kubernetes笔记(七)

发布于:2024-10-12 ⋅ 阅读:(137) ⋅ 点赞:(0)

一、service管理

1.clusterIP

1)创建服务

# 资源对象模板
[root@master ~]# kubectl create service clusterip mysvc --tcp=80:80 --dry-run=client -o yaml
[root@master ~]# vim mysvc.yaml
---
kind: Service
apiVersion: v1
metadata:
  name: mysvc
spec:
  type: ClusterIP
  selector:
    app: web
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80

[root@master ~]# kubectl apply -f mysvc.yaml 

[root@master ~]# kubectl get service

2)解析域名

# 安装工具软件包
[root@master ~]# dnf install -y bind-utils

# 查看 DNS 服务地址
[root@master ~]# kubectl -n kube-system get service kube-dns
可以获取CLUSTER-IP的值

# 域名解析测试
[root@master ~]# host mysvc.default.svc.cluster.local <CLUSTER-IP字段的值>

3)创建后端应用

[root@master ~]# vim myweb.yaml 
---
kind: Pod
apiVersion: v1
metadata:
  name: web1
  labels:
    app: web   # 服务靠标签寻找后端
spec:
  containers:
  - name: apache
    image: myos:httpd

[root@master ~]# kubectl apply -f myweb.yaml

[root@master ~]# curl http://<host命令解析域名后获取的ip地址>

4)负载均衡

[root@master ~]# sed 's,web1,web2,' myweb.yaml |kubectl apply -f -

[root@master ~]# sed 's,web1,web3,' myweb.yaml |kubectl apply -f -

[root@master ~]# curl -s http://<host命令解析域名后获取的ip地址>/info.php |grep php_host
php_host:       web1
[root@master ~]# curl -s http://<host命令解析域名后获取的ip地址>/info.php |grep php_host
php_host:       web2
[root@master ~]# curl -s http://<host命令解析域名后获取的ip地址>/info.php |grep php_host
php_host:       web3

5)固定IP服务

[root@master ~]# vim mysvc.yaml 
---
kind: Service
apiVersion: v1
metadata:
  name: mysvc
spec:
  type: ClusterIP
  clusterIP: 10.245.1.80    # 可以设置 ClusterIP
  selector:
    app: web
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80

[root@master ~]# kubectl delete service mysvc

[root@master ~]# kubectl apply -f mysvc.yaml 

[root@master ~]# kubectl get service

6)端口别名

[root@master ~]# kubectl delete pod --all
pod "web1" deleted
pod "web2" deleted
pod "web3" deleted
[root@master ~]# vim mysvc.yaml 
---
kind: Service
apiVersion: v1
metadata:
  name: mysvc
spec:
  type: ClusterIP
  clusterIP: 10.245.1.80
  selector:
    app: web
  ports:
  - protocol: TCP
    port: 80
    targetPort: myhttp    # 使用别名查找后端服务端口

[root@master ~]# kubectl apply -f mysvc.yaml 


[root@master ~]# vim myweb.yaml 
---
kind: Pod
apiVersion: v1
metadata:
  name: web1
  labels:
    app: web
spec:
  containers:
  - name: apache
    image: myos:httpd
    ports:               # 配置端口规范
    - name: myhttp       # 端口别名
      protocol: TCP      # 协议
      containerPort: 80  # 端口号

[root@master ~]# kubectl apply -f myweb.yaml

[root@master ~]# curl http://10.245.1.80

2.nodePort

kind ->Service

spec->type: NodePort

使用kubectl create service nodeport --help查看帮助

1)对外发布服务

[root@master ~]# cp -a mysvc.yaml mysvc1.yaml
[root@master ~]# vim mysvc1.yaml
---
kind: Service
apiVersion: v1
metadata:
  name: mysvc1
spec:
  type: NodePort            # 服务类型
  selector:
    app: web
  ports:
  - protocol: TCP
    port: 80
    nodePort: 30080         # 映射端口号
    targetPort: myhttp

[root@master ~]# kubectl apply -f mysvc1.yaml 
service/mysvc configured
[root@master ~]# kubectl get service
NAME         TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)
kubernetes   ClusterIP   10.245.0.1    <none>        443/TCP
mysvc        ClusterIP   10.245.1.80   <none>        80/TCP
mysvc1       NodePort    10.245.1.88   <none>        80:30080/TCP

[root@master ~]# curl http://node-0001:30080

[root@master ~]# curl http://node-0002:30080

[root@master ~]# curl http://node-0003:30080

[root@master ~]# curl http://node-0004:30080

[root@master ~]# curl http://node-0005:30080

3.Ingress

1)安装控制器

[root@master ~]# cd plugins/ingress
[root@master ingress]# docker load -i ingress.tar.xz
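# Mirror local images into the private registry harbor:443/plugins/.
# The loop walks every row of `docker images`, not only the images loaded from
# ingress.tar.xz, so any other image on this host that is not already under
# harbor:443/ is pushed and then removed locally as well.
[root@master ingress]# docker images | while read -r i t _; do
    [[ "${t}" == "TAG" ]] && continue                             # header row
    [[ "${i}" == "<none>" || "${t}" == "<none>" ]] && continue    # dangling image, nothing to tag
    [[ "${i}" =~ ^"harbor:443/".+ ]] && continue                  # already in the private registry
    target="harbor:443/plugins/${i##*/}:${t}"                     # keep only the last path component
    docker tag "${i}:${t}" "${target}" || continue
    docker push "${target}" || continue                           # keep the local copy if the push failed
    docker rmi "${i}:${t}" "${target}"
done
# Rewrite each matching `image:` line in deploy.yaml to harbor:443/plugins/<name>:<tag>.
# NOTE(review): the expression drops everything from "@" onwards (presumably an
# image@sha256:... digest in deploy.yaml, to be confirmed), so the manifest is no
# longer pinned by digest and the mutable tag in harbor becomes the only identity
# of the image. If pinning is wanted, re-add the digest that `docker push` reports.
[root@master ingress]# sed -ri 's,^(\s*image: )(.*/)?(.+)@.*,\1harbor:443/plugins/\3,' deploy.yaml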


[root@master ingress]# kubectl apply -f deploy.yaml
# 通过标签指定在哪台机器上发布应用
[root@master ingress]# kubectl label nodes node-0001 ingress-ready="true"

[root@master ingress]# kubectl -n ingress-nginx get pods

2)验证后端服务

[root@master ~]# kubectl get pods,services

[root@master ~]# curl http://<CLUSTER-IP字段的ip地址>

3)对外发布服务

[root@master ~]# kubectl get ingressclasses.networking.k8s.io 

# 资源对象模板
[root@master ~]# kubectl create ingress mying --class=nginx --rule=ns.test.cn/*=mysvc:80 --dry-run=client -o yaml

[root@master ~]# vim mying.yaml
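---
# Ingress that routes requests for host ns.test.cn to Service mysvc on port 80,
# handled by the controller registered under ingressClassName "nginx".
# NOTE(review): no `tls:` section is defined, so no certificate is configured
# for this host; add one before publishing anything that carries credentials.
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: mying
spec:
  ingressClassName: nginx
  rules:
  - host: ns.test.cn         # a space is required after "host:" for valid YAML
    http:
      paths:
      - path: /
        pathType: Prefix     # matches "/" and every path below it
        backend:
          service:
            name: mysvc
            port:
              number: 80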

[root@master ~]# kubectl apply -f mying.yaml 

[root@master ~]# kubectl get ingress

[root@master ~]# curl -H "Host: ns.test.cn" http://<ADDRESS字段的ip地址>

二、web管理插件

1.安装Dashboard

[root@master ~]# cd plugins/dashboard
[root@master dashboard]# docker load -i dashboard.tar.xz
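# Mirror local images into the private registry harbor:443/plugins/.
# The loop walks every row of `docker images`, not only the images loaded from
# dashboard.tar.xz, so any other image on this host that is not already under
# harbor:443/ is pushed and then removed locally as well.
[root@master dashboard]# docker images | while read -r i t _; do
    [[ "${t}" == "TAG" ]] && continue                             # header row
    [[ "${i}" == "<none>" || "${t}" == "<none>" ]] && continue    # dangling image, nothing to tag
    [[ "${i}" =~ ^"harbor:443/".+ ]] && continue                  # already in the private registry
    target="harbor:443/plugins/${i##*/}:${t}"                     # keep only the last path component
    docker tag "${i}:${t}" "${target}" || continue
    docker push "${target}" || continue                           # keep the local copy if the push failed
    docker rmi "${i}:${t}" "${target}"
done
# Point every `image:` line of recommended.yaml at harbor:443/plugins/<last path component>.
# NOTE(review): the images are then identified by tag only; review the rewritten
# lines (grep 'image:' recommended.yaml) before applying the manifest.
[root@master dashboard]# sed -ri 's,^(\s*image: )(.*/)?(.+),\1harbor:443/plugins/\3,' recommended.yaml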

[root@master dashboard]# kubectl apply -f recommended.yaml
[root@master dashboard]# kubectl -n kubernetes-dashboard get pods

2.发布服务

# 查看服务状态
[root@master dashboard]# kubectl -n kubernetes-dashboard get service

# 获取服务资源对象文件
[root@master dashboard]# sed -n '30,45p' recommended.yaml >dashboard-svc.yaml
[root@master dashboard]# vim dashboard-svc.yaml
---
# Service that publishes the Dashboard outside the cluster.
# NOTE(review): type NodePort opens port 30443 on every node, so the Dashboard
# login page is reachable from any network that can reach a node address.
# Limit access to that port (host firewall / security group) or publish the
# Dashboard only on a path restricted to administrators.
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort
  ports:
    - port: 443          # Service port inside the cluster
      nodePort: 30443    # port opened on the nodes
      targetPort: 8443   # port on the selected Dashboard pods
  selector:
    k8s-app: kubernetes-dashboard

[root@master dashboard]# kubectl apply -f dashboard-svc.yaml 

[root@master dashboard]# kubectl -n kubernetes-dashboard get service

三、服务账号与权限

1.创建服务账号

查看yaml对象文件

kubectl -n namespace1 create serviceaccount user1 --dry-run=client -o yaml

验证:kubectl -n namespace1 get serviceaccounts

# 资源对象模板
[root@master ~]# kubectl -n kubernetes-dashboard create serviceaccount kube-admin --dry-run=client -o yaml

[root@master ~]# vim admin-user.yaml
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: kube-admin
  namespace: kubernetes-dashboard

[root@master ~]# kubectl apply -f admin-user.yaml 

[root@master ~]# kubectl -n kubernetes-dashboard get serviceaccounts 

2.获取用户token

[root@master ~]# kubectl -n kubernetes-dashboard create token kube-admin

3.角色与鉴权

| 资源对象 | 描述 | 作用域 |
| --- | --- | --- |
| ServiceAccount | 服务账号,为 Pod 中运行的进程提供了一个身份 | 单一名称空间 |
| Role | 角色,包含一组代表相关权限的规则 | 单一名称空间 |
| ClusterRole | 角色,包含一组代表相关权限的规则 | 全集群 |
| RoleBinding | 将权限赋予用户,Role、ClusterRole 均可使用 | 单一名称空间 |
| ClusterRoleBinding | 将权限赋予用户,只可以使用 ClusterRole | 全集群 |

资源对象权限

| create | delete | deletecollection | get | list | patch | update | watch |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 创建 | 删除 | 删除集合 | 获取属性 | 获取列表 | 补丁 | 更新 | 监控 |

1)普通角色

查看帮助:

kubectl create role --help

kubectl create rolebinding --help

[root@master ~]# kubectl cluster-info dump |grep authorization-mode


# 资源对象模板
[root@master ~]# kubectl -n default create role myrole --resource=pods --verb=get,list --dry-run=client -o yaml

[root@master ~]# kubectl -n default create rolebinding kube-admin-role --role=myrole --serviceaccount=kubernetes-dashboard:kube-admin --dry-run=client -o yaml

[root@master ~]# vim myrole.yaml 
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: myrole
  namespace: default
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kube-admin-role
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: myrole
subjects:
- kind: ServiceAccount
  name: kube-admin
  namespace: kubernetes-dashboard

[root@master ~]# kubectl apply -f myrole.yaml 

[root@master ~]# kubectl delete -f myrole.yaml 

2)集群管理员

kubectl create clusterrolebinding --help


Usage:
  kubectl create clusterrolebinding NAME --clusterrole=NAME [--user=username] [--group=groupname]
[--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none] [options]

[root@master ~]# kubectl get clusterrole


# 资源对象模板
[root@master ~]# kubectl create clusterrolebinding kube-admin-role --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:kube-admin --dry-run=client -o yaml

[root@master ~]# vim admin-user.yaml 
---
# Service account used to log in to the Dashboard.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: kube-admin
  namespace: kubernetes-dashboard

---
# Binds the kube-admin service account to the built-in cluster-admin ClusterRole.
# NOTE(review): cluster-admin allows every verb on every resource in every
# namespace, so any token issued for this account (for example by
# `kubectl -n kubernetes-dashboard create token kube-admin`) is a full-cluster
# credential. With the Dashboard published on a NodePort, cluster administration
# then sits behind a single bearer token. For routine viewing, bind a narrower
# role instead (a namespaced Role, or the built-in `view` ClusterRole) and keep
# this binding for a deliberately small set of operators.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kube-admin-role
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kube-admin
  namespace: kubernetes-dashboard

[root@master ~]# kubectl apply -f admin-user.yaml 
