiji Server",
      "country": "US",
      "organization": "WISE2C",
      "organizational_unit": "development",
      "locality": "CA",
      "province": "San Francisco",
      "names": [
      "US",
      "San Francisco",
      "CA",
      "WISE2C",
      "development",
      "Chen Leiji Server"
      ]
      },
      "issuer": {
      "common_name": "Chen Leiji CA",
      "country": "US",
      "organization": "WISE2C",
      "organizational_unit": "development",
      "locality": "CA",
      "province": "San Francisco",
      "names": [
      "US",
      "San Francisco",
      "CA",
      "WISE2C",
      "development",
      "Chen Leiji CA"
      ]
      },
      "serial_number": "408368599847170747880405926931506246283785194006",
      "sans": [
      "www.wise2c.com"
      ],
      "not_before": "2017-11-15T06:29:00Z",
      "not_after": "2018-11-15T06:29:00Z",
      "sigalg": "ECDSAWithSHA256",
      "authority_key_id": "D4:54:B3:F5:DF:CA:4A:22:E5:E:99:F0:BE:5A:4E:B:89:3C:DC:53",
      "subject_key_id": "1D:DB:C:A:34:9D:50:98:B0:F7:7D:E5:43:AF:3:D:9E:7D:92:C4",
      "pem": "-----BEGIN CERTIFICATE-----\nMIICeTCCAiCgAwIBAgIUR4fhn28TfjY12WtKZvStTxZMyhYwCgYIKoZIzj0EAwIw\ncTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNVBAcT\nAkNBMQ8wDQYDVQQKEwZXSVNFMkMxFDASBgNVBAsTC2RldmVsb3BtZW50MRYwFAYD\nVQQDEw1DaGVuIExlaWppIENBMB4XDTE3MTExNTA2MjkwMFoXDTE4MTExNTA2Mjkw\nMFowdTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNV\nBAcTAkNBMQ8wDQYDVQQKEwZXSVNFMkMxFDASBgNVBAsTC2RldmVsb3BtZW50MRow\nGAYDVQQDExFDaGVuIExlaWppIFNlcnZlcjBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABNS8mQT/DGMqig0Ju4VwcKtJoleoUF/lJokUhGKVudxIDRPMlgfHI7etIOBD\nPPhgrDdBWMEZHqZ0qLhmvp2v4G6jgZEwgY4wDgYDVR0PAQH/BAQDAgWgMBMGA1Ud\nJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFB3bDAo0nVCY\nsPd95UOvAw2efZLEMB8GA1UdIwQYMBaAFNRUs/Xfykoi5Q6Z8L5aTguJPNxTMBkG\nA1UdEQQSMBCCDnd3dy53aXNlMmMuY29tMAoGCCqGSM49BAMCA0cAMEQCIGou6e5c\nhQR0E3+piwH7VDchIlFUvU3OEttxqPnwYUqSAiBOgjYLgbJH07nf2mYqbegRkmpY\nwSmMdvZBSHvLyw81lA==\n-----END CERTIFICATE-----\n"
      }
      root@test-9:~/henry#
    7. 拷贝证书到系统,并更新证书库:

      # Restrict the freshly generated private keys (ca-key.pem, server-key.pem) to the owner only.
      chmod 600 *-key.pem
      # Only the public CA certificate goes into the system trust store; ca-key.pem must stay out of it.
      # NOTE(review): the earlier steps ran in ~/henry, so this path may need adjusting.
      cp ~/cfssl/ca.pem /etc/ssl/certs/

      # Rebuild the system CA bundle so the new CA is trusted.
      # NOTE(review): the tool name and trust-store directory vary by distribution — confirm for the target host.
      update-ca-trust

Installation

Q: Setting up K8s master components with a binaries/from tar balls

Also, convert CRT to PEM: openssl x509 -in abc.crt -out abc.pem (add -inform DER when abc.crt is DER-encoded; with the default PEM input this only rewrites the file)

life-cycle

Q: 对deployment做rollingUpdate,再滚回来

  • RollingUpdate (貌似 kubectl set 对于 deploy 只支持修改 image、resources、selector、subject 这几项)
[root@dev-7 henry]# kubectl run demo --image=nginx --port=80 --replicas=2 --labels="cka=true"
[root@dev-7 henry]#
[root@dev-7 henry]# kubectl get deploy
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
demo 2 2 2 2 4m
[root@dev-7 henry]#
[root@dev-7 henry]# kubectl get pod -l cka=true
NAME READY STATUS RESTARTS AGE
demo-2959463917-gbv3r 1/1 Running 0 1m
demo-2959463917-j76m9 1/1 Running 0 1m
[root@dev-7 henry]#
[root@dev-7 henry]# kubectl set --help
Configure application resources

These commands help you make changes to existing application resources.

