Creating a Pod in K8S (Part 3)

How K8S runs containers: the smallest unit K8S operates on is the pod, and containers and other resources are configured inside the pod.

[root@k8s-master k8s]# cat nginx_pod.yaml 
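apiVersion: v1   # API server version
kind: Pod        # type: this is a Pod; other kinds include Service and Deployment
metadata:        # the pod's own metadata, such as its name and the namespace it belongs to
  name: nginx
  labels:
    app: web
spec:           # detailed information about all resources inside the pod
  containers:   # the containers in the pod, including container name and image address
    - name: nginx
      image: nginx:1.13  # once the private registry below is set up, this can be 192.168.23.146:5000/nginx:1.13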
      ports:
        - containerPort: 80

[root@k8s-master k8s]# kubectl create -f nginx_pod.yaml
Error from server (ServerTimeout): error when creating "nginx_pod.yaml": No API token found for service account "default", retry after the token is automatically created and added to the service account

This error is caused by one component. Edit the API server configuration (vim /etc/kubernetes/apiserver) and either remove ServiceAccount or configure ServiceAccount.

# default admission control policies
KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"

Remove ServiceAccount from this list.

[root@k8s-master k8s]# systemctl restart kube-apiserver.service

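[root@k8s-master k8s]# kubectl create -f  nginx_pod.yaml   # the pod still stays stuck in the creating state, so take a closer look

[root@k8s-master k8s]# kubectl describe pod nginx   # nginx is the pod name

kubectl get pod nginx -o wide    # shows which node the pod was scheduled to
kubectl describe pod nginx       # shows the pod's creation events, commonly used for troubleshooting; it also shows which node the pod was scheduled to

Why does creating a pod pull this image? It is set in /etc/kubernetes/kubelet. Change that file on whichever node the pod was scheduled to.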

[root@k8s-master k8s]# cat /etc/kubernetes/kubelet  | grep INFRA   # this image is required by k8s to build a pod
KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest"
[root@k8s-master k8s]# 
[root@k8s-master k8s]# docker pull registry.access.redhat.com/rhel7/pod-infrastructure:latest   # the pull fails
Trying to pull repository registry.access.redhat.com/rhel7/pod-infrastructure ... 
open /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt: no such file or directory 
You can run a search first, then swap in an address that works:
sed -i 's#registry.access.redhat.com/rhel7/pod-infrastructure#docker.io/tianyebj/pod-infrastructure#' /etc/kubernetes/kubelet
systemctl restart kubelet.service

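The describe output reports the error. Pulling the required images onto the node where the pod runs makes the error go away. But there is a problem: each new pod is created on a random node, and configuring every node one by one each time is tedious and slow. Consider setting up a private registry instead, so that all nodes can pull from it, which is faster.

Downloading the private registry image timed out: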

[root@k8s-master k8s]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://registry.docker-cn.com","http://hub-mirror.c.163.com","https://docker.mirrors.ustc.edu.cn"]
}

[root@k8s-master k8s]# systemctl restart docker

[root@k8s-master k8s]# docker pull registry:2.6.0   # pull this image to use as the private registry

Set up a private registry on the master node; the registry IP is 192.168.23.146.

Run the registry container:

[root@k8s-master k8s]# docker run -d -p 5000:5000 --restart=always --name registry -v /opt/myregistry:/var/lib/registry registry:2.6.0

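Parameters:
  -d: run in the background;
  -v: bind-mount the host directory /opt/myregistry to /var/lib/registry in the container (the directory where the registry container stores image files), so that the data persists;
  -p: map the port; accessing port 5000 on the host reaches the service in the registry container;
  --restart=always: the restart policy; if the container exits abnormally it is restarted automatically;
  --name registry: names the container registry; any name will do;
  registry:2.6.0: the image that was just pulled;

Upload the nginx image to the private registry:

[root@k8s-master k8s]# docker tag docker.io/nginx:1.13 192.168.23.146:5000/nginx:1.13   # tag the image

docker.io/nginx:1.13: the source image, which is the image file pulled earlier;

192.168.23.146:5000/nginx:1.13: the target image; the prefix is the IP address and port of the private registry server

[root@k8s-master k8s]# docker push 192.168.23.146:5000/nginx:1.13   # upload the image to the private registry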
The push refers to a repository [192.168.23.146:5000/nginx]
Get https://192.168.23.146:5000/v1/_ping: http: server gave HTTP response to HTTPS client

[root@k8s-master k8s]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://registry.docker-cn.com","http://hub-mirror.c.163.com","https://docker.mirrors.ustc.edu.cn"],
"insecure-registries": ["192.168.23.146:5000"]
}

insecure-registries is the key setting: it adds the registry to the list of insecure registries.

[root@k8s-master k8s]# systemctl restart docker

[root@k8s-master k8s]# docker push 192.168.23.146:5000/nginx:1.13
The push refers to a repository [192.168.23.146:5000/nginx]
7ab428981537: Retrying in 1 second
82b81d779f83: Retrying in 1 second
d626a8ad97a1: Retrying in 1 second
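received unexpected HTTP status: 500 Internal Server Error

The fix is setenforce 0 (which puts SELinux into permissive mode).

To push images to the private registry from node1, the same setting must also be in /etc/docker/daemon.json there. Configure it on every node, otherwise pushing to or pulling from the private registry fails.

[root@docker02 ~]# cat /etc/docker/daemon.json   # configure the registry mirror
{
"registry-mirrors": ["https://registry.docker-cn.com"],
"insecure-registries": ["192.168.23.146:5000"]
}

The insecure-registries entry is the address and port of the private registry.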

[root@docker01 ~]# docker push 192.168.23.146:5000/centos69:v1
The push refers to a repository [192.168.23.146:5000/centos69]
Get https://192.168.23.146:5000/v1/_ping: http: server gave HTTP response to HTTPS client

List the images in the private registry from another node:

[root@docker02 ~]# curl http://192.168.23.146:5000/v2/_catalog
{"repositories":["centos69","nginx","pod-infrastructure"]}

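To verify the private registry, pull an image from it on node2.

The configuration file shown by [root@docker02 ~]# cat /etc/kubernetes/kubelet contains the address the image is downloaded from. The default points at Red Hat's registry, so we can change it to the private registry set up above. Change it on every node, because starting a pod depends on the pod-infrastructure:latest image.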

# pod infrastructure container
KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest"

Change it to:

KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=192.168.23.146:5000/pod-infrastructure:latest"

This image must be pushed to the private registry first.

systemctl restart kubelet
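
The steps above edit three files: /etc/kubernetes/apiserver, /etc/docker/daemon.json and /etc/kubernetes/kubelet. The check below is an added example, not part of the original post; it reads those files in the state the steps leave them and reports the settings that trade security for convenience: the ServiceAccount admission plugin removed, registries reached without TLS, and a pod infrastructure image referenced by a mutable tag from such a registry. The function names and the sample inputs are constructed for illustration.

```python
import json
import re

def audit_apiserver(text):
    """ServiceAccount should stay in the --admission-control list."""
    m = re.search(r"--admission-control=([\w,]+)", text)
    plugins = m.group(1).split(",") if m else []
    if "ServiceAccount" in plugins:
        return []
    return ["apiserver: ServiceAccount admission plugin missing"]

def audit_docker(text):
    """Return (findings, registries that dockerd reaches without verified TLS)."""
    cfg = json.loads(text)
    insecure = set(cfg.get("insecure-registries", []))
    findings = [f"docker: insecure registry {r}" for r in sorted(insecure)]
    findings += [f"docker: plaintext mirror {m}"
                 for m in cfg.get("registry-mirrors", []) if m.startswith("http://")]
    return findings, insecure

def audit_kubelet(text, insecure):
    """Check where the pod infrastructure image is pulled from."""
    m = re.search(r'--pod-infra-container-image=([^\s"]+)', text)
    if not m:
        return []
    image, findings = m.group(1), []
    if "@sha256:" not in image:
        findings.append(f"kubelet: {image} is a mutable tag, not a digest")
    if image.split("/", 1)[0] in insecure:
        findings.append(f"kubelet: {image} is pulled over an unverified channel")
    return findings

def audit(apiserver, daemon_json, kubelet):
    docker_findings, insecure = audit_docker(daemon_json)
    return audit_apiserver(apiserver) + docker_findings + audit_kubelet(kubelet, insecure)

# Constructed sample inputs: the three files as the walkthrough leaves them.
APISERVER = ('KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,'
             'NamespaceExists,LimitRanger,SecurityContextDeny,ResourceQuota"')
DAEMON_JSON = '''{
"registry-mirrors": ["https://registry.docker-cn.com","http://hub-mirror.c.163.com","https://docker.mirrors.ustc.edu.cn"],
"insecure-registries": ["192.168.23.146:5000"]
}'''
KUBELET = ('KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image='
           '192.168.23.146:5000/pod-infrastructure:latest"')

if __name__ == "__main__":
    for finding in audit(APISERVER, DAEMON_JSON, KUBELET):
        print(finding)
```
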

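With the private registry configured, start a pod again: this pod landed on the docker01 node.

Check the containers on docker01:

List the images in the Docker private registry and the tags each image has: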

[root@docker01 ~]# curl 192.168.23.146:5000/v2/_catalog
{"repositories":["centos69","nginx","pod-infrastructure"]}
[root@docker01 ~]# curl 192.168.23.146:5000/v2/nginx/tags/list
{"name":"nginx","tags":["1.13"]}

Where the private registry stores images after they are uploaded

 

posted @ 2021-02-23 12:14  闲云野鹤cs