k8s基础概念之十二

官网:https://v1-19.docs.kubernetes.io/zh/docs/concepts/workloads/pods/ephemeral-containers/

 

说明

本实验需要给k8s所有组件添加参数。修改前建议停止etcd,并且备份数据,并确认备份可以恢复;实验过程中etcd崩溃过一次,原因至今未解决。

--feature-gates="EphemeralContainers=true"
给所有组件添加这一个选项,写在各组件的启动参数文件里(即下文第一步查到的 EnvironmentFile)。

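注:放在参数列表的最末尾;上一行行尾要补上反斜线(\)续行,整个变量值最后要用双引号(")闭合。下文示例中 --feature-gates="EphemeralContainers=true" 的内层双引号会提前结束外层引号,只是因为值里没有空格才不影响解析结果,写成 --feature-gates=EphemeralContainers=true 更稳妥。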

 

 

实验步骤

#第一步 查找服务启动参数存放文件
[root@master03 system]# cat `ls /usr/lib/systemd/system | grep kube` | grep conf
EnvironmentFile=/etc/kubernetes/cfg/kube-apiserver.conf
EnvironmentFile=/etc/kubernetes/cfg/kube-controller-manager.conf
EnvironmentFile=/etc/kubernetes/cfg/kubelet.conf
EnvironmentFile=/etc/kubernetes/cfg/kube-proxy.conf
EnvironmentFile=/etc/kubernetes/cfg/kube-scheduler.conf


#第二步 停止etcd(所有master节点操作)
systemctl stop etcd


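#第三步 在所有节点的参数文件中添加参数(node节点只有kubelet、kube-proxy,也要用同样的方式修改)
#下面的命令列出了当前目录下所有以conf结尾的参数文件,具体文件以实际环境为准
#注意:下面是实验环境的配置,其余参数不要原样照搬——service account 的签名密钥直接复用了 CA 私钥 ca-key.pem,
#kube-scheduler 通过 --master=http://127.0.0.1:8080 走 apiserver 的非安全端口(该端口不做认证和鉴权),NodePort 范围 10-52767 也覆盖了特权端口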
[root@master03 cfg]# cat `ls | grep -e conf$` 
KUBE_APISERVER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/var/log/kubernetes \
--advertise-address=172.16.1.12 \
--default-not-ready-toleration-seconds=360 \
--default-unreachable-toleration-seconds=360 \
--max-mutating-requests-inflight=2000 \
--max-requests-inflight=4000 \
--default-watch-cache-size=200 \
--delete-collection-workers=2 \
--bind-address=0.0.0.0 \
--secure-port=6443 \
--allow-privileged=true \
--service-cluster-ip-range=10.96.0.0/16 \
--service-node-port-range=10-52767 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth=true \
--token-auth-file=/etc/kubernetes/cfg/token.csv \
--kubelet-client-certificate=/etc/kubernetes/ssl/server.pem \
--kubelet-client-key=/etc/kubernetes/ssl/server-key.pem \
--tls-cert-file=/etc/kubernetes/ssl/server.pem  \
--tls-private-key-file=/etc/kubernetes/ssl/server-key.pem \
--client-ca-file=/etc/kubernetes/ssl/ca.pem \
--service-account-key-file=/etc/kubernetes/ssl/ca-key.pem \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/var/log/kubernetes/k8s-audit.log \
--etcd-servers=https://172.16.1.11:2379,https://172.16.1.12:2379,https://172.16.1.13:2379 \
--etcd-cafile=/etc/etcd/ssl/ca.pem \
--etcd-certfile=/etc/etcd/ssl/etcd.pem \
--etcd-keyfile=/etc/etcd/ssl/etcd-key.pem \
--feature-gates="EphemeralContainers=true""

KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/var/log/kubernetes \
--leader-elect=true \
--cluster-name=kubernetes \
--bind-address=127.0.0.1 \
--allocate-node-cidrs=true \
--cluster-cidr=10.244.0.0/12 \
--service-cluster-ip-range=10.96.0.0/16 \
--cluster-signing-cert-file=/etc/kubernetes/ssl/ca.pem \
--cluster-signing-key-file=/etc/kubernetes/ssl/ca-key.pem  \
--root-ca-file=/etc/kubernetes/ssl/ca.pem \
--service-account-private-key-file=/etc/kubernetes/ssl/ca-key.pem \
--kubeconfig=/etc/kubernetes/cfg/kube-controller-manager.kubeconfig \
--tls-cert-file=/etc/kubernetes/ssl/kube-controller-manager.pem \
--tls-private-key-file=/etc/kubernetes/ssl/kube-controller-manager-key.pem \
--experimental-cluster-signing-duration=87600h0m0s \
--controllers=*,bootstrapsigner,tokencleaner \
--use-service-account-credentials=true \
--node-monitor-grace-period=10s \
--horizontal-pod-autoscaler-use-rest-clients=true \
--feature-gates="EphemeralContainers=true""

KUBELET_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/var/log/kubernetes \
--hostname-override=master03 \
--container-runtime=docker \
--kubeconfig=/etc/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/etc/kubernetes/cfg/kubelet-bootstrap.kubeconfig \
--config=/etc/kubernetes/cfg/kubelet-config.yml \
--cert-dir=/etc/kubernetes/ssl \
--image-pull-progress-deadline=15m \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/k8sos/pause:3.2 \
--feature-gates="EphemeralContainers=true""

KUBE_PROXY_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/var/log/kubernetes \
--config=/etc/kubernetes/cfg/kube-proxy-config.yml \
--feature-gates="EphemeralContainers=true""

KUBE_SCHEDULER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/var/log/kubernetes \
--kubeconfig=/etc/kubernetes/cfg/kube-scheduler.kubeconfig \
--leader-elect=true \
--master=http://127.0.0.1:8080 \
--bind-address=127.0.0.1 \
--feature-gates="EphemeralContainers=true""
 
 
 #第四步 在kubelet的yml配置文件中添加参数
 [root@master01 cfg]# vi kubelet-config.yml 
 ……
 featureGates:
  EphemeralContainers: true
  
  
  # 第五步 启动服务
  systemctl restart  kube-apiserver kube-controller-manager kubelet kube-proxy kube-scheduler etcd
  systemctl status  kube-apiserver kube-controller-manager kubelet kube-proxy kube-scheduler etcd | grep '(running)'
  
  #第六步 查看k8s集群状态
  [root@master01 cfg]# kubectl get nodes 
NAME       STATUS   ROLES    AGE   VERSION
master01   Ready    master   12d   v1.19.16
master02   Ready    master   12d   v1.19.16
master03   Ready    master   12d   v1.19.16
node01     Ready    <none>   12d   v1.19.16
node02     Ready    <none>   12d   v1.19.16

 

临时容器的使用

配置文件说明

cat ec.json
{
    "apiVersion": "v1",
    "kind": "EphemeralContainers",
    "metadata": {
            "name": "nginx-f89759699-pqbp7"  #被注入临时容器的Pod名字
    },
    "ephemeralContainers": [{
        "command": [
            "sh"    #执行的命令
        ],
        "image": "busybox",   #临时容器使用的镜像(实际排障时建议写明固定的版本标签或摘要)
        "imagePullPolicy": "IfNotPresent",
        "name": "debug",
        "stdin": true,
        "tty": true,
        "terminationMessagePolicy": "File"
    }]
}

 

更新运行容器

[root@master01 yaml2]# kubectl replace --raw /api/v1/namespaces/default/pods/nginx-f89759699-pqbp7/ephemeralcontainers  -f ec.json
{"kind":"EphemeralContainers","apiVersion":"v1","metadata":{"name":"nginx-f89759699-pqbp7","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-f89759699-pqbp7/ephemeralcontainers","uid":"8ac26ecc-eb9c-463f-9f88-215a647dbae7","resourceVersion":"698000","creationTimestamp":"2021-12-08T03:05:08Z"},"ephemeralContainers":[{"name":"debug","image":"busybox","command":["sh"],"resources":{},"terminationMessagePolicy":"File","imagePullPolicy":"IfNotPresent","stdin":true,"tty":true}]}

#参数详解:default:Pod所在命名空间名字,
#         nginx-f89759699-pqbp7:被注入临时容器的Pod名字
#         调用该接口需要对 pods/ephemeralcontainers 子资源有更新权限,建议只授予需要排障的账号

查询更新结果

# kubectl get pod 的输出看不出任何变化(READY 仍是 1/1,不包含临时容器),需要用 describe 查看
[root@master01 yaml2]# kubectl get pod
NAME                    READY   STATUS    RESTARTS   AGE
nginx-f89759699-pqbp7   1/1     Running   4          7d5h

[root@master01 yaml2]# kubectl describe pod nginx-f89759699-pqbp7
……
  Normal   SandboxChanged  60m    kubelet  Pod sandbox changed, it will be killed and re-created.
  Normal   Pulling         60m    kubelet  Pulling image "nginx"
  Normal   Pulled          60m    kubelet  Successfully pulled image "nginx"
  Normal   Created         60m    kubelet  Created container nginx
  Normal   Started         60m    kubelet  Started container nginx
  Warning  FailedMount     58m    kubelet  MountVolume.SetUp failed for volume "default-token-2mc48" : failed to sync secret cache: timed out waiting for the condition
  Normal   SandboxChanged  58m    kubelet  Pod sandbox changed, it will be killed and re-created.
  Normal   Pulling         58m    kubelet  Pulling image "nginx"
  Normal   Pulled          57m    kubelet  Successfully pulled image "nginx"
  Normal   Created         57m    kubelet  Created container nginx
  Normal   Started         57m    kubelet  Started container nginx
  Normal   SandboxChanged  28m    kubelet  Pod sandbox changed, it will be killed and re-created.
  Normal   Pulling         28m    kubelet  Pulling image "nginx"
  Normal   Pulled          28m    kubelet  Successfully pulled image "nginx" in 15.358856363s
  Normal   Created         28m    kubelet  Created container nginx
  Normal   Started         28m    kubelet  Started container nginx
  Normal   Pulling         4m50s  kubelet  Pulling image "busybox"
  Normal   Pulled          4m33s  kubelet  Successfully pulled image "busybox" in 16.452286802s
  Normal   Created         4m33s  kubelet  Created container debug
  Normal   Started         4m33s  kubelet  Started container debug

 

进入我们刚刚注入的容器(临时容器与Pod内其他容器共享网络命名空间,所以下面能看到nginx监听的80端口;临时容器添加后不能修改或删除,会一直保留到Pod被删除)

 kubectl exec -it nginx-f89759699-pqbp7 -c debug -- sh
 / # netstat -anptu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 :::80                   :::*                    LISTEN      -

 

 

 

 
