Pod--k8s最基础的资源
我们想要的是单个容器只运行一个进程
然而有时我们需要多个进程协同工作,所以我们需要另外一种更加高级的结构将容器组合在一起---pod
Pod
-
我们来看一个最基本的pod
这个pod的image是我根据centos:7的镜像构建的,很简单,镜像的Dockerfile如下:
FROM 192.168.80.84:5000/centos:7 entrypoint ["sleep"] cmd ["999"] # 一个容器必须要有一个守护进程才能够运行起来 # 换言之,把Dockerfile中的sleep命令去掉,单纯的一个centos是无法运行的
我们将这个镜像作为pod的image运行起来:
kubectl run my-cmd --image=192.168.80.84:5000/centos_cmd:v1
使用-o yaml来看一下对应的yaml文件:
[root@k8s-master01 centos]# kubectl get pod my-cmd -o yaml apiVersion: v1 # 指定apiVersion版本 kind: Pod # 对应的资源类型,这里为pod metadata: # 实例的元数据 creationTimestamp: "2021-01-13T02:36:02Z" labels: # 自动给实例打的标签 run: my-cmd managedFields: # 为了方便内部管理的一组字段 - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:labels: .: {} f:run: {} f:spec: f:containers: k:{"name":"my-cmd"}: .: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: {} f:terminationGracePeriodSeconds: {} manager: kubectl-run # 写明该pod的启动方式 operation: Update time: "2021-01-13T02:36:02Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"10.40.0.4"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update time: "2021-01-13T02:36:11Z" name: my-cmd # pod名 namespace: default # pod所处的命名空间 resourceVersion: "418695" # pod的版本数字,用于乐观并发控制的,详细信息请见之后的k8s核心原理 uid: 12e3b858-f79f-4378-8ea0-1103ea120c34 # pod实例的uid spec: # pod的实际说明 containers: # 定义pod中的容器,这里只有一个 - image: 192.168.80.84:5000/centos_cmd:v1 # 镜像地址 imagePullPolicy: IfNotPresent # 镜像的pull规则,指的是是否在创建pod的时候要pull镜像,IdNotPresent表示本地不存在时才会去仓库pull name: my-cmd # 容器名,即镜像转化为容器后的名字 resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: # 挂载卷 - mountPath: /var/run/secrets/kubernetes.io/serviceaccount # 挂载路径 name: default-token-s9dfj # 卷名,这里挂载的其实是每个pod都会挂载的secret卷,用来进行身份验证的 readOnly: true # 只读 dnsPolicy: ClusterFirst enableServiceLinks: true nodeName: k8s-node02 # 分配到的节点,由调度器指定 preemptionPolicy: PreemptLowerPriority priority: 0 restartPolicy: Always # 指定当pod重启时,该容器是否还会启动,其实也就是制定该容器随Pod的启动而启动 schedulerName: default-scheduler # 指定调度器,k8s中可以运行多个调度器实例,如果未指定则是默认调度器 securityContext: {} serviceAccount: default # 服务帐号 serviceAccountName: default terminationGracePeriodSeconds: 30 tolerations: - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists tolerationSeconds: 300 - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists tolerationSeconds: 300 volumes: # 卷 - name: default-token-s9dfj secret: defaultMode: 420 secretName: default-token-s9dfj status: # pod运行时的状态 conditions: - lastProbeTime: null lastTransitionTime: "2021-01-13T02:36:02Z" status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2021-01-13T02:36:10Z" status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2021-01-13T02:36:10Z" status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2021-01-13T02:36:02Z" status: "True" type: PodScheduled containerStatuses: - containerID: docker://965a9b86cc334705d3fbaac15d28ef6b0a20de8f00915c1ffdf4c025b1c29206 image: 192.168.80.84:5000/centos_cmd:v1 imageID: docker-pullable://192.168.80.84:5000/centos_cmd@sha256:948479967390e7a98979d4b98beec6dfa3fc92c6ce832ece882e8b1843e0779f lastState: {} name: my-cmd ready: true restartCount: 0 started: true state: running: startedAt: "2021-01-13T02:36:09Z" hostIP: 192.168.80.83 phase: Running podIP: 10.40.0.4 podIPs: - ip: 10.40.0.4 qosClass: BestEffort startTime: "2021-01-13T02:36:02Z"可以发现其中的东西有些多,然而我们使用yaml文件创建pod时并不需要编写这么多的东西,因为API server会帮我们添加其余的默认值
使用yaml文件手动创建一个pod:
apiVersion: v1 kind: Pod metadata: name: my-cmd spec: containers: - image: 192.168.80.84:5000/centos_cmd:v1 name: centos-cmd # 需要注意的是spec.containers中的name字段,这里的命名规则和pod的命名规则是一样的,也就是如果"my_cmd"则会报错 # 其次注意"Pod"的“P”要大写我们来看一下这样创建的pod的yaml文件:
