k8s4部署

configMap

configmap概述：
  数据会存储在etcd数据库，其应用场景主要在应用程序的配置
configmap支持的类型
   （1）键值对
   （2）多行数据
pod使用configmap资源有两种常见的方式
   （1）变量注入
   （2）数据卷挂载
推荐阅读
https://kubernetes.io/docs/concepts/storage/volumes/#configmap	
https://kubernetes.io/docs/concepts/configuration/configmap/


声明式创建cm资源
[root@master231 configmaps]# cat 01-cm-demo.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: game-demo
# 指定cm资源的数据
data:
  # 类属性键；每一个键都映射到一个简单的值，对应的键值对。
  player_initial_lives: "3"
  ui_properties_file_name: "user-interface.properties"
  school: oldboyedu
  class: linux94

  # 类文件键，对应的是多行数据，注意缩进格式
  game.properties: |      # |表示换行，一行写不下
    enemy.types=aliens,monsters
    player.maximum-lives=5    
  user-interface.properties: |
    color.good=purple
    color.bad=yellow
    allow.textmode=true  
  my.cnf: |
    [mysqld]
    datadir=/var/lib/mysql
    basedir=/usr/local/mysql
    socket=/tpm/mysql.sock
    skip-name-resolve=1
    port=3306
    [client]
    username=admin
    password=oldboyedu 

创建
root@ubuntu0:~/manifests/configmap# kubectl apply -f 01-cm-demo.yaml 
configmap/game-demo created

查看
root@ubuntu0:~/manifests/configmap# kubectl get cm 
NAME               DATA   AGE
game-demo          7      29s
kube-root-ca.crt   1      23d
root@ubuntu0:~/manifests/configmap# kubectl get cm game-demo 
NAME        DATA   AGE
game-demo   7      33s   #7代表有七个键值对


删除
root@ubuntu0:~/manifests/configmap# kubectl delete -f 01-cm-demo.yaml 
configmap "game-demo" deleted


响应式创建
root@ubuntu0:~/manifests/configmap# kubectl create configmap xp --from-literal=school=oldboyedu --from-literal=class=linux94 
configmap/xp created
root@ubuntu0:~/manifests/configmap# kubectl get cm 
NAME               DATA   AGE
kube-root-ca.crt   1      23d
xp                 2      6s
root@ubuntu0:~/manifests/configmap# kubectl get cm xp
NAME   DATA   AGE
xp     2      8s

root@ubuntu0:~/manifests/configmap# kubectl describe cm xp 
Name:         xp
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
class:
----
linux94
school:
----
oldboyedu

BinaryData
====

Events:  <none>


 基于配置文件创建cm
 [root@master231 configmaps]# ll /root/kube-flannel.yml 
-rw-r--r-- 1 root root 4406 Nov 15 17:40 /root/kube-flannel.yml
[root@master231 configmaps]# 
[root@master231 configmaps]# kubectl create configmap oldboyedu-cni --from-file=cni.yml=/root/kube-flannel.yml
configmap/oldboyedu-cni created

		3.3 查看cm资源 
[root@master231 configmaps]# kubectl get cm oldboyedu-cni 
NAME            DATA   AGE
oldboyedu-cni   1      8s
[root@master231 configmaps]# 
[root@master231 configmaps]# kubectl describe cm oldboyedu-cni 
[root@master231 configmaps]# 
[root@master231 configmaps]# kubectl get cm oldboyedu-cni -o yaml
[root@master231 configmaps]# 
[root@master231 configmaps]# kubectl get cm oldboyedu-cni -o json

		3.3 删除cm资源 
[root@master231 configmaps]# kubectl get cm
NAME                DATA   AGE
kube-root-ca.crt    1      4d16h
oldboyedu-cni       1      2m27s
oldboyedu-linux94   2      4m38s
[root@master231 configmaps]# 
[root@master231 configmaps]# kubectl delete cm oldboyedu-cni 
configmap "oldboyedu-cni" deleted
[root@master231 configmaps]# 
[root@master231 configmaps]# kubectl get cm
NAME                DATA   AGE
kube-root-ca.crt    1      4d16h
oldboyedu-linux94   2      5m9s
[root@master231 configmaps]# 

root@ubuntu0:~/manifests/configmap# kubectl get cm xp -o yaml
apiVersion: v1
data:
  class: linux94
  school: oldboyedu
kind: ConfigMap
metadata:
  creationTimestamp: "2025-05-02T10:49:39Z"
  name: xp
  namespace: default
  resourceVersion: "670826"
  uid: b129e625-7733-4b80-9d9f-55227b473f51

那如何在声明式中引用这个key：vlaue呢
root@ubuntu0:~/manifests/configmap# cat 01-cm-demo.yaml  
apiVersion: v1
kind: ReplicationController 
metadata:
  name: xp-configmap
spec:
  replicas: 1
  selector:
    apps: v1
  template:
    metadata:
      labels:
        apps: v1
    spec:
      nodeName: ubuntu1
      containers:
      - name: xiuxian-v1
        image: registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
        env:
        - name: SCHOOL
          # 指定值从哪里来，一点定义了valueFrom字段，则不能定义value字段。
          # 换句话说，定义了valueFrom字段，则value字段必须为空，省略不写!
          valueFrom:
            # 表示数据从一个cm资源引用
            configMapKeyRef:
            # 指定cm的名称
               name: "xp"
            # 指定引用cm的KEY
               key: "school"
        - name: CLass
          valueFrom:
            configMapKeyRef:
              name: "xp"
              key: "class"
root@ubuntu0:~/manifests/configmap# kubectl apply -f 01-cm-demo.yaml 
replicationcontroller/xp-configmap created
root@ubuntu0:~/manifests/configmap# kubectl exec -it xp-configmap-vvtch -- env|grep -Ei 'school|class'
SCHOOL=oldboyedu
CLass=linux94

