I: Question 1

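Create a ClusterRole named deployment-clusterrole that grants only the create permission on Deployment, DaemonSet and StatefulSet. In the specified namespace exam, create a ServiceAccount named exam-user, and bind the ClusterRole created in the previous step to that ServiceAccount.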

Create the ClusterRole from the command line

    [root@master ~]# kubectl create clusterrole -h
    Create a ClusterRole.
    Examples:
    # Create a ClusterRole named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
    kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods
    .............
    Usage:
    kubectl create clusterrole NAME --verb=verb --resource=resource.group [--resource-name=resourcename]
    [--dry-run=server|client|none] [options]
    Use "kubectl options" for a list of global command-line options (applies to all commands).
    ## The creation step is here
    [root@master ~]# kubectl create clusterrole deployment-clusterrole --verb=create --resource=Deployment,Daemonset,Statefulset
    clusterrole.rbac.authorization.k8s.io/deployment-clusterrole created

Create it by writing YAML

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole   # cluster-scoped role
    metadata:
      # "namespace" omitted since ClusterRoles are not namespaced
      name: deployment-clusterrole
    rules:
    - apiGroups: ["apps"]   # Deployments, DaemonSets and StatefulSets are in the apps group
      resources: ["deployments", "daemonsets", "statefulsets"]
      verbs: ["create"]

Create the exam namespace

    [root@master ~]# kubectl create ns exam

Create the ServiceAccount

    [root@master ~]# kubectl create serviceaccount exam-user -n exam

Bind the ClusterRole to the ServiceAccount

    [root@master ~]# kubectl create rolebinding -h
    Create a RoleBinding for a particular Role or ClusterRole.
    Examples:
    # Create a RoleBinding for user1, user2, and group1 using the admin ClusterRole
    kubectl create rolebinding admin --clusterrole=admin --user=user1 --user=user2 --group=group1
    .....................
    Usage:
    kubectl create rolebinding NAME --clusterrole=NAME|--role=NAME [--user=username] [--group=groupname]
    [--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none] [options]
    Use "kubectl options" for a list of global command-line options (applies to all commands).
    ## Perform the binding
    [root@master ~]# kubectl create rolebinding exam-binding --clusterrole=deployment-clusterrole --serviceaccount=exam:exam-user -n exam

Bind by writing YAML

    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: deployment-rolebinding
      namespace: exam   # the binding grants the role's permissions only in this namespace
    roleRef:
      apiGroup: rbac.authorization.k8s.io   # group name only, without the version
      kind: ClusterRole
      name: deployment-clusterrole
    subjects:
    - kind: ServiceAccount
      name: exam-user
      namespace: exam
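
The following is an added example, not code from the original page: a simplified Python model of how RBAC evaluates a request against the ClusterRole and RoleBinding of this question. It shows that the grant is limited to create, limited to the exam namespace, and that a rule listing the core API group "" instead of apps grants nothing on Deployments. The dictionaries are constructed stand-ins for the manifests, and the model ignores resourceNames, subresources and ClusterRoleBindings.

```python
# Simplified model of Kubernetes RBAC evaluation (added example; ignores
# resourceNames, subresources, nonResourceURLs and ClusterRoleBindings).

def rule_allows(rule, verb, api_group, resource):
    """A rule matches only if verb, API group and resource all match ("*" = any)."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule["verbs"], verb)
            and hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource))

def can_i(cluster_roles, role_bindings, subject, verb, api_group, resource, namespace):
    """True if some RoleBinding in `namespace` grants the request to `subject`."""
    for rb in role_bindings:
        if rb["namespace"] != namespace:      # a RoleBinding only grants in its own namespace
            continue
        if subject not in rb["subjects"]:
            continue
        role = cluster_roles.get(rb["roleRef"], {"rules": []})
        if any(rule_allows(r, verb, api_group, resource) for r in role["rules"]):
            return True
    return False                              # RBAC is deny-by-default

WORKLOADS = ["deployments", "daemonsets", "statefulsets"]
# Constructed objects mirroring the manifests in this section.
ROLES_APPS = {"deployment-clusterrole": {"rules": [
    {"apiGroups": ["apps"], "resources": WORKLOADS, "verbs": ["create"]}]}}
# Same role with the core group "": Deployments are not served from that group.
ROLES_CORE = {"deployment-clusterrole": {"rules": [
    {"apiGroups": [""], "resources": WORKLOADS, "verbs": ["create"]}]}}
SA = ("ServiceAccount", "exam", "exam-user")
BINDINGS = [{"name": "deployment-rolebinding", "namespace": "exam",
             "roleRef": "deployment-clusterrole", "subjects": [SA]}]

def check(roles, verb, resource, namespace, group="apps"):
    """Ask whether exam-user may perform `verb` on `resource` in `namespace`."""
    return can_i(roles, BINDINGS, SA, verb, group, resource, namespace)

if __name__ == "__main__":
    print("create deployments in exam:   ", check(ROLES_APPS, "create", "deployments", "exam"))
    print("delete deployments in exam:   ", check(ROLES_APPS, "delete", "deployments", "exam"))
    print("create deployments in default:", check(ROLES_APPS, "create", "deployments", "default"))
    print("create pods in exam (core):   ", check(ROLES_APPS, "create", "pods", "exam", group=""))
    print('apiGroups [""] variant:       ', check(ROLES_CORE, "create", "deployments", "exam"))
```

On a live cluster the same questions can be asked with `kubectl auth can-i create deployments -n exam --as=system:serviceaccount:exam:exam-user`.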

II: Question 2

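  1. In the default namespace, use the nginx image to create a workload named nginx-exam, pin its pod to the master node, and then expose port 10080 externally via NodePort.

  2. In the default namespace, create an HPA rule named nginx-exam-autoscale to manage the nginx-exam workload from the previous item, with its Pod replica count varying dynamically between 1 and 10.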

Create the stateless Deployment workload

    [root@master ~]# vi nginx-exam.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx-exam   # workload name required by the question
      namespace: default
    spec:
      replicas: 2
      selector:
        matchLabels:
          app: nginx
      template:
        metadata:
          labels:
            app: nginx
        spec:
          nodeName: master   # schedule the pod directly onto the master node
          containers:
          - name: nginx
            image: nginx
            imagePullPolicy: IfNotPresent
            ports:
            - name: mynginxport
              containerPort: 80

Create a Service to expose the port

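Before writing the Service, edit /etc/kubernetes/manifests/kube-apiserver.yaml and add the line below. By default the ports exposed through NodePort fall in roughly 30000-32XXX, which does not include 10080, so the file has to be changed.

    - --service-node-port-range=10000-49999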

    [root@master ~]# vi svc-deploy.yaml
    apiVersion: v1
    kind: Service
    metadata:
      name: svc-deploy
    spec:
      selector:
        app: nginx   # the label must select the pods created above
      type: NodePort
      ports:
      - name: myport
        targetPort: 80
        port: 80
        nodePort: 10080