
Let's take a deeper look at Pods and step into the world of the Pod once more.


1. Pod states

1. Pending            # waiting to be scheduled
2. ContainerCreating  # containers are being created
3. Running            # running
4. Succeeded          # all containers completed successfully
5. Failed             # failed
6. Ready              # ready to serve traffic
7. CrashLoopBackOff   # keeps crashing and is being restarted with back-off
8. Unknown            # state cannot be determined

2. ProjectedVolume

Purpose: place the contents of specified files into the container. The three common sources are:

1. Secret
2. ConfigMap
3. DownwardAPI

3. Secret

A Secret is the "encrypted" variant (in practice its values are only base64-encoded). Let's first look at what the default one looks like:

[root@node1 ~]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-77rbc   kubernetes.io/service-account-token   3      29d
[root@node1 ~]# kubectl get secret default-token-77rbc -o yaml
apiVersion: v1
data:
  ca.crt: <base64 CA certificate omitted>
  namespace: ZGVmYXVsdA==
  token: <base64 service-account token omitted>
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: default
    kubernetes.io/service-account.uid: 844ea8bf-f38e-4b6c-b09e-a9d960d30b85
  creationTimestamp: "2022-03-19T13:35:06Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:ca.crt: {}
        f:namespace: {}
        f:token: {}
      f:metadata:
        f:annotations:
          .: {}
          f:kubernetes.io/service-account.name: {}
          f:kubernetes.io/service-account.uid: {}
      f:type: {}
    manager: kube-controller-manager
    operation: Update
    time: "2022-03-19T13:35:06Z"
  name: default-token-77rbc
  namespace: default
  resourceVersion: "313"
  uid: fd3f793e-6406-4c3c-abab-072459322d92
type: kubernetes.io/service-account-token
[root@node1 ~]#

As shown above, all the values are base64-encoded and the Secret is named default-token-77rbc; to read any of them, simply base64-decode it. Keep in mind that base64 is an encoding, not encryption: anyone who is allowed to read the Secret object can recover the values. Now let's look at the service we deployed earlier: without our specifying anything, does it use this mechanism?

[root@node1 ~]# kubectl get pod -o wide
NAME             READY   STATUS    RESTARTS   AGE   IP              NODE    NOMINATED NODE   READINESS GATES
nginx-ds-q2pjt   1/1     Running   30         22d   10.200.135.16   node3   <none>           <none>
nginx-ds-zc5qt   1/1     Running   35         29d   10.200.104.56   node2   <none>           <none>
[root@node1 ~]# 
[root@node1 ~]# kubectl get pod nginx-ds-q2pjt -o yaml
---some content omitted---
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-77rbc
      readOnly: true
  volumes:
  - name: default-token-77rbc
    secret:
      defaultMode: 420
      secretName: default-token-77rbc      
---some content omitted---
[root@node1 ~]#

From this output we can also see that even if you don't specify it, k8s adds the volume by default, and the secretName matches the Secret above. Now let's log into the container and see exactly what is mapped in:

[root@node3 ~]# crictl ps
CONTAINER           IMAGE               CREATED             STATE               NAME                      ATTEMPT             POD ID
78ca6e18974ff       c0c6672a66a59       28 minutes ago      Running             calico-kube-controllers   43                  33c0a0b75241f
273ba708edd9b       67da37a9a360e       28 minutes ago      Running             coredns                   34                  a34ca428cc614
8fcc0c4531411       b5af743e59849       28 minutes ago      Running             default-http-backend      5                   982ff71d6c2e1
73c804f73c93a       b5af743e59849       28 minutes ago      Running             default-http-backend      2                   2e89678bba973
8a14f1f4ef1a1       f2f70adc5d89a       28 minutes ago      Running             my-nginx                  30                  70fd05dbd43ec
821a24040dfbd       7a71aca7b60fc       28 minutes ago      Running             calico-node               34                  8ca1b324e528a
d5cce8aa38d0a       90f9d984ec9a3       29 minutes ago      Running             node-cache                34                  1d0b674530896
5f6ecb863500d       f2f70adc5d89a       29 minutes ago      Running             nginx-proxy               35                  7335063a5e517
[root@node3 ~]# 
[root@node3 ~]# crictl ps | grep q2pjt
[root@node3 ~]# crictl exec -it 8a14f1f4ef1a1 /bin/bash
root@nginx-ds-q2pjt:/# cd /var/run/secrets/kubernetes.io/serviceaccount/
root@nginx-ds-q2pjt:/var/run/secrets/kubernetes.io/serviceaccount# ls
ca.crt  namespace  token
root@nginx-ds-q2pjt:/var/run/secrets/kubernetes.io/serviceaccount# ls -l
total 0
lrwxrwxrwx 1 root root 13 Apr 18 13:02 ca.crt -> ..data/ca.crt
lrwxrwxrwx 1 root root 16 Apr 18 13:02 namespace -> ..data/namespace
lrwxrwxrwx 1 root root 12 Apr 18 13:02 token -> ..data/token
root@nginx-ds-q2pjt:/var/run/secrets/kubernetes.io/serviceaccount# cat namespace 
default
root@nginx-ds-q2pjt:/var/run/secrets/kubernetes.io/serviceaccount# 
root@nginx-ds-q2pjt:/var/run/secrets/kubernetes.io/serviceaccount# exit
exit
[root@node3 ~]#

Having seen this, have you wondered what it's for? It is used by the Pod to authenticate itself when interacting with the kube-apiserver.

We can of course also create a Secret ourselves, as follows:

[root@node1 ~]# cd namespace/
[root@node1 namespace]# mkdir projectedvalume
[root@node1 namespace]# cd projectedvalume/
[root@node1 projectedvalume]# vim secret.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: dbpass
type: Opaque
data:
  username: eXVud2VpamlhCg==
  passwd:  eXVud2VpamlhMTIzCg==
[root@node1 projectedvalume]# 
[root@node1 projectedvalume]# kubectl create -f secret.yaml 
secret/dbpass created

[root@node1 projectedvalume]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
dbpass                Opaque                                2      13s
default-token-77rbc   kubernetes.io/service-account-token   3      30d
[root@node1 projectedvalume]#
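As an added example (not from the original post), here is a small Python helper that decodes the data values of the dbpass Secret above, flags the trailing newline that `echo value | base64` leaves behind (the two values in secret.yaml decode to "yunweijia\n" and "yunweijia123\n"), and builds a correctly encoded manifest. The manifest is embedded as a constructed dict so the script runs without a YAML library.

```python
import base64
import binascii
import json

# Constructed copy of the dbpass Secret from secret.yaml above, as a dict so this
# runs without a YAML library.
DBPASS_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "dbpass"},
    "type": "Opaque",
    "data": {"username": "eXVud2VpamlhCg==", "passwd": "eXVud2VpamlhMTIzCg=="},
}


def decode_secret_data(secret: dict) -> dict:
    """Return the raw bytes behind every .data key. This is decoding, not
    decryption: anyone who can read the object can do the same."""
    decoded = {}
    for key, value in secret.get("data", {}).items():
        try:
            decoded[key] = base64.b64decode(value, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{key}: not valid base64 ({exc})") from exc
    return decoded


def lint_secret_values(secret: dict) -> list:
    """Flag values that end in a newline, the usual result of `echo v | base64`
    without -n; the application then reads 'yunweijia123\\n' as the password."""
    return [
        f"{key}: value ends with a newline (encode with 'echo -n', or use stringData)"
        for key, raw in decode_secret_data(secret).items()
        if raw.endswith(b"\n")
    ]


def build_opaque_secret(name: str, values: dict) -> dict:
    """Build an Opaque Secret manifest, base64-encoding each value exactly as given."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {k: base64.b64encode(v.encode()).decode("ascii") for k, v in values.items()},
    }


if __name__ == "__main__":
    print(lint_secret_values(DBPASS_SECRET))
    fixed = build_opaque_secret("dbpass", {"username": "yunweijia", "passwd": "yunweijia123"})
    print(json.dumps(fixed, indent=2))
```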

Then we put this Secret into a Pod, as follows:

[root@node1 projectedvalume]# vim pod-secret.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: pod-secret
spec:
  containers:
  - name: springboot-web
    image: registry.cn-beijing.aliyuncs.com/yunweijia0909/springboot-web:v1
    ports:
    - containerPort: 8080
    volumeMounts:
    - name: db-secret
      mountPath: /db-secret
      readOnly: true
  volumes:
  - name: db-secret
    projected:
      sources:
      - secret:
          name: dbpass

[root@node1 projectedvalume]# kubectl apply -f pod-secret.yaml 
pod/pod-secret created
[root@node1 projectedvalume]# kubectl get pod -o wide | grep secret
pod-secret       1/1     Running   0          13s   10.200.135.27   node3   <none>           <none>
[root@node1 projectedvalume]#

The Pod is running on node3, so let's log into node3 and take a look:

[root@node3 ~]# crictl ps | grep springboot-web
2fc5df27f1877       8ad32427177e4       2 minutes ago       Running             springboot-web            0                   494e73cde04da
[root@node3 ~]# 
[root@node3 ~]# crictl exec -it 2fc5df27f1877 /bin/bash     
root@pod-secret:/# cd /db-secret/
root@pod-secret:/db-secret# ls -l
total 0
lrwxrwxrwx 1 root root 13 Apr 18 14:02 passwd -> ..data/passwd
lrwxrwxrwx 1 root root 15 Apr 18 14:02 username -> ..data/username
root@pod-secret:/db-secret# cat passwd 
yunweijia123
root@pod-secret:/db-secret# cat username 
yunweijia
root@pod-secret:/db-secret# exit
exit
[root@node3 ~]#

One more thing: if you have already created many Pods and want to change the Secret's values, you can change them directly. Some of you may ask: can my Pod still talk to the kube-apiserver afterwards? Yes it can; after the change, the Secret-derived values inside the Pod change along with it. You can try it yourself; it is not demonstrated here.

4. ConfigMap

What is a ConfigMap for? It lets you place non-sensitive (unencrypted) files into a container. ConfigMap values are stored in plain text, so anything sensitive belongs in a Secret instead. Let's take a look:

Suppose we have a configuration file that we want to put into a Pod.

[root@node1 projectedvalume]# vim ceshi.properties 
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
secret.code.lives=30
[root@node1 projectedvalume]#

Then we make this configuration available to the cluster by creating a ConfigMap from the file:

[root@node1 projectedvalume]# kubectl create configmap web-ceshi --from-file ceshi.properties 
configmap/web-ceshi created
[root@node1 projectedvalume]# kubectl get cm web-ceshi -o yaml
apiVersion: v1
data:
  ceshi.properties: |
    enemies=aliens
    lives=3
    enemies.cheat=true
    enemies.cheat.level=noGoodRotten
    secret.code.passphrase=UUDDLRLRBABAS
    secret.code.allowed=true
    secret.code.lives=30
kind: ConfigMap
metadata:
  creationTimestamp: "2022-04-18T14:13:44Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:ceshi.properties: {}
    manager: kubectl-create
    operation: Update
    time: "2022-04-18T14:13:44Z"
  name: web-ceshi
  namespace: default
  resourceVersion: "535574"
  uid: cbad79b1-b35d-4924-b1f9-43bab1f79953
[root@node1 projectedvalume]#

Now let's see how to use it in a Pod:

[root@node1 projectedvalume]# vim pod-ceshi.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: pod-ceshi
spec:
  containers:
  - name: web
    image: registry.cn-beijing.aliyuncs.com/yunweijia0909/springboot-web:v1
    ports:
    - containerPort: 8080
    volumeMounts:
    - name: ceshi
      mountPath: /etc/config/ceshi
      readOnly: true
  volumes:
  - name: ceshi
    configMap:
      name: web-ceshi
[root@node1 projectedvalume]# kubectl apply -f pod-ceshi.yaml 
pod/pod-ceshi created
[root@node1 projectedvalume]#
[root@node1 projectedvalume]# kubectl get pod -o wide | grep ceshi
pod-ceshi        1/1     Running   0          34s   10.200.135.24   node3   <none>           <none>
[root@node1 projectedvalume]#

It is running on node3, so let's go there and look:

[root@node3 ~]# crictl ps | grep web
96e31e6be73c4       8ad32427177e4       About a minute ago   Running             web                       0                   1f4ef2c594229
[root@node3 ~]# crictl exec -it 96e31e6be73c4 /bin/bash
root@pod-ceshi:/# cd /etc/config/ceshi
root@pod-ceshi:/etc/config/ceshi# ls
ceshi.properties
root@pod-ceshi:/etc/config/ceshi# cat ceshi.properties 
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
secret.code.lives=30
root@pod-ceshi:/etc/config/ceshi# exit
exit
[root@node3 ~]#

Likewise, we can modify the ConfigMap; let's try changing it:

[root@node1 projectedvalume]# kubectl edit cm web-ceshi
# change only the following parameter, then save and exit
enemies.cheat=false

configmap/web-ceshi edited
[root@node1 projectedvalume]# 

# log into the container and check
[root@node3 ~]# crictl exec -it 96e31e6be73c4 /bin/bash
root@pod-ceshi:/# cd /etc/config/ceshi/
root@pod-ceshi:/etc/config/ceshi# cat ceshi.properties 
enemies=aliens
lives=3
enemies.cheat=false
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
secret.code.lives=30
root@pod-ceshi:/etc/config/ceshi# exit
exit
[root@node3 ~]#
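The `..data` symlinks in the `ls -l` output earlier are how kubelet delivers Secret and ConfigMap volume updates like the one just shown atomically. As an added illustration (my own simplified Python model, not kubelet's code), this writes each generation into a hidden timestamped directory and swaps the `..data` link with a single rename, so a reader sees either the old or the new set of files, never a mix.

```python
import os
import tempfile
from datetime import datetime, timezone


def write_volume_version(volume_dir: str, files: dict) -> str:
    """Publish one generation of files the way a projected volume is updated:
    write into a hidden timestamped dir, then repoint the ..data symlink with
    one atomic rename. (Simplified model of kubelet's atomic writer.)"""
    stamp = ".." + datetime.now(timezone.utc).strftime("%Y_%m_%d_%H_%M_%S.%f")
    gen_dir = os.path.join(volume_dir, stamp)
    while os.path.exists(gen_dir):  # guard against two writes in one microsecond
        stamp += "_"
        gen_dir = os.path.join(volume_dir, stamp)
    os.mkdir(gen_dir)
    for name, content in files.items():
        with open(os.path.join(gen_dir, name), "w") as fh:
            fh.write(content)
        # Top-level entries are relative symlinks into ..data, as `ls -l` shows.
        link = os.path.join(volume_dir, name)
        if not os.path.islink(link):
            os.symlink(os.path.join("..data", name), link)
    tmp_link = os.path.join(volume_dir, "..data_tmp")
    os.symlink(stamp, tmp_link)
    os.replace(tmp_link, os.path.join(volume_dir, "..data"))  # the atomic swap
    return gen_dir


def read_volume(volume_dir: str) -> dict:
    """Read the files as a container would: through the top-level symlinks."""
    out = {}
    for name in os.listdir(volume_dir):
        if name.startswith(".."):
            continue  # skip the generation dirs and the ..data link itself
        with open(os.path.join(volume_dir, name)) as fh:
            out[name] = fh.read()
    return out


def demo() -> tuple:
    """Write the dbpass values, rotate the password, read both generations."""
    with tempfile.TemporaryDirectory() as vol:
        write_volume_version(vol, {"username": "yunweijia", "passwd": "yunweijia123"})
        before = read_volume(vol)
        write_volume_version(vol, {"username": "yunweijia", "passwd": "rotated-pass"})
        after = read_volume(vol)
        data_target = os.readlink(os.path.join(vol, "..data"))
    return before, after, data_target.startswith("..")


if __name__ == "__main__":
    print(demo())
```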

Next, the second way of using a ConfigMap: as environment variables. Note that, unlike a volume mount, an environment variable is read once when the container starts, so editing the ConfigMap afterwards does not change it inside a running Pod.

[root@node1 projectedvalume]# vim configmap.yaml 
apiVersion: v1
kind: ConfigMap
metadata:
  name: configs
data:
  JAVA_OPTS: -Xms1024m
  LOG_LEVEL: DEBUG
[root@node1 projectedvalume]# kubectl apply -f configmap.yaml 
configmap/configs created
[root@node1 projectedvalume]#

Then let's see how to use it:

[root@node1 projectedvalume]# vim pod-env.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: pod-env
spec:
  containers:
  - name: web
    image: registry.cn-beijing.aliyuncs.com/yunweijia0909/springboot-web:v1
    ports:
    - containerPort: 8080
    env:
      - name: LOG_LEVEL_CONFIG
        valueFrom:
          configMapKeyRef:
            name: configs
            key: LOG_LEVEL
[root@node1 projectedvalume]# kubectl apply -f pod-env.yaml 
pod/pod-env created

[root@node1 projectedvalume]# kubectl get pod -o wide | grep pod-env
pod-env          1/1     Running   0          18s   10.200.135.28   node3   <none>           <none>
[root@node1 projectedvalume]#

It's running on node3; let's log in and take a look:

For the remaining content, go to the WeChat (VX) official account "运维家" and reply "148".