Kubernetes探索学习004--深入Kubernetes的Pod
2024-10-19 09:00:45
深入研究学习Pod
首先需要认识到Pod才是Kubernetes项目中最小的编排单位原子单位,凡是涉及到调度,网络,存储层面的,基本上都是Pod级别的!官方是用这样的语言来描述的: A Pod is the basic building block of Kubernetes–the smallest and simplest unit in the Kubernetes object model that you create or deploy.
1.Pod API对象
1.1.Pod中的一些重要字段解释
NodeSelector:将Pod与Node绑定的字段,可以用来指定对象的调度节点
NodeName:该字段被赋值,调度器会认为这个Pod已经经过了调度
HostAliases:定义Pod的hosts文件内容
shareProcessNamespace:Pod中的容器共享 PID Namespace
hostNetwork:共享宿主机Network
hostIPC:共享宿主机IPC
hostPID:共享宿主机PID Namespace
ImagePullPolicy:定义镜像拉取的策略
Lifecycle:Container Lifecycle Hooks的作用,钩子
1.2.Pod生命周期中的几种状态
Pending 悬而未决,Pod中的容器可能因为某种原因不能被顺利创建,比如调度不成功
Running Pod已经调度成功
Succeeded Pod里面的容器正常运行完毕并已经退出
Failed Pod中至少有一个容器以不正常的状态退出,你要想办法查日志了分析具体原因!
UnKnown 异常状态
2.认识特殊的Volume-Projected Volume
这块儿需要先理解Projected Volume的含义,在Kubernetes中有几种特殊的Volume它们为容器提供预先定义好的数据,从Container的角度来看,这些Volume就好像是被Kubernetes Project(投射)进入Container中的。
2.1.Projected Volume分类
Secret 把Pod想要访问的加密数据放入Etcd中
ConfigMap 把Pod想要访问的非加密数据放入Etcd中
Downward API 让Pod容器能够直接获取这个Pod API对象的本身
ServiceAccountToken 一种特殊的secret保存授权信息和文件
2.2.关于这些卷的实践
1.Secret保存账号密码的例子
1.首先准备YAML文件
[root@kubernetes01 ~]# cat test-projected-volume.yaml
apiVersion: v1
kind: Pod
metadata:
name: test-projected-volume001
spec:
containers:
- name: test-secret-volume001
image: busybox
args:
- sleep
- "86400"
volumeMounts:
- name: mysql-cred
mountPath: "/projected-volume"
readOnly: true
volumes:
- name: mysql-cred
projected:
sources:
- secret:
name: user001
- secret:
name: pass001
2.存放账号密码
[root@kubernetes01 ~]# cat ./username.txt
Ym95YW5nMDAx
[root@kubernetes01 ~]# cat ./password.txt
Ym95YW5nMDAx
[root@kubernetes01 ~]# kubectl create secret generic user001 --from-file=./username.txt
[root@kubernetes01 ~]# kubectl create secret generic pass001 --from-file=./password.txt
3.查看Secret对象
[root@kubernetes01 ~]# kubectl get secrets
NAME TYPE DATA AGE
default-token-8j8dl kubernetes.io/service-account-token 3 11d
pass Opaque 1 7d
pass001 Opaque 1 2d1h
user Opaque 1 7d
user001 Opaque 1 2d1h
4.创建Pod之后进入Pod进行查看
[root@kubernetes01 ~]# kubectl exec -it test-projected-volume001 -- /bin/sh
/ # ls /projected-volume/
password.txt username.txt
/ # cat /projected-volume/username.txt
Ym95YW5nMDAx
/ # cat /projected-volume/password.txt
Ym95YW5nMDAx
需要注意一点,生产使用中密码的加密方式!
2.ConfigMap保存java配置文件的例子
1.首先准备一段java配置文件
[root@kubernetes01 ~]# cat ./application.properties
#actuator \u53EA\u5F00\u653Ehealth\u63A5\u53E3
endpoints.enabled=false
endpoints.health.enabled=true
# Server
server.port=15051
spring.application.name=loancenter-app-web
server.sessionTimeout=30
spring.profiles.active=dev
...
2.创建ConfigMap
kubectl create configmap loancenter-app-web-config --from-file=./application.properties
3.查看
[root@kubernetes01 ~]# kubectl get configmaps loancenter-app-web-config -o yaml
apiVersion: v1
data:
application.properties: |
#actuator \u53EA\u5F00\u653Ehealth\u63A5\u53E3
endpoints.enabled=false
endpoints.health.enabled=true
# Server
server.port=15051
spring.application.name=loancenter-app-web
server.sessionTimeout=30
spring.profiles.active=dev
...
