Open diguage opened 5 years ago
After you create the PersistentVolumeClaim, the Kubernetes control plane looks for a PersistentVolume that satisfies the claim’s requirements. If the control plane finds a suitable PersistentVolume with the same StorageClass, it binds the claim to the volume.
Configure a Security Context for a Pod or Container - Kubernetes: read through all of the Linux-related documents referenced there.
The securityContext field is a SecurityContext object.
Learn about Linux capabilities:
cd /proc/1
There is a whole other world in there: cat /proc/1/status
Eye-opening. Learn how Linux represents processes.
Share Process Namespace between Containers in a Pod - Kubernetes -- Linux processes really are fascinating...
How do you set up a private Docker Image Registry? How do you configure a single private Registry for the whole Kubernetes cluster?
Answer: add imagePullSecrets to the ServiceAccount configuration; then pulling images from the private Registry no longer requires imagePullSecrets in the Pod YAML. But pulling from Docker Hub then fails as well. How do you clean up Docker images that are no longer used in the Kubernetes cluster?
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: init-demo
spec:
  containers:
  - name: nginx-ctr
    image: nginx
    ports:
    - containerPort: 80
    volumeMounts:
    - name: workdir
      # This was first written as /user; after correcting it, updating the Pod with
      # kubectl apply -f init-containers.yaml failed
      mountPath: /usr/share/nginx/html
  initContainers:
  - name: install
    image: busybox
    command:
    - wget
    - "-O"
    - "/work-dir/index.html"
    - https://kubernetes.io
    volumeMounts:
    - name: workdir
      mountPath: "/work-dir"
  dnsPolicy: Default
  volumes:
  - name: workdir
    emptyDir: {}
```
Error log:
```
➜ kubectl apply -f init-containers.yaml
The Pod "init-demo" is invalid: spec: Forbidden: pod updates may not change fields other than `spec.containers[*].image`, `spec.initContainers[*].image`, `spec.activeDeadlineSeconds` or `spec.tolerations` (only additions to existing tolerations)
core.PodSpec{
Volumes: []core.Volume{{Name: "workdir", VolumeSource: core.VolumeSource{EmptyDir: &core.EmptyDirVolumeSource{}}}, {Name: "default-token-pm7m9", VolumeSource: core.VolumeSource{Secret: &core.SecretVolumeSource{SecretName: "default-token-pm7m9", DefaultMode: &420}}}},
InitContainers: []core.Container{{Name: "install", Image: "busybox", Command: []string{"wget", "-O", "/work-dir/index.html", "https://kubernetes.io"}, VolumeMounts: []core.VolumeMount{{Name: "workdir", MountPath: "/work-dir"}, {Name: "default-token-pm7m9", ReadOnly: true, MountPath: "/var/run/secrets/kubernetes.io/serviceaccount"}}, TerminationMessagePath: "/dev/termination-log", TerminationMessagePolicy: "File", ImagePullPolicy: "Always"}},
Containers: []core.Container{
{
... // 7 identical fields
Env: nil,
Resources: core.ResourceRequirements{},
VolumeMounts: []core.VolumeMount{
{
- Name: "default-token-pm7m9",
+ Name: "workdir",
- ReadOnly: true,
+ ReadOnly: false,
- MountPath: "/var/run/secrets/kubernetes.io/serviceaccount",
+ MountPath: "/user/share/nginx/html",
SubPath: "",
MountPropagation: nil,
SubPathExpr: "",
},
{
- Name: "workdir",
+ Name: "default-token-pm7m9",
- ReadOnly: false,
+ ReadOnly: true,
- MountPath: "/usr/share/nginx/html",
+ MountPath: "/var/run/secrets/kubernetes.io/serviceaccount",
SubPath: "",
MountPropagation: nil,
SubPathExpr: "",
},
},
VolumeDevices: nil,
LivenessProbe: nil,
... // 9 identical fields
},
},
RestartPolicy: "Always",
TerminationGracePeriodSeconds: &30,
... // 21 identical fields
}
```
Start a Pod with pod-single-configmap-env-variable.yaml:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
  - name: test-ctr
    image: k8s.gcr.io/busybox
    command: ["/bin/sh", "-c", "env"]
    env:
    - name: SPECIAL_LEVEL_KEY
      valueFrom:
        configMapKeyRef:
          name: special-config
          key: special.how
  restartPolicy: Never
```
Starting another Pod with pod-multiple-configmap-env-variable.yaml then fails:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
  - name: test-container
    image: k8s.gcr.io/busybox
    command: ["/bin/sh", "-c", "env"]
    env:
    - name: SPECIAL_LEVEL_KEY
      valueFrom:
        configMapKeyRef:
          name: special-config
          key: special.how
    - name: LOG_LEVEL
      valueFrom:
        configMapKeyRef:
          name: env-config
          key: log_level
  restartPolicy: Never
```
Error log:
```
➜ kubectl apply -f pod-multiple-configmap-env-variable.yaml
The Pod "dapi-test-pod" is invalid: spec: Forbidden: pod updates may not change fields other than `spec.containers[*].image`, `spec.initContainers[*].image`, `spec.activeDeadlineSeconds` or `spec.tolerations` (only additions to existing tolerations)
core.PodSpec{
Volumes: []core.Volume{{Name: "default-token-pm7m9", VolumeSource: core.VolumeSource{Secret: &core.SecretVolumeSource{SecretName: "default-token-pm7m9", DefaultMode: &420}}}},
InitContainers: nil,
Containers: []core.Container{
{
- Name: "test-container",
+ Name: "test-ctr",
Image: "k8s.gcr.io/busybox",
Command: []string{"/bin/sh", "-c", "env"},
... // 2 identical fields
Ports: nil,
EnvFrom: nil,
Env: []core.EnvVar{
{Name: "SPECIAL_LEVEL_KEY", ValueFrom: &core.EnvVarSource{ConfigMapKeyRef: &core.ConfigMapKeySelector{LocalObjectReference: core.LocalObjectReference{Name: "special-config"}, Key: "special.how"}}},
- {
- Name: "LOG_LEVEL",
- ValueFrom: &core.EnvVarSource{
- ConfigMapKeyRef: &core.ConfigMapKeySelector{
- LocalObjectReference: core.LocalObjectReference{Name: "env-config"},
- Key: "log_level",
- },
- },
- },
},
Resources: core.ResourceRequirements{},
- VolumeMounts: nil,
+ VolumeMounts: []core.VolumeMount{
+ {
+ Name: "default-token-pm7m9",
+ ReadOnly: true,
+ MountPath: "/var/run/secrets/kubernetes.io/serviceaccount",
+ },
+ },
VolumeDevices: nil,
LivenessProbe: nil,
... // 9 identical fields
},
},
RestartPolicy: "Never",
TerminationGracePeriodSeconds: &30,
... // 21 identical fields
}
```
When configuring a ConfigMap, if the name already exists the configuration is appended. -- Verify this.
```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: mem-cpu-demo
spec:
  hard:
    requests.cpu: "1"
    requests.memory: 1Gi
    limits.cpu: "2"
    limits.memory: 2Gi
```
Why is the way requests and limits are written here so inconsistent with everywhere else?
Overview of kubectl - Kubernetes -- the kubectl documentation, worth a read.
Every container in a Pod has token, namespace and ca.crt under the /var/run/secrets/kubernetes.io/serviceaccount directory.
Task
Configure Pods and Containers
No dependency is declared between task-pv-volume and task-pv-claim, so why are they associated automatically?
Administer a Cluster
kubeadm alpha certs check-expiration
Cannot find the /etc/kubernetes/pki/apiserver-etcd-client.crt certificate. Introduction to the certificates: PKI certificates and requirements - Kubernetes
alpha certs renew uses the existing certificates as the authoritative source for attributes (Common Name, Organization, SAN, etc.) instead of the kubeadm-config ConfigMap. It is strongly recommended to keep them both in sync.
How do you keep them in sync?
limit and request?
type: Container -- can a Namespace be specified here as well?
curl $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure -- how can --insecure be removed?
curl $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure -- the TOKEN is only valid for a limited period. How do you generate a long-lived TOKEN? How do you configure the validity period of a generated TOKEN? Reading Controlling Access to the Kubernetes API - Kubernetes may help.
Think about whether the service being exposed is secure. Does it do its own authentication?
-- Think, think...
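Added example (my own, not part of the notes above): the notes point at `cat /proc/1/status` as the place to learn about Linux capabilities. The `Cap*` lines there are hex bitmasks, so this POSIX sh helper decodes `CapEff` into `CAP_*` names, which is the quickest way to confirm what a container's PID 1 can actually do after a Pod's `securityContext.capabilities.add`/`drop` has been applied. The sample status text is constructed (it shows the common default capability set of an unprivileged container); the bit-to-name table follows the kernel's `capability.h` numbering, and the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): decode the CapEff bitmask that
# `cat /proc/1/status` shows into CAP_* names, to check what a container's PID 1
# can really do after securityContext.capabilities add/drop. POSIX sh only.

# Constructed sample of the relevant lines from /proc/1/status inside an
# unprivileged container (the common default capability set).
SAMPLE_STATUS='Name:	nginx
Pid:	1
CapInh:	0000000000000000
CapPrm:	00000000a80425fb
CapEff:	00000000a80425fb
CapBnd:	00000000a80425fb
CapAmb:	0000000000000000'

# Map a bit number (0..40) to its name; order follows the kernel's capability.h.
cap_name() {
    bit=$1
    set -- CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID \
        SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW \
        IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT \
        SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD \
        LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG \
        WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE
    # Bits this table does not know are printed by number instead of failing.
    [ "$bit" -le 40 ] || { printf 'CAP_%s' "$bit"; return; }
    shift "$bit"
    printf 'CAP_%s' "$1"
}

# Decode a 16-digit hex mask into a space-separated list of names.
decode_caps() {
    val=$((0x$1))
    i=0
    out=""
    while [ "$i" -le 40 ]; do
        if [ $(( (val >> i) & 1 )) -eq 1 ]; then
            out="$out $(cap_name "$i")"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

# Pull the CapEff value out of a /proc/<pid>/status text.
cap_eff_from_status() {
    printf '%s\n' "$1" | awk '/^CapEff:/ { print $2 }'
}

# Return 0 if the named capability is in the mask, e.g. has_cap "$mask" CAP_NET_RAW.
has_cap() {
    case " $(decode_caps "$1") " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# Stand-alone run: decode the constructed sample, then this shell's own
# process if /proc is available (inside a container, use /proc/1/status).
mask=$(cap_eff_from_status "$SAMPLE_STATUS")
printf 'sample CapEff %s: %s\n' "$mask" "$(decode_caps "$mask")"
if [ -r /proc/self/status ]; then
    live=$(cap_eff_from_status "$(cat /proc/self/status)")
    printf 'this shell CapEff %s: %s\n' "$live" "$(decode_caps "$live")"
fi
```

The sample mask `a80425fb` decodes to the 14 capabilities a container runtime grants by default (CAP_NET_RAW and CAP_MKNOD among them); after `capabilities: {drop: ["ALL"]}` the same line reads all zeros, and `has_cap` gives a scriptable check for either case.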
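Added example (my own, not part of the notes above): the three files under /var/run/secrets/kubernetes.io/serviceaccount noted earlier are all that is needed to call the API server from inside a Pod without `--insecure`. `ca.crt` goes to curl as `--cacert` so the server certificate is actually verified, `token` goes into the Authorization header, and `namespace` scopes the request to the Pod's own namespace. `SA_DIR`, the helper names and the constructed directory used in testing are my choices; `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` are the variables kubelet injects into every container. On clusters since Kubernetes 1.22 the token file is a projected, expiring token that kubelet rotates in place, which is why the helper reads it on every call instead of caching it.

```shell
#!/bin/sh
# Added example, not part of the original notes: talk to the API server from
# inside a Pod using the files kubelet mounts at
# /var/run/secrets/kubernetes.io/serviceaccount (token, ca.crt, namespace).
# Verifying the server with the mounted ca.crt is what lets --insecure be
# dropped. SA_DIR is overridable so the helpers can be exercised against a
# constructed directory outside a cluster.

SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"

# In-cluster address: kubelet injects KUBERNETES_SERVICE_HOST/PORT into every
# container; the cluster DNS name is the fallback.
apiserver_url() {
    printf 'https://%s:%s' "${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}" \
        "${KUBERNETES_SERVICE_PORT:-443}"
}

# Return 0 when all three mounted files are present and non-empty.
sa_check_dir() {
    for f in token ca.crt namespace; do
        [ -s "$1/$f" ] || { printf 'missing or empty: %s/%s\n' "$1" "$f" >&2; return 1; }
    done
}

# The namespace file lets a Pod address its own namespace without hardcoding it.
sa_namespace() {
    cat "$1/namespace"
}

# API path for listing Pods in the Pod's own namespace.
sa_pods_path() {
    printf '/api/v1/namespaces/%s/pods' "$(sa_namespace "$1")"
}

# Perform the request. The token is read on every call because on recent
# clusters it is a projected, expiring token that kubelet rotates in place.
# Extra curl arguments (for example -X GET) can follow the path.
sa_curl() {
    dir="$1"; path="$2"; shift 2
    sa_check_dir "$dir" || return 1
    curl --silent --show-error --fail \
        --cacert "$dir/ca.crt" \
        -H "Authorization: Bearer $(cat "$dir/token")" \
        "$@" "$(apiserver_url)$path"
}

# Preview the command with the token redacted, safe to paste into a bug report.
sa_curl_preview() {
    printf 'curl --cacert %s/ca.crt -H "Authorization: Bearer <redacted>" %s%s\n' \
        "$1" "$(apiserver_url)" "$2"
}

# Stand-alone run inside a Pod: list the Pod's own namespace. A 403 here means
# the token authenticated but the service account lacks RBAC for the request.
if sa_check_dir "$SA_DIR" 2>/dev/null; then
    sa_curl_preview "$SA_DIR" "$(sa_pods_path "$SA_DIR")"
    sa_curl "$SA_DIR" "$(sa_pods_path "$SA_DIR")"
fi
```

Run it unchanged inside a Pod; outside a cluster, point `SA_DIR` at a directory containing the three files to exercise the helpers. The preview function exists because the real command line carries a bearer token, and pasting it into a shell history, ticket or log discloses a credential.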