kubectl create -f my-cmd.yaml,我们可以通过kubectl get pod my-cmd -o yaml来查看一下该pod[root@k8s-master01 centos]# kubectl get pod my-cmd -o yaml apiVersion: v1 kind: Pod metadata: creationTimestamp: "2021-01-13T03:32:42Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:spec: f:containers: k:{"name":"my-cmd"}: .: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: {} f:terminationGracePeriodSeconds: {} manager: kubectl-create # 这里的启动方式有所不同,因为我们是通过create的方式创建的pod operation: Update time: "2021-01-13T03:32:42Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"10.40.0.4"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update time: "2021-01-13T04:39:23Z" name: my-cmd namespace: default resourceVersion: "429073" uid: 15d9f4f2-1fc8-4595-a00e-f96f52038ef9 spec: containers: - image: 192.168.80.84:5000/centos_cmd:v1 imagePullPolicy: IfNotPresent name: my-cmd resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: default-token-s9dfj readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true nodeName: k8s-node02 preemptionPolicy: PreemptLowerPriority priority: 0 restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: default serviceAccountName: default terminationGracePeriodSeconds: 30 tolerations: - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists tolerationSeconds: 300 - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists tolerationSeconds: 300 volumes: - name: default-token-s9dfj secret: defaultMode: 420 secretName: default-token-s9dfj status: conditions: - lastProbeTime: null lastTransitionTime: "2021-01-13T03:32:42Z" status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2021-01-13T04:39:23Z" status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2021-01-13T04:39:23Z" status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2021-01-13T03:32:42Z" status: "True" type: PodScheduled containerStatuses: - containerID: docker://d7fee9118b0d5d2ccaa346d4cd97130a9f744e9bf6ee1b1ae32dfa0e583c2b41 image: 192.168.80.84:5000/centos_cmd:v1 imageID: docker-pullable://192.168.80.84:5000/centos_cmd@sha256:948479967390e7a98979d4b98beec6dfa3fc92c6ce832ece882e8b1843e0779f lastState: terminated: containerID: docker://0e6a82fe9e50924b7254fe06f131e43f3f66d8007de5524e31af38c6abd05d51 exitCode: 0 finishedAt: "2021-01-13T04:39:21Z" reason: Completed startedAt: "2021-01-13T04:22:42Z" name: my-cmd ready: true restartCount: 4 started: true state: running: startedAt: "2021-01-13T04:39:22Z" hostIP: 192.168.80.83 phase: Running podIP: 10.40.0.4 podIPs: - ip: 10.40.0.4 qosClass: BestEffort startTime: "2021-01-13T03:32:42Z" # 对一个字段的含义不清楚的话,可以使用"kubectl explain"来查看某一字段的含义 -
将本地网络中的端口转发给pod中的端口
首先我们可以使用一个nginx镜像:
# 我已经先将nginx:alpine的镜像推到了本地仓库 关于alpine版本 早先的alpine版本的镜像还有这段注释,但是后来大多数都给删掉了,特此记录 ``` postgres:<version>-alpine This image is based on the popular Alpine Linux project, available in the alpine official image. Alpine Linux is much smaller than most distribution base images (~5MB), and thus leads to much slimmer images in general. This variant is highly recommended when final image size being as small as possible is desired. The main caveat to note is that it does use musl libc instead of glibc and friends, so certain software might run into issues depending on the depth of their libc requirements. However, most software doesn't have an issue with this, so this variant is usually a very safe choice. See this Hacker News comment thread for more discussion of the issues that might arise and some pro/con comparisons of using Alpine-based images. To minimize image size, it's uncommon for additional related tools (such as git or bash) to be included in Alpine-based images. Using this image as a base, add the things you need in your own Dockerfile (see the alpine image description for examples of how to install packages if you are unfamiliar). ```
kubectl port-forward mynginx 8000:8080
这里设置的是端口转发,允许我们不通过service的方式来和某个特定的pod进行通信
3. 停止和移除Pod
```kubectl delete <podName>```
***
### 使用标签组织pod
> 标签同样是k8s资源中最重要的概念之一,很多功能的实现都需要依靠标签选择器
1. yaml文件中指定标签
```yaml
apiVersion: v1
kind: Pod
metadata:
name: mynginx
labels: # 一个资源可以分配多个标签
app: nginx
rel: alpine
spec:
......