Pod基于存储卷引用cm资源

root@ubuntu0:~/manifests/configmap# cat 02-rc-configmaps-volumes.yaml 
apiVersion: v1
kind: ReplicationController 
metadata:
  name: xpxp
spec:
  replicas: 1
  selector: 
    apps: xpxp-v1
  template:
    metadata:
      labels:
        apps: xpxp-v1
    spec:
      nodeName: ubuntu1
      volumes:
      - name: data
       # 指定存储卷类型是cm资源
        configMap:
         # 指定cm的名称
          name: "xp"
         # 定义需要引用具体的KEY，若不定义，则默认引用所有的KEY
          items:
          # 表示引用指定的KEY
          - key: school 
          # 可以暂时理解为将来的文件名称
            path: school.txt
      containers:
      - name: nginx
        image: registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
        volumeMounts:
        - name: data
          mountPath: /oldboyedu

root@ubuntu0:~/manifests/configmap# kubectl apply -f 02-rc-configmaps-volumes.yaml 
replicationcontroller/xpxp created
root@ubuntu0:~/manifests/configmap# kubectl get pods -o wide
NAME         READY   STATUS    RESTARTS   AGE   IP            NODE      NOMINATED NODE   READINESS GATES
xpxp-25pwf   1/1     Running   0          25m   10.100.2.19   ubuntu1   <none>           <none>
root@ubuntu0:~/manifests/configmap# kubectl exec xpxp-25pwf -- ls /oldboyedu
school.txt
root@ubuntu0:~/manifests/configmap# kubectl exec xpxp-25pwf -- more /oldboyedu/school.txt
oldboyeduroot@ubuntu0:~/manifests/configmap# 



将"registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1"镜像的80端口修改为81端口，要求在不重新打镜像的情况下，使用cm存储卷的方式挂载。

1.找到nginx的配置文件
root@ubuntu0:~/manifests/configmap# kubectl exec -it xp-configmap-pgc6z -- sh
/ # vi /etc/nginx/nginx.conf 
/ # ls /etc/nginx/conf.d/default.conf 
/etc/nginx/conf.d/default.conf
/ # vi /etc/nginx/conf.d/default.conf 
server {                   
    listen       80;       
    listen  [::]:80;                                  
    server_name  localhost;                                                               
    location / {                     
        root   /usr/share/nginx/html;
        index  index.html index.htm;        
    }                                              
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {           
        root   /usr/share/nginx/html;                          
    }  
  }  
2.编写资源清单
 root@ubuntu0:~/manifests/configmap# cat 02-rc-configmaps-volumes.yaml 
apiVersion: v1
kind: ConfigMap
metadata:
  name: game-cm
data:
  port.conf: |
    server {                   
        listen       81;       
        listen  [::]:81;                                  
        server_name  localhost;                                                               
        location / {                     
            root   /usr/share/nginx/html;
            index  index.html index.htm;        
        }                                              
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {           
            root   /usr/share/nginx/html;                          
        }  
      }  
---
apiVersion: v1
kind: ReplicationController 
metadata:
  name: xiuxian-cm
spec:
  replicas: 1
  selector: 
    apps: xpxp-v1
  template:
    metadata:
      labels:
        apps: xpxp-v1
    spec:
      nodeName: ubuntu1
      volumes:
      - name: data
       # 指定存储卷类型是cm资源
        configMap:
         # 指定cm的名称
          name: "game-cm"
         # 定义需要引用具体的KEY，若不定义，则默认引用所有的KEY
          items:
          # 表示引用指定的KEY
          - key: port.conf
          # 可以暂时理解为将来的文件名称
            path: default.conf
      containers:
      - name: nginx
        image: registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
        volumeMounts:
        - name: data
          mountPath: /etc/nginx/conf.d/
---
apiVersion: v1
kind: Service
metadata:
  name: svc-mysql
spec:
  type: NodePort
  selector:
     apps: xpxp-v1
  ports:
  - port: 80
    targetPort: 81
    nodePort: 30081
root@ubuntu0:~/manifests/configmap# kubectl apply -f 02-rc-configmaps-volumes.yaml 
configmap/game-cm created
replicationcontroller/xiuxian-cm created
service/svc-mysql created
root@ubuntu0:~/manifests/configmap# kubectl get pods -o wide
NAME               READY   STATUS    RESTARTS   AGE   IP            NODE      NOMINATED NODE   READINESS GATES
xiuxian-cm-b52m2   1/1     Running   0          7s    10.100.2.21   ubuntu1   <none>           <none>
root@ubuntu0:~/manifests/configmap# kubectl describe svc 
kubernetes  svc-mysql   
root@ubuntu0:~/manifests/configmap# kubectl describe svc svc-mysql 
Name:                     svc-mysql
Namespace:                default
Labels:                   <none>
Annotations:              <none>
Selector:                 apps=xpxp-v1
Type:                     NodePort
IP Family Policy:         SingleStack
IP Families:              IPv4
IP:                       192.168.116.228
IPs:                      192.168.116.228
Port:                     <unset>  80/TCP
TargetPort:               81/TCP
NodePort:                 <unset>  30081/TCP
Endpoints:                10.100.2.21:81
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>
root@ubuntu0:~/manifests/configmap# curl 10.100.2.21:81
<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8"/>
    <title>yinzhengjie apps v1</title>
    <style>
       div img {
          width: 900px;
          height: 600px;
          margin: 0;
       }
    </style>
  </head>

  <body>
    <h1 style="color: green">凡人修仙传 v1 </h1>
    <div>
      <img src="1.jpg">
    <div>
  </body>

