Pod configuration
Inspect the attributes of pod.spec.containers:
[root@master ~]# kubectl explain pod.spec.containers
KIND:     Pod
VERSION:  v1

RESOURCE: containers <[]Object>

DESCRIPTION:
     List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated.

     A single application container that you want to run within a pod.

FIELDS:
   args <[]string>
     Arguments to the entrypoint. The docker image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell

   command <[]string>
     Entrypoint array. Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell

   env <[]Object>
     List of environment variables to set in the container. Cannot be updated.

   envFrom <[]Object>
     List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.

   image <string>
     Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.

   imagePullPolicy <string>
     Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images

   lifecycle <Object>
     Actions that the management system should take in response to container lifecycle events. Cannot be updated.

   livenessProbe <Object>
     Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

   name <string> -required-
     Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated.

   ports <[]Object>
     List of ports to expose from the container. Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated.

   readinessProbe <Object>
     Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

   resources <Object>
     Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/

   securityContext <Object>
     Security options the pod should run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

   startupProbe <Object>
     StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

   stdin <boolean>
     Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false.

   stdinOnce <boolean>
     Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false

   terminationMessagePath <string>
     Optional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.

   terminationMessagePolicy <string>
     Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.

   tty <boolean>
     Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false.

   volumeDevices <[]Object>
     volumeDevices is the list of block devices to be used by the container. This is a beta feature.

   volumeMounts <[]Object>
     Pod volumes to mount into the container's filesystem. Cannot be updated.

   workingDir <string>
     Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated.
Basic configuration
Create a file pod-base.yaml with the following content:
apiVersion: v1
kind: Pod
metadata:
  name: pod-base
  namespace: dev
  labels:
    user: ayanami
spec:
  containers:
  - name: nginx
    image: nginx:1.17.1
  - name: busybox
    image: busybox:1.30
The manifest above defines a fairly simple Pod with two containers:
- nginx: created from the nginx image, version 1.17.1 (nginx is a lightweight web server)
- busybox: created from the busybox image, version 1.30 (busybox is a compact collection of Linux command-line tools)
Apply the configuration file
[root@master ~]# vim pod-base.yaml
[root@master ~]# kubectl create -f pod-base.yaml
pod/pod-base created
[root@master ~]# kubectl get pod -n dev
NAME       READY   STATUS              RESTARTS   AGE
pod-base   0/2     ContainerCreating   0          14s
[root@master ~]# kubectl get pod -n dev
NAME       READY   STATUS    RESTARTS   AGE
pod-base   1/2     Running   1          33s
[root@master ~]# kubectl get pod -n dev
NAME       READY   STATUS             RESTARTS   AGE
pod-base   1/2     CrashLoopBackOff   2          63s
[root@master ~]# kubectl get pod -n dev
NAME       READY   STATUS             RESTARTS   AGE
pod-base   1/2     CrashLoopBackOff   4          2m30s
Notice that the pod keeps re-creating one of its containers.
Image pulling
Create a file pod-imagepullpolicy.yaml with the following content:
apiVersion: v1
kind: Pod
metadata:
  name: pod-imagepullpolicy
  namespace: dev
  labels:
    user: ayanami
spec:
  containers:
  - name: nginx
    image: nginx:1.17.1
    imagePullPolicy: Always # sets the image pull policy
  - name: busybox
    image: busybox:1.30
imagePullPolicy sets the image pull policy. k8s supports three pull policies:
- Always: always pull the image from the remote registry (remote every time)
- IfNotPresent: use the local image if it is present, otherwise pull it from the remote registry (local when available, remote otherwise)
- Never: only use the local image and never pull from the remote registry; if the image is not present locally, report an error (local every time)
Default value rules:
- If the image tag is a specific version number, the default policy is IfNotPresent
- If the image tag is :latest (the newest version), the default policy is Always
Apply the configuration file
[root@master ~]# vim pod-imagepullpolicy.yaml
[root@master ~]# kubectl create -f pod-imagepullpolicy.yaml
pod/pod-imagepullpolicy created
[root@master ~]# kubectl get pod -n dev
NAME                  READY   STATUS              RESTARTS   AGE
pod-base              1/2     CrashLoopBackOff    11         32m
pod-imagepullpolicy   0/2     ContainerCreating   0          12s
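The defaulting rule above decides whether a node re-contacts the registry on every start or silently keeps whatever copy it already has, so it is worth being able to compute it for a manifest before it reaches the cluster. The following added example (not code from the original tutorial) reproduces the rule in Python: an explicit imagePullPolicy wins; otherwise a :latest tag, or no tag at all, means Always, and any other tag means IfNotPresent. The digest-only case (name@sha256:...) defaulting to IfNotPresent, the registry-port handling and the check_pull_policy warnings are my additions; the sample manifest is the tutorial's pod-imagepullpolicy written as a Python dict (in practice you would load the file with yaml.safe_load()).

```python
from typing import Dict, List, Optional

VALID_POLICIES = ("Always", "IfNotPresent", "Never")


def image_tag(image: str) -> Optional[str]:
    """Return the tag of an image reference, or None when it has no tag.

    The digest part (name@sha256:...) is stripped first, and only the last
    path component is inspected, so a registry port (registry:5000/app) is
    not mistaken for a tag.
    """
    ref = image.split("@", 1)[0]
    last = ref.rsplit("/", 1)[-1]
    return last.split(":", 1)[1] if ":" in last else None


def effective_pull_policy(image: str, policy: Optional[str] = None) -> str:
    """Apply the defaulting rule from the text.

    An explicit policy wins. Otherwise a :latest tag (or no tag at all) means
    Always and any other tag means IfNotPresent. A digest-only reference is
    immutable and also defaults to IfNotPresent.
    """
    if policy is not None:
        if policy not in VALID_POLICIES:
            raise ValueError(f"invalid imagePullPolicy {policy!r}")
        return policy
    tag = image_tag(image)
    has_digest = "@" in image
    if tag == "latest" or (tag is None and not has_digest):
        return "Always"
    return "IfNotPresent"


def check_pull_policy(container: Dict) -> List[str]:
    """Warnings for one entry of pod.spec.containers about how it is pulled."""
    name, image = container["name"], container["image"]
    policy = effective_pull_policy(image, container.get("imagePullPolicy"))
    warnings = []
    if "@" not in image and image_tag(image) in (None, "latest"):
        warnings.append(f"{name}: {image!r} is not pinned to a version tag or "
                        f"digest; what runs depends on the registry at pull time")
    if policy == "Never":
        warnings.append(f"{name}: imagePullPolicy Never fails on any node that "
                        f"does not already hold {image!r}")
    return warnings


def check_pod(pod: Dict) -> List[str]:
    """Run check_pull_policy over every container of a Pod manifest."""
    return [w for c in pod["spec"]["containers"] for w in check_pull_policy(c)]


# Constructed sample: the tutorial's pod-imagepullpolicy manifest as a dict.
POD_IMAGEPULLPOLICY = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "pod-imagepullpolicy", "namespace": "dev"},
    "spec": {"containers": [
        {"name": "nginx", "image": "nginx:1.17.1", "imagePullPolicy": "Always"},
        {"name": "busybox", "image": "busybox:1.30"},
    ]},
}

if __name__ == "__main__":
    for c in POD_IMAGEPULLPOLICY["spec"]["containers"]:
        print(c["name"], "->", effective_pull_policy(c["image"], c.get("imagePullPolicy")))
    for w in check_pod(POD_IMAGEPULLPOLICY):
        print("WARN", w)
```

For the tutorial's manifest the nginx container resolves to Always (explicit) and busybox to IfNotPresent (tag 1.30), with no warnings; an image written as plain `nginx` would resolve to Always and be flagged as unpinned.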
Startup command
In the examples so far one problem has remained unresolved: the busybox container never runs successfully. What is causing this container to fail?
The reason is that busybox is not a long-running program but a collection of utilities; once the k8s cluster starts it, it exits on its own. The fix is to give it something to keep running, which is what the command setting is for.
Create a file pod-command.yaml with the following content:
apiVersion: v1
kind: Pod
metadata:
  name: pod-command
  namespace: dev
spec:
  containers:
  - name: nginx
    image: nginx:1.17.1
    imagePullPolicy: Always # sets the image pull policy
  - name: busybox
    image: busybox:1.30
    command: ["/bin/sh","-c","touch /tmp/hello.txt;while true;do /bin/echo $(date +%T) >> /tmp/hello.txt;sleep 3;done;"]
Explanation of the command above:
"/bin/sh","-c": run the command string with sh
touch /tmp/hello.txt; creates the file /tmp/hello.txt
while true;do /bin/echo $(date +%T) >> /tmp/hello.txt;sleep 3;done; appends the current time to the file every three seconds
Apply the configuration file
[root@master ~]# vim pod-command.yaml
[root@master ~]# kubectl create -f pod-command.yaml
pod/pod-command created
[root@master ~]# kubectl get pod -n dev
NAME                  READY   STATUS             RESTARTS   AGE
pod-base              1/2     CrashLoopBackOff   15         53m
pod-command           2/2     Running            0          21s
pod-imagepullpolicy   1/2     CrashLoopBackOff   8          20m
Enter the container and inspect the file
[root@master ~]# kubectl exec pod-command -n dev -it -c busybox /bin/sh
/ # tail -f /tmp/hello.txt
13:27:57
13:28:00
13:28:03
13:28:06
13:28:09
13:28:12
13:28:15
13:28:18
13:28:21
13:28:24
13:28:27
Special note:
From the above we see that command alone can already start the container and pass arguments, so why is there also an args option for passing arguments?
This comes from Docker: the command and args fields in k8s exist to override the ENTRYPOINT defined in the image's Dockerfile.
- If neither command nor args is set, the Dockerfile configuration is used
- If command is set but args is not, the Dockerfile defaults are ignored and the given command is executed
- If command is not set but args is, the ENTRYPOINT from the Dockerfile is executed with the given args
- If both command and args are set, the Dockerfile configuration is ignored and command is executed with args appended
Environment variables
Create a file pod-env.yaml with the following content:
apiVersion: v1
kind: Pod
metadata:
  name: pod-env
  namespace: dev
spec:
  containers:
  - name: busybox
    image: busybox:1.30
    command: ["/bin/sh","-c","while true;do /bin/echo $(date +%T);sleep 60;done;"]
    env: # list of environment variables to set
    - name: "username"
      value: "admin"
    - name: "password"
      value: "123456"
Apply the configuration file
[root@master ~]# vim pod-env.yaml
[root@master ~]# kubectl create -f pod-env.yaml
pod/pod-env created
[root@master ~]# kubectl get pod -n dev
NAME                  READY   STATUS             RESTARTS   AGE
pod-base              1/2     CrashLoopBackOff   24         102m
pod-command           2/2     Running            0          49m
pod-env               1/1     Running            0          23s
pod-imagepullpolicy   1/2     CrashLoopBackOff   18         69m
Enter the container
[root@master ~]# kubectl exec -it pod-env -n dev -c busybox /bin/sh
/ # echo $username
admin
/ # echo $password
123456
/ # exit
This approach is not recommended, however; it is better to keep such values in a configuration file.
Port settings
Inspect the ports resource
[root@master ~]# kubectl explain pod.spec.containers.ports
KIND:     Pod
VERSION:  v1

RESOURCE: ports <[]Object>

DESCRIPTION:
     List of ports to expose from the container. Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated.

     ContainerPort represents a network port in a single container.

FIELDS:
   containerPort <integer> -required-
     Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536.

   hostIP <string>
     What host IP to bind the external port to.

   hostPort <integer>
     Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this.

   name <string>
     If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.

   protocol <string>
     Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP".
Next, create pod-ports.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-ports
  namespace: dev
spec:
  containers:
  - name: nginx
    image: nginx:1.17.1
    ports:
    - name: nginx-port
      containerPort: 80
      protocol: TCP
Apply the configuration file
[root@master ~]# vim pod-ports.yaml
[root@master ~]# kubectl create -f pod-ports.yaml
pod/pod-ports created
[root@master ~]# kubectl get pod -n dev
NAME                  READY   STATUS             RESTARTS   AGE
pod-base              1/2     CrashLoopBackOff   28         123m
pod-command           2/2     Running            0          70m
pod-env               1/1     Running            0          21m
pod-imagepullpolicy   1/2     CrashLoopBackOff   22         90m
pod-ports             1/1     Running            0          22s
[root@master ~]# kubectl get pod pod-ports -n dev -o wide
NAME        READY   STATUS    RESTARTS   AGE   IP            NODE    NOMINATED NODE   READINESS GATES
pod-ports   1/1     Running   0          48s   10.244.2.14   node1   <none>           <none>
View the details
[root@master ~]# kubectl get pod pod-ports -n dev -o yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2021-07-03T14:35:34Z"
  name: pod-ports
  namespace: dev
  resourceVersion: "211552"
  selfLink: /api/v1/namespaces/dev/pods/pod-ports
  uid: 10cfe547-7401-4f09-b86f-0d077a0e2492
spec:
  containers:
  - image: nginx:1.17.1
    imagePullPolicy: IfNotPresent
    name: nginx
    ports:
    - containerPort: 80
      name: nginx-port
      protocol: TCP
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-cd422
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  nodeName: node1
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: default-token-cd422
    secret:
      defaultMode: 420
      secretName: default-token-cd422
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2021-07-03T14:35:34Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2021-07-03T14:35:36Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2021-07-03T14:35:36Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2021-07-03T14:35:34Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: docker://2b9d56ea17e1fa4deb89dfd971309bf99e9210947c740aa84d0c761968b42dd0
    image: nginx:1.17.1
    imageID: docker-pullable://nginx@sha256:b4b9b3eee194703fc2fa8afa5b7510c77ae70cfba567af1376a573a967c03dbb
    lastState: {}
    name: nginx
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2021-07-03T14:35:35Z"
  hostIP: 192.168.145.132
  phase: Running
  podIP: 10.244.2.14
  podIPs:
  - ip: 10.244.2.14
  qosClass: BestEffort
  startTime: "2021-07-03T14:35:34Z"
You can see port 80 in the output.
Resource quotas
A program running in a container inevitably consumes resources such as CPU and memory. If a container's resource use is not limited, it may consume a large share of them and leave other containers unable to run.
For this situation, k8s provides a mechanism for quotas on memory and CPU. It is implemented mainly through the resources option, which has two sub-options:
- limits: the maximum resources a running container may use; when a container exceeds its limits it is terminated and restarted
- requests: the minimum resources the container needs; if the environment cannot provide them, the container will not start
With these two options you set the upper and lower bounds on a container's resources.
Next, write a test case by creating pod-resources.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-resources
  namespace: dev
spec:
  containers:
  - name: nginx
    image: nginx:1.17.1
    resources:         # resource quota
      limits:          # resource limits (upper bound)
        cpu: "2"       # cpu limit
        memory: "10Gi" # memory limit
      requests:        # resource requests (lower bound)
        cpu: "1"       # cpu request
        memory: "10Mi" # memory request
Apply the configuration file
[root@master ~]# vim pod-resources.yaml
[root@master ~]# kubectl create -f pod-resources.yaml
pod/pod-resources created
[root@master ~]# kubectl get pod pod-resources -n dev
NAME            READY   STATUS    RESTARTS   AGE
pod-resources   1/1     Running   0          16s
Check the result
[root@master ~]# kubectl describe pod pod-resources -n dev
# in the output you will find:
    Limits:
      cpu:     2
      memory:  10Gi
    Requests:
      cpu:     1
      memory:  10Mi
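Two things in this tutorial are worth checking mechanically before a manifest is applied: the environment-variables section put a password as a literal value in the Pod spec (which the text itself says is not the recommended approach), and the resources section relies on requests being no larger than limits, which is what the API server enforces when the Pod is created. The added example below (my code, not the tutorial's) is a small manifest linter in Python that does both. Quantity parsing follows the Kubernetes suffix rules for the decimal (m, k, M, G, ...) and binary (Ki, Mi, Gi, ...) forms; the exponent form (1e3) is deliberately not supported. The two sample manifests are the tutorial's pod-env and pod-resources written as Python dicts (load a real file with yaml.safe_load() instead), and the credential name pattern is an assumption of my own.

```python
import re
from decimal import Decimal
from typing import Dict, List

# Kubernetes quantity suffixes: decimal SI and binary (power-of-two) forms.
_SUFFIX = {
    "": Decimal(1), "m": Decimal("0.001"),
    "k": Decimal(10) ** 3, "M": Decimal(10) ** 6, "G": Decimal(10) ** 9,
    "T": Decimal(10) ** 12, "P": Decimal(10) ** 15, "E": Decimal(10) ** 18,
    "Ki": Decimal(2) ** 10, "Mi": Decimal(2) ** 20, "Gi": Decimal(2) ** 30,
    "Ti": Decimal(2) ** 40, "Pi": Decimal(2) ** 50, "Ei": Decimal(2) ** 60,
}
_QUANTITY = re.compile(r"^([+-]?(?:[0-9]+\.?[0-9]*|\.[0-9]+))([A-Za-z]*)$")


def parse_quantity(q) -> Decimal:
    """Convert "2", "500m", "10Mi" or "1.5Gi" to a plain number of cores or
    bytes. YAML may have loaded an unquoted number as int, hence str()."""
    s = str(q)
    m = _QUANTITY.match(s)
    if not m or m.group(2) not in _SUFFIX:
        raise ValueError(f"invalid quantity {s!r}")
    return Decimal(m.group(1)) * _SUFFIX[m.group(2)]


# Assumed heuristic for env names that usually carry a credential.
_CREDENTIAL = re.compile(r"pass(word)?|secret|token|api[_-]?key", re.IGNORECASE)


def lint_pod(pod: Dict) -> List[str]:
    """Return findings for one Pod manifest already loaded into a dict."""
    findings = []
    for c in pod.get("spec", {}).get("containers", []):
        name = c.get("name", "<unnamed>")
        # A credential-looking env entry with a literal value sits in plaintext
        # in the manifest and in every copy of it (repo, CI logs, kubectl get).
        for e in c.get("env") or []:
            if "value" in e and _CREDENTIAL.search(e.get("name", "")):
                findings.append(f"{name}: env {e['name']!r} has a literal value in the manifest")
        res = c.get("resources") or {}
        limits, requests = res.get("limits") or {}, res.get("requests") or {}
        for r in ("cpu", "memory"):
            if r not in limits:
                findings.append(f"{name}: no {r} limit; the container can consume the node's {r} unbounded")
            elif r in requests and parse_quantity(requests[r]) > parse_quantity(limits[r]):
                findings.append(f"{name}: {r} request {requests[r]} exceeds limit {limits[r]} "
                                f"(the API server rejects this)")
    return findings


# Constructed samples mirroring the tutorial's pod-env and pod-resources.
POD_ENV = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "pod-env", "namespace": "dev"},
    "spec": {"containers": [{
        "name": "busybox", "image": "busybox:1.30",
        "env": [{"name": "username", "value": "admin"},
                {"name": "password", "value": "123456"}],
    }]},
}
POD_RESOURCES = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "pod-resources", "namespace": "dev"},
    "spec": {"containers": [{
        "name": "nginx", "image": "nginx:1.17.1",
        "resources": {"limits": {"cpu": "2", "memory": "10Gi"},
                      "requests": {"cpu": "1", "memory": "10Mi"}},
    }]},
}

if __name__ == "__main__":
    for pod in (POD_ENV, POD_RESOURCES):
        print(pod["metadata"]["name"], lint_pod(pod) or ["ok"])
```

Against the two samples the linter reports three findings for pod-env (the literal password and the absent cpu and memory limits) and none for pod-resources; swapping the cpu request and limit in pod-resources produces the "request exceeds limit" finding that the API server would otherwise raise at create time.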