簡介#
Kubernetes 是一個可移植,擴展的開源容器,服務管理平臺,可以通過聲明式配置文件自動部署,擴容縮容。
- 傳統部署
傳統部署無法定義資源邊界,當多個應用同時部署在一臺物理機器上時,有的應用可能會佔用絕大的系統資源
- 虛擬化部署
虛擬化部署通過虛擬機將不同的應用隔離開來,但是應用之間互相訪問的難度增加
- 容器化部署
容器化部署相比與虛擬化部署量級更輕,可以移植在雲或者其他OS上
安裝 Kubernetes#
安裝kubernetes之前確保你已經安裝了相關的依賴,kubernetes是一個容器管理平臺
安裝Docker
<code>https://docs.docker.com/install/<code>
安裝 minikube
<code>curl -Lo minikube http://kubernetes.oss-cn-hangzhou.aliyuncs.com/minikube/releases/v1.3.0/minikube-darwin-amd64 && chmod +x minikube && sudo cp minikube /usr/local/bin/ && rm minikube/<code>
啟動 kubernetes
<code>--vm-driver: hyperkit/virtualbox/none
minikube start --vm-driver=virtualbox --registry-mirror=https://dockerhub.azk8s.cn --memory=4096 disk-size=60000MB --mount --mount-string=/Users/jet/kubernetes/:/data/kubernetes --image-repository=registry.cn-hangzhou.aliyuncs.com/google_containers
使用--vm-driver=none直接使用宿主機安裝
minikube start --vm-driver=hyperkit --registry-mirror=https://dockerhub.azk8s.cn --memory=8192ß --cpus=4 disk-size=60000MB --mount --mount-string=/Users/jet/kubernetes/:/data/kubernetes --image-repository=registry.cn-hangzhou.aliyuncs.com/google_containers/<code>
集群安裝#
Download KubeSphere to your Linux machine, move to the KubeSphere directory. For example, if the created directory is kubesphere-all-v2.1.1:
<code>$ curl -L https://kubesphere.io/download/stable/latest > installer.tar.gz
$ tar -xzf installer.tar.gz
$ cd kubesphere-all-v2.1.1/scripts/<code>
使用密碼demo1/Demo123登錄preview url
Kubernetes 對象#
- Pods#Pod是一個封裝了應用的容器,包括了應用所需要的存儲,網絡IP和其他運行所需要的一切資源,是Kubernetes中一個最小的執行單元
- Deployments#Deployment控制器可以通過聲明更新Pods和備份。可以通過Deployment控制器切換其狀態,也可以定義新的副本集合
- Services#將一系列Pod暴露給外部作為一個服務,kubernetes為Pod分配了IP和DNS,可以通過他們來實現負載均衡
Kubernetes 集群#
Kubernetes集群包括了一系列的物理和虛擬機節點,這些節點包括分為兩類,包括master節點和Node節點
- Master#
Master 節點維護著kubernetes集群狀態,kubectl就是通過與Master節點的交互獲取到Pod,Deployment,Service的信息
- Node#
Node 節點用來運行容器應用
部署一個Nginx服務#
部署有兩種方式,一種是通過命令行按Pod,Deployment,Service按順序部署,也可以通過yaml文件根據文件一次性部署
- 第一種方式
創建Pod
<code>kubectl create pod nginx --image=nginx /<code>
創建Deployment
<code>kubectl create deployment nginx/<code>
上述兩條命令等於
<code>kubectl run nginx --image=nginx --port=80/<code>
創建service
<code>kubectl expose deployment nginx --port=80 --type=NodePort/<code>
獲取磁盤列表
<code>kubectl get pv
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
pvc-0ed527f4-7e74-4a1d-9bed-52db1d4ffc36 8Gi RWO Delete Terminating development/data-zookeeper-0 standard 11h
pvc-d9e60428-0559-4885-8cf5-57389307ad52 8Gi RWO Delete Bound development/data-redis-kafka-0 standard 11h
pvc-ead7dc2c-4bb5-45a1-b2b5-38f18ba7f5e7 8Gi RWO Delete Bound development/data-redis-zookeeper-0 standard 11h
pvc-f12fd689-8216-453b-b7be-08ae2fdec863 10Gi RWO Delete Terminating default/data-eerie-rodent-redis-ha-server-0 standard 12h
pvc-f3827108-df93-4bec-a15e-13073fa088a7 8Gi RWO Delete Terminating development/data-kafka-zookeeper-0 standard 11h
pvc-fa387209-36c7-4225-ba61-b240723dc3c3 8Gi RWO Delete Terminating development/data-kafka-0 standard 11h
/<code>
創建磁盤
<code>kubectl delete pv pvc-0ed527f4-7e74-4a1d-9bed-52db1d4ffc36/<code>
- 第二種方式
創建nginx-deployment.yaml
<code>apiVersion: v1
kind: Service
metadata:
name: nginx-service
