Installing with the Kubernetes API datastore (recommended)
Ensure that the Kubernetes controller manager has the following flags set: --cluster-cidr=10.244.0.0/16 and --allocate-node-cidrs=true.
Tip: If you're using kubeadm, you can pass --pod-network-cidr=10.244.0.0/16 to kubeadm init to set the Kubernetes controller manager flags.
If your cluster has RBAC enabled, issue the following command to configure the roles and bindings that Calico requires.
kubectl apply -f https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/canal/rbac.yaml
Note: You can also view the manifest in your browser.
Issue the following command to install Calico.
kubectl apply -f https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/canal/canal.yaml
Note: You can also view the manifest in your browser.
4. Now let's deploy it.
a. First, apply the rbac.yaml configuration file.
[root@k8smaster flannel]# kubectl apply -f
clusterrole.rbac.authorization.k8s.io/calico created
clusterrole.rbac.authorization.k8s.io/flannel configured
clusterrolebinding.rbac.authorization.k8s.io/canal-flannel created
clusterrolebinding.rbac.authorization.k8s.io/canal-calico created
b. Second, apply canal.yaml.
[root@k8smaster flannel]# kubectl apply -f \
configmap/canal-config created
daemonset.extensions/canal created
customresourcedefinition.apiextensions.k8s.io/felixconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/bgpconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ippools.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/clusterinformations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworksets.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/hostendpoints.crd.projectcalico.org created
[root@k8smaster ~]# kubectl explain networkpolicy
KIND: NetworkPolicy
VERSION: extensions/v1beta1
DESCRIPTION:
DEPRECATED 1.9 - This group version of NetworkPolicy is deprecated by
networking/v1/NetworkPolicy. NetworkPolicy describes what network traffic
is allowed for a set of Pods
FIELDS:
apiVersion <string>
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal
value, and may reject unrecognized values. More info:
https://git.k8s.io/community/contributors/devel/api-conventions.md#resources
kind <string>
Kind is a string value representing the REST resource this object
represents. Servers may infer this from the endpoint the client submits
requests to. Cannot be updated. In CamelCase. More info:
https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
metadata <Object>
[root@k8smaster ~]# kubectl explain networkpolicy.spec
KIND: NetworkPolicy
VERSION: extensions/v1beta1
RESOURCE: spec <Object>
DESCRIPTION:
Specification of the desired behavior for this NetworkPolicy.
DEPRECATED 1.9 - This group version of NetworkPolicySpec is deprecated by
networking/v1/NetworkPolicySpec.
FIELDS:
egress <[]Object> # egress (outbound) rules
List of egress rules to be applied to the selected pods. Outgoing traffic
is allowed if there are no NetworkPolicies selecting the pod (and cluster
policy otherwise allows the traffic), OR if the traffic matches at least
one egress rule across all of the NetworkPolicy objects whose podSelector
matches the pod. If this field is empty then this NetworkPolicy limits all
outgoing traffic (and serves solely to ensure that the pods it selects are
isolated by default). This field is beta-level in 1.8
ingress <[]Object> # ingress (inbound) rules
List of ingress rules to be applied to the selected pods. Traffic is
allowed to a pod if there are no NetworkPolicies selecting the pod OR if
the traffic source is the pod's local node, OR if the traffic matches at
least one ingress rule across all of the NetworkPolicy objects whose
podSelector matches the pod. If this field is empty then this NetworkPolicy
does not allow any traffic (and serves solely to ensure that the pods it
selects are isolated by default).
podSelector <Object> -required- # which pods this policy applies to
Selects the pods to which this NetworkPolicy object applies. The array of
ingress rules is applied to any pods selected by this field. Multiple
network policies can select the same set of pods. In this case, the ingress
rules for each are combined additively. This field is NOT optional and
follows standard label selector semantics. An empty podSelector matches all
pods in this namespace.
policyTypes <[]string> # policy types: which directions (Ingress, Egress) this policy isolates. A policy may define both egress and ingress rules without conflict; this field states which directions the policy governs, and when it is omitted the default is derived from which rule sections are present, as described below.
List of rule types that the NetworkPolicy relates to. Valid options are
Ingress, Egress, or Ingress,Egress. If this field is not specified, it will
default based on the existence of Ingress or Egress rules; policies that
contain an Egress section are assumed to affect Egress, and all policies
(whether or not they contain an Ingress section) are assumed to affect
Ingress. If you want to write an egress-only policy, you must explicitly
specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy
that specifies that no egress is allowed, you must specify a policyTypes
value that include "Egress" (since such a policy would not include an
Egress section and would otherwise default to just [ "Ingress" ]). This
field is beta-level in 1.8
Let's look at the egress definition.
[root@k8smaster ~]# kubectl explain networkpolicy.spec.egress
KIND: NetworkPolicy
VERSION: extensions/v1beta1
RESOURCE: egress <[]Object>
DESCRIPTION:
List of egress rules to be applied to the selected pods. Outgoing traffic
is allowed if there are no NetworkPolicies selecting the pod (and cluster
policy otherwise allows the traffic), OR if the traffic matches at least
one egress rule across all of the NetworkPolicy objects whose podSelector
matches the pod. If this field is empty then this NetworkPolicy limits all
outgoing traffic (and serves solely to ensure that the pods it selects are
isolated by default). This field is beta-level in 1.8
DEPRECATED 1.9 - This group version of NetworkPolicyEgressRule is
deprecated by networking/v1/NetworkPolicyEgressRule.
NetworkPolicyEgressRule describes a particular set of traffic that is
allowed out of pods matched by a NetworkPolicySpec's podSelector. The
traffic must match both ports and to. This type is beta-level in 1.8
FIELDS:
ports <[]Object> # destination ports; each entry is a port (number or name) together with its protocol
List of destination ports for outgoing traffic. Each item in this list is
combined using a logical OR. If this field is empty or missing, this rule
matches all ports (traffic not restricted by port). If this field is
present and contains at least one item, then this rule allows traffic only
if the traffic matches at least one port in the list.
to <[]Object>
List of destinations for outgoing traffic of pods selected for this rule.
Items in this list are combined using a logical OR operation. If this field
is empty or missing, this rule matches all destinations (traffic not
restricted by destination). If this field is present and contains at least
one item, this rule allows traffic only if the traffic matches at least one
item in the to list.
[root@k8smaster ~]# kubectl explain networkpolicy.spec.egress.to
KIND: NetworkPolicy
VERSION: extensions/v1beta1
RESOURCE: to <[]Object>
DESCRIPTION:
List of destinations for outgoing traffic of pods selected for this rule.
Items in this list are combined using a logical OR operation. If this field
is empty or missing, this rule matches all destinations (traffic not
restricted by destination). If this field is present and contains at least
one item, this rule allows traffic only if the traffic matches at least one
item in the to list.
DEPRECATED 1.9 - This group version of NetworkPolicyPeer is deprecated by
networking/v1/NetworkPolicyPeer.
FIELDS:
ipBlock <Object> # the destination can also be an IP block: every endpoint in that CIDR range, whether pod or host
IPBlock defines policy on a particular IPBlock. If this field is set then
neither of the other fields can be.
namespaceSelector <Object> # namespace selector: selects a set of namespaces, so that the pods this policy applies to may reach all pods in those namespaces (or, combined with podSelector, only particular pods in them)
Selects Namespaces using cluster-scoped labels. This field follows standard
label selector semantics; if present but empty, it selects all namespaces.
If PodSelector is also set, then the NetworkPolicyPeer as a whole selects
the Pods matching PodSelector in the Namespaces selected by
NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected
by NamespaceSelector.
podSelector <Object> # the destination can also be another set of pods, which controls traffic between two groups of pods: the source is a set of pods and the destination is a set of pods
This is a label selector which selects Pods. This field follows standard
label selector semantics; if present but empty, it selects all pods. If
NamespaceSelector is also set, then the NetworkPolicyPeer as a whole
selects the Pods matching PodSelector in the Namespaces selected by
NamespaceSelector. Otherwise it selects the Pods matching PodSelector in
the policy's own Namespace.
[root@k8smaster networkpolicy]# kubectl get netpol -n dev
NAME               POD-SELECTOR   AGE
deny-all-ingress   <none>         1m
c. Next, create a pod in the dev namespace and check whether it can be reached.
[root@k8smaster networkpolicy]# cat pod-a.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod1
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
[root@k8smaster networkpolicy]# kubectl apply -f pod-a.yaml -n dev
pod/pod1 created
[root@k8smaster networkpolicy]# kubectl get pods -n dev
NAME READY STATUS RESTARTS AGE
pod1 1/1 Running 0 7s
[root@k8smaster networkpolicy]# kubectl get pods -n dev -o wide
NAME READY STATUS RESTARTS AGE IP NODE
pod1 1/1 Running 0 1m 10.244.2.2 k8snode2
[root@k8smaster networkpolicy]# curl 10.244.2.2   # no response: the pod cannot be reached (interrupted with ^C)
d. Now create a pod in the prod namespace and check whether it can be reached.
[root@k8smaster networkpolicy]# kubectl apply -f pod-a.yaml -n prod
pod/pod1 created
[root@k8smaster networkpolicy]# kubectl get pods -n prod -o wide
NAME READY STATUS RESTARTS AGE IP NODE
pod1 1/1 Running 0 12s 10.244.1.2 k8snode1
[root@k8smaster networkpolicy]# curl 10.244.1.2   # reachable, because no policy selects pods in prod
Hello MyApp | Version: v1 | Pod Name
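The following simulator is an added example, not code from this page, from Kubernetes or from Canal. It implements exactly the selection semantics quoted above from kubectl explain (the podSelector/policyTypes rules of networkpolicy.spec and the ipBlock/namespaceSelector/podSelector peers of egress.to and ingress.from) and replays the experiment in steps c and d: a deny-all-ingress policy in dev blocks the pod there while the unselected pod in prod stays reachable. Assumptions: the deny-all-ingress manifest (the page lists the policy but never shows its YAML) is taken to be an empty podSelector with policyTypes [Ingress]; the pod labels, namespace labels, client pod, the allow-client-80 and egress-to-service-cidr policies and the 10.96.0.0/12 service CIDR are constructed for the demo; only matchLabels selectors are handled. The page curls from the master node, which is not the dev pod's node, so the "traffic source is the pod's local node" exception does not apply and a client pod is used instead.

```python
"""Simulator of the NetworkPolicy selection semantics quoted above from kubectl explain."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    ip: str
    labels: dict = field(default_factory=dict)

# Constructed cluster state. The dev/prod pod1 IPs are those shown on the page; the pod
# labels, the namespace labels and the client pod are assumptions made for this demo.
NAMESPACE_LABELS = {"dev": {"env": "dev"}, "prod": {"env": "prod"}, "default": {}}
DEV_POD = Pod("pod1", "dev", "10.244.2.2", {"app": "myapp"})
PROD_POD = Pod("pod1", "prod", "10.244.1.2", {"app": "myapp"})
CLIENT = Pod("client", "default", "10.244.0.5", {"role": "client"})

def match_labels(selector, labels):
    """Label-selector semantics (matchLabels only): None never matches, {} matches all."""
    if selector is None:
        return False
    return all(labels.get(k) == v for k, v in (selector.get("matchLabels") or {}).items())

def effective_policy_types(policy):
    """Documented default: always Ingress, plus Egress only if an egress section exists."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}

def peer_matches(peer, policy_namespace, remote):
    """One from/to entry: ipBlock is exclusive; namespaceSelector AND podSelector combine;
    podSelector alone only selects pods in the policy's own namespace."""
    if "ipBlock" in peer:
        addr, block = ipaddress.ip_address(remote.ip), peer["ipBlock"]
        if addr not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(addr in ipaddress.ip_network(ex) for ex in block.get("except", []))
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None:
        if not match_labels(ns_sel, NAMESPACE_LABELS.get(remote.namespace, {})):
            return False
        return pod_sel is None or match_labels(pod_sel, remote.labels)
    return remote.namespace == policy_namespace and match_labels(pod_sel, remote.labels)

def port_matches(ports, port, proto):
    """A missing or empty ports list means any port; entries are OR-ed."""
    return not ports or any(p.get("protocol", "TCP") == proto and p.get("port") == port for p in ports)

def direction_allowed(policies, direction, local, remote, port, proto):
    """Is traffic in `direction` ("Ingress"/"Egress") at pod `local` allowed with `remote`?"""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == local.namespace
                 and direction in effective_policy_types(p)
                 and match_labels(p["spec"]["podSelector"], local.labels)]
    if not selecting:
        return True  # no policy selects this pod for this direction: not isolated
    rules_key, peers_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    for pol in selecting:  # rules of all selecting policies are combined additively (OR)
        for rule in pol["spec"].get(rules_key) or []:
            peers = rule.get(peers_key) or []
            peer_ok = not peers or any(peer_matches(p, pol["metadata"]["namespace"], remote) for p in peers)
            if peer_ok and port_matches(rule.get("ports"), port, proto):
                return True
    return False  # isolated, and no rule across the selecting policies matched

def allowed(policies, src, dst, port=80, proto="TCP"):
    """A connection needs egress permission at the source AND ingress permission at the destination."""
    return (direction_allowed(policies, "Egress", src, dst, port, proto)
            and direction_allowed(policies, "Ingress", dst, src, port, proto))

# Assumed manifest for the page's deny-all-ingress policy in dev (its YAML is not shown on
# the page): an empty podSelector selects every pod, Ingress type, no ingress rules.
DENY_ALL_INGRESS_DEV = {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
                        "metadata": {"name": "deny-all-ingress", "namespace": "dev"},
                        "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}

# Constructed: re-open TCP/80 on app=myapp pods in dev for role=client pods in any namespace.
ALLOW_CLIENT_80_DEV = {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
                       "metadata": {"name": "allow-client-80", "namespace": "dev"},
                       "spec": {"podSelector": {"matchLabels": {"app": "myapp"}},
                                "ingress": [{"from": [{"namespaceSelector": {},
                                                       "podSelector": {"matchLabels": {"role": "client"}}}],
                                             "ports": [{"protocol": "TCP", "port": 80}]}]}}

# Constructed: an "egress-only" policy written without policyTypes. Because it has an egress
# section the default becomes [Ingress, Egress], so it silently also blocks all ingress to
# prod. The fixed version states policyTypes: [Egress] explicitly.
EGRESS_ONLY_MISSING_TYPES = {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
                             "metadata": {"name": "egress-to-service-cidr", "namespace": "prod"},
                             "spec": {"podSelector": {},
                                      "egress": [{"to": [{"ipBlock": {"cidr": "10.96.0.0/12"}}]}]}}
EGRESS_ONLY_FIXED = {**EGRESS_ONLY_MISSING_TYPES,
                     "spec": {**EGRESS_ONLY_MISSING_TYPES["spec"], "policyTypes": ["Egress"]}}
```

allowed([], CLIENT, PROD_POD) is True and allowed([DENY_ALL_INGRESS_DEV], CLIENT, DEV_POD) is False, mirroring the two curl results above; adding ALLOW_CLIENT_80_DEV re-opens only TCP/80 and only for role=client pods, because rules are additive but a pod stays isolated once any policy selects it. The EGRESS_ONLY_MISSING_TYPES case shows the policyTypes default pitfall described in the spec text: omitting policyTypes on a policy with an egress section also isolates ingress.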