</html>

在进入容器内，已经发生改变了
root@ubuntu0:~/manifests/configmap# kubectl get pods -o wide
NAME               READY   STATUS    RESTARTS   AGE     IP            NODE      NOMINATED NODE   READINESS GATES
xiuxian-cm-b52m2   1/1     Running   0          2m38s   10.100.2.21   ubuntu1   <none>           <none>
root@ubuntu0:~/manifests/configmap# kubectl exec -it xiuxian-cm-b52m2 -- sh
/ # cat /etc/nginx/conf.d/default.conf 
server {                   
    listen       81;       
    listen  [::]:81;                                  
    server_name  localhost;                                                               
    location / {                     
        root   /usr/share/nginx/html;
        index  index.html index.htm;        
    }                                              
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {           
        root   /usr/share/nginx/html;                          
    }  
  }  

kubectl logs查看Pod日志

	1.实时查看日志
[root@master231 ~]# kubectl get pods -o wide
NAME                         READY   STATUS    RESTARTS   AGE     IP            NODE        NOMINATED NODE   READINESS GATES
oldboyedu-xiuxian-cm-844zl   1/1     Running   0          4m47s   10.100.1.55   worker232   <none>           <none>
[root@master231 ~]# 
[root@master231 ~]# kubectl logs -f oldboyedu-xiuxian-cm-844zl 
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: can not modify /etc/nginx/conf.d/default.conf (read-only file system?)
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2024/11/20 03:10:00 [notice] 1#1: using the "epoll" event method
2024/11/20 03:10:00 [notice] 1#1: nginx/1.20.1
2024/11/20 03:10:00 [notice] 1#1: built by gcc 10.2.1 20201203 (Alpine 10.2.1_pre1) 
2024/11/20 03:10:00 [notice] 1#1: OS: Linux 5.15.0-119-generic
2024/11/20 03:10:00 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 524288:524288
2024/11/20 03:10:00 [notice] 1#1: start worker processes
2024/11/20 03:10:00 [notice] 1#1: start worker process 23
2024/11/20 03:10:00 [notice] 1#1: start worker process 24
10.100.0.0 - - [20/Nov/2024:03:10:08 +0000] "GET / HTTP/1.1" 200 357 "-" "curl/7.81.0" "-"
10.100.0.0 - - [20/Nov/2024:03:10:13 +0000] "GET / HTTP/1.1" 200 357 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" "-"
10.100.0.0 - - [20/Nov/2024:03:10:13 +0000] "GET /1.jpg HTTP/1.1" 200 233472 "http://10.0.0.231:30080/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" "-"
2024/11/20 03:10:13 [error] 24#24: *2 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 10.100.0.0, server: localhost, request: "GET /favicon.ico HTTP/1.1", host: "10.0.0.231:30080", referrer: "http://10.0.0.231:30080/"
10.100.0.0 - - [20/Nov/2024:03:10:13 +0000] "GET /favicon.ico HTTP/1.1" 404 555 "http://10.0.0.231:30080/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" "-"


	2.查看最近5min的日志
[root@master231 ~]# kubectl logs -f --since=5m oldboyedu-xiuxian-cm-844zl 
2024/11/20 03:16:22 [error] 24#24: *4 open() "/usr/share/nginx/html/oldboyedu.html" failed (2: No such file or directory), client: 10.100.0.0, server: localhost, request: "GET /oldboyedu.html HTTP/1.1", host: "10.100.1.55:81"
10.100.0.0 - - [20/Nov/2024:03:16:22 +0000] "GET /oldboyedu.html HTTP/1.1" 404 153 "-" "curl/7.81.0" "-"


	3.查看指定容器的日志（一般情况下是一个Pod有多个容器时才会使用）
[root@master231 ~]# kubectl logs -c c1 -f --since=5m oldboyedu-xiuxian-cm-844zl 
2024/11/20 03:16:22 [error] 24#24: *4 open() "/usr/share/nginx/html/oldboyedu.html" failed (2: No such file or directory), client: 10.100.0.0, server: localhost, request: "GET /oldboyedu.html HTTP/1.1", host: "10.100.1.55:81"
10.100.0.0 - - [20/Nov/2024:03:16:22 +0000] "GET /oldboyedu.html HTTP/1.1" 404 153 "-" "curl/7.81.0" "-"

cm资源存储nginx主配置文件值subPath案例

root@ubuntu0:~/manifests/configmap# cat 02-rc-configmaps-volumes.yaml 
apiVersion: v1
kind: ConfigMap
metadata:
  name: game-cm
data:
  main.conf: |
    user  nginx;
    worker_processes  auto;
    error_log  /var/log/nginx/error.log notice;
    pid        /var/run/nginx.pid;
    
    events {
        worker_connections  1024;
    }
    
    http {
        include       /etc/nginx/mime.types;
        default_type  application/octet-stream;
    
        log_format oldboyedu_nginx_json '{"@timestamp":"$time_iso8601",'
                                  '"host":"$server_addr",'
                                  '"clientip":"$remote_addr",'
                                  '"SendBytes":$body_bytes_sent,'
                                  '"responsetime":$request_time,'
                                  '"upstreamtime":"$upstream_response_time",'
                                  '"upstreamhost":"$upstream_addr",'
                                  '"http_host":"$host",'
                                  '"uri":"$uri",'
                                  '"domain":"$host",'
                                  '"xff":"$http_x_forwarded_for",'
                                  '"referer":"$http_referer",'
                                  '"tcp_xff":"$proxy_protocol_addr",'
                                  '"http_user_agent":"$http_user_agent",'
                                  '"status":"$status"}';
    
        access_log  /var/log/nginx/access.log  oldboyedu_nginx_json;
    
        sendfile        on;
        keepalive_timeout  65;
        include /etc/nginx/conf.d/*.conf;
    }
  port.conf: |
    server {                   
        listen       81;       
        listen  [::]:81;                                  
        server_name  localhost;                                                               
        location / {                     
            root   /usr/share/nginx/html;
            index  index.html index.htm;        
        }                                              
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {           
            root   /usr/share/nginx/html;                          
        }  
      }  
---
apiVersion: v1
kind: ReplicationController 
metadata:
  name: xiuxian-cm
spec:
  replicas: 1
  selector: 
    apps: xpxp-v1
  template:
    metadata:
      labels:
        apps: xpxp-v1
    spec:
      nodeName: ubuntu1
      volumes:
      - name: data
       # 指定存储卷类型是cm资源
        configMap:
         # 指定cm的名称
          name: "game-cm"
         # 定义需要引用具体的KEY，若不定义，则默认引用所有的KEY
          items:
          # 表示引用指定的KEY
          - key: port.conf
          # 可以暂时理解为将来的文件名称
            path: default.conf
      - name: data1
        configMap:
          name: "game-cm"
          items:
          - key: main.conf
            path: nginx.conf 
      containers:
      - name: nginx
        image: registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
        volumeMounts:
        - name: data
          mountPath: /etc/nginx/conf.d/
        - name: data1
          mountPath: /etc/nginx/nginx.conf
        # 当subPath的值和cm的items的path值相同时，则mountPath表示的是文件而不是目录
          subPath: nginx.conf
---
apiVersion: v1
kind: Service
metadata:
  name: svc-mysql
spec:
  type: NodePort
  selector:
     apps: xpxp-v1
  ports:
  - port: 80
    targetPort: 81
    nodePort: 30081

