1 RBAC
Switch context
kubectl create ns app-team1
kubectl create serviceaccount cicd-token -n app-team1
kubectl create clusterrole deployment-clusterrole --verb=create --resource=deployment,statefulset,daemonset
kubectl create rolebinding cicd-clusterrole --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token -n app-team1
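An optional sanity check that the binding works as intended:
kubectl auth can-i create deployments --as=system:serviceaccount:app-team1:cicd-token -n app-team1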
2 Make a node unavailable
Switch context
kubectl cordon ek8s-node-1
kubectl drain ek8s-node-1 --ignore-daemonsets --delete-emptydir-data --force (on older kubectl the flag was --delete-local-data)
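Optional check that the node is cordoned (STATUS should show SchedulingDisabled):
kubectl get node ek8s-node-1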
3 Upgrade kubeadm
apt-cache show kubeadm | grep 1.20.1-00
kubectl version
Switch context
kubectl get nodes
ssh mk8s-master-0
kubectl cordon mk8s-master-0
kubectl drain mk8s-master-0 --ignore-daemonsets
apt-mark unhold kubeadm
apt-get update && apt-get install -y kubeadm=1.20.1-00
kubeadm upgrade plan
kubeadm upgrade apply v1.20.1 --etcd-upgrade=false
apt-mark unhold kubelet kubectl
apt-get install -y kubelet=1.20.1-00 kubectl=1.20.1-00
apt-mark hold kubeadm kubelet kubectl
systemctl daemon-reload
systemctl restart kubelet.service
kubectl uncordon mk8s-master-0
If CoreDNS misbehaves after the upgrade, it can be rolled back:
kubectl -n kube-system rollout history deployment coredns
kubectl -n kube-system rollout undo deployment coredns
4 Back up and restore etcd
Lab environment setup (copy etcdctl out of the etcd container):
export ETCDCTL_API=3
[rancher@rmaster01 ~]$ docker ps -a |grep etcd
c93210bbcacc rancher/rke-tools:v0.1.72 "/docker-entrypoint.…" 3 weeks ago Up 6 days etcd-rolling-snapshots
e073d4c5266b rancher/coreos-etcd:v3.4.13-rancher1 "/usr/local/bin/etcd…" 3 weeks ago Up 6 days etcd
[rancher@rmaster01 ~]$ docker cp e073d4c5266b:/usr/local/bin/etcdctl /usr/local/bin
open /usr/local/bin/etcdctl: permission denied
[rancher@rmaster01 ~]$ exit
logout
[root@rmaster01 ~]# docker cp e073d4c5266b:/usr/local/bin/etcdctl /usr/local/bin
Backup:
export ETCDCTL_API=3
ETCDCTL_API=3 etcdctl --endpoints https://172.0.0.1:2379 --cacert=/opt/KUIN00601/ca.crt --cert=/opt/KUIN00601/etcd-client.crt --key=/opt/KUIN00601/etcd-client.key snapshot save /var/lib/backup/etcd-snapshot.db
Check the backup:
ETCDCTL_API=3 etcdctl --write-out=table snapshot status /var/lib/backup/etcd-snapshot.db
Restore:
systemctl stop kubelet
mv /var/lib/etcd/ /var/lib/bak_etcd
ETCDCTL_API=3 etcdctl --endpoints https://172.0.0.1:2379 --cacert=/opt/KUIN00601/ca.crt --cert=/opt/KUIN00601/etcd-client.crt --key=/opt/KUIN00601/etcd-client.key --name k8s-master --data-dir="/var/lib/etcd/" --skip-hash-check --initial-advertise-peer-urls=https://127.0.0.1:2380 --initial-cluster k8s-master=https://127.0.0.1:2380 snapshot restore /var/lib/backup/etcd-snapshot-previous.db
systemctl start kubelet
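A quick health check after the restore (same endpoint and cert flags as the backup command):
ETCDCTL_API=3 etcdctl --endpoints https://172.0.0.1:2379 --cacert=/opt/KUIN00601/ca.crt --cert=/opt/KUIN00601/etcd-client.crt --key=/opt/KUIN00601/etcd-client.key endpoint health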
5 Configure a network policy
https://kubernetes.io/docs/concepts/services-networking/network-policies/
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978
Create a NetworkPolicy named allow-port-from-namespace in namespace fubar that only allows pods in namespace my-app to reach port 80 of pods in fubar.
Note: two namespaces are involved: fubar (the namespace of the target pods) and my-app (the namespace of the source pods).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-port-from-namespace
  namespace: fubar
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          my-app-key: my-app-value
    ports:
    - protocol: TCP
      port: 80
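The namespaceSelector only matches if my-app actually carries that label; my-app-key/my-app-value are placeholders. Label the namespace first (or, on 1.21+, match the automatic kubernetes.io/metadata.name: my-app label instead):
kubectl label ns my-app my-app-key=my-app-value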
6 Create a service
1) Edit the front-end deployment and add the following under its container:
kubectl edit deployment front-end
ports:
- name: http
  protocol: TCP
  containerPort: 80
2) Expose the port:
kubectl expose deployment front-end --type=NodePort --port=80 --target-port=80 --name=front-end-svc
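Optional check that the service and its NodePort were created:
kubectl get svc front-end-svc -o wide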
7 Create an ingress
https://kubernetes.io/docs/concepts/services-networking/ingress/
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minimal-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - http:
      paths:
      - path: /testpath
        pathType: Prefix
        backend:
          service:
            name: test
            port:
              number: 80
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ping
  namespace: ing-internal
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - http:
      paths:
      - path: /hello
        pathType: Prefix
        backend:
          service:
            name: hello
            port:
              number: 5678
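Optional check (the controller address is environment-specific; <ingress-ip> is a placeholder):
kubectl get ingress ping -n ing-internal
curl <ingress-ip>/hello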
8 Scale a deployment
kubectl scale deployment --replicas=6 guestbook
9 Schedule a pod to a specific node
https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    env: test
spec:
  containers:
  - name: nginx
    image: nginx
    imagePullPolicy: IfNotPresent
  nodeSelector:
    disktype: ssd
Switch context
apiVersion: v1
kind: Pod
metadata:
  name: nginx-kusc0041
spec:
  containers:
  - name: nginx
    image: nginx
  nodeSelector:
    disk: ssd
Walkthrough:
[root@master ~]# kubectl label nodes node01 disk=ssd
node/node01 labeled
[root@master ~]# kubectl get nodes --show-labels
NAME STATUS ROLES AGE VERSION LABELS
master Ready master 28d v1.18.17 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=master,kubernetes.io/os=linux,node-role.kubernetes.io/master=
node01 Ready <none> 28d v1.18.0 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,disk=ssd,kubernetes.io/arch=amd64,kubernetes.io/hostname=node01,kubernetes.io/os=linux
node02 Ready <none> 28d v1.18.0 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=node02,kubernetes.io/os=linux
[root@master ~]#
[root@master ~]# kubectl run nginx-kusc0041 --image=nginx --dry-run=client -oyaml > 9.yaml
[root@master ~]#
Edit the YAML file and add the nodeSelector:
  nodeSelector:
    disk: ssd
[root@master ~]# cat 9.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx-kusc0041
  name: nginx-kusc0041
spec:
  containers:
  - image: nginx
    name: nginx-kusc0041
    resources: {}
  nodeSelector:
    disk: ssd
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
[root@master ~]#
[root@master ~]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
myapp-687598b8b4-9w6m6 1/1 Running 0 61m 172.16.196.132 node01 <none> <none>
myapp-687598b8b4-j7b54 1/1 Running 0 61m 172.16.196.133 node01 <none> <none>
myapp-687598b8b4-wrkm9 1/1 Running 0 61m 172.16.196.134 node01 <none> <none>
nginx-kusc0041 1/1 Running 0 64s 172.16.196.136 node01 <none> <none>
[root@master ~]#
Remove the label:
[root@master ~]# kubectl get nodes node01 --show-labels
NAME STATUS ROLES AGE VERSION LABELS
node01 Ready <none> 28d v1.18.0 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,disk=ssd,kubernetes.io/arch=amd64,kubernetes.io/hostname=node01,kubernetes.io/os=linux
[root@master ~]# kubectl label nodes node01 disk-
node/node01 labeled
[root@master ~]#
Label node02 and verify again:
[root@master ~]# kubectl label nodes node02 disk=ssd
node/node02 labeled
[root@master ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
myapp-687598b8b4-9w6m6 1/1 Running 0 66m
myapp-687598b8b4-j7b54 1/1 Running 0 66m
myapp-687598b8b4-wrkm9 1/1 Running 0 66m
nginx-kusc0041 1/1 Running 0 5m49s
[root@master ~]# kubectl delete pod nginx-kusc0041
pod "nginx-kusc0041" deleted
[root@master ~]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
myapp-687598b8b4-9w6m6 1/1 Running 0 67m 172.16.196.132 node01 <none> <none>
myapp-687598b8b4-j7b54 1/1 Running 0 67m 172.16.196.133 node01 <none> <none>
myapp-687598b8b4-wrkm9 1/1 Running 0 67m 172.16.196.134 node01 <none> <none>
[root@master ~]# kubectl apply -f 9.yaml
pod/nginx-kusc0041 created
[root@master ~]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
myapp-687598b8b4-9w6m6 1/1 Running 0 67m 172.16.196.132 node01 <none> <none>
myapp-687598b8b4-j7b54 1/1 Running 0 67m 172.16.196.133 node01 <none> <none>
myapp-687598b8b4-wrkm9 1/1 Running 0 67m 172.16.196.134 node01 <none> <none>
nginx-kusc0041 1/1 Running 0 4s 172.16.140.76 node02 <none> <none>
[root@master ~]#
10 Count nodes in Ready state
Switch context
kubectl get nodes
kubectl describe nodes | grep -i taint | grep NoSchedule
Subtract the second count from the first, then write the result: echo <number> > /path/file (see the sketch below)
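A combined sketch mirroring the two commands above (/path/file stands in for whatever path the task specifies):
READY=$(kubectl get nodes --no-headers | grep -cw Ready)
TAINTED=$(kubectl describe nodes | grep -i taint | grep -c NoSchedule)
echo $((READY - TAINTED)) > /path/file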
11 Create a pod with multiple containers
https://kubernetes.io/docs/concepts/workloads/pods/
apiVersion: v1
kind: Pod
metadata:
  name: kucc1
spec:
  containers:
  - name: nginx
    image: nginx
  - name: redis
    image: redis
Walkthrough:
[root@master ~]# kubectl run kucc1 --image=nginx --dry-run=client -oyaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: kucc1
  name: kucc1
spec:
  containers:
  - image: nginx
    name: kucc1
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
[root@master ~]#
12 Create a PersistentVolume
apiVersion: v1
kind: PersistentVolume
metadata:
  name: task-pv-volume
  labels:
    type: local
spec:
  storageClassName: manual
  capacity:
    storage: 10Gi
  accessModes:
  - ReadWriteOnce
  hostPath:
    path: "/mnt/data"

apiVersion: v1
kind: PersistentVolume
metadata:
  name: app-config
spec:
  capacity:
    storage: 2Gi
  accessModes:
  - ReadWriteMany
  hostPath:
    path: /srv/app-config
Walkthrough:
[root@master ~]# kubectl apply -f 12.yaml
persistentvolume/app-config created
[root@master ~]# kubectl get pv
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
app-config 2Gi RWX Retain Available 4s
[root@master ~]#
13 Create a PersistentVolumeClaim
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pv-volume
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 10Mi
  storageClassName: csi-hostpath-sc
apiVersion: v1
kind: Pod
metadata:
  name: web-server
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - mountPath: "/usr/share/nginx/html"
      name: mypv
  volumes:
  - name: mypv
    persistentVolumeClaim:
      claimName: pv-volume
Then expand the claim by editing spec.resources.requests.storage, recording the change:
kubectl edit pvc pv-volume --record
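Optional check that the claim is Bound and the new size took effect:
kubectl get pvc pv-volume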
14 Monitor pod logs
Switch context
kubectl logs foobar | grep unable-to-access-website > /opt/KUTR00101/foobar
15 Add a sidecar container that streams logs
https://kubernetes.io/docs/concepts/cluster-administration/logging/
kubectl get pod big-corp-app -oyaml >15.yaml
    volumeMounts:
    - name: varlog
      mountPath: /var/log
  - name: count-log-1
    image: busybox
    args: [/bin/sh, -c, 'tail -n+1 -f /var/log/1.log']
    volumeMounts:
    - name: varlog
      mountPath: /var/log
  - name: count-log-2
    image: busybox
    args: [/bin/sh, -c, 'tail -n+1 -f /var/log/2.log']
    volumeMounts:
    - name: varlog
      mountPath: /var/log
  volumes:
  - name: varlog
    emptyDir: {}
    volumeMounts:
    - name: varlog
      mountPath: /var/log
  - name: sidecar
    image: busybox
    args: [/bin/sh, -c, 'tail -n+1 -f /var/log/11-factor-app.log']
    volumeMounts:
    - name: varlog
      mountPath: /var/log
  volumes:
  - name: varlog
    emptyDir: {}
Walkthrough:
    volumeMounts:
    - name: logs
      mountPath: /var/log
  - name: busybox
    image: busybox
    args: [/bin/sh, -c, 'tail -n+1 -f /var/log/big-corp-app.log']
    volumeMounts:
    - name: logs
      mountPath: /var/log
  volumes:
  - name: logs
    emptyDir: {}
16 Find the pod with the highest CPU usage
Switch context
kubectl top pod -l name=cpu-loader -A --sort-by=cpu
echo <podName> >> /opt/KUTR00401/KUTR00401.txt
17 Troubleshoot a faulty node in the cluster
Switch context
kubectl get nodes
ssh wk8s-node-0
sudo -i
systemctl status kubelet
systemctl enable kubelet
systemctl restart kubelet
systemctl status kubelet
Run kubectl get nodes again to confirm the node is back in Ready state.
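If kubelet will not start, its journal usually shows why (optional check):
journalctl -u kubelet --no-pager | tail -n 50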