Available Commands:
image Update image of a pod template
resources Update resource requests/limits on objects with pod templates
selector Set the selector on a resource
subject Update User, Group or ServiceAccount in a RoleBinding/ClusterRoleBinding
[root@dev-7 henry]#
[root@dev-7 henry]# kubectl set image deploy/demo demo=mysql
[root@dev-7 henry]#
[root@dev-7 henry]# kubectl rollout history deploy/demo
deployments "demo"
REVISION CHANGE-CAUSE
1 <none>
2 <none>
[root@dev-7 henry]# kubectl rollout history deploy/demo --revison=2
deployments "demo" with revision #2
Pod Template:
Labels: cka=true
pod-template-hash=2216264665
Containers:
demo:
Image: mysql
Port: 80/TCP
Environment: <none>
Mounts: <none>
Volumes: <none>

[root@dev-7 henry]#
[root@dev-7 henry]# kubectl rollout undo deploy/demo
[root@dev-7 henry]#
[root@dev-7 henry]# kubectl rollout history deploy/demo
deployments "demo"
REVISION CHANGE-CAUSE
2 <none>
3 <none>
[root@dev-7 henry]#
[root@dev-7 henry]# kubectl rollout history deploy/demo --revision=3
deployments "demo" with revision #3
Pod Template:
Labels: cka=true
pod-template-hash=1786957899
Containers:
demo:
Image: nginx
Port: 80/TCP
Environment: <none>
Mounts: <none>
Volumes: <none>

[root@dev-7 henry]#
[root@dev-7 henry]# kubectl rollout undo deploy/demo --to-revision=2

一种较保守的做法是先将其暂停(pause),把所有修改做完并检查无误后再恢复(resume)下发:

[root@dev-7 henry]# kubectl rollout pause deploy/demo
deployment "demo" paused
[root@dev-7 henry]#
[root@dev-7 henry]# kubectl set image deploy/demo demo=busybox
deployment "demo" image updated
[root@dev-7 henry]#
[root@dev-7 henry]# kubectl set resources deploy/demo -c=demo --limits=cpu=200m,memory=512Mi
deployment "demo" resource requirements updated
[root@dev-7 henry]#
[root@dev-7 henry]# kubectl rollout resume deploy/demo
deployment "demo" resumed
[root@dev-7 henry]#

除此之外,rollingUpdate还可以通过kubectl apply来实现:

[root@dev-7 henry]# kubectl apply -f demo.yaml --record
deployment "demo" configured
[root@dev-7 henry]#
[root@dev-7 henry]# kubectl rollout history deploy/demo
deployments "demo"
REVISION CHANGE-CAUSE
4 <none>
5 <none>
6 <none>
7 <none>
8 kubectl apply --filename=demo.yaml --record=true
[root@dev-7 henry]#
  • 自动弹性伸缩:

    [root@dev-7 henry]# kubectl autoscale deploy/demo --min=10 --max=15 --cpu-percent=80
    deployment "demo" autoscaled
  • Hook

    Container 支持两种 lifecycle hook:

    1. postStart 在容器创建后调用
    2. preStop 在容器终止之前调用

    支持两种hook handler:

    1. Exec
    2. HTTP
apiVersion: v1
kind: Pod
metadata:
name: lifecycle-demo
spec:
containers:
- name: lifecycle-demo-container
image: nginx

lifecycle:
postStart:
exec:
command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"]
preStop:
exec:
command: ["/usr/sbin/nginx","-s","quit"]

kubectl taint

Q: 对node做taint (taint a node)

注意:

