1.连接上etcd服务器,查看etcd进程的启动参数(例如 ps -ef | grep etcd),从中找到etcd证书的存放路径
root 12392 1 3 Feb13 ? 6-08:37:00 /usr/local/bin/etcd --data-dir=/var/lib/etcd --name=kube-node1 --cert-file=/etc/etcd/cert/etcd.pem --key-file=/etc/etcd/cert/etcd-key.pem --trusted-ca-file=/etc/kubernetes/cert/ca.pem --peer-cert-file=/etc/etcd/cert/etcd.pem --peer-key-file=/etc/etcd/cert/etcd-key.pem --peer-trusted-ca-file=/etc/kubernetes/cert/ca.pem --peer-client-cert-auth --client-cert-auth --listen-peer-urls=https://10.80.154.143:2380 --initial-advertise-peer-urls=https://10.80.154.143:2380 --listen-client-urls=https://10.80.154.143:2379,http://127.0.0.1:2379 --advertise-client-urls=https://10.80.154.143:2379 --initial-cluster-token=etcd-cluster-0 --initial-cluster=kube-node1=https://10.80.154.143:2380 --initial-cluster-state=new
2.在etcd服务器上执行
# List the name of every key in the v3 keyspace: --prefix on "/" matches all
# keys, and --keys-only prints key names without their values.
# The client certificate and key are the same files etcd itself is started
# with (--cert-file/--key-file in the process listing above), so this only
# works for a user who can read the server's private key.
ETCDCTL_API=3 /usr/local/bin/etcdctl get / --prefix --keys-only \
  --endpoints=https://10.80.154.143:2379 \
  --cacert=/etc/kubernetes/cert/ca.pem \
  --cert=/etc/etcd/cert/etcd.pem \
  --key=/etc/etcd/cert/etcd-key.pem
[root@iZbp14qk2dtp82q129jrzqZ ~]# ETCDCTL_API=3 /usr/local/bin/etcdctl \
> --endpoints=https://10.80.154.143:2379 \
> --cacert=/etc/kubernetes/cert/ca.pem \
> --cert=/etc/etcd/cert/etcd.pem \
> --key=/etc/etcd/cert/etcd-key.pem get / --prefix --keys-only | grep zxy-log
/registry/configmaps/bjyd/zxy-log
/registry/configmaps/coscoshipping/zxy-log
/registry/configmaps/default/zxy-log
/registry/configmaps/ln-otc/zxy-log
/registry/configmaps/neimenggu-pro/zxy-log
/registry/configmaps/tianma/zxy-log
/registry/configmaps/yjzfz-test/zxy-log
/registry/configmaps/zhongjian/zxy-log
/registry/controllers/bjyd/zxy-log-async-service
/registry/controllers/bjyd/zxy-log-service
3.查看具体k8s对象
# Fetch a single object by its exact key. The stored value is the
# protobuf-serialized Kubernetes object, so the output mixes readable strings
# with unprintable bytes.
ETCDCTL_API=3 /usr/local/bin/etcdctl get /registry/controllers/bjyd/zxy-log-service \
  --endpoints=https://10.80.154.143:2379 \
  --cacert=/etc/kubernetes/cert/ca.pem \
  --cert=/etc/etcd/cert/etcd.pem \
  --key=/etc/etcd/cert/etcd-key.pem
[root@iZbp14qk2dtp82q129jrzqZ ~]# ETCDCTL_API=3 /usr/local/bin/etcdctl \
> --endpoints=https://10.80.154.143:2379 \
> --cacert=/etc/kubernetes/cert/ca.pem \
> --cert=/etc/etcd/cert/etcd.pem \
> --key=/etc/etcd/cert/etcd-key.pem get /registry/controllers/bjyd/zxy-log-service
/registry/controllers/bjyd/zxy-log-service
k8s
1ReplicationController?
i
zxy-log-servicebjyd"*$e64305f5-9991-11e9-a5e2-00163e0502072????Z
appzxy-log-servicez?
appzxy-log-service?
*
"*28BZ
appzxy-log-servicez?
!
zxy-log-service-log
R
logs?
zxy-log-service>docker.zhixueyun.com:5000/zxy-log-service:v201905251656-master/bin/sh-cs/opt/jdk1.8.0_101/bin/java -jar -Xms${MIN_HEAP} -Xmx${MAX_HEAP} /work/${PROJECT}-*.jar > /dev/stdout 2> /dev/stderr*2
??"TCP*B=
cpu
5
memory
2Gi
cpu
100m
memory
1GiJ
zxy-log-service-log/log"j/dev/termination-logr
IfNotPresent????
common?
zxy-log?FileAlways 2
ClusterFirst:
bjydnodeBJRX`hr???default-scheduler?"
10.46.230.77zxy9.zhixueyun.com?
("
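如上所示,有少量不可见字符,这是因为etcd中存储的并不是json的原文,而是protocol buffer序列化后的数据,不过还是有部分内容是可读的。这也说明只要能读取etcd,就能直接看到对象的内容(镜像地址、启动命令等);Secret对象同样存放在etcd中,如果kube-apiserver没有配置静态加密(encryption at rest),其内容也能这样读出来,所以etcd的证书和私钥文件应严格限制访问权限。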
4.删除某个对象
# Delete one key directly from etcd; etcdctl prints the number of keys removed.
# This writes to the datastore without going through kube-apiserver, so
# admission control, finalizers and API audit logging do not apply. Where the
# API server is reachable, `kubectl delete` is the safer route, and an
# `etcdctl snapshot save` beforehand gives a way back.
ETCDCTL_API=3 /usr/local/bin/etcdctl \
  --endpoints=https://10.47.92.186:2379 \
  --cacert=/etc/kubernetes/cert/ca.pem \
  --cert=/etc/etcd/cert/etcd.pem \
  --key=/etc/etcd/cert/etcd-key.pem \
  del /registry/serviceaccounts/mariadb1/default
[root@iZbp1at8fph52evh70atb1Z app]# ETCDCTL_API=3 /usr/local/bin/etcdctl --endpoints=https://10.47.92.186:2379 --cacert=/etc/kubernetes/cert/ca.pem --cert=/etc/etcd/cert/etcd.pem --key=/etc/etcd/cert/etcd-key.pem del /registry/serviceaccounts/mariadb1/default
1
[root@iZbp1at8fph52evh70atb1Z app]#
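5.由于该etcd中的listen-client-urls=https://10.80.154.143:2379,http://127.0.0.1:2379,所以在etcd服务器上可以不带证书访问。需要注意:--client-cert-auth只对https监听地址生效,这个明文的本地监听不校验客户端证书,在没有启用etcd用户认证的情况下,登录到该主机的任何用户或进程都可以读写整个集群的数据;如果不需要,应从listen-client-urls中去掉http://127.0.0.1:2379。不带证书访问的例子如下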
# Make every later etcdctl call in this shell use the v3 API.
export ETCDCTL_API=3
# No --endpoints or TLS flags are given: etcdctl falls back to its default
# endpoint 127.0.0.1:2379 (see OPTIONS in the help output further down), which
# this etcd also serves over plain HTTP, so no client certificate is presented.
etcdctl get / --prefix --keys-only
# Same certificate-less loopback path, but destructive: removes the key
# directly from the datastore.
etcdctl del /registry/serviceaccounts/mariadb1/default
6.操作etcd的命令行工具是etcdctl,它有v2和v3两个互不兼容的API版本:系统默认的是v2版本,而kubernetes集群使用的是v3版本。两个版本的数据相互不可见,v2版本下看不到v3版本的数据,反过来也一样,比如下面这个/kubernetes/network/subnets,就需要通过ETCDCTL_API=2去查看,通过ETCDCTL_API=3无法查看
# v2 API call: list the entries under /kubernetes/network/subnets.
# The v2 client uses different TLS flag names (--ca-file/--cert-file/--key-file)
# than the v3 commands shown earlier (--cacert/--cert/--key), and it
# authenticates here with the flanneld client certificate rather than etcd's
# own certificate.
# NOTE(review): the v2 client appears to require these global flags before the
# subcommand, so keep them ahead of `ls` — confirm before reordering.
ETCDCTL_API=2 etcdctl \
--endpoints=https://10.47.92.186:2379 \
--ca-file=/etc/kubernetes/cert/ca.pem \
--cert-file=/etc/flanneld/cert/flanneld.pem \
--key-file=/etc/flanneld/cert/flanneld-key.pem \
ls /kubernetes/network/subnets
7.etcdctl的其他命令
# List the members of the cluster. No flags are given, so the default endpoint
# and whatever ETCDCTL_* variables are exported in the shell apply.
etcdctl member list
# Print the etcdctl client version.
etcdctl --version
[root@iZbp1at8fph52evh70atb1Z app]# etcdctl --help
NAME:
etcdctl - A simple command line client for etcd3.
USAGE:
etcdctl
VERSION:
3.3.7
API VERSION:
3.3
COMMANDS:
get Gets the key or a range of keys
put Puts the given key into the store
del Removes the specified key or range of keys [key, range_end)
txn Txn processes all the requests in one transaction
compaction Compacts the event history in etcd
alarm disarm Disarms all alarms
alarm list Lists all alarms
defrag Defragments the storage of the etcd members with given endpoints
endpoint health Checks the healthiness of endpoints specified in `--endpoints` flag
endpoint status Prints out the status of endpoints specified in `--endpoints` flag
endpoint hashkv Prints the KV history hash for each endpoint in --endpoints
move-leader Transfers leadership to another etcd cluster member.
watch Watches events stream on keys or prefixes
version Prints the version of etcdctl
lease grant Creates leases
lease revoke Revokes leases
lease timetolive Get lease information
lease list List all active leases
lease keep-alive Keeps leases alive (renew)
member add Adds a member into the cluster
member remove Removes a member from the cluster
member update Updates a member in the cluster
member list Lists all members in the cluster
snapshot save Stores an etcd node backend snapshot to a given file
snapshot restore Restores an etcd member snapshot to an etcd directory
snapshot status Gets backend snapshot status of a given file
make-mirror Makes a mirror at the destination etcd cluster
migrate Migrates keys in a v2 store to a mvcc store
lock Acquires a named lock
elect Observes and participates in leader election
auth enable Enables authentication
auth disable Disables authentication
user add Adds a new user
user delete Deletes a user
user get Gets detailed information of a user
user list Lists all users
user passwd Changes password of user
user grant-role Grants a role to a user
user revoke-role Revokes a role from a user
role add Adds a new role
role delete Deletes a role
role get Gets detailed information of a role
role list Lists all roles
role grant-permission Grants a key to a role
role revoke-permission Revokes a key from a role
check perf Check the performance of the etcd cluster
help Help about any command
OPTIONS:
--cacert="" verify certificates of TLS-enabled secure servers using this CA bundle
--cert="" identify secure client using this TLS certificate file
--command-timeout=5s timeout for short running command (excluding dial timeout)
--debug[=false] enable client-side debug logging
--dial-timeout=2s dial timeout for client connections
-d, --discovery-srv="" domain name to query for SRV records describing cluster endpoints
--endpoints=[127.0.0.1:2379] gRPC endpoints
--hex[=false] print byte strings as hex encoded strings
--insecure-discovery[=true] accept insecure SRV records describing cluster endpoints
--insecure-skip-tls-verify[=false] skip server certificate verification
--insecure-transport[=true] disable transport security for client connections
--keepalive-time=2s keepalive time for client connections
--keepalive-timeout=6s keepalive timeout for client connections
--key="" identify secure client using this TLS key file
--user="" username[:password] for authentication (prompt if password is not supplied)
-w, --write-out="simple" set the output format (fields, json, protobuf, simple, table)