3.Downward API容器获取信息的例子
1.准备YAML文件
[root@kubernetes01 ~]# cat test-downwardapi-volume.yaml
apiVersion: v1
kind: Pod
metadata:
name: test-downwardapi-volume
labels:
zone: cn-beijing-coast
cluster: cluster001
rack: rack-007
spec:
containers:
- name: client-container
image: busybox
command: ["sh", "-c"]
args:
- while true; do
if [[ -e /etc/podinfo/labels ]]; then
echo -en '\n\n'; cat /etc/podinfo/labels; fi;
sleep 5;
done;
volumeMounts:
- name: podinfo
mountPath: /etc/podinfo
readOnly: false
volumes:
- name: podinfo
projected:
sources:
- downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
2.创建Pod
[root@kubernetes01 ~]# kubectl apply -f test-downwardapi-volume.yaml
3.查看日志输出
[root@kubernetes01 ~]# kubectl logs test-downwardapi-volume | tail -n 10
cluster="cluster001"
rack="rack-007"
zone="cn-beijing-coast"
cluster="cluster001"
rack="rack-007"
zone="cn-beijing-coast"
cluster="cluster001"
rack="rack-007"
可以看到Volume声明暴露的metadata.labels信息被Container打印出来了!
4.ServiceAccountToken
Service Account对象的作用,就是Kubernetes系统内置的一种“服务账户”。
这块需要我们记住的是Kubernetes API编程最佳授权方式是default Service Account自动授权
3.Pod中的容器健康检查和恢复机制
我们可以在Pod中定义Probe(探针),这是用来保证应用是否健康的重要手段!Pod还具有恢复机制restartPolicy!注意恢复永远只发生当前节点,如果同一个Pod出现在多个Node节点上就需要用控制器来管理,还要学会Pod中web应用的健康检查方法。
3.1.Pod中定义Probe
通过命令来充当探针的例子
1.准备YAML文件
[root@kubernetes01 ~]# cat test-liveness-exec.yaml
apiVersion: v1
kind: Pod
metadata:
labels:
test: liveness
name: test-liveness-exec
spec:
containers:
- name: liveness
image: busybox
args:
- /bin/sh
- -c
- touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 60
livenessProbe:
exec:
command:
- cat
- /tmp/healthy
initialDelaySeconds: 5
periodSeconds: 5
2.创建Pod之后,观察效果
[root@kubernetes01 ~]# kubectl get pods | grep "test-liveness"
test-liveness-exec 0/1 CrashLoopBackOff 317 20h
[root@kubernetes01 ~]# kubectl describe pods test-liveness-exec | tail -n 10
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s
node.kubernetes.io/unreachable:NoExecute for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Pulling 60m (x303 over 20h) kubelet, kubernetes05 pulling image "busybox"
Normal Killing 20m (x313 over 20h) kubelet, kubernetes05 Killing container with id docker://liveness:Container failed liveness probe.. Container will be killed and recreated.
Warning Unhealthy 6m2s (x951 over 20h) kubelet, kubernetes05 Liveness probe failed: cat: can't open '/tmp/healthy': No such file or directory
Warning BackOff 61s (x3881 over 19h) kubelet, kubernetes05 Back-off restarting failed container
这块儿因为探针检测到的Unhealthy状态,再加上默认的restartPolicy Pod具有的恢复机制,所以20小时内重启了317次。
3.2.Pod中web应用的健康检查
通过http请求tomcat服务充当探针的例子
1.编写YAML文件
[root@kubernetes01 ~]# cat java-web-health.yaml
apiVersion: v1
kind: Pod
metadata:
name: java-web-healthtest
spec:
initContainers:
- image: registry:5000/jenkins:v2
name: war
command: ["cp","/jenkins.war","/app"]
volumeMounts:
- name: java-web-health-volume
mountPath: "/app"
containers:
- image: tomcat:latest
name: tomcat
volumeMounts:
- name: java-web-health-volume
mountPath: "/usr/local/tomcat/webapps"
ports:
- containerPort: 8080
name: tomcatwebsite
hostPort: 8004
protocol: TCP
livenessProbe:
httpGet:
path: /jenkins/
port: 8080
scheme: HTTP
initialDelaySeconds: 30
timeoutSeconds: 5
periodSeconds: 5
volumes:
- name: java-web-health-volume
emptyDir: {}
解释下这三个字段的意思
initialDelaySeconds: 容器启动后第一次探测需要等久,单位秒,因为是tomcat所以可以设置的长一点
timeoutSeconds: 探测的超时时间,单位秒
periodSeconds: 执行探测的频率,单位秒
2.创建Pod后查看
[root@kubernetes01 ~]# curl -I 10.44.0.10:8080/jenkins/
HTTP/1.1 403
Cache-Control: private
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Content-Type-Options: nosniff
Set-Cookie: JSESSIONID=C4379308E14D00BEAFFDA51E2E38A2F3; Path=/jenkins; HttpOnly
X-Hudson: 1.395
X-Jenkins: 2.132
X-Jenkins-Session: d5a26f97
X-You-Are-Authenticated-As: anonymous
X-You-Are-In-Group-Disabled: JENKINS-39402: use -Dhudson.security.AccessDeniedException2.REPORT_GROUP_HEADERS=true or use /whoAmI to diagnose
X-Required-Permission: hudson.model.Hudson.Administer
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 20 Mar 2019 08:29:41 GMT
这块可以看到返回的是403!