root@ubuntu0:~/manifests/configmap# kubectl get pods -o wide
NAME               READY   STATUS    RESTARTS   AGE   IP            NODE      NOMINATED NODE   READINESS GATES
xiuxian-cm-8q45n   1/1     Running   0          7s    10.100.2.22   ubuntu1   <none>           <none>
root@ubuntu0:~/manifests/configmap# curl 10.100.2.22:81
<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8"/>
    <title>yinzhengjie apps v1</title>
    <style>
       div img {
          width: 900px;
          height: 600px;
          margin: 0;
       }
    </style>
  </head>

  <body>
    <h1 style="color: green">凡人修仙传 v1 </h1>
    <div>
      <img src="1.jpg">
    <div>
  </body>

</html>

k8s部署mysql主从

root@ubuntu0:~/manifests/ReplicationController# cat 05-nfs-mysql.yaml 
apiVersion: v1
kind: ConfigMap
metadata:
  name: game-demo
# 指定cm资源的数据
data:
  master.cnf: |
    [mysqld]
    # 二进制日志
    log-bin=mysqllog-bin
    server_id=111
    skip-host-cache
    skip-name-resolve
    datadir=/var/lib/mysql
    socket=/var/run/mysqld/mysqld.sock
    secure-file-priv=/var/lib/mysql-files
    user=mysql
    pid-file=/var/run/mysqld/mysqld.pid
    
    [client]
    socket=/var/run/mysqld/mysqld.sock 
    !includedir /etc/mysql/conf.d/
  slave.cnf: |
    [mysqld]
    log-bin=mysqllog-bin
    server_id=222
    skip-host-cache
    skip-name-resolve
    datadir=/var/lib/mysql
    socket=/var/run/mysqld/mysqld.sock
    secure-file-priv=/var/lib/mysql-files
    user=mysql
    pid-file=/var/run/mysqld/mysqld.pid
    
    [client]
    socket=/var/run/mysqld/mysqld.sock 
    !includedir /etc/mysql/conf.d/
---
apiVersion: v1
kind: ReplicationController 
metadata:
  name: mysql-master
spec:
  replicas: 1
  selector:
    apps: v1 
  template:
    spec:
      nodeName: ubuntu1
      volumes:
      - name: data
        nfs:
          server: ubuntu0
          path: /oldboyedu/data/nfs-server/master-lib 
      - name: data1
        configMap:
          name: "game-demo"
          items:
          - key: master.cnf
            path: my.cnf 
      containers:
      - name: mysql-v1
        image: mysql:5.7.29
        ports:
        - containerPort: 3306
          name: mysqlport
        env:
        - name: MYSQL_ALLOW_EMPTY_PASSWORD
          value: "yes"
        - name: MYSQL_USER
          value: linux94
        - name: MYSQL_PASSWORD
          value: 'oldboyedu'
        volumeMounts:
        - name: data
          mountPath: /var/lib/mysql
        - name: data1
          mountPath: /etc/my.cnf
          subPath: my.cnf
        args:
        - --character-set-server=utf8
        - --collation-server=utf8_bin
        - --default-authentication-plugin=mysql_native_password
    metadata:
      labels:
        apps: v1  
---
apiVersion: v1
kind: Service
metadata:
  name: svc-mysql
spec:
  selector:
     apps: v1
  ports:
  - port: 3306 
    name: mysqlport
---

apiVersion: v1
kind: ReplicationController 
metadata:
  name: mysql-slave
spec:
  replicas: 1
  selector:
    apps: v2
  template:
    spec:
      nodeName: ubuntu1
      volumes:
      - name: data
        nfs:
          server: ubuntu0
          path: /oldboyedu/data/nfs-server/slave-lib 
      - name: data1
        configMap:
          name: "game-demo"
          items:
          - key: slave.cnf
            path: my.cnf 
      containers:
      - name: mysql-v2
        image: mysql:5.7.29
        env:
        - name: MYSQL_ALLOW_EMPTY_PASSWORD
          value: "yes"
        - name: MYSQL_MASTER_HOST
          value: 'svc-mysql'
        ports:
        - containerPort: 3306
        volumeMounts:
        - name: data
          mountPath: /var/lib/mysql
        - name: data1
          mountPath: /etc/my.cnf
          subPath: my.cnf
    metadata:
      labels:
        apps: v2  
---
apiVersion: v1
kind: Service
metadata:
  name: svc-slave
spec:
  selector:
     apps: v2
  ports:
  - port: 3306

进入主数据库查看
root@ubuntu0:~/manifests/ReplicationController# kubectl exec -it mysql-master-4zxp6 -- mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.29-log MySQL Community Server (GPL)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

授权用户访问
mysql> GRANT Replication slave ON *.* TO linux94;
Query OK, 0 rows affected (0.00 sec)

mysql> SHOW MASTER STATUS\G
*************************** 1. row ***************************
             File: mysqllog-bin.000004
         Position: 353
     Binlog_Do_DB: 
 Binlog_Ignore_DB: 
Executed_Gtid_Set: 
1 row in set (0.00 sec)

mysql> SHOW GRANTS FOR linux94;
+-------------------------------------------------+
| Grants for linux94@%                            |
+-------------------------------------------------+
| GRANT REPLICATION SLAVE ON *.* TO 'linux94'@'%' |
+-------------------------------------------------+



