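# curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl
# chmod +x kubectl
# mv kubectl /usr/local/bin/
Note: nothing here checks the downloaded binary before it is installed into /usr/local/bin as root; compare its SHA-256 with the checksum published for the same release before the chmod/mv steps.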
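$ kubectl config get-contexts
$ kubectl config use-context kubernetes-admin@kubernetes
gitlab-runner@server:~$ mkdir .kube
gitlab-runner@server:~$ scp root@node1:.kube/config .kube/config
gitlab-runner@server:~$ kubectl get all -o wide --all-namespaces
Note: this hands the gitlab-runner account the same kubeconfig root uses on node1 (a copy of admin.conf, the kubernetes-admin context above), so every CI job gets full control of the cluster. Outside a lab, give the runner a service account limited to the namespaces it deploys to, and keep .kube/config readable by its owner only.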
root@server:~# apt install -y curl wget apt-transport-https root@server:~# wget https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64 root@server:~# mv minikube-linux-amd64 /usr/local/bin/minikube root@server:~# chmod +x /usr/local/bin/minikube
gitlab-runner@server:~$ ### minikube delete
gitlab-runner@server:~$ ### rm -rv .minikube/
gitlab-runner@server:~$ time minikube start --driver=docker --insecure-registry "server.corpX.un:5000"
real 5m8.320s
...
gitlab-runner@server:~$ minikube status
gitlab-runner@server:~$ minikube ip
gitlab-runner@server:~$ minikube kubectl -- get pods -A
gitlab-runner@server:~$ minikube addons list
gitlab-runner@server:~$ minikube addons configure registry-creds
...
Do you want to enable Docker Registry? [y/n]: y
-- Enter docker registry server url: http://server.corpX.un:5000
-- Enter docker registry username: student
-- Enter docker registry password:
...
gitlab-runner@server:~$ minikube addons enable registry-creds
Note: with --insecure-registry and an http:// registry URL, the registry password and the images travel unencrypted and the registry is not authenticated to the client. Use this on an isolated lab network only; otherwise put TLS in front of the registry.
server# ssh-keygen server# ssh-copy-id node1 server# ssh-copy-id node2 server# ssh-copy-id node3
server# bash -c '
ssh node1 http_proxy=http://proxy.isp.un:3128/ apt install -y docker.io
ssh node2 http_proxy=http://proxy.isp.un:3128/ apt install -y docker.io
ssh node3 http_proxy=http://proxy.isp.un:3128/ apt install -y docker.io
'
server# bash -c '
ssh node1 http_proxy=http://proxy.isp.un:3128/ apt -y install apt-transport-https curl
ssh node2 http_proxy=http://proxy.isp.un:3128/ apt -y install apt-transport-https curl
ssh node3 http_proxy=http://proxy.isp.un:3128/ apt -y install apt-transport-https curl
'
server# bash -c '
ssh node1 "curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add"
ssh node2 "curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add"
ssh node3 "curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add"
'
server# bash -c '
ssh node1 apt-add-repository \"deb http://apt.kubernetes.io/ kubernetes-xenial main\"
ssh node2 apt-add-repository \"deb http://apt.kubernetes.io/ kubernetes-xenial main\"
ssh node3 apt-add-repository \"deb http://apt.kubernetes.io/ kubernetes-xenial main\"
'
server# bash -c '
ssh node1 http_proxy=http://proxy.isp.un:3128/ apt -y install kubeadm kubelet kubectl kubernetes-cni
ssh node2 http_proxy=http://proxy.isp.un:3128/ apt -y install kubeadm kubelet kubectl kubernetes-cni
ssh node3 http_proxy=http://proxy.isp.un:3128/ apt -y install kubeadm kubelet kubectl kubernetes-cni
'
server# bash -c '
ssh node1 swapoff -a
ssh node2 swapoff -a
ssh node3 swapoff -a
'
server# bash -c '
ssh node1 sed -i"" -e "/swap/s/^/#/" /etc/fstab
ssh node2 sed -i"" -e "/swap/s/^/#/" /etc/fstab
ssh node3 sed -i"" -e "/swap/s/^/#/" /etc/fstab
'
Note: apt-key add puts the key into apt's global trusted keyring, so it is accepted for every configured repository, and apt-key itself is deprecated. On current systems, store the key in its own keyring file and reference it with signed-by in the repository entry. The legacy apt.kubernetes.io repository used here has since been replaced by pkgs.k8s.io.
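root@node1:~# kubeadm init --pod-network-cidr=10.244.0.0/16 --apiserver-advertise-address=192.168.X.201
root@node1:~# mkdir -p $HOME/.kube
root@node1:~# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
root@node1:~# kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
root@node1:~# kubectl get pod -o wide --all-namespaces
root@node1:~# kubectl get --raw='/readyz?verbose'
Note: the flannel manifest is applied with cluster-admin rights straight from the master branch, so its content can change between runs. Download it, read it, and apply a copy pinned to a release tag or commit. admin.conf holds the cluster-admin credentials, so keep $HOME/.kube/config readable by its owner only.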
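root@node2_3:~# curl -k https://node1:6443/livez?verbose
Note: -k turns off certificate verification, so this is only a reachability check and says nothing about who answered. The join below authenticates the API server through --discovery-token-ca-cert-hash.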
root@node2_3:~# kubeadm join 192.168.X.201:6443 --token NNNNNNNNNNNNNNNNNNNN \
--discovery-token-ca-cert-hash sha256:NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
root@node1:~# kubectl cluster-info root@node1:~# kubectl get nodes -o wide
server# bash -c '
scp /etc/docker/daemon.json node1:/etc/docker/daemon.json
scp /etc/docker/daemon.json node2:/etc/docker/daemon.json
scp /etc/docker/daemon.json node3:/etc/docker/daemon.json
'
server# bash -c '
ssh node1 service docker restart
ssh node2 service docker restart
ssh node3 service docker restart
'
# don't work in cri-tools 1.25, need public project
### server# docker login http://server.corpX.un:5000
### server# bash -c '
ssh node1 mkdir -p .docker
ssh node2 mkdir -p .docker
ssh node3 mkdir -p .docker
scp ~/.docker/config.json node1:.docker/config.json
scp ~/.docker/config.json node2:.docker/config.json
scp ~/.docker/config.json node3:.docker/config.json
'
Note: the ~/.docker/config.json written by docker login holds the registry credentials only base64-encoded (unless a credential helper is configured), so copying it to every node spreads a reusable password.
root@node1:~# cat /etc/containerd/config.toml
# containerd CRI registry settings for the private registry server.corpX.un:5000.
version = 2
[plugins."io.containerd.grpc.v1.cri".registry]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."server.corpX.un:5000"]
# Plain-HTTP endpoint: image pulls from this registry are neither encrypted
# nor integrity-protected in transit.
endpoint = ["http://server.corpX.un:5000"]
[plugins."io.containerd.grpc.v1.cri".registry.configs]
[plugins."io.containerd.grpc.v1.cri".registry.configs."server.corpX.un:5000".tls]
# Turns off TLS certificate verification for this registry host, so the nodes
# cannot tell the real registry from an impostor. Lab use only; with a proper
# certificate this line and the http:// endpoint above can both go.
insecure_skip_verify = true
# doesn't work with cri-tools 1.25; a public project is needed
# NOTE(review): the auth value below is plain base64 of "user:password"
# (it decodes to student:password), not an encrypted secret - anyone who can
# read this file, or a copy pushed to other nodes, recovers the password.
#[plugins."io.containerd.grpc.v1.cri".registry.configs."server.corpX.un:5000".auth]
# auth = "c3R1ZGVudDpwYXNzd29yZA=="
server# bash -c ' scp -3 node1:/etc/containerd/config.toml node2:/etc/containerd/config.toml scp -3 node1:/etc/containerd/config.toml node3:/etc/containerd/config.toml ssh node1 systemctl restart containerd ssh node2 systemctl restart containerd ssh node3 systemctl restart containerd ' root@nodeN:~# containerd config dump
Проверка
root@nodeN:~# crictl -r unix:///run/containerd/containerd.sock pull server.corpX.un:5000/student/webd
$ kubectl create deployment my-debian --image=debian -- "sleep" "3600" $ kubectl get all $ kubectl get deployments $ kubectl get pods -o wide $ kubectl attach my-debian-NNNNNNNNN-NNNNN $ kubectl exec -ti my-debian-NNNNNNNNN-NNNNN -- bash Ctrl-D $ kubectl get deployment my-debian -o yaml $ kubectl edit deployment my-debian $ kubectl delete deployment my-debian
$ cat my-debian-deployment.yaml
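# Deployment that runs a debian container printing "hello" every 3 seconds.
# (Indentation restored; the listing had been flattened to column 0.)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-debian
spec:
  selector:
    matchLabels:
      app: my-debian
  template:
    metadata:
      labels:
        app: my-debian
    spec:
      containers:
      - name: my-debian
        # No tag is given, so the node pulls debian:latest; pin a tag or a
        # digest when the same image must run on every pull.
        image: debian
        command: ["/bin/sh"]
        args: ["-c", "while true; do echo hello; sleep 3;done"]
      restartPolicy: Always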
$ kubectl create -f my-debian-deployment.yaml ... $ kubectl delete -f my-debian-deployment.yaml
$ kubectl create namespace my-ns $ kubectl get namespaces $ ### kubectl create deployment my-webd --image=server.corpX.un:5000/student/webd:latest --replicas=2 -n my-ns $ ### kubectl delete deployment my-webd -n my-ns $ cd webd/ $ cat my-webd-deployment.yaml
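# Deployment of two my-webd replicas in namespace my-ns.
# (Indentation restored; the listing had been flattened to column 0.)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-webd
  namespace: my-ns
spec:
  selector:
    matchLabels:
      app: my-webd
  replicas: 2
  template:
    metadata:
      labels:
        app: my-webd
    spec:
      containers:
      - name: my-webd
        # As written the container has no active image line: uncomment exactly
        # one of the two below before applying. The first has no tag and
        # resolves to :latest; the second pins a specific build (ver1.N).
        # image: server.corpX.un:5000/student/webd
        # image: server.corpX.un:5000/student/webd:ver1.N
        # Restart the container when an HTTP GET on port 80 stops answering.
        livenessProbe:
          httpGet:
            port: 80
        # Optional NFS-backed document root (volumeMounts belongs to the
        # container, volumes to the pod spec).
        # volumeMounts:
        # - name: nfs-volume
        #   mountPath: /var/www
      # volumes:
      # - name: nfs-volume
      #   nfs:
      #     server: server.corpX.un
      #     path: /var/www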
$ kubectl apply -f my-webd-deployment.yaml $ kubectl get all -n my-ns -o wide $ kubectl describe -n my-ns pod/my-webd-NNNNNNNNNN-NNNNN $ kubectl scale deployment my-webd --replicas=3 -n my-ns $ kubectl delete pod/my-webd-NNNNNNNNNN-NNNNN -n my-ns
$ ### kubectl expose deployment my-webd --type=NodePort --port=80 -n my-ns $ ### kubectl delete svc my-webd -n my-ns $ cat my-webd-service.yaml
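# NodePort Service in front of the pods labelled app=my-webd.
# (Indentation restored; the listing had been flattened to column 0.)
apiVersion: v1
kind: Service
metadata:
  name: my-webd
  namespace: my-ns
spec:
  # NodePort opens the allocated port on every node of the cluster, so the
  # service is reachable from any network that can reach a node address.
  type: NodePort
  selector:
    app: my-webd
  ports:
  - protocol: TCP
    port: 80
    # Uncomment to fix the node port instead of letting the cluster pick one.
    # nodePort: 30111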
$ kubectl apply -f my-webd-service.yaml $ kubectl get svc my-webd -n my-ns NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE my-webd-svc NodePort 10.102.135.146 <none> 80:NNNNN/TCP 18h $ kubectl describe svc my-webd -n my-ns $ curl http://node1,2,3:NNNNN $ minikube service list $ minikube service my-webd -n my-ns --url http://192.168.49.2:NNNNN $ curl $(minikube service my-webd -n my-ns --url) $ kubectl logs -l app=my-webd -n my-ns (доступны опции -f, --tail=2000, --previous)
$ kubectl delete -n my-ns -f my-webd-deployment.yaml,my-webd-service.yaml или $ kubectl delete namespace my-ns
server# host webd webd.corpX.un has address 192.168.49.2 или webd.corpX.un has address 192.168.X.201 gitlab-runner@server:~$ minikube addons enable ingress
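root@node1:~# kubectl port-forward --namespace=ingress-nginx --address 0.0.0.0 service/ingress-nginx-controller 80:80
Note: --address 0.0.0.0 makes the forwarded port 80 listen on every interface of node1 rather than on localhost only, so any host that can reach node1 reaches the ingress controller through this forward for as long as the command runs.
gitlab-runner@server:~/webd$ ### kubectl create ingress my-webd --class=nginx --rule="webd.corpX.un/*=my-webd:80" -n my-ns
gitlab-runner@server:~/webd$ cat my-webd-ingress.yaml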
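# Ingress routing http://webd.corpX.un/ to Service my-webd, port 80.
# (Indentation restored; the listing had been flattened to column 0.)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-webd
  namespace: my-ns
spec:
  ingressClassName: nginx
  # There is no tls: section, so this host is served over plain HTTP only.
  rules:
  - host: webd.corpX.un
    http:
      paths:
      - backend:
          service:
            name: my-webd
            port:
              number: 80
        path: /
        pathType: Prefix
# NOTE(review): status is reported by the cluster, not set by the author;
# presumably left over from generated output - confirm it can be dropped.
status:
  loadBalancer: {}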
$ kubectl apply -f my-webd-ingress.yaml $ kubectl get ingress -n my-ns NAME CLASS HOSTS ADDRESS PORTS AGE my-webd nginx webd.corpX.un 80 11s $ curl webd.corpX.un $ ### kubectl delete ingress my-webd -n my-ns
gitlab-runner@gate:~/webd$ cat my-webd-ssh-deployment.yaml
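# Pod with two containers sharing one emptyDir volume: the web server mounts it
# at /var/www, the SFTP sidecar mounts the same volume at /home/user3/www.
# (Indentation restored; the listing had been flattened to column 0.)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-webd-ssh
  namespace: my-ns
spec:
  selector:
    matchLabels:
      app: my-webd-ssh
  replicas: 1
  template:
    metadata:
      labels:
        app: my-webd-ssh
    spec:
      containers:
      - name: my-webd
        # :latest here and the untagged atmoz/sftp below both run whatever is
        # current at pull time; pin a tag or digest outside a lab.
        image: server.corp13.un:5000/student/webd:latest
        volumeMounts:
        - name: html
          mountPath: /var/www
      - name: my-ssh
        image: atmoz/sftp
        # The account is passed as a container argument (presumably
        # user:password:uid), so the password sits in clear text in the
        # manifest and in the Deployment object, readable by anyone who may
        # get or describe it. Outside a lab, keep the credential in a Secret
        # or use key-based login.
        args: ["user3:password3:10003"]
        volumeMounts:
        - name: html
          mountPath: /home/user3/www
      volumes:
      - name: html
        # emptyDir lives only as long as the pod; uploaded content is lost on
        # reschedule.
        emptyDir: {}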
... $ kubectl describe pod my-webd-NNNNNNNNNN-NNNNN -n my-ns $ kubectl exec -ti -n my-ns my-webd-NNNNNNNNNN-NNNNN -c my-ssh -- bash $ ### kubectl expose deployment my-webd-ssh --type=NodePort --port=80,22 -n my-ns $ cat my-webd-ssh-service.yaml
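# NodePort Service publishing both the web port and the SFTP port of the
# pods labelled app=my-webd-ssh.
# (Indentation restored; the listing had been flattened to column 0.)
apiVersion: v1
kind: Service
metadata:
  name: my-webd-ssh
  namespace: my-ns
spec:
  # NodePort opens both ports on every node of the cluster.
  type: NodePort
  selector:
    app: my-webd-ssh
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 80
  # Publishes the SFTP login of the my-ssh container on every node; with the
  # password login configured in my-webd-ssh-deployment.yaml, limit who can
  # reach this node port (firewall or network policy).
  - name: ssh
    protocol: TCP
    port: 22
    targetPort: 22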
server# wget https://get.helm.sh/helm-v3.9.0-linux-amd64.tar.gz # tar -zxvf helm-v3.9.0-linux-amd64.tar.gz # mv linux-amd64/helm /usr/local/bin/helm
$ curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.1/deploy/static/provider/cloud/deploy.yaml $ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.1/deploy/static/provider/cloud/deploy.yaml $ kubectl delete -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.1/deploy/static/provider/cloud/deploy.yaml $ helm upgrade --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx --create-namespace $ helm list --namespace ingress-nginx $ ### helm delete ingress-nginx --namespace ingress-nginx
$ helm create webd-chart $ cat webd-chart/Chart.yaml
... description: A Helm chart WebD for Kubernetes ... version: 0.1.1 ... appVersion: "latest"
$ cat webd-chart/values.yaml
...
image:
  repository: server.corpX.un:5000/student/webd
  pullPolicy: Always
...
serviceAccount:
  create: false
...
service:
  type: NodePort
...
ingress:
  enabled: true
  className: "nginx"
...
  hosts:
    - host: webd.corp13.un
...
$ less webd-chart/templates/deployment.yaml
...
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
...
$ helm install my-webd webd-chart/ -n my-ns --create-namespace --wait $ export HELM_NAMESPACE=my-ns $ helm list $ helm upgrade my-webd webd-chart/ --set=image.tag=ver1.10 $ helm history my-webd $ helm rollback my-webd 1 $ helm uninstall my-webd
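$ helm repo add --username student --password NNNNNN-NNNNNNNNNNNNN webd http://192.168.13.1/api/v4/projects/6/packages/helm/stable
$ helm repo list
$ helm package webd-chart
$ ls *tgz
$ helm plugin install https://github.com/chartmuseum/helm-push
$ helm cm-push webd-chart-0.1.0.tgz webd
...
С другого кластера подключаем (аналогично) наш репозиторий и ...
$ helm search repo webd
$ helm repo update webd
$ helm install my-webd webd/webd-chart
Note: a token passed with --password ends up in the shell history and is visible in the process list, and because the repository URL is plain http it is also sent unencrypted. helm repo add can read it from stdin with --password-stdin; use a token scoped to the package registry only.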
$ helm search hub -o json wordpress | jq '.' | less $ helm repo add bitnami https://charts.bitnami.com/bitnami $ helm show values bitnami/wordpress
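student@node2:~$ sudo apt install conntrack
https://computingforgeeks.com/install-mirantis-cri-dockerd-as-docker-engine-shim-for-kubernetes/
...
wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.24.2/crictl-v1.24.2-linux-amd64.tar.gz
...
student@node2:~$ minikube start --driver=none --insecure-registry "server.corp13.un:5000"
Note: --driver=none runs the Kubernetes components directly on the host with root privileges, with no VM or container boundary between the cluster and node2. Use it only on a machine dedicated to this purpose.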
student@node1:~$ minikube dashboard & ... Opening http://127.0.0.1:NNNNN/api/v1/namespaces/kubernetes-dashboard/services/http:kubernetes-dashboard:/proxy/ in your default browser ... /home/mobaxterm> ssh -L NNNNN:localhost:NNNNN student@192.168.X.10 Теперь, та же ссылка работает на win host системе
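student@node1:~$ tar -cvzf kube-config.tar.gz .kube/config .minikube/ca.crt .minikube/profiles/minikube
gitlab-runner@server:~$ scp student@node1:kube-config.tar.gz .
gitlab-runner@server:~$ tar -xvf kube-config.tar.gz
Note: the archive contains the minikube client key (profiles/minikube/client.key, referenced in the config below), which is all that is needed to authenticate to the cluster as that user. Delete kube-config.tar.gz on both hosts after unpacking and keep the extracted files readable by their owner only.
gitlab-runner@server:~$ cat .kube/config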
...
certificate-authority: /home/gitlab-runner/.minikube/ca.crt
...
client-certificate: /home/gitlab-runner/.minikube/profiles/minikube/client.crt
client-key: /home/gitlab-runner/.minikube/profiles/minikube/client.key
...
root@gate.corp13.un:~# curl -L https://github.com/kubernetes/kompose/releases/download/v1.26.0/kompose-linux-amd64 -o kompose root@gate.corp13.un:~# chmod +x kompose root@gate.corp13.un:~# sudo mv ./kompose /usr/local/bin/kompose
gitlab-runner@gate:~/webd$ kompose convert gitlab-runner@gate:~/webd$ ls *yaml gitlab-runner@gate:~/webd$ kubectl apply -f sftp-deployment.yaml,vol1-persistentvolumeclaim.yaml,webd-service.yaml,sftp-service.yaml,webd-deployment.yaml gitlab-runner@gate:~/webd$ kubectl get all