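k8s cluster installation: creating a pod
All later installation steps build on the setup from the previous article: 1 master and 3 nodes.
YAML files are case-sensitive, are indented with spaces rather than tabs, and need a space between a key and its value. The top-level keys are:
- apiVersion: # API version
- kind: # resource type: pod, service, deployment and so on
- metadata: # attributes
- spec: # detailed specification
Create a YAML file for nginx: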
```
[root@master ~]# mkdir -p k8s/pod
[root@master ~]# cd k8s/pod
[root@master pod]# vi nginx_pod.yaml
```

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    app: web
spec:
  containers:
    - name: nginx
      image: nginx:1.13
      ports:
        - containerPort: 80
```
Create the pod from the YAML file. The command is kubectl create -f followed by the YAML file:
```
[root@master pod]# kubectl create -f nginx_pod.yaml
Error from server (ServerTimeout): error when creating "nginx_pod.yaml": No API token found for service account "default", retry after the token is automatically created and added to the service account
```
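This fails. Following the error message, edit the apiserver configuration file on the master, remove ServiceAccount from the admission control list, and create the pod again. With the ServiceAccount plugin removed, pods are created without an automatically mounted service account token, so this is a lab workaround. The error itself means that no token could be generated for the default service account, which is normally resolved by configuring a service account signing key (--service-account-key-file on kube-apiserver and --service-account-private-key-file on kube-controller-manager) rather than by disabling the plugin.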
```
[root@master pod]# vi /etc/kubernetes/apiserver
# remove ServiceAccount from the list below
# default admission control policies
KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"
[root@master pod]# systemctl restart kube-apiserver
[root@master pod]# kubectl create -f nginx_pod.yaml
pod "nginx" created
```
The pod's status, however, stays at ContainerCreating, so the next step is to look at its events:
```
[root@master pod]# kubectl get pods
NAME      READY     STATUS              RESTARTS   AGE
nginx     0/1       ContainerCreating   0          2m
```
kubectl describe pod nginx shows that the pod was scheduled to node2 and that pulling the image pod-infrastructure:latest failed. Pulling it manually on node2 also reports that the image cannot be fetched:
```
[root@master pod]# kubectl describe pod nginx
Name:           nginx
Namespace:      default
Node:           node2/192.168.85.32
Start Time:     Sun, 30 Aug 2020 10:50:45 +0800
Labels:         app=web
Status:         Pending
IP:
Controllers:    <none>
Containers:
  nginx:
    Container ID:
    Image:              nginx:1.13
    Image ID:
    Port:               80/TCP
    State:              Waiting
      Reason:           ContainerCreating
    Ready:              False
    Restart Count:      0
    Volume Mounts:      <none>
    Environment Variables:      <none>
Conditions:
  Type          Status
  Initialized   True
  Ready         False
  PodScheduled  True
No volumes.
QoS Class:      BestEffort
Tolerations:    <none>
Events:
  FirstSeen  LastSeen  Count  From                  SubObjectPath  Type      Reason      Message
  ---------  --------  -----  ----                  -------------  --------  ------      -------
  3m         3m        1      {default-scheduler }                 Normal    Scheduled   Successfully assigned nginx to node2
  3m         1m        4      {kubelet node2}                      Warning   FailedSync  Error syncing pod, skipping: failed to "StartContainer" for "POD" with ErrImagePull: "image pull failed for registry.access.redhat.com/rhel7/pod-infrastructure:latest, this may be because there are no credentials on this request.  details: (open /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt: no such file or directory)"
  2m         7s        10     {kubelet node2}                      Warning   FailedSync  Error syncing pod, skipping: failed to "StartContainer" for "POD" with ImagePullBackOff: "Back-off pulling image \"registry.access.redhat.com/rhel7/pod-infrastructure:latest\""

[root@node2 ~]# docker pull registry.access.redhat.com/rhel7/pod-infrastructure:latest
Trying to pull repository registry.access.redhat.com/rhel7/pod-infrastructure ...
open /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt: no such file or directory
```
Look at the kubelet configuration file on node2, /etc/kubernetes/kubelet:
```
# pod infrastructure container
KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest"
# change it to an image path found with docker search pod-infrastructure
KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=docker.io/tianyebj/pod-infrastructure:latest"
```
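Restart the kubelet service on node2 and run describe on the master again. The download address for pod-infrastructure:latest is now the path set in the kubelet configuration file, but the pull still times out: the image is hosted overseas, so the download takes a long time. Note that docker.io/tianyebj/pod-infrastructure is a third-party image found through docker search, not the Red Hat image, and it runs as the infra container of every pod on the node.
Configure a registry mirror: edit the Docker configuration file /etc/sysconfig/docker and change the original OPTIONS to the following, where the IP is the master's address: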
```
OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false --registry-mirror=https://registry.docker-cn.com --insecure-registry=192.168.85.30:5000'
```
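Restart docker. Download progress can be watched in /var/lib/docker/tmp, the temporary directory for image layers, but the download is extremely slow, so it is better to upload an image archive that has already been downloaded and import it with docker load.
For a pod created this way, if you run kubectl delete pod nginx and then create it again with kubectl apply -f nginx_pod.yaml, it may be scheduled to node1. node1 then has to go through everything node2 did: editing the kubelet configuration file, configuring the mirror, and waiting for the very slow image download. For that reason the usual recommendation is to set up a private Harbor registry, upload the base images to it, and from then on pull the required images from Harbor over the internal network.
To save resources, this setup uses the official registry image instead.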
```
[root@master pod]# docker search registry
INDEX       NAME                                      DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
docker.io   docker.io/registry                        The Docker Registry 2.0 implementation for...   3064      [OK]
docker.io   docker.io/distribution/registry           WARNING: NOT the registry official image!!...   57                   [OK]
docker.io   docker.io/stefanscherer/registry-windows  Containerized docker registry for Windows ...   32
docker.io   docker.io/budry/registry-arm              Docker registry build for Raspberry PI 2 a...   18
docker.io   docker.io/deis/registry                   Docker image registry for the Deis open so...   12
docker.io   docker.io/jc21/registry-ui                A nice web interface for managing your Doc...   12
……
[root@master pod]# docker pull docker.io/registry    # download the official registry image
[root@master pod]# docker images
REPOSITORY           TAG       IMAGE ID       CREATED        SIZE
docker.io/busybox    latest    018c9d7b792b   4 weeks ago    1.22 MB
docker.io/registry   latest    2d4f4b5309b1   2 months ago   26.2 MB
[root@master pod]# docker run -d -p 5000:5000 --restart=always --name registry -v /opt/myregistry:/var/lib/registry registry    # create the private registry
daf346fb2c98d11f8ac261d8568339723a6f5f7df40df907cbc07b5fe2166759
[root@master pod]# docker ps
CONTAINER ID   IMAGE      COMMAND                  CREATED         STATUS         PORTS                    NAMES
daf346fb2c98   registry   "/entrypoint.sh /e..."   8 seconds ago   Up 6 seconds   0.0.0.0:5000->5000/tcp   registry
```
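Edit the Docker configuration file /etc/sysconfig/docker. The --insecure-registry entry is needed because the registry started above serves plain HTTP on port 5000 with no TLS and no authentication, so any host that can reach that port can push or replace images in it.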
```
# the IP is the master's address
OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false --registry-mirror=https://registry.docker-cn.com --insecure-registry=192.168.85.30:5000'
```
Edit the kubelet configuration file /etc/kubernetes/kubelet:
```
# pod infrastructure container
KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=192.168.85.30:5000/pod-infrastructure:latest"
```
Restart the docker and kubelet services, then push the images that have already been downloaded to the private registry at 192.168.85.30:5000/.
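An added example, not code from the original post: a small audit of the three files edited in this walkthrough (/etc/kubernetes/apiserver, /etc/sysconfig/docker, /etc/kubernetes/kubelet) that reports each setting the procedure relaxes. The function names and the SAMPLE_* inputs are assumptions, constructed from the values shown above.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: report the settings this
# walkthrough relaxes. The SAMPLE_* inputs are constructed from the page.

# Print the quoted value of KEY from config text; commented lines are skipped.
cfg_value() {  # $1 = file contents, $2 = key
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=\([\"']\)\(.*\)\1.*/\2/p" | tail -n 1
}

audit_apiserver() {  # $1 = contents of /etc/kubernetes/apiserver
  local plugins
  plugins=$(cfg_value "$1" KUBE_ADMISSION_CONTROL)
  case ",${plugins#--admission-control=}," in
    *,ServiceAccount,*) ;;
    *) echo "apiserver: ServiceAccount admission plugin not enabled" ;;
  esac
}

audit_docker() {  # $1 = contents of /etc/sysconfig/docker
  local opt
  for opt in $(cfg_value "$1" OPTIONS); do
    case $opt in
      --signature-verification=false) echo "docker: signature verification disabled" ;;
      --insecure-registry=*) echo "docker: ${opt#*=} allowed without verified TLS" ;;
    esac
  done
}

audit_kubelet() {  # $1 = contents of /etc/kubernetes/kubelet
  local ref
  ref=$(cfg_value "$1" KUBELET_POD_INFRA_CONTAINER)
  ref=${ref#--pod-infra-container-image=}
  [ -n "$ref" ] || return 0
  case ${ref##*/} in                  # last path component, e.g. name:tag
    *@sha256:*) ;;                    # pinned by digest: nothing to report
    *:latest) echo "kubelet: $ref uses the mutable tag latest" ;;
    *:*) echo "kubelet: $ref is tagged but not pinned by digest" ;;
    *) echo "kubelet: $ref has no tag, so latest is implied" ;;
  esac
}

# Constructed samples mirroring the final state reached on this page.
SAMPLE_APISERVER='KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ResourceQuota"'
SAMPLE_DOCKER="OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false --registry-mirror=https://registry.docker-cn.com --insecure-registry=192.168.85.30:5000'"
SAMPLE_KUBELET='KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=192.168.85.30:5000/pod-infrastructure:latest"'

audit_apiserver "$SAMPLE_APISERVER"
audit_docker "$SAMPLE_DOCKER"
audit_kubelet "$SAMPLE_KUBELET"
```

On a real node, pass the file contents instead of the samples, for example audit_docker "$(cat /etc/sysconfig/docker)".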
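Common pod operations
- Create a pod: kubectl create -f yaml
- Update a pod: kubectl apply -f yaml
- List pods: kubectl get pods [-n namespace]
- Delete a pod: kubectl delete pod podname [--force [--grace-period=0]]
- Inspect pod creation: kubectl describe pod podname
Common container operations
- List running containers: docker ps
- Inspect a specific container: docker inspect dockername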