  1. taint指定的 key:value 与node的label之间没有任何关系!
  2. 在添加taint的时候,需要指定: key=value:effect
  3. 在删除taint的时候,不需要指定 value,格式为: key:effect
root@test-9:~# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE
nginx-5b444f5b58-dpvzq 1/1 Running 0 2m 10.244.0.7 test-9
nginx-5b444f5b58-k6qxp 1/1 Running 0 2m 10.244.0.8 test-9
nginx-5b444f5b58-n7prf 1/1 Running 0 2m 10.244.0.9 test-9
nginx-5b444f5b58-r4265 1/1 Running 0 2m 10.244.0.11 test-9
nginx-5b444f5b58-rs2hn 1/1 Running 0 2m 10.244.0.10 test-9
nginx-5b444f5b58-v6r2x 1/1 Running 0 2m 10.244.0.6 test-9
root@test-9:~#
root@test-9:~# kubectl taint node test-9 taint=true:NoExecute
node "test-9" tainted
root@test-9:~#
root@test-9:~# kubectl describe node test-9
Name: test-9
Roles: master
Labels: beta.kubernetes.io/arch=amd64
beta.kubernetes.io/os=linux
kubernetes.io/hostname=test-9
node-role.kubernetes.io/master=
Annotations: flannel.alpha.coreos.com/backend-data={"VtepMAC":"9a:e5:cf:c9:fb:79"}
flannel.alpha.coreos.com/backend-type=vxlan
flannel.alpha.coreos.com/kube-subnet-manager=true
flannel.alpha.coreos.com/public-ip=10.144.96.185
node.alpha.kubernetes.io/ttl=0
volumes.kubernetes.io/controller-managed-attach-detach=true
Taints: taint=true:NoExecute
CreationTimestamp: Mon, 13 Nov 2017 20:56:37 +0800
root@test-9:~#
root@test-9:~# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE
nginx-5b444f5b58-2s5dw 1/1 Running 0 28s 10.244.1.24 test-10
nginx-5b444f5b58-b6pds 1/1 Running 0 28s 10.244.1.23 test-10
nginx-5b444f5b58-cg75j 1/1 Running 0 28s 10.244.1.21 test-10
nginx-5b444f5b58-d8nbl 1/1 Running 0 28s 10.244.1.20 test-10
nginx-5b444f5b58-pncbm 1/1 Running 0 28s 10.244.1.18 test-10
nginx-5b444f5b58-zbc4h 1/1 Running 0 28s 10.244.1.22 test-10
root@test-9:~#
root@test-9:~# kubectl taint node test-9 taint:NoExecute-
node "test-9" untainted
root@test-9:~#
  • Effect支持:
    NoSchedule/NoExecute/PreferNoSchedule
kubectl taint nodes node1 key1=value1:NoSchedule
kubectl taint nodes node1 key1=value1:NoExecute
kubectl taint nodes node1 key2=value2:NoSchedule
  • Tolerations支持:

    1. 指定匹配 key/value和effect
      tolerations:

      • key: “key”
        operator: “Equal”
        value: “value”
        effect: “NoSchedule”
    2. 指定 key存在且指定effect
      tolerations:

      • key: “key”
        operator: “Exists”
        effect: “NoSchedule”
    3. 只要有任何key存在
      tolerations:

      • operator: “Exists”
    4. 指定key存在
      tolerations:

      • key: “key”
        operator: “Exists”
    5. 代表往node添加taint后,多长时间之内,该pod依然可以存活(时间结束后,将被删除)
      tolerations:

      • key: “key1”
        operator: “Equal”
        value: “value1”
        effect: “NoExecute”
        tolerationSeconds: 3600

例子:

root@test-9:~# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE
nginx-5b444f5b58-2s5dw 1/1 Running 0 16m 10.244.1.24 test-10
nginx-5b444f5b58-b6pds 1/1 Running 0 16m 10.244.1.23 test-10
nginx-5b444f5b58-cg75j 1/1 Running 0 16m 10.244.1.21 test-10
nginx-5b444f5b58-d8nbl 1/1 Running 0 16m 10.244.1.20 test-10
nginx-5b444f5b58-pncbm 1/1 Running 0 16m 10.244.1.18 test-10
nginx-5b444f5b58-zbc4h 1/1 Running 0 16m 10.244.1.22 test-10
root@test-9:~#
root@test-9:~# kubectl taint node test-9 taint=true:NoExecute
node "test-9" tainted
root@test-9:~#
root@test-9:~# kubectl edit deploy nginx
deployment "nginx" edited
root@test-9:~#
root@test-9:~# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE
nginx-9bf4c9c69-27r6m 1/1 Running 0 17s 10.244.1.26 test-10
nginx-9bf4c9c69-cnjk2 1/1 Running 0 23s 10.244.0.12 test-9
nginx-9bf4c9c69-fttrd 1/1 Running 0 23s 10.244.1.25 test-10
nginx-9bf4c9c69-jw7w2 1/1 Running 0 11s 10.244.1.27 test-10
nginx-9bf4c9c69-s57h2 1/1 Running 0 12s 10.244.0.14 test-9
nginx-9bf4c9c69-z8jrn 1/1 Running 0 18s 10.244.0.13 test-9
root@test-9:~#
root@test-9:~# kubectl get deploy nginx -o yaml | grep tolerations -C 5
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
tolerations:
- operator: Exists
status:
availableReplicas: 6
conditions:
- lastTransitionTime: 2017-11-13T13:23:03Z
root@test-9:~#

