1.連接上etcd服務器,查看etcd證書的存放路徑(例如通過 ps -ef | grep etcd 查看etcd進程的啟動參數,其中--cert-file、--key-file、--trusted-ca-file分別是證書、私鑰和CA證書的路徑)
root 12392 1 3 Feb13 ? 6-08:37:00 /usr/local/bin/etcd --data-dir=/var/lib/etcd --name=kube-node1 --cert-file=/etc/etcd/cert/etcd.pem --key-file=/etc/etcd/cert/etcd-key.pem --trusted-ca-file=/etc/kubernetes/cert/ca.pem --peer-cert-file=/etc/etcd/cert/etcd.pem --peer-key-file=/etc/etcd/cert/etcd-key.pem --peer-trusted-ca-file=/etc/kubernetes/cert/ca.pem --peer-client-cert-auth --client-cert-auth --listen-peer-urls=https://10.80.154.143:2380 --initial-advertise-peer-urls=https://10.80.154.143:2380 --listen-client-urls=https://10.80.154.143:2379,http://127.0.0.1:2379 --advertise-client-urls=https://10.80.154.143:2379 --initial-cluster-token=etcd-cluster-0 --initial-cluster=kube-node1=https://10.80.154.143:2380 --initial-cluster-state=new
2.在etcd服務器上執行
# List the names of all keys stored in etcd through the v3 API, without
# fetching their values. --cacert verifies the server certificate;
# --cert/--key identify this client over TLS.
ETCDCTL_API=3 /usr/local/bin/etcdctl \
  --endpoints=https://10.80.154.143:2379 \
  --cacert=/etc/kubernetes/cert/ca.pem \
  --cert=/etc/etcd/cert/etcd.pem \
  --key=/etc/etcd/cert/etcd-key.pem \
  get / --prefix --keys-only
[root@iZbp14qk2dtp82q129jrzqZ ~]# ETCDCTL_API=3 /usr/local/bin/etcdctl \
> --endpoints=https://10.80.154.143:2379 \
> --cacert=/etc/kubernetes/cert/ca.pem \
> --cert=/etc/etcd/cert/etcd.pem \
> --key=/etc/etcd/cert/etcd-key.pem get / --prefix --keys-only | grep zxy-log
/registry/configmaps/bjyd/zxy-log
/registry/configmaps/coscoshipping/zxy-log
/registry/configmaps/default/zxy-log
/registry/configmaps/ln-otc/zxy-log
/registry/configmaps/neimenggu-pro/zxy-log
/registry/configmaps/tianma/zxy-log
/registry/configmaps/yjzfz-test/zxy-log
/registry/configmaps/zhongjian/zxy-log
/registry/controllers/bjyd/zxy-log-async-service
/registry/controllers/bjyd/zxy-log-service
3.查看具體k8s對象
# Fetch a single stored object by its full key. The value is printed as it is
# stored, which is why the terminal output contains unreadable bytes.
ETCDCTL_API=3 /usr/local/bin/etcdctl \
  --endpoints=https://10.80.154.143:2379 \
  --cacert=/etc/kubernetes/cert/ca.pem \
  --cert=/etc/etcd/cert/etcd.pem \
  --key=/etc/etcd/cert/etcd-key.pem \
  get /registry/controllers/bjyd/zxy-log-service
[root@iZbp14qk2dtp82q129jrzqZ ~]# ETCDCTL_API=3 /usr/local/bin/etcdctl \
> --endpoints=https://10.80.154.143:2379 \
> --cacert=/etc/kubernetes/cert/ca.pem \
> --cert=/etc/etcd/cert/etcd.pem \
> --key=/etc/etcd/cert/etcd-key.pem get /registry/controllers/bjyd/zxy-log-service
/registry/controllers/bjyd/zxy-log-service
k8s
1ReplicationController?
i
zxy-log-servicebjyd"*$e64305f5-9991-11e9-a5e2-00163e0502072????Z
appzxy-log-servicez?
appzxy-log-service?
*
"*28BZ
appzxy-log-servicez?
!
zxy-log-service-log
R
logs?
zxy-log-service>docker.zhixueyun.com:5000/zxy-log-service:v201905251656-master/bin/sh-cs/opt/jdk1.8.0_101/bin/java -jar -Xms${MIN_HEAP} -Xmx${MAX_HEAP} /work/${PROJECT}-*.jar > /dev/stdout 2> /dev/stderr*2
??"TCP*B=
cpu
5
memory
2Gi
cpu
100m
memory
1GiJ
zxy-log-service-log/log"j/dev/termination-logr
IfNotPresent????
common?
zxy-log?FileAlways 2
ClusterFirst:
bjydnodeBJRX`hr???default-scheduler?"
10.46.230.77zxy9.zhixueyun.com?
("
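如上所示,有少量不可見字符,這是因為etcd中存儲的並不是json的原文,而是protocol buffer序列化後的數據,不過還是有部分內容是可讀的。需要注意,持有上述客戶端證書和私鑰、能直接讀取etcd的人,可以繞過kube-apiserver的RBAC讀到/registry下的所有對象;如果沒有給kube-apiserver配置靜態加密(EncryptionConfiguration),Secret的內容在etcd中同樣是可讀的,因此etcd的證書私鑰以及etcd服務器本身的登錄權限都應當嚴格限制。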
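4.刪除某個對象(直接在etcd中刪除會繞過kube-apiserver,不經過准入控制、finalizer處理,也不會留下apiserver的審計日誌,只建議在對象無法通過kubectl正常刪除時使用;操作前可以先用 etcdctl snapshot save 做一次備份)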
# Remove one key directly from etcd. The request goes to the etcd endpoint
# itself rather than through kube-apiserver, so treat it as a last-resort
# repair step; etcdctl prints the number of keys it deleted.
ETCDCTL_API=3 /usr/local/bin/etcdctl \
  --endpoints=https://10.47.92.186:2379 \
  --cacert=/etc/kubernetes/cert/ca.pem \
  --cert=/etc/etcd/cert/etcd.pem \
  --key=/etc/etcd/cert/etcd-key.pem \
  del /registry/serviceaccounts/mariadb1/default
[root@iZbp1at8fph52evh70atb1Z app]# ETCDCTL_API=3 /usr/local/bin/etcdctl --endpoints=https://10.47.92.186:2379 --cacert=/etc/kubernetes/cert/ca.pem --cert=/etc/etcd/cert/etcd.pem --key=/etc/etcd/cert/etcd-key.pem del /registry/serviceaccounts/mariadb1/default
1
[root@iZbp1at8fph52evh70atb1Z app]#
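5.由於該etcd中的listen-client-urls=https://10.80.154.143:2379,http://127.0.0.1:2379,其中http://127.0.0.1:2379是明文且不校驗客戶端證書的監聽地址,所以在etcd服務器本機上可以不帶證書訪問。這也意味著本機上的任何用戶或進程都可以讀寫整個集群的數據(包括下面的del);如果不需要這種訪問方式,建議從listen-client-urls中去掉這個http地址,只保留https並配合--client-cert-auth。比如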
# Select the v3 API for every etcdctl call made later in this shell session.
export ETCDCTL_API=3
# No --endpoints/--cacert/--cert/--key here: etcdctl falls back to its default
# endpoint 127.0.0.1:2379, which this etcd also serves over plain http
# (see listen-client-urls), so no client certificate is presented.
etcdctl get / --prefix --keys-only
# Same unauthenticated local path, but destructive: removes the key from etcd.
etcdctl del /registry/serviceaccounts/mariadb1/default
6.操作etcd的命令行工具是etcdctl,它有v2和v3兩個互不兼容的api版本:系統默認的是v2版本,kubernetes集群使用的是v3版本,兩個版本的數據互相不可見,v2版本下看不到v3版本的數據,反之亦然。比如下面這個/kubernetes/network/subnets,就需要通過ETCDCTL_API=2去查看,通過ETCDCTL_API=3無法查看(注意v2下的證書參數名也不同,是--ca-file、--cert-file、--key-file)
# List the entries under /kubernetes/network/subnets through the v2 API.
# The v2 client spells its TLS options --ca-file/--cert-file/--key-file, and
# this call uses the certificate and key kept under /etc/flanneld/cert.
ETCDCTL_API=2 etcdctl \
  --endpoints=https://10.47.92.186:2379 \
  --ca-file=/etc/kubernetes/cert/ca.pem \
  --cert-file=/etc/flanneld/cert/flanneld.pem \
  --key-file=/etc/flanneld/cert/flanneld-key.pem \
  ls /kubernetes/network/subnets
7.etcdctl的其他命令
# List all members of the etcd cluster.
etcdctl member list
# Print etcdctl's version information.
# NOTE(review): the v3 help text below lists a `version` subcommand for this;
# confirm which form the API version in use accepts.
etcdctl --version
[root@iZbp1at8fph52evh70atb1Z app]# etcdctl --help
NAME:
etcdctl - A simple command line client for etcd3.
USAGE:
etcdctl
VERSION:
3.3.7
API VERSION:
3.3
COMMANDS:
get Gets the key or a range of keys
put Puts the given key into the store
del Removes the specified key or range of keys [key, range_end)
txn Txn processes all the requests in one transaction
compaction Compacts the event history in etcd
alarm disarm Disarms all alarms
alarm list Lists all alarms
defrag Defragments the storage of the etcd members with given endpoints
endpoint health Checks the healthiness of endpoints specified in `--endpoints` flag
endpoint status Prints out the status of endpoints specified in `--endpoints` flag
endpoint hashkv Prints the KV history hash for each endpoint in --endpoints
move-leader Transfers leadership to another etcd cluster member.
watch Watches events stream on keys or prefixes
version Prints the version of etcdctl
lease grant Creates leases
lease revoke Revokes leases
lease timetolive Get lease information
lease list List all active leases
lease keep-alive Keeps leases alive (renew)
member add Adds a member into the cluster
member remove Removes a member from the cluster
member update Updates a member in the cluster
member list Lists all members in the cluster
snapshot save Stores an etcd node backend snapshot to a given file
snapshot restore Restores an etcd member snapshot to an etcd directory
snapshot status Gets backend snapshot status of a given file
make-mirror Makes a mirror at the destination etcd cluster
migrate Migrates keys in a v2 store to a mvcc store
lock Acquires a named lock
elect Observes and participates in leader election
auth enable Enables authentication
auth disable Disables authentication
user add Adds a new user
user delete Deletes a user
user get Gets detailed information of a user
user list Lists all users
user passwd Changes password of user
user grant-role Grants a role to a user
user revoke-role Revokes a role from a user
role add Adds a new role
role delete Deletes a role
role get Gets detailed information of a role
role list Lists all roles
role grant-permission Grants a key to a role
role revoke-permission Revokes a key from a role
check perf Check the performance of the etcd cluster
help Help about any command
OPTIONS:
--cacert="" verify certificates of TLS-enabled secure servers using this CA bundle
--cert="" identify secure client using this TLS certificate file
--command-timeout=5s timeout for short running command (excluding dial timeout)
--debug[=false] enable client-side debug logging
--dial-timeout=2s dial timeout for client connections
-d, --discovery-srv="" domain name to query for SRV records describing cluster endpoints
--endpoints=[127.0.0.1:2379] gRPC endpoints
--hex[=false] print byte strings as hex encoded strings
--insecure-discovery[=true] accept insecure SRV records describing cluster endpoints
--insecure-skip-tls-verify[=false] skip server certificate verification
--insecure-transport[=true] disable transport security for client connections
--keepalive-time=2s keepalive time for client connections
--keepalive-timeout=6s keepalive timeout for client connections
--key="" identify secure client using this TLS key file
--user="" username[:password] for authentication (prompt if password is not supplied)
-w, --write-out="simple" set the output format (fields, json, protobuf, simple, table)