-
查看资源时显示标签
正常查看资源时是不显示标签的,通过-o wide我们可以看到pod所在的节点和pod的ip,而通过“--show labels”参数,我们可以看到资源的标签
[root@k8s-master01 centos]# kubectl get po --show-labels NAME READY STATUS RESTARTS AGE LABELS getname-deploy-68bd4cc6b4-j7gxz 1/1 Running 4 6d21h app=getname,pod-template-hash=68bd4cc6b4 getname-deploy-68bd4cc6b4-pt2cb 1/1 Running 4 6d21h app=getname,pod-template-hash=68bd4cc6b4 getname-deploy-68bd4cc6b4-srqfn 1/1 Running 4 6d21h app=getname,pod-template-hash=68bd4cc6b4 my-cmd-labels 1/1 Running 0 11s app=nginx,rel=alpine # 这里是刚才我所打标签的pod # 可能会发现我前面还有三个带标签的pod,这三个pod不是我使用这种方法创建的 # 实际上这三个pod是我创建的一个rs创建的 # 所以说标签在k8s管理资源中的用处很大 -
查看指定标签
我们可能只对一些标签感兴趣,那么我们可以通过“-L <标签键名>”来只显示指定标签
[root@k8s-master01 centos]# kubectl get po -L app NAME READY STATUS RESTARTS AGE APP getname-deploy-68bd4cc6b4-j7gxz 1/1 Running 4 6d21h getname getname-deploy-68bd4cc6b4-pt2cb 1/1 Running 4 6d21h getname getname-deploy-68bd4cc6b4-srqfn 1/1 Running 4 6d21h getname my-cmd-labels 1/1 Running 0 6m46s nginx -
修改现有标签
# 使用 kubectl label <resourceName> <instanceName> <labelKey>=<labelValue>,<labelKey>=<labelValue> 来添加新的标签 [root@k8s-master01 centos]# kubectl label po my-cmd-labels node=node1 pod/my-cmd-labels labeled [root@k8s-master01 centos]# kubectl get po --show-labels NAME READY STATUS RESTARTS AGE LABELS my-cmd-labels 1/1 Running 0 11m app=nginx,node=node1,rel=alpine # 发现已经增加了新标签 # 需要修改旧标签,要添加“--overwrite”参数 [root@k8s-master01 centos]# kubectl label po my-cmd-labels rel=stable --overwrite pod/my-cmd-labels labeled [root@k8s-master01 centos]# kubectl get po --show-labels NAME READY STATUS RESTARTS AGE LABELS fortune-env 2/2 Running 8 7d4h <none> my-cmd-labels 1/1 Running 0 13m app=nginx,node=node1,rel=stable # 发现rel标签已经重写完成 -
使用标签选择器列出期望Pod
我们可不可以只显示特定标签的pod呢
# 我们可以使用"-l"参数,来使用标签选择器 [root@k8s-master01 centos]# kubectl get po -l rel=stable --show-labels NAME READY STATUS RESTARTS AGE LABELS my-cmd-labels 1/1 Running 1 20m app=nginx,node=node1,rel=stable 标签选择器当然不会只能根据特定的标签对来筛选资源 # 我们可以光指定标签的key,这样就会显示所有包含该标签的资源 [root@k8s-master01 centos]# kubectl get po -l app --show-labels NAME READY STATUS RESTARTS AGE LABELS getname-deploy-68bd4cc6b4-j7gxz 1/1 Running 4 6d21h app=getname,pod-template-hash=68bd4cc6b4 getname-deploy-68bd4cc6b4-pt2cb 1/1 Running 4 6d21h app=getname,pod-template-hash=68bd4cc6b4 getname-deploy-68bd4cc6b4-srqfn 1/1 Running 4 6d21h app=getname,pod-template-hash=68bd4cc6b4 my-cmd-labels 1/1 Running 1 24m app=nginx,node=node1,rel=stable # 我们可以使用!=或!来筛选不包含某标签或某标签对的资源 # 需要注意的是,当你在筛选器中使用符号时,你应该在两边加上引号,否则shell无法理解你想要做什么 [root@k8s-master01 centos]# kubectl get po -l '!node' --show-labels NAME READY STATUS RESTARTS AGE LABELS fortune-env 2/2 Running 8 7d4h <none> getname-deploy-68bd4cc6b4-j7gxz 1/1 Running 4 6d21h app=getname,pod-template-hash=68bd4cc6b4 getname-deploy-68bd4cc6b4-pt2cb 1/1 Running 4 6d21h app=getname,pod-template-hash=68bd4cc6b4 getname-deploy-68bd4cc6b4-srqfn 1/1 Running 4 6d21h app=getname,pod-template-hash=68bd4cc6b4 [root@k8s-master01 centos]# kubectl get po -l "app!