diguage / kubernetes-notes

The notes for Kubernetes.
Apache License 2.0

Tasks - Kubernetes #2

Open diguage opened 5 years ago

diguage commented 5 years ago

Task

Configure Pods and Containers

  1. Configure a Pod to Use a PersistentVolume for Storage - Kubernetes -- No dependency is declared between task-pv-volume and task-pv-claim, so why do they get associated automatically?
  2. "Storage configured with a group ID (GID) allows writing only by Pods using the same GID. Mismatched or missing GIDs cause permission denied errors. To reduce the need for coordination with users, an administrator can annotate a PersistentVolume with a GID. Then the GID is automatically added to any Pod that uses the PersistentVolume." -- So using this PV automatically adds the GID. Why isn't it the other way round, that only a Pod which already has the GID may use this PV?

Administer a Cluster

  1. Understand how X.509 certificates work.
  2. Running kubeadm alpha certs check-expiration cannot find the /etc/kubernetes/pki/apiserver-etcd-client.crt certificate. Certificate overview: PKI certificates and requirements - Kubernetes
  3. "alpha certs renew uses the existing certificates as the authoritative source for attributes (Common Name, Organization, SAN, etc.) instead of the kubeadm-config ConfigMap. It is strongly recommended to keep them both in sync." -- How do you keep them in sync?
  4. Read the Ansible Documentation, learn Ansible, and get familiar with the Kubespray installation process.
  5. How do you set limits and requests for an entire Namespace? Where it says type: Container here, can a Namespace be specified as well?
  6. Read the docs: which resources can Kubernetes API Reference Docs -- ResourceQuota and Kubernetes API Reference Docs -- LimitRange each put limits on?
  7. No hands-on exercise was done for the "Install a Network Policy Provider" section.
  8. curl $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure -- How can --insecure be removed?
  9. curl $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure -- The TOKEN is only valid for a limited time. How do you generate a long-lived TOKEN? How do you configure the validity period of generated TOKENs? Reading Controlling Access to the Kubernetes API - Kubernetes may help.
  10. "Think about whether the service being exposed is secure. Does it do its own authentication?" -- Think, think...
diguage commented 5 years ago

1

After you create the PersistentVolumeClaim, the Kubernetes control plane looks for a PersistentVolume that satisfies the claim’s requirements. If the control plane finds a suitable PersistentVolume with the same StorageClass, it binds the claim to the volume.

diguage commented 5 years ago

Configure a Security Context for a Pod or Container - Kubernetes -- read all the Linux-related documents linked from this page.

diguage commented 5 years ago

The securityContext field is a SecurityContext object.

diguage commented 5 years ago

Learn about Linux capabilities:

  1. capabilities(7) - Linux manual page
  2. linux/capability.h at master · torvalds/linux -- definitions of the capability constants.
diguage commented 5 years ago

cd /proc/1 is a whole hidden world, and cat /proc/1/status is an eye-opener. Learn how Linux represents processes.

Share Process Namespace between Containers in a Pod - Kubernetes -- Linux processes really are fascinating...
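As an added example that is not part of the original notes: a POSIX shell decoder for the Cap* lines that cat /proc/1/status prints (CapInh, CapPrm, CapEff, CapBnd, CapAmb are hex bitmasks; bit n is the capability numbered n in linux/capability.h, from CAP_CHOWN = 0 up to CAP_CHECKPOINT_RESTORE = 40). The name table is mine, transcribed from that header, and caps_beyond is a hypothetical helper for checking a container's effective set against what its securityContext was meant to leave after drop: ["ALL"].

```shell
#!/bin/sh
# Added example, not from the original notes: decode a capability bitmask such
# as the CapEff line of /proc/<pid>/status into capability names.
# Name table in bit order, transcribed from the CAP_* constants in
# linux/capability.h (bit 0 = CAP_CHOWN ... bit 40 = CAP_CHECKPOINT_RESTORE).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore"

# decode_caps 00000000a80425fb  -> space-separated cap_* names, one per set bit
decode_caps() {
  [ -n "$1" ] || return 1
  mask=$((0x$1))
  i=0
  out=""
  for name in $CAP_NAMES; do
    if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
      out="$out cap_$name"
    fi
    i=$((i + 1))
  done
  printf '%s\n' "${out# }"
}

# proc_caps [PID] [FIELD] -- read one Cap* field of a process and decode it.
# Defaults to CapEff of the calling shell; use 1 for the container's PID 1.
proc_caps() {
  pid=${1:-$$}
  field=${2:-CapEff}
  hex=$(awk -v f="$field:" '$1 == f {print $2}' "/proc/$pid/status")
  decode_caps "$hex"
}

# caps_beyond MASK cap_a cap_b ... -- capabilities set in MASK that are not in
# the allow-list, one per line (hypothetical helper for auditing a container).
caps_beyond() {
  mask=$1; shift
  for c in $(decode_caps "$mask"); do
    keep=0
    for a in "$@"; do
      if [ "$c" = "$a" ]; then keep=1; fi
    done
    if [ $keep -eq 0 ]; then printf '%s\n' "$c"; fi
  done
  return 0
}
```

Run proc_caps 1 inside a container to see what its PID 1 holds; with shareProcessNamespace: true the Pod's PID 1 is the pause process, so pass the entrypoint's PID instead. 00000000a80425fb is the default set a container runtime hands out, 0000000000000000 is what you want to see after capabilities.drop: ["ALL"], and 000001ffffffffff is all 41 capabilities of a current kernel, which is what a privileged container ends up with.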

diguage commented 5 years ago

How do you set up a private Docker Image Registry? And how do you configure a single private Registry for the whole Kubernetes cluster?

Answer:

  1. harbor/installation_guide.md at master · goharbor/harbor
  2. Pull an Image from a Private Registry - Kubernetes
  3. How To Set Up a Private Docker Registry on Top of DigitalOcean Spaces and Use It with DigitalOcean Kubernetes | DigitalOcean -- How do you run Harbor on top of a Kubernetes cluster?
  4. Configure Service Accounts for Pods - Kubernetes -- You can modify the ServiceAccount and add imagePullSecrets to it, so that pulling images from the private Registry no longer needs imagePullSecrets in the YAML. However, pulls from Docker Hub then fail as well.
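Added example, not from the notes or from any of the linked guides: what kubectl create secret docker-registry puts into the Secret, and the ServiceAccount patch that item 4 describes, built in plain shell so the contents can be inspected. The registry harbor.example.internal, the robot account and its password are made up, and the values are assumed to contain no characters that need JSON escaping.

```shell
#!/bin/sh
# Added example, not from the original notes. Registry, user and password used
# in the usage below are hypothetical.

# docker_config_json REGISTRY USER PASSWORD EMAIL -> the .dockerconfigjson body.
# The "auth" field is only base64 of "user:password": anyone who can read
# Secrets in the namespace can recover the registry credential.
docker_config_json() {
  auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
    "$1" "$2" "$3" "$4" "$auth"
}

# pull_secret_manifest NAME NAMESPACE JSON -> Secret of type
# kubernetes.io/dockerconfigjson; data is base64 of the JSON, not encryption.
pull_secret_manifest() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' \
    "$1" "$2" "$(printf '%s' "$3" | base64 | tr -d '\n')"
}

# sa_pull_secret_patch SECRET_NAME -> merge patch for
#   kubectl patch serviceaccount default -p "$(sa_pull_secret_patch NAME)"
# Every Pod using that ServiceAccount then pulls with the secret, which is
# why no imagePullSecrets is needed in the Pod YAML any more.
sa_pull_secret_patch() {
  printf '{"imagePullSecrets":[{"name":"%s"}]}' "$1"
}

# decode_pull_secret_auth BASE64_DOCKERCONFIGJSON -> "user:password"
# The inverse of the above: what `kubectl get secret -o jsonpath` plus two
# base64 -d give anyone with read access on Secrets.
decode_pull_secret_auth() {
  printf '%s' "$1" | base64 -d | sed -n 's/.*"auth":"\([^"]*\)".*/\1/p' | base64 -d
}

# Usage (hypothetical values):
#   json=$(docker_config_json harbor.example.internal robot 's3cret' robot@example.internal)
#   pull_secret_manifest harbor-pull default "$json" | kubectl apply -f -
#   kubectl -n default patch serviceaccount default -p "$(sa_pull_secret_patch harbor-pull)"
```

The patch applies to one ServiceAccount in one namespace, so it has to be repeated per namespace (or per ServiceAccount) that should pull from the registry; and because the Secret only base64-encodes the password, RBAC on get/list secrets is the control that actually protects the registry credential.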
diguage commented 5 years ago

How do you clean up Docker Images that are no longer used in the Kubernetes cluster?

diguage commented 5 years ago
apiVersion: v1
kind: Pod
metadata:
    name: init-demo
spec:
    containers:
        - name: nginx-ctr
          image: nginx
          ports:
              - containerPort: 80
          volumeMounts:
              - name: workdir
                mountPath: /usr/share/nginx/html  # this was first written as /user; after correcting it, updating the Pod with kubectl apply -f init-containers.yaml failed
    initContainers:
        - name: install
          image: busybox
          command:
              - wget
              - "-O"
              - "/work-dir/index.html"
              - https://kubernetes.io
          volumeMounts:
              - name: workdir
                mountPath: "/work-dir"
    dnsPolicy: Default
    volumes:
        - name: workdir
          emptyDir: {}

Error log:

➜ kubectl apply -f init-containers.yaml
The Pod "init-demo" is invalid: spec: Forbidden: pod updates may not change fields other than `spec.containers[*].image`, `spec.initContainers[*].image`, `spec.activeDeadlineSeconds` or `spec.tolerations` (only additions to existing tolerations)
  core.PodSpec{
    Volumes:        []core.Volume{{Name: "workdir", VolumeSource: core.VolumeSource{EmptyDir: &core.EmptyDirVolumeSource{}}}, {Name: "default-token-pm7m9", VolumeSource: core.VolumeSource{Secret: &core.SecretVolumeSource{SecretName: "default-token-pm7m9", DefaultMode: &420}}}},
    InitContainers: []core.Container{{Name: "install", Image: "busybox", Command: []string{"wget", "-O", "/work-dir/index.html", "https://kubernetes.io"}, VolumeMounts: []core.VolumeMount{{Name: "workdir", MountPath: "/work-dir"}, {Name: "default-token-pm7m9", ReadOnly: true, MountPath: "/var/run/secrets/kubernetes.io/serviceaccount"}}, TerminationMessagePath: "/dev/termination-log", TerminationMessagePolicy: "File", ImagePullPolicy: "Always"}},
    Containers: []core.Container{
        {
            ... // 7 identical fields
            Env:       nil,
            Resources: core.ResourceRequirements{},
            VolumeMounts: []core.VolumeMount{
                {
-                   Name:             "default-token-pm7m9",
+                   Name:             "workdir",
-                   ReadOnly:         true,
+                   ReadOnly:         false,
-                   MountPath:        "/var/run/secrets/kubernetes.io/serviceaccount",
+                   MountPath:        "/user/share/nginx/html",
                    SubPath:          "",
                    MountPropagation: nil,
                    SubPathExpr:      "",
                },
                {
-                   Name:             "workdir",
+                   Name:             "default-token-pm7m9",
-                   ReadOnly:         false,
+                   ReadOnly:         true,
-                   MountPath:        "/usr/share/nginx/html",
+                   MountPath:        "/var/run/secrets/kubernetes.io/serviceaccount",
                    SubPath:          "",
                    MountPropagation: nil,
                    SubPathExpr:      "",
                },
            },
            VolumeDevices: nil,
            LivenessProbe: nil,
            ... // 9 identical fields
        },
    },
    RestartPolicy:                 "Always",
    TerminationGracePeriodSeconds: &30,
    ... // 21 identical fields
  }

Start a Pod with pod-single-configmap-env-variable.yaml:

apiVersion: v1
kind: Pod
metadata:
    name: dapi-test-pod
spec:
    containers:
        - name: test-ctr
          image: k8s.gcr.io/busybox
          command: ["/bin/sh", "-c", "env"]
          env:
              - name: SPECIAL_LEVEL_KEY
                valueFrom:
                    configMapKeyRef:
                        name: special-config
                        key: special.how
    restartPolicy: Never

Starting another Pod with pod-multiple-configmap-env-variable.yaml then fails:

apiVersion: v1
kind: Pod
metadata:
    name: dapi-test-pod
spec:
    containers:
        - name: test-container
          image: k8s.gcr.io/busybox
          command: ["/bin/sh", "-c", "env"]
          env:
              - name: SPECIAL_LEVEL_KEY
                valueFrom:
                    configMapKeyRef:
                        name: special-config
                        key: special.how
              - name: LOG_LEVEL
                valueFrom:
                    configMapKeyRef:
                        name: env-config
                        key: log_level
    restartPolicy: Never

Error log:

➜ kubectl apply -f pod-multiple-configmap-env-variable.yaml
The Pod "dapi-test-pod" is invalid: spec: Forbidden: pod updates may not change fields other than `spec.containers[*].image`, `spec.initContainers[*].image`, `spec.activeDeadlineSeconds` or `spec.tolerations` (only additions to existing tolerations)
  core.PodSpec{
    Volumes:        []core.Volume{{Name: "default-token-pm7m9", VolumeSource: core.VolumeSource{Secret: &core.SecretVolumeSource{SecretName: "default-token-pm7m9", DefaultMode: &420}}}},
    InitContainers: nil,
    Containers: []core.Container{
        {
-           Name:    "test-container",
+           Name:    "test-ctr",
            Image:   "k8s.gcr.io/busybox",
            Command: []string{"/bin/sh", "-c", "env"},
            ... // 2 identical fields
            Ports:   nil,
            EnvFrom: nil,
            Env: []core.EnvVar{
                {Name: "SPECIAL_LEVEL_KEY", ValueFrom: &core.EnvVarSource{ConfigMapKeyRef: &core.ConfigMapKeySelector{LocalObjectReference: core.LocalObjectReference{Name: "special-config"}, Key: "special.how"}}},
-               {
-                   Name: "LOG_LEVEL",
-                   ValueFrom: &core.EnvVarSource{
-                       ConfigMapKeyRef: &core.ConfigMapKeySelector{
-                           LocalObjectReference: core.LocalObjectReference{Name: "env-config"},
-                           Key:                  "log_level",
-                       },
-                   },
-               },
            },
            Resources:    core.ResourceRequirements{},
-           VolumeMounts: nil,
+           VolumeMounts: []core.VolumeMount{
+               {
+                   Name:      "default-token-pm7m9",
+                   ReadOnly:  true,
+                   MountPath: "/var/run/secrets/kubernetes.io/serviceaccount",
+               },
+           },
            VolumeDevices: nil,
            LivenessProbe: nil,
            ... // 9 identical fields
        },
    },
    RestartPolicy:                 "Never",
    TerminationGracePeriodSeconds: &30,
    ... // 21 identical fields
  }
diguage commented 5 years ago

When configuring ConfigMaps, if the names are the same the configuration is appended. -- Verify this.

diguage commented 4 years ago
  1. How do you back up the data inside etcd?
  2. Must study etcd properly.
diguage commented 4 years ago
apiVersion: v1
kind: ResourceQuota
metadata:
  name: mem-cpu-demo
spec:
  hard:
    requests.cpu: "1"
    requests.memory: 1Gi
    limits.cpu: "2"
    limits.memory: 2Gi

Why is the notation for requests and limits here so inconsistent with how they are written elsewhere?

diguage commented 4 years ago

Overview of kubectl - Kubernetes -- the kubectl docs, worth reading.

diguage commented 4 years ago

Every container in a Pod has the directory /var/run/secrets/kubernetes.io/serviceaccount, containing token, namespace and ca.crt.
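Putting items 8 and 9 of the first comment together with this observation, as an added example that is not part of the original notes: the ca.crt in that directory is the cluster CA bundle that signs the API server's certificate, so it replaces --insecure, and the token is a JWT whose payload (for a bound, time-limited token) carries an exp claim you can read before deciding whether it needs renewing. SA_DIR and CURL are hypothetical overrides so the functions can be exercised outside a Pod; KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT are the environment variables the kubelet sets in every container.

```shell
#!/bin/sh
# Added example, not from the original notes: call the API server from inside a
# Pod with the projected service-account files instead of `--insecure`.
# SA_DIR and CURL are hypothetical overrides used only for testing.
SA_DIR=${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}
CURL=${CURL:-curl}

# jwt_payload TOKEN -> decoded JSON payload (second dot-separated segment).
# JWTs use unpadded base64url, so restore '+/' and the '=' padding first.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# jwt_exp TOKEN -> the "exp" claim in seconds since the epoch, or nothing for
# a legacy Secret-based token, which carries no exp and never expires.
jwt_exp() {
  jwt_payload "$1" | sed -n 's/.*"exp":[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# token_ttl TOKEN -> seconds until expiry, or "never" when there is no exp.
token_ttl() {
  exp=$(jwt_exp "$1")
  if [ -z "$exp" ]; then
    echo never
  else
    echo $(( exp - $(date +%s) ))
  fi
}

# k8s_api /api/v1/namespaces -- GET a path on the in-cluster API server.
# --cacert pins the server certificate to the mounted CA bundle, which is the
# check `--insecure` was switching off; the bearer token comes from the same
# directory, so nothing is copied into a shell variable by hand.
k8s_api() {
  path=$1
  for f in token ca.crt namespace; do
    [ -r "$SA_DIR/$f" ] || { echo "missing $SA_DIR/$f" >&2; return 1; }
  done
  token=$(cat "$SA_DIR/token")
  host=${KUBERNETES_SERVICE_HOST:?set by the kubelet inside a Pod}
  port=${KUBERNETES_SERVICE_PORT:-443}
  "$CURL" --silent --show-error --fail \
    --cacert "$SA_DIR/ca.crt" \
    --header "Authorization: Bearer $token" \
    "https://$host:$port$path"
}
```

Outside a Pod the same pattern is curl --cacert <cluster-ca.crt> against the external API server address. On current clusters the validity period of a token is chosen at issue time with kubectl create token <serviceaccount> --duration=<d> (the TokenRequest API's expirationSeconds), capped by the API server's --service-account-max-token-expiration; the only tokens without an exp are the legacy Secret-based ones, which since v1.24 are no longer generated automatically and have to be created deliberately.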