[root@kubernetes01 ~]# kubectl describe pods java-web-health | tail -n 15
node.kubernetes.io/unreachable:NoExecute for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 2m30s default-scheduler Successfully assigned default/java-web-healthtest to kubernetes02
Normal Pulled 2m30s kubelet, kubernetes02 Container image "registry:5000/jenkins:v2" already present on machine
Normal Created 2m30s kubelet, kubernetes02 Created container
Normal Started 2m29s kubelet, kubernetes02 Started container
Normal Pulling 59s (x3 over 2m29s) kubelet, kubernetes02 pulling image "tomcat:latest"
Normal Killing 59s (x2 over 104s) kubelet, kubernetes02 Killing container with id docker://tomcat:Container failed liveness probe.. Container will be killed and recreated.
Normal Pulled 55s (x3 over 2m25s) kubelet, kubernetes02 Successfully pulled image "tomcat:latest"
Normal Created 55s (x3 over 2m25s) kubelet, kubernetes02 Created container
Normal Started 55s (x3 over 2m25s) kubelet, kubernetes02 Started container
Warning Unhealthy 20s (x8 over 115s) kubelet, kubernetes02 Liveness probe failed: HTTP probe failed with statuscode: 403
通过查看Events输出我们可以看到探针工作和恢复机制工作的过程
4.总结
自我感觉Pod对象相关的知识比较多但是很重要,在运行大规模集群包含各种各样任务的时候,会存在各种各样的关系,关系的妥善处理维护才是编排和系统管理最困难的地方。使用传统虚拟机的粒度控制的相对较粗,没有通过Kubernetes编排Pod这种方式粒度控制的细,最后Kubernetes声明式的API具有超强的编排能力。
PS:文中服务器使用的是国内某☁️的机器
欢迎大家留言讨论哦,欢迎大家和我一起研究学习Kubernetes~~~
最新文章
- 基于spring注解AOP的异常处理
- ubuntu 常见错误--Could not get lock /var/lib/dpkg/lock
- redis主从
- win8提升winform软件的权限
- 一道 google曾出过的笔试题:编程实现对数学一元多项式的相加和相乘操作(1)
- Interproscan, xml文件转化为tsv
- SmartWiki文档在线管理系统简介
- PHP 文件上传类
- BZOJ3329 : Xorequ
- hdoj 2049 错排
- Vijos.1096 津津储蓄计划
- Eclipse设置问题:字体大小、修改注释内容、修改快捷键
- 【译】Envoy with Nomad and Consul (一)
- hibernate学习(一)配置,导包
- vue自定义指令用法总结及案例
- Asp.net中web.config配置文件详解(二)
- hdu2295DLX重复覆盖+二分
- PAT 1005 Spell It Right
- socket实现两台FTP服务器指定目录下的文件转移(不依赖第三方jar包)
- Oracle EBS FTP显示无法与某IP 连接
热门文章
- jdk8中tomcat修改配置PermSize为MetaspaceSize 标签: tomcatPermSizeMetaspaceSize
- 多线程之ThreadLocal
- 利用java代码生成keyStore
- vmstat命令参数详解
- <摘录>字节对齐与结构体大小
- [图解tensorflow源码] Graph 图构建 (Graph Constructor)
- C++STL之unordered_map与QT的QHash对比
- Hive--可执行SQL的Hadoop数据仓库管理工具
- 使用jieba导入引用方法时,报错AttributeError: module 'jieba' has no attribute 'cut'
- SAP查找用户的登录记录