=getname" --show-labels NAME READY STATUS RESTARTS AGE LABELS my-cmd-labels 1/1 Running 1 27m app=nginx,node=node1,rel=stable # 我们还可以使用in ()和 notin()来对标签对进行更复杂的筛选 [root@k8s-master01 centos]# kubectl get po -l "app in (nginx)" --show-labels NAME READY STATUS RESTARTS AGE LABELS my-cmd-labels 1/1 Running 1 30m app=nginx,node=node1,rel=stable [root@k8s-master01 centos]# kubectl get po -l "app notin (getname)" --show-labels NAME READY STATUS RESTARTS AGE LABELS my-cmd-labels 1/1 Running 1 31m app=nginx,node=node1,rel=stable # 关于一次筛选多个条件,使用“,”分割 [root@k8s-master01 centos]# kubectl get po -l app=nginx,node=node1 --show-labels NAME READY STATUS RESTARTS AGE LABELS my-cmd-labels 1/1 Running 1 32m app=nginx,node=node1,rel=stable
使用标签选择器将pod调度到指定node
上一节中写了可以给资源打标签,而k8s中节点同样也是一种资源,我们可以通过给节点打标签的方式将pod运行到指定节点上
# 先给节点打上标签
[root@k8s-master01 centos]# kubectl label node k8s-node01 node=node1
node/k8s-node01 labeled
[root@k8s-master01 centos]# kubectl label node k8s-node02 node=node2
node/k8s-node02 labeled
# 来查看一下
[root@k8s-master01 centos]# kubectl get node -L node
NAME STATUS ROLES AGE VERSION NODE
k8s-master01 Ready control-plane,master 18d v1.20.1
k8s-node01 Ready <none> 18d v1.20.1 node1
k8s-node02 Ready <none> 18d v1.20.1 node2
# 现在节点已经成功给两个node打上标签了
接下来我们来编辑yaml文件,来将pod分配到指定节点上
apiVersion: v1
kind: Pod
metadata:
name: my-cmd-node1
spec:
nodeSelector: # 在这里设置一个节点选择器
node: "node1" # 只会被分配到节点标签含有“node=node1”的节点上
containers:
- name: my-cmd-node1
image: 192.168.80.84:5000/centos_cmd:v1
--- # 在一个yaml文件中可以使用“---”来一次创建多个资源
apiVersion: v1
kind: Pod
metadata:
name: my-cmd-node2
spec:
nodeSelector:
node: "node2"
containers:
- name: my-cmd-node2
image: 192.168.80.84:5000/centos_cmd:v1
来看一下执行结果
[root@k8s-master01 centos]# kubectl get po -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
my-cmd-node1 1/1 Running 0 12s 10.32.0.8 k8s-node01 <none> <none>
my-cmd-node2 1/1 Running 0 12s 10.40.0.6 k8s-node02 <none> <none>
# 发现预设的pod确实分配到了期望的node上
关于命名空间
命名空间是一种在资源之上更高层面的作用域
这样可以允许我们多次使用相同的资源名称,也可以将一些系统层面的资源和用户层面的相隔离
-
查看命名空间
命名空间也是一种资源,我们同样可以使用get来查看
# 可以使用ns来简写namespace [root@k8s-master01 centos]# kubectl get ns NAME STATUS AGE default Active 18d kube-node-lease Active 18d kube-public Active 18d kube-system Active 18d # 可以使用"-n <namespaceName>"来指定命名空间 [root@k8s-master01 centos]# kubectl get po -n kube-system NAME READY STATUS RESTARTS AGE coredns-7f89b7bc75-9z9g8 1/1 Running 13 18d coredns-7f89b7bc75-dmhjl 1/1 Running 13 18d etcd-k8s-master01 1/1 Running 26 18d kube-apiserver-k8s-master01 1/1 Running 26 18d kube-controller-manager-k8s-master01 1/1 Running 30 18d kube-proxy-s2rmh 1/1 Running 13 18d kube-proxy-wq2kz 1/1 Running 13 18d kube-proxy-wvcgk 1/1 Running 24 18d kube-scheduler-k8s-master01 1/1 Running 26 18d weave-net-9lhgf 2/2 Running 37 18d weave-net-dhv26 2/2 Running 36 18d weave-net-q95gm 2/2 Running 65 18d # 这里其实也可以看出k8s原理中的一条,即: # k8s中只用node的kubelet以实际进程的方式存在,其他的都是以pod的形式存在 # 这里可以看到 etcd、apiserver、proxy、schedule、controller等 -
创建命名空间
既可以使用命令
kubectl create namespace <namespaceName>来创建一个命名空间也可以通过编写yaml文件的方式
apiVersion: v1 kind: Namespace metadata: name: custom-namespace # 然后使用kubectl create -f 来创建 -
指定命名空间创建对象
默认情况下我们是在default中创建资源的,通过“-n
”来指定命名空间 -
使用标签选择器删除pod
# 仍然是通过"-l"来指定标签选择器 kubectl delete pod -l "app=nginx" -
删除整个命名空间
kubectl delete ns <namespaceName>删除命名空间后,会删除其内的所有资源
-
删除所有pod,保留命名空间
kubectl delete po -all -ns <namespaceName> -
删除命名空间内的所有资源,保留命名空间
kubectl delete all -all -ns <namespaceName>