CKA notes and reference material

Author: Kii_la | Published 2019-08-28 19:24

Jianshu's Markdown rendering is somewhat broken; the original post is at https://blog.kii.la/post/kubernetes/tattle/cka-相关信息和资料总结/

Exam notes

1. Enter the exam interface 15 minutes before the start. Identity verification is involved; a passport is acceptable. Your surroundings, your desktop environment and the exam rules are checked. All communication is in English.
2. The questions are displayed in Chinese, but some translations are poor; open the English version as well.
3. Use a reliable network for the exam, for example a VPN or the company network.
4. If the exam session is interrupted, open a new tab and request to re-enter.
5. Use the Chrome browser.
6. Time is tight. Set harder questions aside, record them in the provided notepad, finish the easy ones, then come back to them.
7. Content from kubernetes.io can be copied and pasted directly.
8. Time-saving tips:
   1. Use `kubectl run` wherever possible.
   2. Bookmark the relevant pages so they open quickly.
   3. Use the CLI's `-h` help.
   4. Use short names, for example `ns` for Namespace.
   5. `source <(kubectl completion bash)` for command completion.

Scheduling 5%

Exam 1: create a Job that runs 60 times, with 2 runs in parallel.

Reference: [Jobs - Run to Completion](https://git.kii.la/Kiila/kubernetes-document/blob/master/Concepts/Controller/Jobs%20-%20Run%20to%20Completion.md#jobs-run-to-completion)

<details>
<summary>show code</summary>

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: sixty-times-job
spec:
  completions: 60
  parallelism: 2
  template:
    spec:
      containers:
        - name: sixty-times-job
          image: perl
          command:
            - perl
            - -Mbignum=bpi
            - -wle
            - print bpi(2000)
      restartPolicy: Never
```

</details>

Exam: set the replica count of an existing Job named myjob to 10.

<details>
<summary>show code</summary>

```bash
$ kubectl scale --replicas=10 jobs/myjob
job "myjob" scaled
```

Notes:

• parallelism: number of pods that run in parallel.
• completions: number of successful completions required for the Job to be considered done.
• restartPolicy: only Never and OnFailure are supported.
• activeDeadlineSeconds: the maximum time allowed for retries when pods fail; once this time has passed, the Job is not retried any further.

</details>

Exam: static Pod

Create the Pod manifest in the specified location, then edit the systemd unit used by the kubelet (/etc/systemd/system/kubelet.service) so that it includes --pod-manifest-path=/specified/path. Once that is done, restart the service.

<details>
<summary>show code</summary>

Choose a node where we want to run the static pod. In this example, it's my-node1.

```bash
[joe@host ~] $ ssh my-node1
```

Choose a directory, say /etc/kubelet.d and place a web server pod definition there, e.g. /etc/kubelet.d/static-pod.yaml:

```bash
[root@my-node1 ~] $ mkdir /etc/kubelet.d/
[root@my-node1 ~] $ cat <<EOF >/etc/kubelet.d/static-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: static-pod
spec:
  containers:
    - image: busybox
      name: test-container
      command: ["/bin/sh", "-c", "sleep 9999"]
EOF
```

Configure your kubelet daemon on the node to use this directory by running it with --pod-manifest-path=/etc/kubelet.d/ argument. On Fedora edit /etc/kubernetes/kubelet to include this line:

```
KUBELET_ARGS="--cluster-dns=10.254.0.10 --cluster-domain=kube.local --pod-manifest-path=/etc/kubelet.d/"
```

Instructions for other distributions or Kubernetes installations may vary. Restart kubelet. On Fedora, this is:

```bash
[root@my-node1 ~] $ systemctl restart kubelet
```

The result looks like this:

```
[root@dev-9 manifests]# kubectl get pod
NAME                                      READY     STATUS        RESTARTS   AGE
static-pod-dev-9                          1/1       Running       0          34s
[root@dev-9 manifests]#
[root@dev-9 manifests]# kubectl describe pod static-pod-dev-9
Name:           static-pod-dev-9
Namespace:      default
Node:           dev-9/192.168.1.190
Start Time:     Sun, 12 Nov 2017 21:21:48 +0800
Labels:         <none>
Annotations:    kubernetes.io/config.hash=1dcad4affd910f45b5c3a8dbdeec8933
                kubernetes.io/config.mirror=1dcad4affd910f45b5c3a8dbdeec8933
                kubernetes.io/config.seen=2017-11-12T21:21:48.15196949+08:00
                kubernetes.io/config.source=file
Status:         Running
IP:             10.244.3.45
Containers:
  test-container:
    Container ID:   docker://ef3e28e45e280e4a50942fc472fd025cb84a7014a64dbc57308cddbfeb1bd979
    Image:          busybox
    Image ID:       docker-pullable://busybox@sha256:bbc3a03235220b170ba48a157dd097dd1379299370e1ed99ce976df0355d24f0
    Port:           <none>
    Command:
      /bin/sh
      -c
      sleep 9999
    State:          Running
      Started:      Sun, 12 Nov 2017 21:21:52 +0800
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:         <none>
Conditions:
  Type           Status
  Initialized    True
  Ready          True
  PodScheduled   True
Volumes:         <none>
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     :NoExecute
Events:          <none>
[root@dev-9 manifests]#
```

</details>

Exam: run a Jenkins Pod only on a specified node.

Logging / Monitoring 5%

Exam: find the Pod that uses the most CPU.

<details>
<summary>show code</summary>

```bash
kubectl top pod --sort-by=cpu

kubectl top pod | awk 'NR > 1 {print $1 "\t" $2 | "sort -k2 -r -n"}'
```

</details>
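The same ranking done offline, as an added example that is not part of the original post: it parses the text that `kubectl top pod` prints (NAME, CPU(cores), MEMORY(bytes)) from a constructed sample, normalises the CPU column to millicores, and also lists every pod above a threshold, which is the check a responder would run when a node is unexpectedly busy. On a real cluster, pass the output of `kubectl top pod` in place of SAMPLE_TOP.

```sh
#!/bin/sh
# Added example, not part of the original post. SAMPLE_TOP is a constructed
# copy of `kubectl top pod` output; the pod names are made up.

SAMPLE_TOP='NAME                     CPU(cores)   MEMORY(bytes)
nginx-5b444f5b58-dpvzq   3m           12Mi
batch-worker-7f9c        950m         120Mi
busybox                  0m           1Mi
redis-0                  120m         64Mi
big-compute-0            1200m        900Mi'

# Convert a kubectl CPU figure to whole millicores: "950m" -> 950, "2" -> 2000.
to_millicores() {
  case $1 in
    *m) printf '%s\n' "${1%m}" ;;
    *)  printf '%s\n' "$(( $1 * 1000 ))" ;;
  esac
}

# Emit "<millicores> <pod>" lines, highest CPU first, header line dropped.
sort_by_cpu() {
  printf '%s\n' "$1" | tail -n +2 | while read -r name cpu _mem; do
    printf '%s %s\n' "$(to_millicores "$cpu")" "$name"
  done | sort -k1,1 -rn
}

# Name of the single busiest pod.
top_cpu_pod() {
  sort_by_cpu "$1" | head -n 1 | cut -d ' ' -f 2
}

# Pods above a millicore threshold ($2): a quick "who is out of line" check.
pods_over_threshold() {
  sort_by_cpu "$1" | while read -r mc name; do
    if [ "$mc" -gt "$2" ]; then printf '%s %sm\n' "$name" "$mc"; fi
  done
}

echo "busiest pod: $(top_cpu_pod "$SAMPLE_TOP")"
echo "pods above 100m:"
pods_over_threshold "$SAMPLE_TOP" 100
```

The sort is done on whole millicores rather than on the raw column because `sort -n` stops at the first non-digit and would otherwise treat a bare "2" (two cores) as smaller than "950m".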

Exam: find the error message that contains the string "Some-error message here".

https://kubernetes.io/docs/concepts/cluster-administration/logging/
See kubectl logs, and /var/log for system services.

Application Lifecycle Management 8%

Cluster 11%

Exam: list all PersistentVolumes sorted by name.

<details>
<summary>show code</summary>

```bash
kubectl get pv --sort-by=.metadata.name
```

</details>

Exam: use nslookup from an application to look up Service and Pod DNS records.

https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/

<details>
<summary>Services</summary>

```bash
$ kubectl exec -ti busybox -- nslookup mysvc.myns.svc.cluster.local
```

Naming conventions for services and pods:

For a regular service, this resolves to the port number and the CNAME (i.e. to the ClusterIP): my-svc.my-namespace.svc.cluster.local.

```
root@test-9:~/henry# kubectl exec -ti busybox-2520568787-kkmrw -- nslookup nginx.default.svc.cluster.local
Server:    10.43.0.10
Address 1: 10.43.0.10 kube-dns.kube-system.svc.cluster.local

Name:      nginx.default
Address 1: 10.43.120.19 nginx.default.svc.cluster.local
root@test-9:~/henry#
```

For a headless service, this resolves to multiple answers (round-robin over the Pod IPs), one for each pod that is backing the service, and contains the port number and a CNAME of the pod of the form auto-generated-name.my-svc.my-namespace.svc.cluster.local

</details>

<details>
<summary>Pods</summary>

When enabled, pods are assigned a DNS A record in the form of pod-ip-address.my-namespace.pod.cluster.local

For example, a pod with IP 1.2.3.4 in the namespace default with a DNS name of cluster.local would have an entry: 1-2-3-4.default.pod.cluster.local

```
root@test-9:~/henry# kubectl exec -ti busybox-2520568787-kkmrw -- nslookup 10-42-236-215.default.pod.cluster.local
Server:    10.43.0.10
Address 1: 10.43.0.10 kube-dns.kube-system.svc.cluster.local

Name:      10-42-236-215.default.pod.cluster.local
Address 1: 10.42.236.215
```

</details>

Exam: perform a rolling update on a Deployment, then roll it back.

<details>
<summary>show code</summary>

RollingUpdate (for a Deployment, kubectl set seems to be limited to changing its image, resources, selector and subject):

```
[root@dev-7 henry]# kubectl run demo --image=nginx --port=80 --replicas=2 --labels="cka=true"
[root@dev-7 henry]#
[root@dev-7 henry]# kubectl get deploy
NAME                     DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
demo                     2         2         2            2           4m
[root@dev-7 henry]#
[root@dev-7 henry]# kubectl get pod -l cka=true
NAME                    READY     STATUS    RESTARTS   AGE
demo-2959463917-gbv3r   1/1       Running   0          1m
demo-2959463917-j76m9   1/1       Running   0          1m
[root@dev-7 henry]#
[root@dev-7 henry]# kubectl set --help
Configure application resources

These commands help you make changes to existing application resources.

Available Commands:
  image       Update image of a pod template
  resources   Update resource requests/limits on objects with pod templates
  selector    Set the selector on a resource
  subject     Update User, Group or ServiceAccount in a RoleBinding/ClusterRoleBinding
[root@dev-7 henry]#
[root@dev-7 henry]# kubectl set image deploy/demo demo=mysql
[root@dev-7 henry]#
[root@dev-7 henry]# kubectl rollout history deploy/demo
deployments "demo"
REVISION        CHANGE-CAUSE
1                <none>
2                <none>
[root@dev-7 henry]# kubectl rollout history deploy/demo --revision=2
deployments "demo" with revision #2
Pod Template:
  Labels:       cka=true
        pod-template-hash=2216264665
  Containers:
   demo:
    Image:      mysql
    Port:       80/TCP
    Environment:        <none>
    Mounts:     <none>
  Volumes:      <none>

[root@dev-7 henry]#
[root@dev-7 henry]# kubectl rollout undo deploy/demo
[root@dev-7 henry]#
[root@dev-7 henry]# kubectl rollout history deploy/demo
deployments "demo"
REVISION        CHANGE-CAUSE
2                <none>
3                <none>
[root@dev-7 henry]#
[root@dev-7 henry]# kubectl rollout history deploy/demo --revision=3
deployments "demo" with revision #3
Pod Template:
  Labels:       cka=true
        pod-template-hash=1786957899
  Containers:
   demo:
    Image:      nginx
    Port:       80/TCP
    Environment:        <none>
    Mounts:     <none>
  Volumes:      <none>

[root@dev-7 henry]#
[root@dev-7 henry]# kubectl rollout undo deploy/demo --to-revision=2
```

A more conservative approach is to pause the rollout first, wait until the changes are complete, check that everything is OK, and only then resume:

```
[root@dev-7 henry]# kubectl rollout pause deploy/demo
deployment "demo" paused
[root@dev-7 henry]#
[root@dev-7 henry]# kubectl set image deploy/demo demo=busybox
deployment "demo" image updated
[root@dev-7 henry]#
[root@dev-7 henry]# kubectl set resources deploy/demo -c=demo --limits=cpu=200m,memory=512Mi
deployment "demo" resource requirements updated
[root@dev-7 henry]#
[root@dev-7 henry]# kubectl rollout resume deploy/demo
deployment "demo" resumed
[root@dev-7 henry]#
```

Besides that, a rolling update can also be done with kubectl apply:

```
[root@dev-7 henry]# kubectl apply -f demo.yaml --record
deployment "demo" configured
[root@dev-7 henry]#
[root@dev-7 henry]# kubectl rollout history deploy/demo
deployments "demo"
REVISION        CHANGE-CAUSE
4                <none>
5                <none>
6                <none>
7                <none>
8                kubectl apply --filename=demo.yaml --record=true
[root@dev-7 henry]#
```

Autoscaling:

```
[root@dev-7 henry]# kubectl autoscale deploy/demo --min=10 --max=15 --cpu-percent=80
deployment "demo" autoscaled
```

Hooks

A Pod supports two hooks:

- postStart: called after the container has started.
- preStop: called before the container is stopped.

Two kinds of hook handlers are supported:

- Exec
- HTTP

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: lifecycle-demo
spec:
  containers:
    - name: lifecycle-demo-container
      image: nginx
      lifecycle:
        postStart:
          exec:
            command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"]
        preStop:
          exec:
            command: ["/usr/sbin/nginx", "-s", "quit"]
```

</details>

Exam: environment variables

Use Pod fields

<details>
<summary>show code</summary>

```
root@test-9:~# kubectl get deploy -o yaml | grep env -C 10
          maxSurge: 1
          maxUnavailable: 1
        type: RollingUpdate
      template:
        metadata:
          creationTimestamp: null
          labels:
            demo: "true"
        spec:
          containers:
          - env:
            - name: MY_NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: SECRET_USER
              valueFrom:
                secretKeyRef:
                  key: user
                  name: demo
root@test-9:~#
root@test-9:~# kubectl exec -ti nginx-f7d4dc847-skb74 /bin/bash
root@nginx-f7d4dc847-skb74:/# env | grep MY_NODE
MY_NODE_NAME=test-10
root@nginx-f7d4dc847-skb74:/#
```

Use container fields

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: dapi-envars-resourcefieldref
spec:
  containers:
    - name: test-container
      image: gcr.io/google_containers/busybox:1.24
      command: ["sh", "-c"]
      args:
        - while true; do
            echo -en '\n';
            printenv MY_CPU_REQUEST MY_CPU_LIMIT;
            printenv MY_MEM_REQUEST MY_MEM_LIMIT;
            sleep 10;
          done;
      resources:
        requests:
          memory: "32Mi"
          cpu: "125m"
        limits:
          memory: "64Mi"
          cpu: "250m"
      env:
        - name: MY_CPU_REQUEST
          valueFrom:
            resourceFieldRef:
              containerName: test-container
              resource: requests.cpu
        - name: MY_CPU_LIMIT
          valueFrom:
            resourceFieldRef:
              containerName: test-container
              resource: limits.cpu
  restartPolicy: Never
```

</details>

Exam: taint a node

Notes:
The key:value of a taint has no relationship whatsoever with the node's labels!
When adding a taint, specify key=value:effect.
When removing a taint, the value is not needed; the format is key:effect followed by a trailing "-".

<details>
<summary>show code</summary>

```
root@test-9:~# kubectl get pod -o wide
NAME                     READY     STATUS    RESTARTS   AGE       IP            NODE
nginx-5b444f5b58-dpvzq   1/1       Running   0          2m        10.244.0.7    test-9
nginx-5b444f5b58-k6qxp   1/1       Running   0          2m        10.244.0.8    test-9
nginx-5b444f5b58-n7prf   1/1       Running   0          2m        10.244.0.9    test-9
nginx-5b444f5b58-r4265   1/1       Running   0          2m        10.244.0.11   test-9
nginx-5b444f5b58-rs2hn   1/1       Running   0          2m        10.244.0.10   test-9
nginx-5b444f5b58-v6r2x   1/1       Running   0          2m        10.244.0.6    test-9
root@test-9:~#
root@test-9:~# kubectl taint node test-9 taint=true:NoExecute
node "test-9" tainted
root@test-9:~#
root@test-9:~# kubectl describe node test-9
Name:               test-9
Roles:              master
Labels:             beta.kubernetes.io/arch=amd64
                    beta.kubernetes.io/os=linux
                    kubernetes.io/hostname=test-9
                    node-role.kubernetes.io/master=
Annotations:        flannel.alpha.coreos.com/backend-data={"VtepMAC":"9a:e5:cf:c9:fb:79"}
                    flannel.alpha.coreos.com/backend-type=vxlan
                    flannel.alpha.coreos.com/kube-subnet-manager=true
                    flannel.alpha.coreos.com/public-ip=10.144.96.185
                    node.alpha.kubernetes.io/ttl=0
                    volumes.kubernetes.io/controller-managed-attach-detach=true
Taints:             taint=true:NoExecute
CreationTimestamp:  Mon, 13 Nov 2017 20:56:37 +0800
root@test-9:~#
root@test-9:~# kubectl get pod -o wide
NAME                     READY     STATUS    RESTARTS   AGE       IP            NODE
nginx-5b444f5b58-2s5dw   1/1       Running   0          28s       10.244.1.24   test-10
nginx-5b444f5b58-b6pds   1/1       Running   0          28s       10.244.1.23   test-10
nginx-5b444f5b58-cg75j   1/1       Running   0          28s       10.244.1.21   test-10
nginx-5b444f5b58-d8nbl   1/1       Running   0          28s       10.244.1.20   test-10
nginx-5b444f5b58-pncbm   1/1       Running   0          28s       10.244.1.18   test-10
nginx-5b444f5b58-zbc4h   1/1       Running   0          28s       10.244.1.22   test-10
root@test-9:~#
root@test-9:~# kubectl taint node test-9 taint:NoExecute-
node "test-9" untainted
root@test-9:~#
```

Supported effects: NoSchedule / NoExecute / PreferNoSchedule

```bash
kubectl taint nodes node1 key1=value1:NoSchedule
kubectl taint nodes node1 key1=value1:NoExecute
kubectl taint nodes node1 key2=value2:NoSchedule
```

</details>

Supported tolerations:

Match a specific key/value and effect:

```yaml
tolerations:
  - key: "key"
    operator: "Equal"
    value: "value"
    effect: "NoSchedule"
```

The key exists, with a specific effect:

```yaml
tolerations:
  - key: "key"
    operator: "Exists"
    effect: "NoSchedule"
```

Any key at all (this tolerates every taint):

```yaml
tolerations:
  - operator: "Exists"
```

The key exists, with any effect:

```yaml
tolerations:
  - key: "key"
    operator: "Exists"
```

How long the pod may keep running on the node after the taint has been added (when the time is up, the pod is evicted):

```yaml
tolerations:
  - key: "key1"
    operator: "Equal"
    value: "value1"
    effect: "NoExecute"
    tolerationSeconds: 3600
```

Example:

<details>
<summary>show code</summary>

```
root@test-9:~# kubectl get pod -o wide
NAME                     READY     STATUS    RESTARTS   AGE       IP            NODE
nginx-5b444f5b58-2s5dw   1/1       Running   0          16m       10.244.1.24   test-10
nginx-5b444f5b58-b6pds   1/1       Running   0          16m       10.244.1.23   test-10
nginx-5b444f5b58-cg75j   1/1       Running   0          16m       10.244.1.21   test-10
nginx-5b444f5b58-d8nbl   1/1       Running   0          16m       10.244.1.20   test-10
nginx-5b444f5b58-pncbm   1/1       Running   0          16m       10.244.1.18   test-10
nginx-5b444f5b58-zbc4h   1/1       Running   0          16m       10.244.1.22   test-10
root@test-9:~#
root@test-9:~# kubectl taint node test-9 taint=true:NoExecute
node "test-9" tainted
root@test-9:~#
root@test-9:~# kubectl edit deploy nginx
deployment "nginx" edited
root@test-9:~#
root@test-9:~# kubectl get pod -o wide
NAME                    READY     STATUS    RESTARTS   AGE       IP            NODE
nginx-9bf4c9c69-27r6m   1/1       Running   0          17s       10.244.1.26   test-10
nginx-9bf4c9c69-cnjk2   1/1       Running   0          23s       10.244.0.12   test-9
nginx-9bf4c9c69-fttrd   1/1       Running   0          23s       10.244.1.25   test-10
nginx-9bf4c9c69-jw7w2   1/1       Running   0          11s       10.244.1.27   test-10
nginx-9bf4c9c69-s57h2   1/1       Running   0          12s       10.244.0.14   test-9
nginx-9bf4c9c69-z8jrn   1/1       Running   0          18s       10.244.0.13   test-9
root@test-9:~#
root@test-9:~# kubectl get deploy nginx -o yaml | grep tolerations -C 5
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
      tolerations:
      - operator: Exists
status:
  availableReplicas: 6
  conditions:
  - lastTransitionTime: 2017-11-13T13:23:03Z
root@test-9:~#
```

Secret

generic

```
root@test-9:~# kubectl create secret generic demo --from-literal=user=chenleji --from-literal=passwd=123
secret "demo" created
root@test-9:~#
root@test-9:~# kubectl get secret
NAME                  TYPE                                  DATA      AGE
default-token-wgrhs   kubernetes.io/service-account-token   3         1h
demo                  Opaque                                2         4s
root@test-9:~#
root@test-9:~# kubectl get secret demo -o yaml
apiVersion: v1
data:
  passwd: MTIz
  user: Y2hlbmxlamk=
kind: Secret
metadata:
  creationTimestamp: 2017-11-13T14:12:00Z
  name: demo
  namespace: default
  resourceVersion: "7108"
  selfLink: /api/v1/namespaces/default/secrets/demo
  uid: 9da9b9f4-c87c-11e7-9401-525400545760
type: Opaque
root@test-9:~#
root@test-9:~# echo -n MTIz | base64 --decode
123
root@test-9:~# echo -n Y2hlbmxlamk= | base64 --decode
chenleji
root@test-9:~#
```

</details>
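The taint and toleration matching rules listed above, evaluated offline as an added example (this is not code from the original post). Taints are written in the kubectl syntax key=value:effect; a toleration is written as a constructed pipe-separated string key|operator|value|effect, mirroring the YAML fields, where any field may be empty. The example also flags the blanket `operator: Exists` toleration that the `kubectl edit deploy nginx` step above added, because that form tolerates every taint, including the control-plane taint, and so deserves a second look in review.

```sh
#!/bin/sh
# Added example, not part of the original post. Pod names and tolerations in
# the report below are constructed; the taint is the one used in the notes.

# Exit 0 when the single toleration ($2, "key|operator|value|effect")
# matches the taint ($1, "key=value:effect" or "key:effect").
tolerates() {
  t_effect=${1##*:}
  t_kv=${1%:*}
  t_key=${t_kv%%=*}
  case $t_kv in *=*) t_value=${t_kv#*=} ;; *) t_value= ;; esac
  o_key=$(printf '%s' "$2" | cut -d '|' -f 1)
  o_op=$(printf '%s' "$2" | cut -d '|' -f 2)
  o_value=$(printf '%s' "$2" | cut -d '|' -f 3)
  o_effect=$(printf '%s' "$2" | cut -d '|' -f 4)
  # An empty effect in the toleration matches every effect of that key.
  if [ -n "$o_effect" ] && [ "$o_effect" != "$t_effect" ]; then return 1; fi
  case $o_op in
    # Exists: the value is ignored; an empty key matches every key.
    Exists) [ -z "$o_key" ] || [ "$o_key" = "$t_key" ] ;;
    # Equal: key and value must both match.
    Equal)  [ "$o_key" = "$t_key" ] && [ "$o_value" = "$t_value" ] ;;
    *)      return 2 ;;
  esac
}

# A pod stays on a tainted node when any one of its tolerations
# (';'-separated list in $2) matches the taint in $1.
pod_tolerates() {
  rest=$2
  while [ -n "$rest" ]; do
    one=${rest%%;*}
    case $rest in *\;*) rest=${rest#*;} ;; *) rest= ;; esac
    if tolerates "$1" "$one"; then return 0; fi
  done
  return 1
}

# No key, operator Exists, no effect: tolerates every taint on every node.
is_blanket_toleration() {
  [ "$(printf '%s' "$1" | cut -d '|' -f 1)" = "" ] &&
  [ "$(printf '%s' "$1" | cut -d '|' -f 2)" = "Exists" ] &&
  [ "$(printf '%s' "$1" | cut -d '|' -f 4)" = "" ]
}

TAINT='taint=true:NoExecute'

# One line per constructed pod: "<name>:<tolerations>".
report() {
  for pod in \
    'equal-match:taint|Equal|true|NoExecute' \
    'exists-key:taint|Exists||NoExecute' \
    'wrong-value:taint|Equal|false|NoExecute' \
    'wrong-effect:taint|Equal|true|NoSchedule' \
    'multi:taint|Equal|false|NoExecute;taint|Exists||' \
    'blanket:|Exists||'
  do
    name=${pod%%:*}; tols=${pod#*:}
    if pod_tolerates "$TAINT" "$tols"; then verdict=stays; else verdict=evicted; fi
    if is_blanket_toleration "$tols"; then verdict="$verdict (blanket toleration, review)"; fi
    printf '%-12s %s\n' "$name" "$verdict"
  done
}

report
```

Running the block prints one verdict per pod: the first two stay, the two with a wrong value or wrong effect are evicted, the pod with two tolerations stays because its second one matches, and the blanket toleration stays and is flagged.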

Storage 7%

Exam: you have a container with a mounted volume. Add an InitContainer that creates an empty file in the volume.

https://kubernetes.io/docs/concepts/workloads/pods/init-containers/

Exam: Redis data storage problem

When a Redis key-value store runs in the pre-production environment, many deployments come from CI and leave large amounts of stale cached data in Redis, which causes tests to fail.
The CI administrator requires that whenever the Redis key-value store is deployed to staging, it must not persist its data. Create a Pod named non-persistent-redis that specifies a volume named app-cache with the mount path /data/redis. It should start in the staging namespace, and the volume must not be persistent. Create a Pod with an EmptyDir volume, and add the namespace CI in the YAML file.

Exam: TLS

<details>
<summary>show code</summary>

```bash
kubectl create secret tls tls-secret --cert=path/to/tls.cert --key=path/to/tls.key
```

Registry

```bash
kubectl create secret docker-registry my-secret --docker-server=DOCKER_REGISTRY_SERVER \
  --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
```

Volume mount

Without specifying the file names to mount:

```
root@test-9:~# kubectl get deploy -o yaml | grep volume -C 5
          imagePullPolicy: Always
          name: nginx
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
          - mountPath: /secret
            name: secret
        dnsPolicy: ClusterFirst
        restartPolicy: Always
        schedulerName: default-scheduler
        securityContext: {}
        terminationGracePeriodSeconds: 30
        tolerations:
        - operator: Exists
        volumes:
        - name: secret
          secret:
            defaultMode: 420
            secretName: demo
  status:
root@test-9:~#
root@test-9:~# kubectl exec -ti nginx-557769d5c5-45sdq /bin/bash
root@nginx-557769d5c5-45sdq:/# ls -l /secret/
total 0
lrwxrwxrwx 1 root root 13 Nov 13 14:23 passwd -> ..data/passwd
lrwxrwxrwx 1 root root 11 Nov 13 14:23 user -> ..data/user
root@nginx-557769d5c5-45sdq:/#
root@nginx-557769d5c5-45sdq:/# cat /secret/passwd
123
root@nginx-557769d5c5-45sdq:/#
```

Specifying the file name to mount:

```
root@test-9:~# kubectl describe secret demo
Name:         demo
Namespace:    default
Labels:       <none>
Annotations:  <none>
Type:  Opaque
Data
====
passwd:  3 bytes
user:    8 bytes
root@test-9:~#
root@test-9:~# kubectl get deploy nginx -o yaml | grep volume -C 8
    spec:
      containers:
      - image: nginx
        imagePullPolicy: Always
        name: nginx
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /secret
          name: secret
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
      tolerations:
      - operator: Exists
      volumes:
      - name: secret
        secret:
          defaultMode: 420
          items:
          - key: user
            path: haha/xx
          secretName: demo
status:
root@test-9:~#
root@nginx-657c6dcd4c-56p5h:/# cat /secret/haha/xx
chenleji
root@nginx-657c6dcd4c-56p5h:/#
```

env

```
root@test-9:~# kubectl get deploy nginx -o yaml | grep env -C 6
    metadata:
      creationTimestamp: null
      labels:
        demo: "true"
    spec:
      containers:
      - env:
        - name: SECRET_USER
          valueFrom:
            secretKeyRef:
              key: user
              name: demo
        image: nginx
root@test-9:~#
root@test-9:~# kubectl exec -ti nginx-548c9c4846-dgnbk /bin/bash
root@nginx-548c9c4846-dgnbk:/# env | grep SECRET
SECRET_USER=chenleji
root@nginx-548c9c4846-dgnbk:/#
```

</details>
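What a Secret actually stores and how it lands in a volume, covering both the `demo` secret created in the Secret section above and the two volume-mount variants in this section, as an added example that is not part of the original post. SAMPLE_SECRET is a constructed manifest shaped like `kubectl get secret demo -o yaml`; decode_secret_data accepts any such output passed as a string, and secret_mount_files computes the file paths a secret volume produces with and without an `items:` mapping (given here in a constructed "key:path" form). The decoding shows that `data:` values are only base64-encoded, not encrypted: anyone granted `get` on secrets, or with read access to etcd, sees them in clear, which is why that RBAC verb is worth restricting.

```sh
#!/bin/sh
# Added example, not part of the original post. SAMPLE_SECRET mirrors the
# `demo` secret from the notes (base64 of "chenleji" and "123").

SAMPLE_SECRET='apiVersion: v1
kind: Secret
metadata:
  name: demo
  namespace: default
type: Opaque
data:
  passwd: MTIz
  user: Y2hlbmxlamk='

# Print "key=plaintext" for every entry under data:.
decode_secret_data() {
  printf '%s\n' "$1" | awk '
    /^data:/           { in_data = 1; next }
    /^[^ ]/            { in_data = 0 }
    in_data && NF == 2 { sub(/:$/, "", $1); print $1, $2 }
  ' | while read -r key b64; do
    printf '%s=%s\n' "$key" "$(printf '%s' "$b64" | base64 -d)"
  done
}

# Plaintext of one key ($2) from the manifest ($1).
secret_value() {
  decode_secret_data "$1" | grep "^$2=" | cut -d '=' -f 2-
}

# `defaultMode: 420` in the volume spec is decimal; this prints the octal
# file mode (644) that the mounted files get.
default_mode_octal() {
  printf '%o\n' "$1"
}

# Files a secret volume creates under the mount path ($1): one per key by
# default, or only the `items:` paths when $3 is given as "key:path,key:path".
secret_mount_files() {
  mount=$1; manifest=$2; items=$3
  if [ -z "$items" ]; then
    decode_secret_data "$manifest" | cut -d '=' -f 1 | while read -r key; do
      printf '%s/%s\n' "$mount" "$key"
    done
  else
    printf '%s\n' "$items" | tr ',' '\n' | while IFS=: read -r _key path; do
      printf '%s/%s\n' "$mount" "$path"
    done
  fi
}

decode_secret_data "$SAMPLE_SECRET"
echo "defaultMode 420 = 0$(default_mode_octal 420)"
secret_mount_files /secret "$SAMPLE_SECRET"
secret_mount_files /secret "$SAMPLE_SECRET" "user:haha/xx"
```

The two secret_mount_files calls reproduce the `ls -l /secret/` listing (passwd and user) and the `/secret/haha/xx` path from the transcripts above; a tighter `defaultMode` (for example 256, i.e. 0400) limits who inside the container can read the mounted files.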

Networking 11%

Exam: create a network policy that only allows connections to port 8080 from the busybox pod.

<details>
<summary>show code</summary>

```
# kubectl annotate ns default "net.beta.kubernetes.io/network-policy={\"ingress\": {\"isolation\": \"DefaultDeny\"}}"
namespace "default" annotated
# kubectl describe ns default
Name:         default
Labels:       <none>
Annotations:  net.beta.kubernetes.io/network-policy={"ingress": {"isolation": "DefaultDeny"}}
Status:       Active
No resource quota.
No resource limits.
#
# kubectl get pod --show-labels
NAME                      READY     STATUS    RESTARTS   AGE       LABELS
nginx2-2627548522-6f5kf   1/1       Running   0          22m       pod-template-hash=2627548522,run=nginx
nginx2-2627548522-8w87b   1/1       Running   0          22m       pod-template-hash=2627548522,run=nginx
# kubectl get svc nginx --show-labels
NAME      TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE       LABELS
nginx     NodePort   10.43.120.19   <none>        80:30014/TCP   16m       run=nginx
# cat network-policy.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: access-nginx
spec:
  podSelector:
    matchLabels:
      run: nginx
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          access: "true"
    ports:
    - protocol: TCP
      port: 80
# kubectl get netpol
NAME           POD-SELECTOR   AGE
access-nginx   run=nginx      2m
# kubectl get netpol access-nginx -o yaml
apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
  creationTimestamp: 2017-11-12T07:40:38Z
  generation: 1
  name: access-nginx
  namespace: default
  resourceVersion: "20699"
  selfLink: /apis/extensions/v1beta1/namespaces/default/networkpolicies/access-nginx
  uid: c72191d1-c77c-11e7-8dee-02cdc7a8bd69
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: "true"
    ports:
    - port: 80
      protocol: TCP
  podSelector:
    matchLabels:
      run: nginx
#
# kubectl run busybox --rm -ti --labels="access=true" --image=busybox /bin/sh
If you don't see a command prompt, try pressing enter.
/ # wget nginx
Connecting to nginx (10.43.120.19:80)
index.html           100% |********************************************************************************************|   612   0:00:00 ETA
/ #
```

</details>

Exam: create an Ingress resource, an Ingress controller, and a Service that serves cs.rocks.ch.

<details>
<summary>show code</summary>

First, create the controller and the default backend:

```bash
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress/master/controllers/nginx/examples/default-backend.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress/master/examples/deployment/nginx/nginx-ingress-controller.yaml
```

Second, create the service and expose it:

```bash
kubectl run ingress-pod --image=nginx --port 80
kubectl expose deployment ingress-pod --port=80 --target-port=80 --type=NodePort
```

Create the ingress:

```bash
cat <<EOF >ingress-cka.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-service
spec:
  rules:
    - host: "cs.rocks.ch"
      http:
        paths:
          - backend:
              serviceName: ingress-pod
              servicePort: 80
EOF
```

To test, run a curl pod:

```bash
kubectl run -i --tty client --image=tutum/curl
curl -I -L --resolve cs.rocks.ch:80:10.240.0.5 http://cs.rocks.ch/
```

I think that to reach the ingress on a flannel network, it should also be possible to expose ports 80 and 443 of ingress-nginx with hostPort.

Mandatory commands

```bash
curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/namespace.yaml | kubectl apply -f -

curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/default-backend.yaml | kubectl apply -f -

curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/configmap.yaml | kubectl apply -f -

curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/tcp-services-configmap.yaml | kubectl apply -f -

curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/udp-services-configmap.yaml | kubectl apply -f -
```

Install with RBAC roles

```bash
curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/rbac.yaml | kubectl apply -f -

curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/with-rbac.yaml | kubectl apply -f -
```

Verify the installation:

```bash
kubectl get pods --all-namespaces -l app=ingress-nginx --watch
```

</details>

Installation, Configuration & Validation 12%

Exam: etcd backup and snapshot

https://kubernetes.io/docs/getting-started-guides/ubuntu/backups/
https://www.mirantis.com/blog/everything-you-ever-wanted-to-know-about-using-etcd-with-kubernetes-v1-6-but-were-afraid-to-ask/

Troubleshooting 10%

Exam: repair a broken node

https://kubernetes.io/docs/concepts/architecture/nodes/