从库配置
mysql> CHANGE MASTER TO MASTER_HOST='svc-mysql',MASTER_USER='linux94',MASTER_PASSWORD='oldboyedu',MASTER_PORT=3306,MASTER_LOG_FILE='mysqllog-bin.000004',MASTER_LOG_POS=353,MASTER_CONNECT_RETRY=3;
Query OK, 0 rows affected, 2 warnings (0.04 sec)

mysql> STOP SLAVE;
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> START SLAVE;
Query OK, 0 rows affected (0.00 sec)

mysql> SHOW SLAVE STATUS\G
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: svc-mysql
                  Master_User: linux94
                  Master_Port: 3306
                Connect_Retry: 3
              Master_Log_File: mysqllog-bin.000004
          Read_Master_Log_Pos: 353
               Relay_Log_File: mysql-slave-2pgsd-relay-bin.000002
                Relay_Log_Pos: 323
        Relay_Master_Log_File: mysqllog-bin.000004
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes

secret概述

与ConfigMap类似，区别在于secret存储敏感数据，所有的数据都需要经过base64进行编码。
使用secret主要存储的是凭据信息。


参考链接:
	https://kubernetes.io/zh/docs/concepts/configuration/secret/#secret-types

secret资源声明式两种创建方式
		2.1 方式一: 基于stringData方式（推荐）
root@ubuntu0:~/manifests/secret# cat 01-secrets-stringData.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: user-info
stringData:
  username: admin
  password: "1"

  my.cnf: |
    [mysqld]
    basedir=/oldboyedu/softwares/mysql80
    port=3306
    datadir=/oldboyedu/data/mysql80
    socket=/tmp/mysql80.sock
root@ubuntu0:~/manifests/secret# kubectl apply -f 01-secrets-stringData.yaml 
secret/user-info created
root@ubuntu0:~/manifests/secret# kubectl get secrets -o wide

NAME                  TYPE                                  DATA   AGE
default-token-hszqs   kubernetes.io/service-account-token   3      26d
user-info             Opaque                                3      7s
root@ubuntu0:~/manifests/secret# kubectl get secrets -o wide user-info
NAME        TYPE     DATA   AGE
user-info   Opaque   3      46s
root@ubuntu0:~/manifests/secret# kubectl describe secrets  user-info 
Name:         user-info
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
my.cnf:    113 bytes
password:  1 bytes
username:  5 bytes
root@ubuntu0:~/manifests/secret#  kubectl get secrets user-info -o yaml
apiVersion: v1
data:
  my.cnf: W215c3FsZF0KYmFzZWRpcj0vb2xkYm95ZWR1L3NvZnR3YXJlcy9teXNxbDgwCnBvcnQ9MzMwNgpkYXRhZGlyPS9vbGRib3llZHUvZGF0YS9teXNxbDgwCnNvY2tldD0vdG1wL215c3FsODAuc29jawo=
  password: MQ==
  username: YWRtaW4=
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"user-info","namespace":"default"},"stringData":{"my.cnf":"[mysqld]\nbasedir=/oldboyedu/softwares/mysql80\nport=3306\ndatadir=/oldboyedu/data/mysql80\nsocket=/tmp/mysql80.sock\n","password":"1","username":"admin"}}
  creationTimestamp: "2025-05-05T02:16:24Z"
  name: user-info
  namespace: default
  resourceVersion: "815355"
  uid: 90653274-1030-4208-a555-032c6484029f
type: Opaque

解密：
root@ubuntu0:~/manifests/secret# echo 'W215c3FsZF0KYmFzZWRpcj0vb2xkYm95ZWR1L3NvZnR3YXJlcy9teXNxbDgwCnBvcnQ9MzMwNgpkYXRhZGlyPS9vbGRib3llZHUvZGF0YS9teXNxbDgwCnNvY2tldD0vdG1wL215c3FsO
DAuc29jawo='|base64 -d
[mysqld]
basedir=/oldboyedu/softwares/mysql80
port=3306
datadir=/oldboyedu/data/mysql80
socket=/tmp/mysql80.sock
root@ubuntu0:~/manifests/secret# echo 'MQ=='|base64 -d
1root@ubuntu0:~/manifests/secret# echo 'MQ=='|base64 -d|more
1


方式二: 基于方式（不推荐，编写时容易出错）
root@ubuntu0:~/manifests/secret# echo linux94 | base64 
bGludXg5NAo=
root@ubuntu0:~/manifests/secret#  echo oldboyedu | base64 
b2xkYm95ZWR1Cg==
root@ubuntu0:~/manifests/secret# cat 02-secrets-data.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: admin
data:
  # KEY无需做任何操作，VALUE进行BASE64手动编码
  username: bGludXg5NAo=
  password: b2xkYm95ZWR1Cg==
root@ubuntu0:~/manifests/secret# echo linux94 | base64 
bGludXg5NAo=
root@ubuntu0:~/manifests/secret#  echo oldboyedu | base64 
b2xkYm95ZWR1Cg==
root@ubuntu0:~/manifests/secret# cat 02-secrets-data.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: admin
data:
  # KEY无需做任何操作，VALUE进行BASE64手动编码
  username: bGludXg5NAo=
  password: b2xkYm95ZWR1Cg==
root@ubuntu0:~/manifests/secret# kubectl apply -f 02-secrets-data.yaml 
secret/admin created
root@ubuntu0:~/manifests/secret# kubectl get secrets admin 
NAME    TYPE     DATA   AGE
admin   Opaque   2      6s
root@ubuntu0:~/manifests/secret# kubectl get secrets admin -o yaml
apiVersion: v1
data:
  password: b2xkYm95ZWR1Cg==
  username: bGludXg5NAo=
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"password":"b2xkYm95ZWR1Cg==","username":"bGludXg5NAo="},"kind":"Secret","metadata":{"annotations":{},"name":"admin","namespace":"default"}}
  creationTimestamp: "2025-05-05T02:21:09Z"
  name: admin
  namespace: default
  resourceVersion: "815756"
  uid: 4e62f0f6-1940-43f7-b81c-16278cda898d
type: Opaque

