Kubernetes: Pod management

Preface

A pod is the smallest deployable unit in k8s. It is a group of containers that share one network namespace, and a pod's lifetime is short.

Pod container types

1. Infrastructure container (base container)

  • Maintains the network namespace of the whole pod
  • Check the container's network configuration (run on a node)
[root@localhost ~]# cat /opt/kubernetes/cfg/kubelet
KUBELET_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.7.102 \
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/cfg/kubelet.config \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
  • Created every time a pod is created, one per pod, and transparent to the user
[root@localhost ~]# docker ps
CONTAINER ID        IMAGE                                                                 COMMAND                  CREATED             STATUS              PORTS               NAMES
6beba77cbbc4        784cf2722f44                                                          "/dashboard --insecu…"   24 hours ago        Up 24 hours                             k8s_kubernetes-dashboard_kubernetes-dashboard-7dffbccd68-j4fqz_kube-system_87e9c168-905f-11ea-80d3-000c29535012_4
8b8426b7697a        registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0   "/pause"                 24 hours ago        Up 24 hours                             k8s_POD_kubernetes-dashboard-7dffbccd68-j4fqz_kube-system_87e9c168-905f-11ea-80d3-000c29535012_3

2. initContainers (init containers)

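  • Run before the application containers start. Originally all containers in a pod were started in parallel; this has since been improved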

3. Container (application container)

  • Started in parallel

Image pull policy

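  • IfNotPresent: the default; the image is pulled only when it does not exist on the host
  • Always: the image is pulled again every time a pod is created
  • Never: the pod never pulls the image on its own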
[root@localhost demo]# kubectl run nginx --image=nginx
[root@localhost demo]# kubectl edit deployment/nginx
(some content omitted)
    spec:
      containers:
      - image: nginx
        imagePullPolicy: Always		# here you can see that the pull policy used for the created pod is Always
        name: nginx
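
The Deployment above shows Always even though IfNotPresent is listed as the default, because when imagePullPolicy is omitted Kubernetes chooses the default from the image tag. The following added example (not part of the original post) resolves the effective policy for the manifests on this page; the function names are hypothetical and the specs are constructed copies of those manifests.

```python
VALID_POLICIES = ("Always", "IfNotPresent", "Never")


def default_pull_policy(image):
    """Policy Kubernetes assigns when imagePullPolicy is omitted."""
    if "@" in image:
        # A digest pins the exact content, so a cached copy is acceptable
        return "IfNotPresent"
    # Only a ':' in the last path component is a tag; an earlier one is a
    # registry port, e.g. 192.168.7.106:5000/my-project/tomcat
    name = image.rsplit("/", 1)[-1]
    tag = name.split(":", 1)[1] if ":" in name else ""
    return "Always" if tag in ("", "latest") else "IfNotPresent"


def effective_policies(pod_spec):
    """Return (container, image, policy, origin) for every container in a pod spec."""
    rows = []
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    for c in containers:
        policy = c.get("imagePullPolicy")
        if policy is None:
            rows.append((c["name"], c["image"], default_pull_policy(c["image"]), "defaulted"))
        elif policy in VALID_POLICIES:
            rows.append((c["name"], c["image"], policy, "explicit"))
        else:
            # Values are case-sensitive; a misspelling is rejected by the API server
            raise ValueError(f"{c['name']}: invalid imagePullPolicy {policy!r}")
    return rows


# Constructed pod specs mirroring the manifests shown on this page
NGINX_RUN = {"containers": [{"name": "nginx", "image": "nginx"}]}
MYPOD = {"containers": [{"name": "nginx", "image": "nginx:1.14",
                         "imagePullPolicy": "Always"}]}
MY_TOMCAT = {"containers": [{"name": "my-tomcat",
                             "image": "192.168.7.106/my-project/tomcat"}]}

if __name__ == "__main__":
    for spec in (NGINX_RUN, MYPOD, MY_TOMCAT):
        for row in effective_policies(spec):
            print(*row, sep="\t")
```

The untagged Harbor image resolves to Always, so every start of a my-tomcat pod contacts the private registry and needs the pull secret.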

Creating a pod with the Always pull policy

[root@localhost demo]# vim pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: nginx
      image: nginx:1.14
      imagePullPolicy: Always
[root@localhost demo]# kubectl create -f pod.yaml 
pod/mypod created
[root@localhost demo]# kubectl get pods
NAME                    READY   STATUS    RESTARTS   AGE
mypod                   1/1     Running   0          55s
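# If the status above is CrashLoopBackOff, check the format of the yaml file or check whether the connection between master and node has a problem
# Check which node the pod was assigned to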
[root@localhost demo]# kubectl get pods -o wide
NAME                    READY   STATUS    RESTARTS   AGE    IP            NODE            NOMINATED NODE
mypod                   1/1     Running   0          4m8s   172.17.94.2   192.168.7.103   
# On the node, use curl to view the response headers
[root@localhost ~]# curl -I 172.17.94.2
HTTP/1.1 200 OK
Server: nginx/1.14.2		# the version shown here is 1.14
Date: Thu, 21 May 2020 02:27:27 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 04 Dec 2018 14:44:49 GMT
Connection: keep-alive
ETag: "5c0692e1-264"
Accept-Ranges: bytes

Deploying Harbor and creating a private project

  • For deploying Harbor, see: Docker–Harbor private image registry setup
  • Once the private registry is up, create a project in it

Configuring the node to connect to the private registry

[root@localhost ~]# vim /etc/docker/daemon.json 
# Note: the comma at the end of the "insecure-registries" line is required
{
  "insecure-registries": ["192.168.7.106"],
  "registry-mirrors": ["https://syy5204b.mirror.aliyuncs.com"]
}
# Restart the docker service
[root@localhost ~]# systemctl restart docker
# Log in to the Harbor private registry
[root@localhost ~]# docker login 192.168.7.106
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
# Pull the Tomcat image so it can be pushed
[root@localhost ~]# docker pull tomcat
# Tag the image and push it to the private registry
[root@localhost ~]# docker tag tomcat:latest 192.168.7.106/my-project/tomcat
[root@localhost ~]# docker push 192.168.7.106/my-project/tomcat
# After the push completes, delete the locally tagged image so the later steps can verify the pull
[root@localhost ~]# docker rmi 192.168.7.106/my-project/tomcat:latest 

Creating pod resources that pull the image from the private registry

# On the node, view the login credential
[root@localhost ~]# cat .docker/config.json | base64 -w 0
ewoJImF1dGhzIjoge30sCgkiSHR0cEhlYWRlcnMiOiB7CgkJIlVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xOS4wMy44IChsaW51eCkiCgl9Cn0=
# Create the secret resource
[root@localhost demo]# vim registry-pull-secret.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: registry-pull-secret
data:
# Paste the login credential printed above on the next line
  .dockerconfigjson: ewoJImF1dGhzIjogewoJCSIxOTIuMTY4LjcuMTA2IjogewoJCQkiYXV0aCI6ICJZV1J0YVc0NlNHRnlZbTl5TVRJek5EVT0iCgkJfQoJfSwKCSJIdHRwSGVhZGVycyI6IHsKCQkiVXNlci1BZ2VudCI6ICJEb2NrZXItQ2xpZW50LzE5LjAzLjggKGxpbnV4KSIKCX0KfQ==
type: kubernetes.io/dockerconfigjson
[root@localhost demo]# kubectl create -f registry-pull-secret.yaml 
secret/registry-pull-secret created
[root@localhost demo]# kubectl get secret
NAME                   TYPE                                  DATA   AGE
default-token-9gtsc    kubernetes.io/service-account-token   3      21d
registry-pull-secret   kubernetes.io/dockerconfigjson        1      23s
# Create resources that pull the image from the Harbor registry
[root@localhost demo]# vim tomcat.yaml 
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: my-tomcat
spec:
  replicas: 2		# number of replicas to create is 2
  template:
    metadata:
      labels:
        app: my-tomcat
    spec:
      imagePullSecrets:	# credential used to authenticate when pulling the image
      - name: registry-pull-secret
      containers:
      - name: my-tomcat
        image: 192.168.7.106/my-project/tomcat  # image to deploy
        ports:
        - containerPort: 8080  # Tomcat listens on 8080, matching the Service targetPort
---
apiVersion: v1
kind: Service
metadata:
  name: my-tomcat
spec:
  type: NodePort
  ports:
  - port: 8080
    targetPort: 8080
    nodePort: 31111
  selector:
    app: my-tomcat
[root@localhost demo]# kubectl create -f tomcat.yaml 
deployment.extensions/my-tomcat created
service/my-tomcat created
# View the pods and the published port mapping
[root@localhost demo]# kubectl get pods,svc
NAME                            READY   STATUS    RESTARTS   AGE
pod/my-tomcat-bd6957b58-n44c9   1/1     Running   0          110s
pod/my-tomcat-bd6957b58-xs6xf   1/1     Running   0          110s
pod/mypod                       1/1     Running   0          33m
pod/nginx-dbddb74b8-4dn2m       1/1     Running   0          50m

NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)          AGE
service/kubernetes   ClusterIP   10.0.0.1             443/TCP          21d
service/my-tomcat    NodePort    10.0.0.236           8080:31111/TCP   110s
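
A check for the registry-pull-secret step above, as an added example that is not part of the original post: the .dockerconfigjson value is only base64-encoded, so it can be decoded to confirm it holds a credential for the Harbor host before running kubectl create, and for the same reason the YAML file must be protected like the password itself. The function names and the sample password are constructed for illustration.

```python
import base64
import json


def build_dockerconfigjson(registry, username, password):
    """Return the base64 value for the Secret's .dockerconfigjson field."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {registry: {"auth": auth}}}
    return base64.b64encode(json.dumps(config).encode()).decode()


def check_pull_secret(b64_value, registry):
    """Decode a .dockerconfigjson value; return problems that would break pulls."""
    try:
        config = json.loads(base64.b64decode(b64_value, validate=True))
        entry = config.get("auths", {}).get(registry)
    except (ValueError, AttributeError):
        return ["value is not a base64-encoded Docker config object"]
    if entry is None:
        # Typical when config.json was read while logged out
        return [f"no auths entry for {registry}"]
    try:
        # base64 is an encoding, not encryption: this recovers the clear text
        user, sep, password = base64.b64decode(entry["auth"]).decode().partition(":")
    except (KeyError, TypeError, ValueError):
        # Typical when a credential helper stores the password elsewhere
        return [f"entry for {registry} has no usable inline credential"]
    if not (sep and user and password):
        return [f"auth for {registry} is not user:password"]
    return []


# Constructed samples: a usable value, and a config.json without any login
GOOD = build_dockerconfigjson("192.168.7.106", "admin", "constructed-password")
LOGGED_OUT = base64.b64encode(json.dumps({"auths": {}}).encode()).decode()
HELPER = base64.b64encode(
    json.dumps({"auths": {"192.168.7.106": {}}}).encode()).decode()

if __name__ == "__main__":
    for label, value in (("good", GOOD), ("logged out", LOGGED_OUT), ("helper", HELPER)):
        print(label, check_pull_secret(value, "192.168.7.106") or "ok")
```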
