一个简单Kubernetes使用例子

环境准备

基础环境说明

VMware + Centos7
PS:尝试过在Centos 6.5上面执行安装,发现安装失败,果断转向书本中推荐的Centos7
Centos7 minimal下载地址点击链接

Centos7安装Kubernetes

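关闭防火墙

注意:此步骤仅适用于隔离的实验虚拟机。关闭firewalld之后,下文netstat输出中监听在所有地址上的端口(如6443、4194、10251、10252)以及后面配置的NodePort 30001,都会直接暴露给能够访问该虚拟机的网络;在共享或生产环境中应保留防火墙,只放行确实需要的端口。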

[root@spareribs ~]# systemctl disable firewalld
[root@spareribs ~]# systemctl stop firewalld

安装etcd和kubernetes(会自动安装Docker软件)

安装

# 由于centos mini版本没有ifconfig和netstat的命令。所以我安装了net-tools的工具
[root@spareribs ~]# yum -y install net-tools
[root@spareribs ~]# yum install -y etcd kubernetes

k8s、etcd和Docker软件版本查询

# -----------------------k8s 软件信息查询
# 默认安装完成以后,我看了一下k8s的版本,是v1.5.2 [时间: 2017.08.31]
[root@spareribs ~]# kubectl --version
Kubernetes v1.5.2

[root@spareribs ~]# kubectl version
Client Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.2", GitCommit:"269f928217957e7126dc87e6adfa82242bfe5b1e", GitTreeState:"clean", BuildDate:"2017-07-03T15:31:10Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.2", GitCommit:"269f928217957e7126dc87e6adfa82242bfe5b1e", GitTreeState:"clean", BuildDate:"2017-07-03T15:31:10Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"linux/amd64"}

# -----------------------docker 软件信息查询
[root@spareribs ~]# docker version  
Client:
 Version:         1.12.6
 API version:     1.24
 Package version: docker-1.12.6-32.git88a4867.el7.centos.x86_64
 Go version:      go1.7.4
 Git commit:      88a4867/1.12.6
 Built:           Mon Jul  3 16:02:02 2017
 OS/Arch:         linux/amd64

Server:
 Version:         1.12.6
 API version:     1.24
 Package version: docker-1.12.6-32.git88a4867.el7.centos.x86_64
 Go version:      go1.7.4
 Git commit:      88a4867/1.12.6
 Built:           Mon Jul  3 16:02:02 2017
 OS/Arch:         linux/amd64

# -----------------------etcd 软件信息查询
[root@spareribs ~]# etcdctl --version
etcdctl version: 3.1.9
API version: 2

修改配置文件

修改Docker的OPTIONS配置

[root@spareribs ~]# vi /etc/sysconfig/docker
# Previous value, commented out by the author and kept for reference:
# OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false'
# Lab-only override of the Docker daemon options:
#   --selinux-enabled=false   turns off Docker's SELinux support, removing the
#                             SELinux confinement layer around containers.
#   --insecure-registry gcr.io  lets the daemon talk to gcr.io without verifying
#                             its TLS certificate (and fall back to plain HTTP),
#                             so images pulled from it are not protected against
#                             tampering in transit.
# The --log-driver=journald option from the previous value is also dropped.
# Restore the stricter settings before reusing this host for anything but a lab.
OPTIONS='--selinux-enabled=false --insecure-registry gcr.io'

修改k8s APIserver的配置文件

[root@spareribs ~]# vi /etc/kubernetes/apiserver 
# Previous value, commented out by the author; it includes the ServiceAccount
# admission plugin:
# KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"
# ServiceAccount is removed from the plugin list below.
# NOTE(review): presumably a workaround because no service-account signing key
# is configured in this single-node setup; confirm. Without the plugin, pods
# are not automatically assigned a service account and API token, so keep this
# change confined to the lab and re-enable the plugin on any shared cluster.
KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ResourceQuota"

启动服务

按顺序启动服务

[root@spareribs ~]# systemctl start etcd
[root@spareribs ~]# systemctl start docker
[root@spareribs ~]# systemctl start kube-apiserver
[root@spareribs ~]# systemctl start kube-controller-manager
[root@spareribs ~]# systemctl start kube-scheduler
[root@spareribs ~]# systemctl start kubelet
[root@spareribs ~]# systemctl start kube-proxy

查看当前启动的服务和端口

[root@spareribs ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:10250         0.0.0.0:*               LISTEN      2964/kubelet
tcp        0      0 127.0.0.1:2379          0.0.0.0:*               LISTEN      2728/etcd
tcp        0      0 127.0.0.1:2380          0.0.0.0:*               LISTEN      2728/etcd
tcp        0      0 127.0.0.1:10255         0.0.0.0:*               LISTEN      2964/kubelet
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      2906/kube-apiserver
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1353/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1993/master
tcp        0      0 127.0.0.1:10248         0.0.0.0:*               LISTEN      2964/kubelet
tcp        0      0 127.0.0.1:10249         0.0.0.0:*               LISTEN      3008/kube-proxy
tcp6       0      0 :::10251                :::*                    LISTEN      2953/kube-scheduler
tcp6       0      0 :::6443                 :::*                    LISTEN      2906/kube-apiserver
tcp6       0      0 :::10252                :::*                    LISTEN      2941/kube-controlle
tcp6       0      0 :::22                   :::*                    LISTEN      1353/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1993/master
tcp6       0      0 :::4194                 :::*                    LISTEN      2964/kubelet

通过PS查看进程

#----------------这几个进程分别对应k8s
# kube-apiserver
# kube-controll
# kube-scheduler
# kubelet
# kube-proxy

[root@spareribs ~]# ps -auxwww | grep kube
kube       8977  0.9  3.5 127928 65888 ?        Ssl  04:35   0:00 /usr/bin/kube-apiserver --logtostderr=true --v=0 --etcd-servers=http://127.0.0.1:2379 --insecure-bind-address=127.0.0.1 --allow-privileged=false --service-cluster-ip-range=10.254.0.0/16 --admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ResourceQuota

kube       8987  0.8  2.2 282604 42872 ?        Ssl  04:35   0:00 /usr/bin/kube-controller-manager --logtostderr=true --v=0 --master=http://127.0.0.1:8080

kube       8997  0.1  1.9 270720 35752 ?        Ssl  04:35   0:00 /usr/bin/kube-scheduler --logtostderr=true --v=0 --master=http://127.0.0.1:8080

root       9007  1.3  2.6 503800 49536 ?        Ssl  04:35   0:01 /usr/bin/kubelet --logtostderr=true --v=0 --api-servers=http://127.0.0.1:8080 --address=127.0.0.1 --hostname-override=127.0.0.1 --allow-privileged=false --pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest

root       9017  0.6  1.9 420552 36728 ?        Ssl  04:35   0:00 /usr/bin/kube-proxy --logtostderr=true --v=0 --master=http://127.0.0.1:8080


#----------------这个进程是etcd
[root@spareribs ~]# ps -auxwww | grep etcd
etcd       8819  0.6  1.9 10708308 35960 ?      Ssl  04:35   0:01 /usr/bin/etcd --name=default --data-dir=/var/lib/etcd/default.etcd --listen-client-urls=http://localhost:2379

#----------------这两个进程是docker
[root@spareribs ~]# ps -auxwww | grep docker
root       8864  0.1  1.4 559076 26648 ?        Ssl  04:35   0:00 /usr/bin/dockerd-current --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current --default-runtime=docker-runc --exec-opt native.cgroupdriver=systemd --userland-proxy-path=/usr/libexec/docker/docker-proxy-current --selinux-enabled=false --insecure-registry gcr.io
root       8868  0.0  0.4 262960  7832 ?        Ssl  04:35   0:00 /usr/bin/docker-containerd-current -l unix:///var/run/docker/libcontainerd/docker-containerd.sock --shim docker-containerd-shim --metrics-interval=0 --start-timeout 2m --state-dir /var/run/docker/libcontainerd/containerd --runtime docker-runc --runtime-args --systemd-cgroup=true

启动Mysql服务

定义Mysql RC文件

分析

  • kind:资源的对象类型,eg:ReplicationController 表示是一个RC
  • spec:RC的相关属性定义
  • spec.selector:表示是RC的Pod标签(Label)选择器,即监控和管理拥有这些标签的Pod实例,确保当前集群上始终有且仅有replicas个Pod实例在运行
  • spec.replicas:表示Pod实例运行的数量
  • spec.template:当Pod数量小于replicas时,RC会根据spec.template定义的Pod模版来生成一个新的Pod实例
  • spec.template.metadata.labels: 指定了该Pod的标签,必须匹配之前的spec.selector,否则RC每次创建的Pod都无法被selector识别,到时候会成为一个死循环
[root@spareribs ~]# cat mysql-rc.yaml
# mysql-rc.yaml: ReplicationController that keeps one MySQL pod running.
apiVersion: v1
kind: ReplicationController
metadata:
  name: mysql
spec:
  replicas: 1
  # The selector must match template.metadata.labels below, otherwise the RC
  # cannot recognise the pods it creates.
  selector:
    app: mysql
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
      - name: mysql
        # No tag is given, so the newest "mysql" image is pulled; the MySQL
        # version can therefore differ between runs. Pin a tag for a
        # repeatable setup.
        image: mysql
        ports:
        - containerPort: 3306
        env:
        # The root password is a weak literal stored in plain text in the
        # manifest, and it is visible to anyone who can read this RC or its
        # pods through the API. Acceptable only in a throwaway lab; otherwise
        # keep it in a Secret and reference it with valueFrom.secretKeyRef.
        - name: MYSQL_ROOT_PASSWORD
          value: "123456"

各个字段说明

  • kind:副本控制器RC
  • metadata.name:RC的名称,全局唯一
  • spec.selector.app:符合目标的Pod拥有此标签
  • spec.replicas:Pod副本期待数量
  • spec.template:根据此模版创建Pod的副本(实例)
  • spec.template.metadata.labels:Pod副本拥有的标签,对应RC的Selector
  • spec.template.spec.containers:Pod内容器的定义部分
  • spec.template.spec.containers.name:容器的名字
  • spec.template.spec.containers.image:容器对应的Docker Image
  • spec.template.spec.containers.ports.containerPort:容器对应的端口号
  • spec.template.spec.containers.env:注入到容器内的环境变量

发布Mysql RC文件到集群中

[root@spareribs ~]# kubectl create -f mysql-rc.yaml
replicationcontroller "mysql" created

查询Mysql RC信息和Pod信息

Mysql RC
  • 从RC定义创建的Pod需要花一定的时间等待,特别是第一次拉取容器的镜像需要一段时间,所以Pod的状态一开始有可能是Pending,最终才变为Running。
[root@spareribs ~]# kubectl get rc
NAME      DESIRED   CURRENT   READY     AGE
mysql     1         1         1         1m

[root@spareribs ~]# kubectl get pods
NAME          READY     STATUS    RESTARTS   AGE
mysql-rfrvk   1/1       Running   0          22s

[root@spareribs ~]# docker ps | grep mysql

定义一个Service文件

分析

  • metadata.name:是Service的服务名(ServiceName)
  • spec.ports.port:定义了Service的虚拟端口
  • spec.selector:确定了哪些Pod副本(实例)对应到本服务
[root@spareribs ~]# vi mysql-svc.yaml
# mysql-svc.yaml: Service in front of the MySQL pod.
apiVersion: v1
kind: Service
metadata:
  name: mysql
spec:
  # No "type" is set, so this is a default ClusterIP Service: it gets a
  # virtual IP that is reachable from inside the cluster only, which keeps
  # the database off the node's external interfaces.
  ports:
  - port: 3306
  # Traffic is forwarded to pods carrying this label (the pods created by the
  # mysql ReplicationController).
  selector:
    app: mysql

各个字段说明

  • kind:标明是Kubernetes Services
  • metadata.name:Service的全局唯一名称
  • spec.ports.port:Service提供服务的端口号
  • spec.selector:Service对应的Pod拥有这里定义的标签

发布Mysql SVC文件到集群中

[root@spareribs ~]# kubectl create -f mysql-svc.yaml
service "mysql" created

查询SVC文件信息

分析

  • Mysql服务被分配了一个值为10.254.209.200的虚拟IP地址(CLUSTER-IP),Kubernetes集群中创建的Pod就可以通过Services的10.254.209.200(Cluster IP)+ 3306(端口号)来链接和访问
  • Cluster IP由Kubernetes自动分配,其他的Pod无法预先知道某个Service的Cluster IP地址
  • Kubernetes利用Linux的环境变量(Environment Variable)来解决这个问题,Service的名字唯一,容器可以从环境变量中获取到Service对应的Cluster IP地址和端口,从而发起TCP/IP链接请求
[root@spareribs ~]# kubectl get svc
NAME         CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
kubernetes   10.254.0.1               443/TCP          22h
mysql        10.254.209.200           3306/TCP         7s

启动Tomcat应用

定义Tomcat RC文件

分析

  • MYSQL_SERVICE_HOST这个环境变量对应Mysql服务的服务名(svc)
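# myweb-rc.yaml: ReplicationController that keeps five Tomcat pods running.
# apiVersion was missing from the listing; kubectl needs it to identify the
# object's schema.
apiVersion: v1
kind: ReplicationController
metadata:
  name: myweb
spec:
  replicas: 5
  # The selector must match template.metadata.labels below.
  selector:
    app: myweb
  template:
    metadata:
      labels:
        app: myweb
    spec:
      containers:
      # The container is named "mysql" although it runs the Tomcat image; the
      # name is only a label inside the pod and is kept as the author wrote it.
      - name: mysql
        image: kubeguide/tomcat-app:v1
        ports:
        - containerPort: 8080
        env:
        # Tell the web app where to find the database.
        # NOTE(review): 'mysql' is a hostname, so it only resolves if a
        # cluster DNS add-on is running; none is set up on this page. Verify,
        # or use the Service's cluster IP instead.
        - {name: MYSQL_SERVICE_HOST,value: 'mysql'}
        - {name: MYSQL_SERVICE_PORT,value: '3306'}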

发布Tomcat RC文件到集群中

[root@spareribs ~]# kubectl create -f myweb-rc.yaml
replicationcontroller "myweb" created

查询Tomcat RC信息

Tomcat RC
[root@spareribs ~]# kubectl get rc
NAME      DESIRED   CURRENT   READY     AGE
mysql     1         1         1         1h
myweb     5         5         5         30s

[root@spareribs ~]# kubectl get pods
NAME          READY     STATUS    RESTARTS   AGE
mysql-rfrvk   1/1       Running   0          1h
myweb-3zt4g   1/1       Running   0          33s
myweb-5d263   1/1       Running   0          33s
myweb-9p8nb   1/1       Running   0          33s
myweb-zgcvn   1/1       Running   0          33s
myweb-zvj9c   1/1       Running   0          33s

[root@spareribs ~]# docker ps | grep myweb

定义一个Service文件

  • spec.type:NodePort和spec.ports.nodePort:30001,标明Service开启了NodePort方式的外网访问模式,可以通过30001这个端口访问myweb(对应到8080的虚拟端口上)
# myweb-svc.yaml: Service that publishes the Tomcat pods outside the cluster.
apiVersion: v1
kind: Service
metadata:
  name: myweb
spec:
  # NodePort opens the chosen port on the node itself. With firewalld
  # disabled earlier on this page, port 30001 is reachable by every host that
  # can reach the node, and nothing in this manifest adds authentication or
  # TLS in front of the application. Restrict access at the network level if
  # the node is not on an isolated lab network.
  type: NodePort
  ports:
  # port is the Service's in-cluster port; no targetPort is given, so traffic
  # is sent to the same port number (8080) on the pods.
  - port: 8080
    nodePort: 30001
  selector:
    app: myweb

发布Tomcat SVC文件到集群中

[root@spareribs ~]# kubectl create -f myweb-svc.yaml
service "myweb" created

查询Tomcat SVC信息

[root@spareribs ~]# kubectl get svc
NAME         CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
kubernetes   10.254.0.1               443/TCP          23h
mysql        10.254.209.200           3306/TCP         1h
myweb        10.254.216.52           8080:30001/TCP   7s

访问测试(尚未成功,提示权限受限)

待我深入熟悉后再研究下这个怎么解决
