k8s: Pod configuration

Pod configuration

View the attributes of pod.spec.containers:

[root@master ~]# kubectl explain pod.spec.containers
KIND:     Pod
VERSION:  v1

RESOURCE: containers <[]Object>

DESCRIPTION:
     List of containers belonging to the pod. Containers cannot currently be
     added or removed. There must be at least one container in a Pod. Cannot be
     updated.

     A single application container that you want to run within a pod.

FIELDS:
   args    <[]string>
     Arguments to the entrypoint. The docker image's CMD is used if this is not
     provided. Variable references $(VAR_NAME) are expanded using the
     container's environment. If a variable cannot be resolved, the reference in
     the input string will be unchanged. The $(VAR_NAME) syntax can be escaped
     with a double $$, ie: $$(VAR_NAME). Escaped references will never be
     expanded, regardless of whether the variable exists or not. Cannot be
     updated. More info:
     https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell

   command    <[]string>
     Entrypoint array. Not executed within a shell. The docker image's
     ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME)
     are expanded using the container's environment. If a variable cannot be
     resolved, the reference in the input string will be unchanged. The
     $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME).
     Escaped references will never be expanded, regardless of whether the
     variable exists or not. Cannot be updated. More info:
     https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell

   env    <[]Object>
     List of environment variables to set in the container. Cannot be updated.

   envFrom    <[]Object>
     List of sources to populate environment variables in the container. The
     keys defined within a source must be a C_IDENTIFIER. All invalid keys will
     be reported as an event when the container is starting. When a key exists
     in multiple sources, the value associated with the last source will take
     precedence. Values defined by an Env with a duplicate key will take
     precedence. Cannot be updated.

   image    <string>
     Docker image name. More info:
     https://kubernetes.io/docs/concepts/containers/images This field is
     optional to allow higher level config management to default or override
     container images in workload controllers like Deployments and StatefulSets.

   imagePullPolicy    <string>
     Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always
     if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated.
     More info:
     https://kubernetes.io/docs/concepts/containers/images#updating-images

   lifecycle    <Object>
     Actions that the management system should take in response to container
     lifecycle events. Cannot be updated.

   livenessProbe    <Object>
     Periodic probe of container liveness. Container will be restarted if the
     probe fails. Cannot be updated. More info:
     https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

   name    <string> -required-
     Name of the container specified as a DNS_LABEL. Each container in a pod
     must have a unique name (DNS_LABEL). Cannot be updated.

   ports    <[]Object>
     List of ports to expose from the container. Exposing a port here gives the
     system additional information about the network connections a container
     uses, but is primarily informational. Not specifying a port here DOES NOT
     prevent that port from being exposed. Any port which is listening on the
     default "0.0.0.0" address inside a container will be accessible from the
     network. Cannot be updated.

   readinessProbe    <Object>
     Periodic probe of container service readiness. Container will be removed
     from service endpoints if the probe fails. Cannot be updated. More info:
     https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

   resources    <Object>
     Compute Resources required by this container. Cannot be updated. More info:
     https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/

   securityContext    <Object>
     Security options the pod should run with. More info:
     https://kubernetes.io/docs/concepts/policy/security-context/ More info:
     https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

   startupProbe    <Object>
     StartupProbe indicates that the Pod has successfully initialized. If
     specified, no other probes are executed until this completes successfully.
     If this probe fails, the Pod will be restarted, just as if the
     livenessProbe failed. This can be used to provide different probe
     parameters at the beginning of a Pod's lifecycle, when it might take a long
     time to load data or warm a cache, than during steady-state operation. This
     cannot be updated. This is an alpha feature enabled by the StartupProbe
     feature flag. More info:
     https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

   stdin    <boolean>
     Whether this container should allocate a buffer for stdin in the container
     runtime. If this is not set, reads from stdin in the container will always
     result in EOF. Default is false.

   stdinOnce    <boolean>
     Whether the container runtime should close the stdin channel after it has
     been opened by a single attach. When stdin is true the stdin stream will
     remain open across multiple attach sessions. If stdinOnce is set to true,
     stdin is opened on container start, is empty until the first client
     attaches to stdin, and then remains open and accepts data until the client
     disconnects, at which time stdin is closed and remains closed until the
     container is restarted. If this flag is false, a container processes that
     reads from stdin will never receive an EOF. Default is false

   terminationMessagePath    <string>
     Optional: Path at which the file to which the container's termination
     message will be written is mounted into the container's filesystem. Message
     written is intended to be brief final status, such as an assertion failure
     message. Will be truncated by the node if greater than 4096 bytes. The
     total message length across all containers will be limited to 12kb.
     Defaults to /dev/termination-log. Cannot be updated.

   terminationMessagePolicy    <string>
     Indicate how the termination message should be populated. File will use the
     contents of terminationMessagePath to populate the container status message
     on both success and failure. FallbackToLogsOnError will use the last chunk
     of container log output if the termination message file is empty and the
     container exited with an error. The log output is limited to 2048 bytes or
     80 lines, whichever is smaller. Defaults to File. Cannot be updated.

   tty    <boolean>
     Whether this container should allocate a TTY for itself, also requires
     'stdin' to be true. Default is false.

   volumeDevices    <[]Object>
     volumeDevices is the list of block devices to be used by the container.
     This is a beta feature.

   volumeMounts    <[]Object>
     Pod volumes to mount into the container's filesystem. Cannot be updated.

   workingDir    <string>
     Container's working directory. If not specified, the container runtime's
     default will be used, which might be configured in the container image.
     Cannot be updated.

Basic configuration

Create the file pod-base.yaml with the following content:

apiVersion: v1
kind: Pod
metadata: 
  name: pod-base
  namespace: dev
  labels:
    user: ayanami
spec:
  containers:
  - name: nginx
    image: nginx:1.17.1
  - name: busybox
    image: busybox:1.30

The above defines a fairly simple Pod configuration with two containers:

  • nginx: created from the nginx image, version 1.17.1 (nginx is a lightweight web server)
  • busybox: created from the busybox image, version 1.30 (busybox is a compact collection of Linux command-line tools)

Apply the configuration file

[root@master ~]# vim pod-base.yaml
[root@master ~]# kubectl create -f pod-base.yaml 
pod/pod-base created
[root@master ~]# kubectl get pod -n dev
NAME       READY   STATUS              RESTARTS   AGE
pod-base   0/2     ContainerCreating   0          14s
[root@master ~]# kubectl get pod -n dev
NAME       READY   STATUS    RESTARTS   AGE
pod-base   1/2     Running   1          33s
[root@master ~]# kubectl get pod -n dev
NAME       READY   STATUS             RESTARTS   AGE
pod-base   1/2     CrashLoopBackOff   2          63s
[root@master ~]# kubectl get pod -n dev
NAME       READY   STATUS             RESTARTS   AGE
pod-base   1/2     CrashLoopBackOff   4          2m30s

Notice that the pod keeps re-creating one of its containers: READY stays at 1/2 and RESTARTS keeps climbing.

Image pulling

Create the file pod-imagepullpolicy.yaml with the following content:

apiVersion: v1
kind: Pod
metadata: 
  name: pod-imagepullpolicy
  namespace: dev
  labels:
    user: ayanami
spec:
  containers:
  - name: nginx
    image: nginx:1.17.1
    imagePullPolicy: Always  # sets the image pull policy
  - name: busybox
    image: busybox:1.30

imagePullPolicy sets the image pull policy; k8s supports three policies:

  • Always: always pull the image from the remote registry (remote every time)
  • IfNotPresent: use the local image if one exists, otherwise pull from the remote registry (local if present, remote if not)
  • Never: only use the local image, never pull from the remote registry, and fail if the image is not present locally (local every time)

Default values:

  • If the image tag is a specific version number, the default policy is IfNotPresent
  • If the image tag is :latest, the default policy is Always

Apply the configuration file

[root@master ~]# vim pod-imagepullpolicy.yaml
[root@master ~]# kubectl create -f pod-imagepullpolicy.yaml 
pod/pod-imagepullpolicy created
[root@master ~]# kubectl get pod -n dev
NAME                  READY   STATUS              RESTARTS   AGE
pod-base              1/2     CrashLoopBackOff    11         32m
pod-imagepullpolicy   0/2     ContainerCreating   0          12s

Startup command

In the previous examples one problem was left unresolved: the busybox container never ran successfully. What exactly causes this container to fail?

This is because busybox is not a long-running program but a collection of command-line tools; once k8s starts it, it has nothing to do and exits, so k8s restarts it again and again. The fix is to give it something to keep running, which is what the command setting is for.

Create the file pod-command.yaml with the following content:

apiVersion: v1
kind: Pod
metadata: 
  name: pod-command
  namespace: dev
spec:
  containers:
  - name: nginx
    image: nginx:1.17.1
    imagePullPolicy: Always  # sets the image pull policy
  - name: busybox
    image: busybox:1.30
    command: ["/bin/sh","-c","touch /tmp/hello.txt;while true;do /bin/echo $(date +%T) >> /tmp/hello.txt;sleep 3;done;"]

Explanation of the command above:

"/bin/sh","-c": run the following string with sh

touch /tmp/hello.txt; creates the file /tmp/hello.txt

while true;do /bin/echo $(date +%T) >> /tmp/hello.txt;sleep 3;done; appends the current time to the file every three seconds

Apply the configuration file

[root@master ~]# vim pod-command.yaml
[root@master ~]# kubectl create -f pod-command.yaml 
pod/pod-command created
[root@master ~]# kubectl get pod -n dev
NAME                  READY   STATUS             RESTARTS   AGE
pod-base              1/2     CrashLoopBackOff   15         53m
pod-command           2/2     Running            0          21s
pod-imagepullpolicy   1/2     CrashLoopBackOff   8          20m

Enter the container and look at the file

[root@master ~]# kubectl exec pod-command -n dev -it -c busybox /bin/sh
/ # tail -f /tmp/hello.txt
13:27:57
13:28:00
13:28:03
13:28:06
13:28:09
13:28:12
13:28:15
13:28:18
13:28:21
13:28:24
13:28:27

Note:

From the above, command alone can already set the startup command and pass arguments, so why is there also an args option for passing arguments?

This is related to Docker: the command and args fields in k8s override the ENTRYPOINT and CMD configured in the Dockerfile:

  • If neither command nor args is written, the Dockerfile configuration is used
  • If command is written but args is not, the Dockerfile defaults are ignored and the given command is executed
  • If command is not written but args is, the ENTRYPOINT configured in the Dockerfile is executed with the given args as its arguments
  • If both command and args are written, the Dockerfile configuration is ignored and command is executed with args appended
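The four cases above, together with the $(VAR_NAME) expansion rules quoted from kubectl explain earlier on this page, can be captured in a small resolver. The following is an added example, not code from the original post: effective_argv computes the argv the container runtime receives from a hypothetical image's ENTRYPOINT/CMD and the pod's command/args, and expand_refs applies the documented rules (known variables substituted, unknown references left as written, $$(VAR) emitted literally). The image ENTRYPOINT and CMD values are constructed for the illustration.

```python
import re

# Matches $(NAME) and the escaped form $$(NAME); group 1 is "$" when escaped.
# Like Kubernetes, the reference runs up to the next ')' whatever it contains.
_REF = re.compile(r"\$(\$?)\(([^)]+)\)")


def expand_refs(text, env):
    """Expand $(VAR) references as pod.spec.containers documents it: known
    variables are substituted, unknown references are left exactly as written,
    and $$(VAR) becomes the literal $(VAR) without ever being expanded."""
    def repl(m):
        escaped, name = m.group(1), m.group(2)
        if escaped:
            return "$(%s)" % name
        return env.get(name, m.group(0))
    return _REF.sub(repl, text)


def effective_argv(entrypoint, cmd, command=None, args=None, env=None):
    """Argv handed to the container runtime for one container.

    entrypoint/cmd: the image's Dockerfile ENTRYPOINT and CMD (exec form).
    command/args:   the pod spec fields; None means the field was not written.
    env:            the container's environment, used for $(VAR) expansion.
    """
    env = env or {}
    if command is None and args is None:   # neither: Dockerfile as-is
        argv = list(entrypoint) + list(cmd)
    elif args is None:                      # command only: Dockerfile ignored
        argv = list(command)
    elif command is None:                   # args only: ENTRYPOINT + args
        argv = list(entrypoint) + list(args)
    else:                                   # both: command + args
        argv = list(command) + list(args)
    return [expand_refs(a, env) for a in argv]


# Constructed image: a hypothetical Dockerfile with
#   ENTRYPOINT ["/app/server"]
#   CMD ["--port", "8080"]
ENTRYPOINT = ["/app/server"]
CMD = ["--port", "8080"]

# The busybox command from pod-command.yaml on this page, as the pod spec carries it.
BUSYBOX_COMMAND = [
    "/bin/sh", "-c",
    "touch /tmp/hello.txt;while true;do /bin/echo $(date +%T) >> /tmp/hello.txt;sleep 3;done;",
]

if __name__ == "__main__":
    cases = {
        "neither":      effective_argv(ENTRYPOINT, CMD),
        "command only": effective_argv(ENTRYPOINT, CMD, command=BUSYBOX_COMMAND),
        "args only":    effective_argv(ENTRYPOINT, CMD, args=["--port", "$(PORT)"],
                                       env={"PORT": "9090"}),
        "both":         effective_argv(ENTRYPOINT, CMD, command=["/bin/echo"],
                                       args=["$$(PORT)"], env={"PORT": "9090"}),
    }
    for label, argv in cases.items():
        print("%-13s %s" % (label, argv))
```

Note that $(date +%T) in the busybox command survives unchanged because "date +%T" is not a container environment variable, so it reaches the shell as written and is evaluated there; a reference that does match an environment variable name would be replaced by Kubernetes before the shell ever sees it.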

Environment variables

Create the file pod-env.yaml with the following content:

apiVersion: v1
kind: Pod
metadata: 
  name: pod-env
  namespace: dev
spec:
  containers:
  - name: busybox
    image: busybox:1.30
    command: ["/bin/sh","-c","while true;do /bin/echo $(date +%T);sleep 60;done;"]
    env: # list of environment variables to set
    - name: "username"
      value: "admin"
    - name: "password"
      value: "123456"

Apply the configuration file

[root@master ~]# vim pod-env.yaml
[root@master ~]# kubectl create -f pod-env.yaml 
pod/pod-env created
[root@master ~]# kubectl get pod -n dev
NAME                  READY   STATUS             RESTARTS   AGE
pod-base              1/2     CrashLoopBackOff   24         102m
pod-command           2/2     Running            0          49m
pod-env               1/1     Running            0          23s
pod-imagepullpolicy   1/2     CrashLoopBackOff   18         69m

Enter the container

[root@master ~]# kubectl exec -it pod-env -n dev -c busybox /bin/sh
/ # echo $username
admin
/ # echo $password
123456
/ # exit

This approach is not recommended, though: the values sit in plain text inside the Pod definition. The recommended practice is to keep them in configuration files instead.

Port settings

View the ports resource

[root@master ~]# kubectl explain pod.spec.containers.ports
KIND:     Pod
VERSION:  v1

RESOURCE: ports <[]Object>

DESCRIPTION:
     List of ports to expose from the container. Exposing a port here gives the
     system additional information about the network connections a container
     uses, but is primarily informational. Not specifying a port here DOES NOT
     prevent that port from being exposed. Any port which is listening on the
     default "0.0.0.0" address inside a container will be accessible from the
     network. Cannot be updated.

     ContainerPort represents a network port in a single container.

FIELDS:
   containerPort    <integer> -required-
     Number of port to expose on the pod's IP address. This must be a valid port
     number, 0 < x < 65536.

   hostIP    <string>
     What host IP to bind the external port to.

   hostPort    <integer>
     Number of port to expose on the host. If specified, this must be a valid
     port number, 0 < x < 65536. If HostNetwork is specified, this must match
     ContainerPort. Most containers do not need this.

   name    <string>
     If specified, this must be an IANA_SVC_NAME and unique within the pod. Each
     named port in a pod must have a unique name. Name for the port that can be
     referred to by services.

   protocol    <string>
     Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP".

Next, create pod-ports.yaml

apiVersion: v1
kind: Pod
metadata: 
  name: pod-ports
  namespace: dev
spec:
  containers:
  - name: nginx
    image: nginx:1.17.1
    ports: 
    - name: nginx-port
      containerPort: 80
      protocol: TCP

Apply the configuration file

[root@master ~]# vim pod-ports.yaml
[root@master ~]# kubectl create -f pod-ports.yaml 
pod/pod-ports created
[root@master ~]# kubectl get pod -n dev
NAME                  READY   STATUS             RESTARTS   AGE
pod-base              1/2     CrashLoopBackOff   28         123m
pod-command           2/2     Running            0          70m
pod-env               1/1     Running            0          21m
pod-imagepullpolicy   1/2     CrashLoopBackOff   22         90m
pod-ports             1/1     Running            0          22s
[root@master ~]# kubectl get pod pod-ports -n dev -o wide
NAME        READY   STATUS    RESTARTS   AGE   IP            NODE    NOMINATED NODE   READINESS GATES
pod-ports   1/1     Running   0          48s   10.244.2.14   node1   <none>           <none>

View the details

[root@master ~]# kubectl get pod pod-ports -n dev -o yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2021-07-03T14:35:34Z"
  name: pod-ports
  namespace: dev
  resourceVersion: "211552"
  selfLink: /api/v1/namespaces/dev/pods/pod-ports
  uid: 10cfe547-7401-4f09-b86f-0d077a0e2492
spec:
  containers:
  - image: nginx:1.17.1
    imagePullPolicy: IfNotPresent
    name: nginx
    ports:
    - containerPort: 80
      name: nginx-port
      protocol: TCP
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-cd422
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  nodeName: node1
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: default-token-cd422
    secret:
      defaultMode: 420
      secretName: default-token-cd422
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2021-07-03T14:35:34Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2021-07-03T14:35:36Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2021-07-03T14:35:36Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2021-07-03T14:35:34Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: docker://2b9d56ea17e1fa4deb89dfd971309bf99e9210947c740aa84d0c761968b42dd0
    image: nginx:1.17.1
    imageID: docker-pullable://nginx@sha256:b4b9b3eee194703fc2fa8afa5b7510c77ae70cfba567af1376a573a967c03dbb
    lastState: {}
    name: nginx
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2021-07-03T14:35:35Z"
  hostIP: 192.168.145.132
  phase: Running
  podIP: 10.244.2.14
  podIPs:
  - ip: 10.244.2.14
  qosClass: BestEffort
  startTime: "2021-07-03T14:35:34Z"

Port 80 is visible in the container's ports list.

Resource quota

A program running in a container necessarily consumes resources such as CPU and memory. If a container's resources are not limited, it may eat up a large share of them and leave other containers unable to run.

For this situation k8s provides a quota mechanism for memory and CPU. It is configured through the resources option, which has two sub-options:

  • limits: the maximum resources a running container may occupy; when the container exceeds its limits it is terminated and restarted
  • requests: the minimum resources the container needs; if the environment cannot provide them, the container will not start

These two options set the upper and lower bounds of the container's resources.

Next, write a test case: create pod-resources.yaml

apiVersion: v1
kind: Pod
metadata: 
  name: pod-resources
  namespace: dev
spec:
  containers:
  - name: nginx
    image: nginx:1.17.1
    resources: # resource quota
      limits: # resource limits (upper bound)
        cpu: "2" # cpu limit
        memory: "10Gi"  # memory limit
      requests: # requested resources (lower bound)
        cpu: "1"
        memory: "10Mi"  # memory request

Apply the configuration file

[root@master ~]# vim pod-resources.yaml
[root@master ~]# kubectl create -f pod-resources.yaml 
pod/pod-resources created
[root@master ~]# kubectl get pod pod-resources -n dev
NAME            READY   STATUS    RESTARTS   AGE
pod-resources   1/1     Running   0          16s

View

[root@master ~]# kubectl describe pod pod-resources -n dev
# the output contains:
    Limits:
      cpu:     2
      memory:  10Gi
    Requests:
      cpu:     1
      memory:  10Mi
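The points made in the imagePullPolicy defaults, the environment-variable section, the hostPort description from kubectl explain, and the resources section above are all checks a reviewer applies to a Pod manifest before it reaches a cluster. The following audit is an added example and not code from the original post: it takes a Pod manifest already parsed into Python structures (what yaml.safe_load would return) and reports unpinned images, credentials written as literal env values, hostPort bindings, missing limits, and requests that exceed their limits. The manifests are constructed here: the page's pod-env.yaml as-is, and a hardened version that reads the password from a hypothetical Secret named app-creds. One caveat on the limits bullet above: exceeding a memory limit gets the container OOM-killed and restarted, while exceeding a CPU limit only throttles it.

```python
import re

# Kubernetes quantity suffixes needed for cpu and memory values.
_BIN = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4}
_DEC = {"k": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9, "T": 10 ** 12}
# Env var names that usually carry credentials (heuristic, constructed here).
_CRED_NAME = re.compile(r"(?i)pass(word|wd)?|secret|token|api[_-]?key|credential")


def cpu_millis(q):
    """'2' -> 2000 millicores, '500m' -> 500, '0.5' -> 500."""
    q = str(q)
    return int(q[:-1]) if q.endswith("m") else int(round(float(q) * 1000))


def memory_bytes(q):
    """'10Mi' -> 10485760, '10Gi' -> 10737418240, '1G' -> 10**9, '1024' -> 1024."""
    q = str(q)
    for suffix, mult in list(_BIN.items()) + list(_DEC.items()):
        if q.endswith(suffix):
            return int(float(q[:-len(suffix)]) * mult)
    return int(float(q))


def default_pull_policy(image):
    """The default described above: Always for :latest or an untagged image,
    IfNotPresent for any other tag. A digest reference counts as pinned."""
    ref = image.rsplit("/", 1)[-1]          # drop registry/repository path
    if "@" in ref:
        return "IfNotPresent"
    if ":" not in ref or ref.endswith(":latest"):
        return "Always"
    return "IfNotPresent"


def audit_pod(pod):
    """Return (container, finding) pairs for a parsed Pod manifest."""
    findings = []
    parse = {"cpu": cpu_millis, "memory": memory_bytes}
    for c in pod.get("spec", {}).get("containers", []):
        name, image = c.get("name", "?"), c.get("image", "")
        if default_pull_policy(image) == "Always":
            findings.append((name, "image %r is not pinned; the node re-pulls it on every start" % image))
        for e in c.get("env", []):          # literal values for credential-like names
            if "value" in e and _CRED_NAME.search(e.get("name", "")):
                findings.append((name, "env %s is a plain-text literal; use valueFrom.secretKeyRef" % e["name"]))
        for p in c.get("ports", []):        # hostPort binds on the node itself
            if "hostPort" in p:
                findings.append((name, "containerPort %s binds hostPort %s on the node" % (p.get("containerPort"), p["hostPort"])))
        res = c.get("resources", {})
        lim, req = res.get("limits", {}), res.get("requests", {})
        for key in ("cpu", "memory"):
            if key not in lim:
                findings.append((name, "no %s limit; the container can consume the node's %s" % (key, key)))
            elif key in req and parse[key](req[key]) > parse[key](lim[key]):
                findings.append((name, "%s request exceeds its limit; the API server rejects this" % key))
    return findings


# Constructed manifests: pod-env.yaml from this page, and a hardened version.
POD_ENV = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "pod-env", "namespace": "dev"},
    "spec": {"containers": [{
        "name": "busybox", "image": "busybox:1.30",
        "env": [{"name": "username", "value": "admin"},
                {"name": "password", "value": "123456"}],
    }]},
}

POD_ENV_HARDENED = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "pod-env", "namespace": "dev"},
    "spec": {"containers": [{
        "name": "busybox", "image": "busybox:1.30",
        "env": [{"name": "username", "value": "admin"},
                {"name": "password",   # hypothetical Secret 'app-creds', key 'password'
                 "valueFrom": {"secretKeyRef": {"name": "app-creds", "key": "password"}}}],
        "resources": {"limits": {"cpu": "1", "memory": "128Mi"},
                      "requests": {"cpu": "500m", "memory": "64Mi"}},
    }]},
}

if __name__ == "__main__":
    for pod in (POD_ENV, POD_ENV_HARDENED):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```

The quantity parsers matter for the last check: "10Mi" and "10Gi" compare correctly only after conversion to bytes, and a request larger than its limit is rejected by the API server rather than silently clamped.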
Posted 2021-07-04 09:52 by 路过的柚子厨