响应式创建secrets常用选项

root@ubuntu0:~/manifests/secret# kubectl create secret generic test01 --from-literal=SCHOOL=oldboyedu --from-literal=class=linux94
secret/test01 created
root@ubuntu0:~/manifests/secret# kubectl create secret generic test02 --from-file=stringData=01-secrets-stringData.yaml --from-file=Data=02-secrets-data.yaml
secret/test02 created
root@ubuntu0:~/manifests/secret#  kubectl get secrets test01  test02 
NAME     TYPE     DATA   AGE
test01   Opaque   2      20s
test02   Opaque   2      9s
root@ubuntu0:~/manifests/secret# kubectl get secrets test01  test02  -o yaml
apiVersion: v1
items:
- apiVersion: v1
  data:
    SCHOOL: b2xkYm95ZWR1
    class: bGludXg5NA==
  kind: Secret
  metadata:
    creationTimestamp: "2025-05-05T02:39:39Z"
    name: test01
    namespace: default
    resourceVersion: "817317"
    uid: 9255edec-24db-4490-a8b3-d0951b21c470
  type: Opaque
- apiVersion: v1
  data:
    Data: YXBpVmVyc2lvbjogdjEKa2luZDogU2VjcmV0Cm1ldGFkYXRhOgogIG5hbWU6IGFkbWluCmRhdGE6CiAgIyBLRVnml6DpnIDlgZrku7vkvZXmk43kvZzvvIxWQUxVRei/m+ihjEJBU0U2NOaJi+WKqOe8lueggQogIHVzZXJuYW1lOiBiR2x1ZFhnNU5Bbz0KICBwYXNzd29yZDogYjJ4a1ltOTVaV1IxQ2c9PQo=
    stringData: YXBpVmVyc2lvbjogdjEKa2luZDogU2VjcmV0Cm1ldGFkYXRhOgogIG5hbWU6IHVzZXItaW5mbwpzdHJpbmdEYXRhOgogIHVzZXJuYW1lOiBhZG1pbgogIHBhc3N3b3JkOiAiMSIKCiAgbXkuY25mOiB8CiAgICBbbXlzcWxkXQogICAgYmFzZWRpcj0vb2xkYm95ZWR1L3NvZnR3YXJlcy9teXNxbDgwCiAgICBwb3J0PTMzMDYKICAgIGRhdGFkaXI9L29sZGJveWVkdS9kYXRhL215c3FsODAKICAgIHNvY2tldD0vdG1wL215c3FsODAuc29jawo=
  kind: Secret
  metadata:
    creationTimestamp: "2025-05-05T02:39:50Z"
    name: test02
    namespace: default
    resourceVersion: "817332"
    uid: b1476fdd-5182-426d-a784-7ee5b16342c1
  type: Opaque
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
root@ubuntu0:~/manifests/secret#  kubectl delete secrets test01  test02 
secret "test01" deleted
secret "test02" deleted

Pod引用secrets的两种方式

基于环境变量引入
   1.先查看一下user-info的变量
root@ubuntu0:~/manifests/secret# kubectl get secrets user-info 
NAME        TYPE     DATA   AGE
user-info   Opaque   3      4d21h
root@ubuntu0:~/manifests/secret# kubectl get secrets user-info -o yaml
apiVersion: v1
data:
  my.cnf: W215c3FsZF0KYmFzZWRpcj0vb2xkYm95ZWR1L3NvZnR3YXJlcy9teXNxbDgwCnBvcnQ9MzMwNgpkYXRhZGlyPS9vbGRib3llZHUvZGF0YS9teXNxbDgwCnNvY2tldD0vdG1wL215c3FsODAuc29jawo=
  password: MQ==
  username: YWRtaW4=
kind: Secret

   2.基于环境变量引入
   root@ubuntu0:~/manifests/secret# cat 04-secret-env.yaml 
apiVersion: v1
kind: ReplicationController
metadata:
  name: secret-env
spec:
  replicas: 1
  selector:
    apps: v1
  template:
    metadata:
      labels:
        apps: v1
    spec:
      nodeName: ubuntu1
      containers:
      - name: xp
        image: registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
        env:
        - name: env_username
          valueFrom:
          #表示值从一个secrets资源中引用
            secretKeyRef:
          # 指定secrets资源的名称
              name: user-info
           # 引用secrets的key
              key: username
        - name: env_mycnf
          valueFrom:
          #表示值从一个secrets资源中引用
            secretKeyRef:
          # 指定secrets资源的名称
              name: user-info
           # 引用secrets的key
              key: my.cnf
root@ubuntu0:~/manifests/secret# kubectl apply -f 04-secret-env.yaml 
replicationcontroller/secret-env created
root@ubuntu0:~/manifests/secret# kubectl get pods -o wide
NAME                 READY   STATUS    RESTARTS   AGE   IP            NODE      NOMINATED NODE   READINESS GATES
mysql-master-4zxp6   1/1     Running   0          5d    10.100.2.30   ubuntu1   <none>           <none>
mysql-slave-2pgsd    1/1     Running   0          5d    10.100.2.29   ubuntu1   <none>           <none>
secret-env-78xjs     1/1     Running   0          29s   10.100.2.32   ubuntu1   <none>           <none>
查看环境变量，他会自动的解密
root@ubuntu0:~/manifests/secret# kubectl exec -it secret-env-78xjs -- env
env_username=admin
env_mycnf=[mysqld]
basedir=/oldboyedu/softwares/mysql80
port=3306
datadir=/oldboyedu/data/mysql80
socket=/tmp/mysql80.sock

 基于存储卷的方式引用
root@ubuntu0:~/manifests/secret# cat 03-secret.yaml 
apiVersion: v1
kind: ReplicationController
metadata:
  name: oldboyedu-rc-nfs-v1
spec:
  replicas: 1
  selector:
    apps: v1
  template:
    metadata:
      labels:
        apps: v1
    spec:
      nodeName: ubuntu1
      volumes:
       - name: data
      #表示存储卷的类型是secret
         secret: 
       # 指定secret的名称
           secretName: user-info
       # 指定要引用的键值对
           items:
       # 指定secrets的KEY 
           - key: username
      # 暂时理解为将来在Pod容器挂载时的文件名称
             path: username.txt
           - key: password
             path: password.txt
           - key: my.cnf
             path: my.cnf
      containers:
      - name: nginx
        image: registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1 
        volumeMounts:
        - name: data
          mountPath: /oldboyedu