Secret

  • generic
root@test-9:~# kubectl create secret generic demo --from-literal=user=chenleji --from-literal=passwd=123
secret "demo" created
root@test-9:~#
root@test-9:~# kubectl get secret
NAME TYPE DATA AGE
default-token-wgrhs kubernetes.io/service-account-token 3 1h
demo Opaque 2 4s
root@test-9:~#
root@test-9:~# kubectl get secret demo -o yaml
apiVersion: v1
data:
passwd: MTIz
user: Y2hlbmxlamk=
kind: Secret
metadata:
creationTimestamp: 2017-11-13T14:12:00Z
name: demo
namespace: default
resourceVersion: "7108"
selfLink: /api/v1/namespaces/default/secrets/demo
uid: 9da9b9f4-c87c-11e7-9401-525400545760
type: Opaque
root@test-9:~#
root@test-9:~# echo -n MTIz | base64 --decode
123
root@test-9:~# echo -n Y2hlbmxlamk= | base64 --decode
chenleji
root@test-9:~#
root@test-9:~#
  • TLS

    kubectl create secret tls tls-secret --cert=path/to/tls.cert --key=path/to/tls.key
  • Registry

    kubectl create secret docker-registry my-secret --docker-server=DOCKER_REGISTRY_SERVER
    --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
  • volume mount

未指定挂载的具体文件名:

root@test-9:~# kubectl get deploy -o yaml | grep volume -C 5
imagePullPolicy: Always
name: nginx
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /secret
name: secret
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
tolerations:
- operator: Exists
volumes:
- name: secret
secret:
defaultMode: 420
secretName: demo
status:
root@test-9:~#
root@test-9:~# kubectl exec -ti nginx-557769d5c5-45sdq /bin/bash
root@nginx-557769d5c5-45sdq:/# ls -l /secret/
total 0
lrwxrwxrwx 1 root root 13 Nov 13 14:23 passwd -> ..data/passwd
lrwxrwxrwx 1 root root 11 Nov 13 14:23 user -> ..data/user
root@nginx-557769d5c5-45sdq:/#
root@nginx-557769d5c5-45sdq:/# cat /secret/passwd
123
root@nginx-557769d5c5-45sdq:/#

指定挂载文件名:

root@test-9:~# kubectl describe secret demo
Name: demo
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
passwd: 3 bytes
user: 8 bytes
root@test-9:~#
root@test-9:~# kubectl get deploy nginx -o yaml | grep volume -C 8
spec:
containers:
- image: nginx
imagePullPolicy: Always
name: nginx
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /secret
name: secret
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
tolerations:
- operator: Exists
volumes:
- name: secret
secret:
defaultMode: 420
items:
- key: user
path: haha/xx
secretName: demo
status:
root@test-9:~#
root@nginx-657c6dcd4c-56p5h:/# cat /secret/haha/xx
chenleji
root@nginx-657c6dcd4c-56p5h:/#

  • env
root@test-9:~# kubectl get deploy nginx -o yaml | grep env -C 6
metadata:
creationTimestamp: null
labels:
demo: "true"
spec:
containers:
- env:
- name: SECRET_USER
valueFrom:
secretKeyRef:
key: user
name: demo
image: nginx
root@test-9:~#
root@test-9:~# kubectl exec -ti nginx-548c9c4846-dgnbk /bin/bash
root@nginx-548c9c4846-dgnbk:/# env | grep SECRET
SECRET_USER=chenleji
root@nginx-548c9c4846-dgnbk:/#

ENV

  • Use Pod Field
root@test-9:~# kubectl get deploy -o yaml | grep env -C 10
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
demo: "true"
spec:
containers:
- env:
- name: MY_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: SECRET_USER
valueFrom:
secretKeyRef:
key: user
name: demo
root@test-9:~#
root@test-9:~# kubectl exec -ti nginx-f7d4dc847-skb74 /bin/bash
root@nginx-f7d4dc847-skb74:/# env | grep MY_NODE
MY_NODE_NAME=test-10
root@nginx-f7d4dc847-skb74:/#
  • Use Container Field
apiVersion: v1
kind: Pod
metadata:
name: dapi-envars-resourcefieldref
spec:
containers:
- name: test-container
image: gcr.io/google_containers/busybox:1.24
command: [ "sh", "-c"]
args:
- while true; do
echo -en '\n';
printenv MY_CPU_REQUEST MY_CPU_LIMIT;
printenv MY_MEM_REQUEST MY_MEM_LIMIT;
sleep 10;
done;
resources:
requests:
memory: "32Mi"
cpu: "125m"
limits:
memory: "64Mi"
cpu: "250m"
env:
- name: MY_CPU_REQUEST
valueFrom:
resourceFieldRef:
containerName: test-container
resource: requests.cpu
- name: MY_CPU_LIMIT
valueFrom:
resourceFieldRef:
containerName: test-container
resource: limits.cpu
restartPolicy: Never

结束

好吧,这次真没有了!你以为你就可以考过了吗?呵呵~~
再好好看看官网的文档吧,另外,最后再附送一份k8s相关的资源大宝典。注意,需要翻墙!