labels:
app: nginx-service
spec:
selector:
app: nginx
ports:
- port: 80
targetPort: 80
nodePort: 30000
protocol: TCP
type: NodePort
---
apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
name: nginx-deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2 # tells deployment to run 2 pods matching the template
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80/<code>
通過配置文件部署
<code>kubectl apply -f nginx-deployment.yaml/<code>
部署完成後可以在dashboard中查看相關的Pod,Deployment以及Service
如何訪問服務#
查看集群信息
<code>kubectl cluster-info
Kubernetes master is running at https://192.168.99.101:8443
KubeDNS is running at https://192.168.99.101:8443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'./<code>
此時發現kubernetes的master ip 192.168.99.101地址與Nginx服務集群ip地址10.101.230.215 不在同一地址段,此時你無法通過Nginx ip地址直接訪問Nginx服務
- 查看service列表
<code>kubectl get services
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 2d2h
nginx NodePort 10.101.230.215 <none> 80:31248/TCP 20h/<none>/<none>/<code>
- 查看service 訪問地址
<code>minikube service nginx
|-----------|-------|-----------------------------|
| NAMESPACE | NAME | URL |
|-----------|-------|-----------------------------|
| default | nginx | http://192.168.99.101:31248 |
|-----------|-------|-----------------------------|
Opening kubernetes service default/nginx in default browser.../<code>
還有一種方式可以通過kubectl的端口映射,將宿主機端口映射到服務地址端口也可以達到相同的效果
<code># nginx-7c45b84548-ws9c9 nginx 服務名
kubectl port-forward nginx-7c45b84548-ws9c9 9090:80
Forwarding from 127.0.0.1:9090 -> 80
Forwarding from [::1]:9090 -> 80/<code>
創建用戶#
- 生成證書
<code>openssl genrsa -out jetqin.key 2048
openssl req -new -key jetqin.key -out jetqin.csr -subj "/CN=jetqin/O=dev"\\n
cat jetqin.csr | base64 | tr -d '\\n'/<code>
- 根據kubernete cluster證書籤名生成一個csr文件
<code>openssl x509 -req \\
-in jetqin.csr \\
-CA ~/.minikube/ca.crt\\
-CAkey ~/.minikube/ca.key\\
-CAcreateserial \\
-out jetqin.crt \\
-days 500/<code>
- 添加user
<code>kubectl config set-credentials jetqin \\
--client-certificate=jetqin.csr \\
--client-key=jetqin.key/<code>
- 創建證書籤名請求
<code>cat <apiVersion: certificates.k8s.io/v1beta1 /<code>
kind: CertificateSigningRequest
metadata:
name: jetqin-csr
spec:
request: $(cat jetqin.csr | base64 | tr -d '\\n')
usages:
- digital signature
- key encipherment
- server auth
EOF
kubectl get csr
- 批准證書籤名請求
<code>kubectl certificate approve jetqin-csr/<code>
- 檢查創建用戶權限
<code>kubectl auth can-i list pods --namespace ns-test --as jetqin/<code>
- 創建角色
<code>cat <apiVersion: rbac.authorization.k8s.io/v1 /<code>
kind: Role
metadata:
namespace: ns-test
name: ns-reader
rules:
- apiGroups: [""]
resources: ["pods", "services", "nodes"]
verbs: ["get","watch","list"]
EOF
- 創建角色綁定
<code>cat <apiVersion: rbac.authorization.k8s.io/v1 /<code>
kind: RoleBinding
metadata:
name: read-pods
namespace: ns-test
subjects:
- kind: User
name: jetqin
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: ns-reader
apiGroup: rbac.authorization.k8s.io
EOF
- 添加context
<code>kubectl config set-context dev-context \\
--cluster=minikube \\
--namespace=default \\
--user=jetqin
kubectl config use-context dev-context
kubectl config current-context/<code>
閱讀更多 JetQin90 的文章