root@ubuntu0:~/manifests/secret# kubectl get pods -o wide
NAME                        READY   STATUS    RESTARTS   AGE   IP            NODE      NOMINATED NODE   READINESS GATES
mysql-master-4zxp6          1/1     Running   0          5d    10.100.2.30   ubuntu1   <none>           <none>
mysql-slave-2pgsd           1/1     Running   0          5d    10.100.2.29   ubuntu1   <none>           <none>
oldboyedu-rc-nfs-v1-5cx5d   1/1     Running   0          8s    10.100.2.33   ubuntu1   <none>           <none>
root@ubuntu0:~/manifests/secret# kubectl exec -it oldboyedu-rc-nfs-v1-5cx5d -- sh
/ # ls -l /oldboyedu/
total 0
lrwxrwxrwx    1 root     root            13 May 10 00:42 my.cnf -> ..data/my.cnf
lrwxrwxrwx    1 root     root            19 May 10 00:42 password.txt -> ..data/password.txt
lrwxrwxrwx    1 root     root            19 May 10 00:42 username.txt -> ..data/username.txt
/ # cat /oldboyedu/my.cnf 
[mysqld]
basedir=/oldboyedu/softwares/mysql80
port=3306
datadir=/oldboyedu/data/mysql80
socket=/tmp/mysql80.sock

基于响应式secret实现harbor登录认证案例

1.响应式创建harbor的认证信息
[root@master231 case-demo]# kubectl create secret docker-registry oldboyedu-harbor --docker-username=admin --docker-password=1 --docker-email=admin@oldboyedu.com --docker-server=harbor.oldboyedu.com
secret/oldboyedu-harbor created
[root@master231 case-demo]# kubectl get secrets oldboyedu-harbor 
NAME               TYPE                             DATA   AGE
oldboyedu-harbor   kubernetes.io/dockerconfigjson   1      9s

2.创建测试 
[root@master231 case-demo]# cat 16-rc-secrets-private-harbor-registry.yaml 
apiVersion: v1
kind: ReplicationController
metadata:
  name: oldboyedu-private-harbor
spec:
  replicas: 3
  selector:
    apps: linux
  template:
    spec:
      # 镜像拉取的认证凭据
      imagePullSecrets:
        # 指定访问harbor的认证信息
      - name: oldboyedu-harbor
      containers:
      - name: c1
        image: harbor.oldboyedu.com/oldboyedu-linux/alpine:latest
        imagePullPolicy: Always
        stdin: true
    metadata:
      labels:
        apps: linux
[root@master231 case-demo]# 
[root@master231 case-demo]# kubectl apply -f 16-rc-secrets-private-harbor-registry.yaml 
replicationcontroller/oldboyedu-private-harbor created
[root@master231 case-demo]# 
[root@master231 case-demo]# kubectl get pods -o wide
NAME                             READY   STATUS        RESTARTS   AGE   IP             NODE        NOMINATED NODE   READINESS GATES
oldboyedu-private-harbor-f7hmj   1/1     Running       0          4s    10.100.1.64    worker232   <none>           <none>
oldboyedu-private-harbor-gkmtm   1/1     Running       0          4s    10.100.2.120   worker233   <none>           <none>
oldboyedu-private-harbor-pmf5q   1/1     Running       0          4s    10.100.2.119   worker233   <none>           <none>
[root@master231 case-demo]# 

基于声明式secret实现harbor登录认证案例

1.harbor创建用户名和密码 
  用户名称: linux94 
  密码: Linux@2024
  邮箱: linux94@oldboyedu.com 

2.对认证信息进行base64编码
  [root@master231 case-demo]# echo -n linux94:Linux@2024 | base64 
  bGludXg5NDpMaW51eEAyMDI0
  [root@master231 case-demo]#
3.得到最终的认证信息:
  {"auths":{"harbor.oldboyedu.com":{"username":"linux94","password":"Linux@2024","email":"linux94@oldboyedu.com","auth":"bGludXg5NDpMaW51eEAyMDI0"}}} 

4.编写资源清单
[root@master231 case-demo]# cat 16-rc-secrets-private-harbor-registry.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: linux94-harbor
stringData:
  .dockerconfigjson: '{"auths":{"harbor.oldboyedu.com":{"username":"linux94","password":"Linux@2024","email":"linux94@oldboyedu.com","auth":"bGludXg5NDpMaW51eEAyMDI0"}}}'
type: kubernetes.io/dockerconfigjson

---

apiVersion: v1
kind: ReplicationController
metadata:
  name: oldboyedu-private-harbor
spec:
  replicas: 3
  selector:
    apps: linux
  template:
    spec:
      # 镜像拉取的认证凭据
      imagePullSecrets:
        # 指定访问harbor的认证信息
      - name: linux94-harbor
      containers:
      - name: c1
        image: harbor.oldboyedu.com/oldboyedu-linux/alpine:latest
        imagePullPolicy: Always
        stdin: true
    metadata:
      labels:
        apps: linux
[root@master231 case-demo]# 
[root@master231 case-demo]# kubectl apply -f 16-rc-secrets-private-harbor-registry.yaml
secret/linux94-harbor created
replicationcontroller/oldboyedu-private-harbor created
[root@master231 case-demo]# 
[root@master231 case-demo]# kubectl get pods -o wide
NAME                             READY   STATUS    RESTARTS   AGE   IP             NODE        NOMINATED NODE   READINESS GATES
oldboyedu-private-harbor-6kf6t   1/1     Running   0          3s    10.100.2.124   worker233   <none>           <none>
oldboyedu-private-harbor-prqnv   1/1     Running   0          3s    10.100.2.125   worker233   <none>           <none>
oldboyedu-private-harbor-tcp27   1/1     Running   0          3s    10.100.1.68    worker232   <none>           <none>
[root@master231 case-demo]# 

基于serviceaccounts绑定secret实现harbor认证

root@ubuntu0:/oldboyedu/softwares/harbor# kubectl api-resources |grep -w sa
serviceaccounts                   sa           v1                                     true         ServiceAccount

