欢迎关注我的公众号：

 目前刚开始写一个月，一共写了18篇原创文章，文章目录如下：

istio多集群探秘，部署了50次多集群后我得出的结论

istio多集群链路追踪，附实操视频

istio防故障利器，你知道几个,istio新手不要读，太难！

istio业务权限控制，原来可以这么玩

istio实现非侵入压缩，微服务之间如何实现压缩

不懂envoyfilter也敢说精通istio系列-http-rbac-不要只会用AuthorizationPolicy配置权限

不懂envoyfilter也敢说精通istio系列-02-http-corsFilter-不要只会vs

不懂envoyfilter也敢说精通istio系列-03-http-csrf filter-再也不用再代码里写csrf逻辑了

不懂envoyfilter也敢说精通istio系列http-jwt_authn-不要只会RequestAuthorization

不懂envoyfilter也敢说精通istio系列-05-fault-filter-故障注入不止是vs

不懂envoyfilter也敢说精通istio系列-06-http-match-配置路由不只是vs

不懂envoyfilter也敢说精通istio系列-07-负载均衡配置不止是dr

不懂envoyfilter也敢说精通istio系列-08-连接池和断路器

不懂envoyfilter也敢说精通istio系列-09-http-route filter

不懂envoyfilter也敢说精通istio系列-network filter-redis proxy

不懂envoyfilter也敢说精通istio系列-network filter-HttpConnectionManager

不懂envoyfilter也敢说精通istio系列-ratelimit-istio ratelimit完全手册

 

————————————————

daemonset：

DaemonSet用于再集群中的全部节点上同时运行一份指定的pod资源副本，后续新加入的工作节点也会自动创建一个相关的pod对象，当从集群中移除节点时，此类pod对象也将被自动回收而无须重建。也可以使用节点选择器及节点标签指定仅在部分具有特定特征的节点上运行指定的pod对象。

通常运行那些执行系统级操作任务的应用，具体如下：

•1、运行集群存储的守护进程，如在各个节点上运行glusterfs或ceph

•2、在各个节点上运行日志收集守护进程，如fluentd和logstash

•3、在各个节点上运行监控系统的代理守护进程，如Prometheus Node Exporter、collectd、Datadog agent、New Relic agent或Ganlia gmond等

常用命令：

•kubectl create -f nginx-daemonset.yaml

•kubectl apply -f nginx-daemonset.yaml

•kubectl delete -f nginx-daemonset.yaml

•kubectl replace -f nginx-daemonset.yaml

•kubectl edit ds test-daemon

•kubectl get ds

•kubectl label ds test-daemon stage=test

•kubectl get ds -l stage=test

•kubectl label ds test-daemon stage-

•kubectl annotate ds test-daemon myanno=test

•kubectl annotate ds test-daemon myanno-

•kubectl patch ds test-daemon  -p '{"metadata":{"labels":{"aa":"bb"}}}‘

•kubectl diff -f nginx-daemonset.yaml

•kubectl describe ds test-daemon

•kubectl set image ds test-daemon nginx=nginx:1.16

•kubectl rollout history ds test-daemon

•kubectl rollout undo ds test-daemon

•kubectl rollout restart ds test-daemon

•kubectl rollout status ds test-daemon

•kubectl rollout undo ds test-daemon --to-revision=4

updateStrategy：

•OnDelete

•RollingUpdate

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: test-daemon
spec:
  selector:
    matchLabels:
      name: test-daemon
  template:
    metadata:
      labels:
        name: test-daemon
    spec:
      containers:
      - name: nginx
        image: nginx 

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: test-daemon
spec:
  selector:
    matchLabels:
      name: test-daemon
  template:
    metadata:
      labels:
        name: test-daemon
    spec:
      nodeSelector:
        app: ds
      containers:
      - name: nginx
        image: nginx 

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: test-daemon
spec:
  updateStrategy:
    type: OnDelete
  selector:
    matchLabels:
      name: test-daemon
  template:
    metadata:
      labels:
        name: test-daemon
    spec:
      containers:
      - name: nginx
        image: nginx 

ingress：

•k8s 对外暴露服务（service）主要有两种方式：NotePort, LoadBalance， 此外externalIPs也可以使各类service对外提供服务，但是当集群服务很多的时候，NodePort方式最大的缺点是会占用很多集群机器的端口；LB方式最大的缺点则是每个service一个LB又有点浪费和麻烦，并且需要k8s之外的支持； 而ingress则只需要一个NodePort或者一个LB就可以满足所有service对外服务的需求。

helm：

•Releases · helm/helm · GitHub

•Chmod +x helm && mv helm /usr/local/bin

•helm repo add stable https://kubernetes-charts.storage.googleapis.com/

•helm repo add incubator https://kubernetes-charts-incubator.storage.googleapis.com/

常用命令：

•kubectl delete -f ingress.yaml

• kubectl create -f ingress.yaml

•kubectl apply -f ingress.yaml

• kubectl replace -f ingress.yaml

•Kubectl get ingress

•Kubectl patch ingress ingress-myapp –p ‘{“matadata”:{“labels”:{“aa”:”bb”}}}’

•Kubectl label ingress ingerss-myapp stage=test

•Kubectl label ingress ingress-myapp stage-

•Kubectl annotate ingress ingress-myapp anno=test

•Kubectl annotate ingress ingress-myapp anno-

•kubectl get ingress ingress-myapp -o yaml

•Kuebctl get ingerss –l stage=test

http：

apiVersion: v1
kind: Service
metadata:
  name: myapp-svc
  namespace: default
spec:
  selector:
    app: myapp
    env: test
  ports:
  - name: http
    port: 80
    targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata: 
  name: myapp-test
spec:
  replicas: 2
  selector: 
    matchLabels:
      app: myapp
      env: test
  template:
    metadata:
      labels:
        app: myapp
        env: test
    spec:
      containers:
      - name: myapp
        image: nginx:1.15-alpine 
        ports:
        - name: httpd
          containerPort: 80

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  namespace: default
  annotations: 
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: www.test.top 
    http:
      paths:
      - path: /
        backend:
          serviceName: myapp-svc
          servicePort: 80

https：

•openssl genrsa -out tls.key 2048

•openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=GuangDong/L=Guangzhou/O=DevOps/CN=mynginx.test

•kubectl create secret tls nginx-ingress-secret --cert=tls.crt --key=tls.key

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  namespace: default
  annotations: 
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts: 
    - mynginx.test
    secretName: nginx-ingress-secret
  rules:
  - host: mynginx.test 
    http:
      paths:
      - path: /
        backend:
          serviceName: myapp-svc
          servicePort: 80