Introduction to Kubernetes Pods
1. Overview
A Pod is the basic unit of a Kubernetes system and the smallest component that a user creates or deploys.
2. Pod container types
Infrastructure Container: the infrastructure (pause) container
InitContainers: init containers
Containers: application containers
3. Image pull policy
IfNotPresent: the default; the image is pulled only when it is not already present on the host
Always: the image is pulled again every time the Pod is created
Never: the Pod never pulls the image on its own
Example: create a Pod from a YAML file
Write the Pod YAML file:
```
[root@m7-autocv-gpu01 demo]# cat pod1.yaml
apiVersion: v1
kind: Pod
metadata:
  name: myod
spec:
  containers:
  - name: nginx
    image: nginx:1.14
    imagePullPolicy: Always
```
Create the Pod:
```
[root@m7-autocv-gpu01 demo]# kubectl create -f pod1.yaml
pod/myod created
[root@m7-autocv-gpu01 demo]# kubectl get pods
NAME   READY   STATUS    RESTARTS   AGE
myod   1/1     Running   1          101s
```
Access the Pod and inspect the response headers:
```
[root@m7-autocv-gpu01 demo]# kubectl get pods -o wide
NAME   READY   STATUS    RESTARTS   AGE     IP            NODE              NOMINATED NODE   READINESS GATES
myod   1/1     Running   1          3m21s   172.30.40.5   m7-autocv-gpu01   <none>           <none>
[root@m7-autocv-gpu01 demo]# curl -I 172.30.40.5
HTTP/1.1 200 OK
Server: nginx/1.14.2        ### the nginx version is 1.14
Date: Sun, 27 Oct 2019 13:46:31 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 04 Dec 2018 14:44:49 GMT
Connection: keep-alive
ETag: "5c0692e1-264"
Accept-Ranges: bytes
```
To change the image, edit the YAML file directly:
```
[root@m7-autocv-gpu01 demo]# vi pod1.yaml
apiVersion: v1
kind: Pod
metadata:
  name: myod
spec:
  containers:
  - name: nginx
    image: nginx:1.15        # image version changed
    imagePullPolicy: Always
```
Update the Pod:
```
[root@m7-autocv-gpu01 demo]# kubectl apply -f pod1.yaml
pod/myod configured
[root@m7-autocv-gpu01 demo]# kubectl get pod myod -o wide
NAME   READY   STATUS    RESTARTS   AGE   IP            NODE              NOMINATED NODE   READINESS GATES
myod   1/1     Running   2          23m   172.30.40.5   m7-autocv-gpu01   <none>           <none>
[root@m7-autocv-gpu01 demo]# curl -I 172.30.40.5
HTTP/1.1 200 OK
Server: nginx/1.15.12       ### nginx has now been upgraded to 1.15
Date: Sun, 27 Oct 2019 14:06:53 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 16 Apr 2019 13:08:19 GMT
Connection: keep-alive
ETag: "5cb5d3c3-264"
Accept-Ranges: bytes
```
4. Pulling images from a private registry
Example:
The Harbor registry address is 10.10.100.36.
First verify that docker can log in to Harbor.
Note: edit /etc/docker/daemon.json and add your registry address to the trusted list. This must be done on every node; otherwise, when credentials are later configured for Kubernetes to pull from the private registry, the pull fails with a connection error.
```
[root@m7-autocv-gpu01 demo]# cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://hub-mirror.c.163.com", "https://docker.mirrors.ustc.edu.cn"],
  "insecure-registries": ["docker02:35000","10.10.100.36"],   ## add your own registry address inside the brackets; a host listed here is contacted over plain HTTP or with TLS certificate verification disabled
  "max-concurrent-downloads": 20,
  "live-restore": true,
  "max-concurrent-uploads": 10,
  "debug": true,
  "data-root": "/data/k8s/docker/data",
  "exec-root": "/data/k8s/docker/exec",
  "log-opts": {
    "max-size": "100m",
    "max-file": "5"
  }
}
```
Log in:
```
[root@m7-autocv-gpu01 demo]# docker login 10.10.100.36
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
```
Push a test image
First download a test image:
```
[root@m7-autocv-gpu01 demo]# docker pull tomcat
Using default tag: latest
latest: Pulling from library/tomcat
9a0b0ce99936: Pull complete
db3b6004c61a: Pull complete
f8f075920295: Pull complete
6ef14aff1139: Pull complete
962785d3b7f9: Pull complete
631589572f9b: Pull complete
c55a0c6f4c7b: Pull complete
379605d88e88: Pull complete
e056aa10ded8: Pull complete
6349a1c98d85: Pull complete
Digest: sha256:77e41dbdf7854f03b9a933510e8852c99d836d42ae85cba4b3bc04e8710dc0f7
Status: Downloaded newer image for tomcat:latest
```
Tag the image for upload:
```
[root@m7-autocv-gpu01 demo]# docker tag tomcat:latest 10.10.100.36/project/tomcat:latest
```
Push the image:
```
[root@m7-autocv-gpu01 demo]# docker push 10.10.100.36/project/tomcat:latest
The push refers to repository [10.10.100.36/project/tomcat]
65e5e74a1404: Pushed
38d8d468142f: Pushed
08579474bb30: Pushed
a8902d6047fe: Pushed
99557920a7c5: Pushed
7e3c900343d0: Pushed
b8f8aeff56a8: Pushed
687890749166: Pushed
2f77733e9824: Pushed
97041f29baff: Pushed
latest: digest: sha256:8aee1001456a722358557b9b1f6ee8eecad675b36e4be10f9238ccd8293bc856 size: 2422
[root@m7-autocv-gpu01 demo]#
```
At this point, running docker pull for this image on another node prompts for a login, and Kubernetes cannot pull it directly either.
Test pulling the image from the specified registry in Kubernetes.
First write the Deployment and Service YAML for a test application; this example uses tomcat:
```
[root@m7-autocv-gpu01 demo]# cat tomcat-deployment.yaml
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  labels:
    app: tomcat1027
  name: tomecat1027
spec:
  replicas: 2
  selector:
    matchLabels:
      app: tomcat1027
  template:
    metadata:
      labels:
        app: tomcat1027
    spec:
      containers:
      - image: tomcat:latest
        name: tomcat
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: tomcat1027-service
  labels:
    app: tomcat1027
spec:
  type: NodePort
  ports:
  - port: 80
    targetPort: 8080
  selector:
    app: tomcat1027
[root@m7-autocv-gpu01 demo]#
```
Deploy and verify:
```
[root@m7-autocv-gpu01 demo]# kubectl create -f tomcat-deployment.yaml
deployment.apps/tomecat1027 created
service/tomcat1027-service created
[root@m7-autocv-gpu01 demo]# kubectl get deployment,pods,svc
NAME                                READY   UP-TO-DATE   AVAILABLE   AGE
deployment.extensions/tomecat1027   2/2     2            2           118s

NAME                               READY   STATUS    RESTARTS   AGE
pod/tomecat1027-5cbb8cc886-rgrjg   1/1     Running   0          118s
pod/tomecat1027-5cbb8cc886-v4x6v   1/1     Running   0          118s

NAME                         TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE
service/tomcat1027-service   NodePort   10.254.211.250   <none>        80:32593/TCP   118s
```
Change the image location to the registry address we set up:
```
[root@m7-autocv-gpu01 demo]# cat tomcat-deployment.yaml
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  labels:
    app: tomcat1027
  name: tomecat1027
spec:
  replicas: 2
  selector:
    matchLabels:
      app: tomcat1027
  template:
    metadata:
      labels:
        app: tomcat1027
    spec:
      containers:
      - image: 10.10.100.36/project/tomcat:latest   ### image address changed to the private registry
        imagePullPolicy: Always   ## the image is already present locally from the earlier test; set the pull policy to Always so that the pull from the private registry is actually exercised
        name: tomcat
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: tomcat1027-service
  labels:
    app: tomcat1027
spec:
  type: NodePort
  ports:
  - port: 80
    targetPort: 8080
  selector:
    app: tomcat1027
```
Without credentials, Kubernetes cannot pull the image from the specified registry:
```
[root@m7-autocv-gpu01 demo]# kubectl apply -f tomcat-deployment.yaml
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
deployment.apps/tomecat1027 configured
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
service/tomcat1027-service configured
[root@m7-autocv-gpu01 demo]# kubectl get pods
NAME                           READY   STATUS         RESTARTS   AGE
tomecat1027-5cbb8cc886-rgrjg   1/1     Running        0          26m
tomecat1027-5cbb8cc886-v4x6v   1/1     Running        0          26m
tomecat1027-6f7478578f-gvn9f   0/1     ErrImagePull   0          11s   ### no credentials for the specified registry, so the image pull fails and the rolling update cannot proceed
```
To use this private registry, configure pull credentials for Kubernetes.
After docker logs in to the private registry, it writes a hidden config file, ~/.docker/config.json, in the home directory; base64-encoding that file produces the credential data for Kubernetes.
Encode the file:
```
[root@m7-autocv-gpu01 ~]# cat .docker/config.json |base64 -w 0
ewoJImF1dGhzIjogewoJCSIxMC4xMC4xMDAuMzYiOiB7CgkJCSJhdXRoIjogIllXUnRhVzQ2U0dGeVltOXlNVEl6TkRVPSIKCQl9Cgl9LAoJIkh0dHBIZWFkZXJzIjogewoJCSJVc2VyLUFnZW50IjogIkRvY2tlci1DbGllbnQvMTguMDkuMCAobGludXgpIgoJfQp9
```
Write the Secret YAML:
```
[root@m7-autocv-gpu01 ~]# cat registry-pull-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: registry-pull-secret
data:
  .dockerconfigjson: ewoJImF1dGhzIjogewoJCSIxMC4xMC4xMDAuMzYiOiB7CgkJCSJhdXRoIjogIllXUnRhVzQ2U0dGeVltOXlNVEl6TkRVPSIKCQl9Cgl9LAoJIkh0dHBIZWFkZXJzIjogewoJCSJVc2VyLUFnZW50IjogIkRvY2tlci1DbGllbnQvMTguMDkuMCAobGludXgpIgoJfQp9
type: kubernetes.io/dockerconfigjson
[root@m7-autocv-gpu01 ~]#
```
Create the Secret and verify:
```
[root@m7-autocv-gpu01 ~]# kubectl create -f registry-pull-secret.yaml
secret/registry-pull-secret created
[root@m7-autocv-gpu01 ~]# kubectl get secret
NAME                   TYPE                             DATA   AGE
registry-pull-secret   kubernetes.io/dockerconfigjson   1      12s
[root@m7-autocv-gpu01 ~]#
```
Reference the generated Secret in the application's YAML as the image pull credential:
```
[root@m7-autocv-gpu01 demo]# cat tomcat-deployment.yaml
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  labels:
    app: tomcat1027
  name: tomecat1027
spec:
  replicas: 2
  selector:
    matchLabels:
      app: tomcat1027
  template:
    metadata:
      labels:
        app: tomcat1027
    spec:
      imagePullSecrets:
      - name: registry-pull-secret   ### credential used to pull the image
      containers:
      - image: 10.10.100.36/project/tomcat:latest
        imagePullPolicy: Always
        name: tomcat
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: tomcat1027-service
  labels:
    app: tomcat1027
spec:
  type: NodePort
  ports:
  - port: 80
    targetPort: 8080
  selector:
    app: tomcat1027
```
Now update the pods from the specified registry:
```
[root@m7-autocv-gpu01 demo]# kubectl apply -f tomcat-deployment.yaml
deployment.apps/tomecat1027 created
service/tomcat1027-service created
[root@m7-autocv-gpu01 demo]# kubectl get pods
NAME                           READY   STATUS              RESTARTS   AGE
tomecat1027-67d6f5c689-dtwrv   1/1     Running             0          2s
tomecat1027-67d6f5c689-xgnfx   0/1     ContainerCreating   0          2s
[root@m7-autocv-gpu01 demo]# kubectl get pods
NAME                           READY   STATUS    RESTARTS   AGE
tomecat1027-67d6f5c689-dtwrv   1/1     Running   0          4s
tomecat1027-67d6f5c689-xgnfx   1/1     Running   0          4s
```
The pods now pull successfully from the private registry.
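The hand-made Secret above is only base64-encoded, so the YAML file is as sensitive as the registry password itself. The following added example (not code from the original post) builds a kubernetes.io/dockerconfigjson Secret with the same layout programmatically, lists which registries a pull Secret covers without printing credentials, and checks whether it covers the registry an image reference pulls from; the credentials in it are constructed placeholders, not the page's Harbor account.

```python
import base64
import json


def build_pull_secret(name, registry, username, password):
    """Secret manifest (dict) with the layout of the page's registry-pull-secret.yaml.

    data[".dockerconfigjson"] is base64 of a Docker config.json whose auths entry
    holds base64("user:password") for the registry, the same layout that
    `kubectl create secret docker-registry` writes.
    """
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {registry: {"auth": auth}}}
    payload = base64.b64encode(json.dumps(config).encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": payload},
    }


def _config_of(secret):
    """Decode the Docker config.json stored in a dockerconfigjson Secret."""
    return json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))


def secret_registries(secret):
    """Registries a pull Secret grants access to, without revealing the credentials."""
    return sorted(_config_of(secret).get("auths", {}))


def covers_image(secret, image):
    """True when the Secret has an auths entry for the registry an image pulls from."""
    registry = image.split("/", 1)[0]
    return "/" in image and registry in _config_of(secret).get("auths", {})


def decode_auth(secret, registry):
    """(username, password) stored for `registry`: base64 is encoding, not encryption."""
    auth = _config_of(secret)["auths"][registry]["auth"]
    user, _, password = base64.b64decode(auth).decode().partition(":")
    return user, password


if __name__ == "__main__":
    # Constructed placeholder credentials; not the page's Harbor account.
    secret = build_pull_secret("registry-pull-secret", "10.10.100.36", "admin", "placeholder-pw")
    print(json.dumps(secret, indent=2))
    print("grants access to:", secret_registries(secret))
```

Because `decode_auth` recovers the plaintext password from the manifest, keep Secret YAML out of version control and restrict `get secrets` permissions in RBAC.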
5. Resource control
Resource requests and limits for Pods and containers:
spec.containers[].resources.limits.cpu
spec.containers[].resources.limits.memory
spec.containers[].resources.requests.cpu
spec.containers[].resources.requests.memory
Configuration example:
```
spec:
  containers:
  - name: db
    image: mysql
    resources:
      requests:
        memory: "32Mi"
        cpu: "250m"
      limits:
        memory: "64Mi"
        cpu: "500m"
  - name: wp
    image: wordpress
    resources:
      requests:
        memory: "32Mi"
        cpu: "250m"
      limits:
        memory: "64Mi"
        cpu: "500m"
```
Full example:
```
[root@m7-autocv-gpu01 demo]# cat pod2.yaml
apiVersion: v1
kind: Pod
metadata:
  name: frontend
spec:
  containers:
  - name: db
    image: mysql
    env:
    - name: MYSQL_ROOT_PASSWORD
      value: "password"
    resources:
      requests:
        memory: "32Mi"
        cpu: "250m"
      limits:
        memory: "64Mi"
        cpu: "500m"
  - name: wp
    image: wordpress
    resources:
      requests:
        memory: "32Mi"
        cpu: "250m"
      limits:
        memory: "64Mi"
        cpu: "500m"
```
6. Restart policy
Always: always restart the container after it terminates; this is the default policy
OnFailure: restart the container only when it exits abnormally (non-zero exit code)
Never: never restart the container after it terminates
Configuration example (restartPolicy is a field of the Pod spec, not of a container):
```
spec:
  containers:
  - name: xxx
    image: xxx
  restartPolicy: Always/OnFailure/Never
```
Full example:
```
[root@m7-autocv-gpu01 demo]# cat pod3.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod3test
spec:
  containers:
  - name: busybox
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 10
  restartPolicy: Never
```
Check the result: after about 10 seconds the container state changes to Completed.
```
[root@m7-autocv-gpu01 demo]# kubectl get pods
NAME                READY   STATUS    RESTARTS   AGE
dnsutils-ds-8bqnn   1/1     Running   20         4d
dnsutils-ds-dcq6x   1/1     Running   20         4d
dnsutils-ds-p2t8h   1/1     Running   20         4d
nginx-ds-c2dnb      1/1     Running   13         156d
nginx-ds-pftz4      1/1     Running   5          4d
nginx-ds-tsd2j      1/1     Running   14         156d
pod3test            1/1     Running   0          11s
[root@m7-autocv-gpu01 demo]# kubectl get pods
NAME                READY   STATUS      RESTARTS   AGE
dnsutils-ds-8bqnn   1/1     Running     20         4d
dnsutils-ds-dcq6x   1/1     Running     20         4d
dnsutils-ds-p2t8h   1/1     Running     20         4d
nginx-ds-c2dnb      1/1     Running     13         156d
nginx-ds-pftz4      1/1     Running     5          4d
nginx-ds-tsd2j      1/1     Running     14         156d
pod3test            0/1     Completed   0          13s
```
7. Health checks
There are two kinds of probe:
livenessProbe: if the check fails, the container is killed and handled according to the Pod's restartPolicy
readinessProbe: if the check fails, Kubernetes removes the Pod from the Service endpoints
Supported methods: httpGet, exec, tcpSocket
Configuration example:
```
spec:
  containers:
  - name: xxx
    image: xxx
    livenessProbe:
      exec/httpGet/tcpSocket: ...
      initialDelaySeconds: n   ## start the health check n seconds after the container starts
      periodSeconds: n         ## check period: run the probe every n seconds
```
Full example:
```
[root@m7-autocv-gpu01 demo]# cat pod4.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod4test
spec:
  containers:
  - name: busybox
    image: busybox
    args:
    - /bin/sh
    - -c
    - touch /tmp/healthy; sleep 20; rm -rf /tmp/healthy; sleep 100
    livenessProbe:
      exec:
        command:
        - cat
        - /tmp/healthy
      initialDelaySeconds: 5
      periodSeconds: 5
[root@m7-autocv-gpu01 demo]# kubectl get pods
NAME       READY   STATUS    RESTARTS   AGE
pod4test   1/1     Running   1          83s
```
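The settings from sections 3, 4, 5 and 7 (pull policy and tag, registry of origin, resource limits, probes) are the ones a reviewer checks before a manifest is admitted. This added example (not code from the original post) audits a Pod object of the shape `kubectl get pod -o json` returns and reports the gaps; the registry allowlist and the sample Pod (built from the page's pod1.yaml) are constructed for the example.

```python
# Assumed allowlist for this example; 10.10.100.36 is the Harbor host used on this page.
ALLOWED_REGISTRIES = {"10.10.100.36"}


def registry_of(image):
    """Registry host of an image reference, or 'docker.io' when the reference has none."""
    head = image.split("/", 1)[0]
    if "/" in image and ("." in head or ":" in head or head == "localhost"):
        return head
    return "docker.io"


def audit_container(c):
    """Findings for one entry of spec.containers."""
    name, image = c.get("name", "?"), c.get("image", "")
    policy = c.get("imagePullPolicy", "IfNotPresent")
    findings = []
    if registry_of(image) not in ALLOWED_REGISTRIES:
        findings.append(f"{name}: image {image} is not from an allowed registry")
    if "@sha256:" not in image:  # a digest reference is immutable; a tag is not
        last = image.rsplit("/", 1)[-1]
        tag = last.split(":", 1)[1] if ":" in last else "latest"
        findings.append(f"{name}: mutable tag '{tag}'; pin the image by digest")
        if policy != "Always":
            findings.append(f"{name}: imagePullPolicy {policy} may run a stale cached image")
    if not c.get("resources", {}).get("limits"):
        findings.append(f"{name}: no resources.limits set")
    for probe in ("livenessProbe", "readinessProbe"):
        if probe not in c:
            findings.append(f"{name}: no {probe}")
    return findings


def audit_pod(pod):
    """Audit a Pod object shaped like the output of `kubectl get pod -o json`."""
    spec = pod.get("spec", {})
    containers = spec.get("containers", [])
    findings = [f for c in containers for f in audit_container(c)]
    if "imagePullSecrets" not in spec and any(
        registry_of(c.get("image", "")) != "docker.io" for c in containers
    ):
        findings.append("pod: private-registry image without imagePullSecrets")
    return findings


# Constructed sample: the parsed form of `kubectl get pod myod -o json` for pod1.yaml.
SAMPLE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "myod"},
              "spec": {"containers": [{"name": "nginx", "image": "nginx:1.14",
                                       "imagePullPolicy": "Always"}]}}

if __name__ == "__main__":
    for finding in audit_pod(SAMPLE_POD):
        print(finding)
```

To audit a live Pod, load the JSON from `kubectl get pod <name> -o json` with `json.load` and pass the result to `audit_pod`.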
8. Scheduling constraints
nodeName schedules the Pod onto the Node with the given name
nodeSelector schedules the Pod onto a Node whose labels match
nodeName configuration example:
```
spec:
  nodeName: x.x.x.x
  containers:
  - name: xxx
    image: xxx
```
or, with nodeSelector:
```
spec:
  nodeSelector:
    env_role: label
  containers:
  - name: xxx
    image: xxx
```
Full example:
```
[root@m7-autocv-gpu01 demo]# cat pod5.yaml
apiVersion: v1
kind: Pod
metadata:
  name: podtest5
  labels:
    app: nginx
spec:
  nodeName: m7-autocv-gpu02
  containers:
  - name: nginx
    image: nginx
[root@m7-autocv-gpu01 demo]# kubectl get pods
NAME       READY   STATUS    RESTARTS   AGE
podtest5   1/1     Running   0          7s
```
Check which node it was scheduled to:
```
[root@m7-autocv-gpu01 demo]# kubectl get pods -o wide
NAME       READY   STATUS    RESTARTS   AGE    IP            NODE              NOMINATED NODE   READINESS GATES
podtest5   1/1     Running   0          2m3s   172.30.88.4   m7-autocv-gpu02   <none>           <none>
[root@m7-autocv-gpu01 demo]# ## this bypasses the scheduler and creates the pod directly on the specified node
```
Labelling resources
Add a label to each node, using the name shown by kubectl get nodes; if the node name is an IP address, the label can be applied to that IP.
```
[root@m7-autocv-gpu01 demo]# kubectl get nodes
NAME              STATUS   ROLES    AGE    VERSION
m7-autocv-gpu01   Ready    <none>   160d   v1.14.0
m7-autocv-gpu02   Ready    <none>   160d   v1.14.0
m7-autocv-gpu03   Ready    <none>   160d   v1.14.0
[root@m7-autocv-gpu01 demo]# kubectl label nodes m7-autocv-gpu02 team=aa
node/m7-autocv-gpu02 labeled
[root@m7-autocv-gpu01 demo]# kubectl label nodes m7-autocv-gpu03 team=bb
node/m7-autocv-gpu03 labeled
[root@m7-autocv-gpu01 demo]# kubectl get nodes --show-labels
NAME              STATUS   ROLES    AGE    VERSION   LABELS
m7-autocv-gpu01   Ready    <none>   160d   v1.14.0   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/fluentd-ds-ready=true,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=m7-autocv-gpu01,kubernetes.io/os=linux
m7-autocv-gpu02   Ready    <none>   160d   v1.14.0   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=m7-autocv-gpu02,kubernetes.io/os=linux,team=aa
m7-autocv-gpu03   Ready    <none>   160d   v1.14.0   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/fluentd-ds-ready=true,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=m7-autocv-gpu03,kubernetes.io/os=linux,team=bb
[root@m7-autocv-gpu01 demo]#
```
nodeSelector configuration example:
```
spec:
  nodeSelector:
    key: value
  containers:
  - name: xxx
    image: xxx
```
Full example:
```
[root@m7-autocv-gpu01 demo]# cat pod6.yaml
apiVersion: v1
kind: Pod
metadata:
  name: podtest6
  labels:
    app: nginx
spec:
  nodeSelector:
    team: bb
  containers:
  - name: nginx
    image: nginx
[root@m7-autocv-gpu01 demo]# kubectl get pods
NAME       READY   STATUS    RESTARTS   AGE
podtest6   1/1     Running   0          9s
[root@m7-autocv-gpu01 demo]# kubectl describe pod podtest6
Name:               podtest6
Namespace:          default
Priority:           0
PriorityClassName:  <none>
Node:               m7-autocv-gpu03/10.10.100.19
Start Time:         Sat, 02 Nov 2019 14:21:53 +0800
Labels:             app=nginx
Annotations:        <none>
Status:             Running
IP:                 172.30.192.4
Containers:
  nginx:
    Container ID:   docker://eb6bd80f50800e74233a61245aed1dbb1addfca5575fb4fbc3850e2b22ffa665
    Image:          nginx
    Image ID:       docker-pullable://nginx@sha256:922c815aa4df050d4df476e92daed4231f466acc8ee90e0e774951b0fd7195a4
    Port:           <none>
    Host Port:      <none>
    State:          Running
      Started:      Sat, 02 Nov 2019 14:21:56 +0800
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-msftn (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  default-token-msftn:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-msftn
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  team=bb
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type    Reason     Age   From                      Message
  ----    ------     ----  ----                      -------
  Normal  Scheduled  47s   default-scheduler         Successfully assigned default/podtest6 to m7-autocv-gpu03
  Normal  Pulling    46s   kubelet, m7-autocv-gpu03  Pulling image "nginx"
  Normal  Pulled     44s   kubelet, m7-autocv-gpu03  Successfully pulled image "nginx"
  Normal  Created    44s   kubelet, m7-autocv-gpu03  Created container nginx
  Normal  Started    44s   kubelet, m7-autocv-gpu03  Started container nginx
```
9. Troubleshooting
The main Pod states:
Pending: the Pod has been submitted to Kubernetes but has not been created successfully for some reason, for example a slow image download or a scheduling failure (such as insufficient resources to satisfy the request). Use kubectl describe to find the cause.
Running: the Pod started successfully and is running normally.
Succeeded: the Pod terminated successfully, having finished its task, and will not be restarted.
Failed: the Pod terminated because of a fault, i.e. it exited abnormally with a non-zero status. Check the Pod logs for the cause.
Unknown: the apiserver cannot obtain the Pod's state, usually because communication between the master and the host running the Pod has failed.