1.响应式创建账号
root@ubuntu0:/oldboyedu/softwares/harbor# kubectl create sa xixi
serviceaccount/xixi created
root@ubuntu0:/oldboyedu/softwares/harbor# kubectl get sa xixi        
NAME   SECRETS   AGE
xixi   1         61s
root@ubuntu0:/oldboyedu/softwares/harbor# kubectl get sa xixi -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2025-05-18T12:03:44Z"
  name: xixi
  namespace: default
  resourceVersion: "1617334"
  uid: 8597121b-be87-4e33-a25b-d7f84a2fc43d
secrets:
- name: xixi-token-f4d9p


2.查看账号后端的Image pull secrets
root@ubuntu0:/oldboyedu/softwares/harbor# kubectl describe sa xixi 
Name:                xixi
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   xixi-token-f4d9p
Tokens:              xixi-token-f4d9p
Events:              <none>
由于上面的镜像拉去策略为空，所以更新账号绑定的信息
[root@master231 serviceaccounts]# kubectl patch sa xixi -p '{"imagePullSecrets":[{"name":"oldboyedu-harbor"}]}'
serviceaccount/xixi patched
[root@master231 serviceaccounts]# 
[root@master231 serviceaccounts]# kubectl describe sa xixi 
Name:                xixi
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  oldboyedu-harbor
Mountable secrets:   xixi-token-nk9z4
Tokens:              xixi-token-nk9z4
Events:              <none>


	4.响应式更新账号的信息
[root@master231 serviceaccounts]# kubectl get secrets oldboyedu-harbor 
NAME               TYPE                             DATA   AGE
oldboyedu-harbor   kubernetes.io/dockerconfigjson   1      66m
[root@master231 serviceaccounts]# 
[root@master231 serviceaccounts]# kubectl describe sa xixi 
Name:                xixi
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   xixi-token-nk9z4
Tokens:              xixi-token-nk9z4
Events:              <none>
[root@master231 serviceaccounts]# 
[root@master231 serviceaccounts]# kubectl patch sa xixi -p '{"imagePullSecrets":[{"name":"oldboyedu-harbor"}]}'
serviceaccount/xixi patched
[root@master231 serviceaccounts]# 
[root@master231 serviceaccounts]# kubectl describe sa xixi 
Name:                xixi
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  oldboyedu-harbor
Mountable secrets:   xixi-token-nk9z4
Tokens:              xixi-token-nk9z4
Events:              <none>
[root@master231 serviceaccounts]# 


	5.Pod使用sa账号拉取镜像
[root@master231 case-demo]# cat 17-rc-secrets-sa-harbor.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: linux94-harbor
stringData:
  .dockerconfigjson: '{"auths":{"harbor.oldboyedu.com":{"username":"linux94","password":"Linux@2024","email":"linux94@oldboyedu.com","auth":"bGludXg5NDpMaW51eEAyMDI0"}}}'
type: kubernetes.io/dockerconfigjson

---

apiVersion: v1
# 将sa账号绑定secret的拉取镜像认证信息
imagePullSecrets:
- name: linux94-harbor
kind: ServiceAccount
metadata:
  name: linux94
  namespace: default


---

apiVersion: v1
kind: ReplicationController
metadata:
  name: oldboyedu-private-harbor
spec:
  replicas: 3
  selector:
    apps: linux
  template:
    spec:
      # 指定服务账号，基于该账号拉取镜像
      serviceAccount: linux94
      containers:
      - name: c1
        image: harbor.oldboyedu.com/oldboyedu-linux/alpine:latest
        imagePullPolicy: Always
        stdin: true
    metadata:
      labels:
        apps: linux
[root@master231 case-demo]# 

pod创建流程

- Pod创建流程：
	Pod的创建，删除，修改流程:
		  1.执行kubectl命令时会加载"~/.kube/config"，从而识别到apiserver的地址，端口及认证证书;
		  2.apiserver进行证书认证，鉴权，语法检查，若成功则可以进行数据的读取或者写入;
		  3.若用户是写入操作(创建，修改，删除)则需要修改etcd数据库的信息;
		  4.如果创建Pod，此时scheduler负责Pod调度，将Pod调度到合适的worker节点，并将结果返回给ApiServer存储到etcd中;
		  5.kubelet组件会周期性上报给apiServer节点，包括Pod内的容器资源(cpu,memory,disk,gpu,...)及worker宿主机节点状态，apiServer并将结果存储到etcd中，若有该节点的任务也会直接返回给该节点进行调度;
		  6.kubelet开始调用CRI接口创建容器(依次创建pause，initContainers，containers);
		  7.在运行过程中，若Pod容器，正常或者异常退出时，kubelet会根据重启策略是否重启容器(Never,Always,OnFailure);
		  8.若一个节点怪掉，则需要controller manager介入维护，比如Pod副本数量缺失，则需要创建watch事件，要求控制器的副本数要达到标准，从而要创建新的Pod，此过程重复步骤4-6。

k8s部署jenkins

apiVersion: v1
kind: Namespace
metadata:
  name: devops

---

apiVersion: v1
kind: ReplicationController
metadata:
  name: oldboyedu-jenkins
  namespace: devops
spec:
  replicas: 1
  selector:
    apps: jenkins
  template:
    spec:
      nodeName: worker233
      volumes:
      - name: data
        nfs:
          server: 10.0.0.231
          path: /oldboyedu/data/nfs-server/volumes/devops/jenkins
      containers:
      - name: c1
        # image: jenkins/jenkins:2.479.1-alpine-jdk21
        image: harbor.oldboyedu.com/oldboyedu-devops/jenkins:2.479.1-alpine-jdk21
        #command: 
        #- tail
        #- -f
        #- /etc/hosts
        ports:
        - containerPort: 8080
        volumeMounts:
        - name: data
          mountPath: /var/jenkins_home/
    metadata:
      labels:
        apps: jenkins

---

apiVersion: v1
kind: Service
metadata:
  name: svc-jenkins
  namespace: devops
spec:
  type: NodePort
  selector:
     apps: jenkins
  ports:
  - port: 8080
    nodePort: 30083
[root@master231 case-demo]# 



	3.温馨提示:
		- 在使用资源清单之前，应该先将Jenkins运行起来，安装常用的插件;
		- 再将/var/jenkins_home/数据拷贝到"/oldboyedu/data/nfs-server/volumes/devops/jenkins"中。