知识点16--k8s资源配置清单入门
上一篇知识点是k8s使用方式的入门,主要对标的是非专业运营人员日常测试使用,比如Java开发测试运行后台程序等这些非正式使用场景。但是如果想要更深层的使用k8s仅仅的入门是不够的,本篇知识点来罗列k8s体系中“资源”的概念。
k8s体系中操作的主体统称叫做资源,常见的资源分为五种:
第一种:工作负载型资源,指的是Pod、Deployment、Job等
第二种:服务发现与负载均衡资源,指的是Service、Ingress等
第三种:配置与存储资源,指Volume、CSI、存储卷等
第四种:集群级的资源,Namespace、Node等
第五种:元数据资源,Pod模板等
当然这些只是常用的,还有一些使用频率很低的,大家在日后的使用中积累即可。不过无论那种资源,在k8s的正式使用中都不是像应用入门中那样使用命令草草了事的操作,而是普遍使用不同格式的配置文件。比如我们可以获取一个前面知识点用命令直接创建的资源它的配置文件,可以发现虽然是命令创建,但是它的配置是有默认值的,我们可以通过get命令查看,不要使用describe,该命令没有-o参数
[root@hdp1 ~]# kubectl get pod myapp-99f9c686c-npxtb -o yaml
apiVersion: v1
kind: Pod
metadata:creationTimestamp: "2023-03-17T14:20:31Z"generateName: myapp-99f9c686c-labels:pod-template-hash: 99f9c686crun: myappname: myapp-99f9c686c-npxtbnamespace: defaultownerReferences:- apiVersion: apps/v1blockOwnerDeletion: truecontroller: truekind: ReplicaSetname: myapp-99f9c686cuid: 647ab3e4-57f7-4d26-a56e-da43d06753bcresourceVersion: "101427"selfLink: /api/v1/namespaces/default/pods/myapp-99f9c686c-npxtbuid: 4b49dab2-ac98-42ad-8e56-85172cc03ef8
spec:containers:- image: nginx:1.14-alpineimagePullPolicy: IfNotPresentname: myappresources: {}terminationMessagePath: /dev/termination-logterminationMessagePolicy: FilevolumeMounts:- mountPath: /var/run/secrets/kubernetes.io/serviceaccountname: default-token-q6zw8readOnly: truednsPolicy: ClusterFirstenableServiceLinks: truenodeName: hdp2priority: 0restartPolicy: AlwaysschedulerName: default-schedulersecurityContext: {}serviceAccount: defaultserviceAccountName: defaultterminationGracePeriodSeconds: 30tolerations:- effect: NoExecutekey: node.kubernetes.io/not-readyoperator: ExiststolerationSeconds: 300- effect: NoExecutekey: node.kubernetes.io/unreachableoperator: ExiststolerationSeconds: 300volumes:- name: default-token-q6zw8secret:defaultMode: 420secretName: default-token-q6zw8
status:conditions:- lastProbeTime: nulllastTransitionTime: "2023-03-17T14:20:31Z"status: "True"type: Initialized- lastProbeTime: nulllastTransitionTime: "2023-03-17T14:20:32Z"status: "True"type: Ready- lastProbeTime: nulllastTransitionTime: "2023-03-17T14:20:32Z"status: "True"type: ContainersReady- lastProbeTime: nulllastTransitionTime: "2023-03-17T14:20:31Z"status: "True"type: PodScheduledcontainerStatuses:- containerID: docker://c8b085d8e0962d308a3aa82c8fb24baa336f9d707872884611d2b1bbb1aa6a33image: nginx:1.14-alpineimageID: docker-pullable://nginx@sha256:485b610fefec7ff6c463ced9623314a04ed67e3945b9c08d7e53a47f6d108dc7lastState: {}name: myappready: truerestartCount: 0started: truestate:running:startedAt: "2023-03-17T14:20:31Z"hostIP: 192.168.88.187phase: RunningpodIP: 10.244.1.17podIPs:- ip: 10.244.1.17qosClass: BestEffortstartTime: "2023-03-17T14:20:31Z"
这些配置中有一些我们要特别关注,apiVersion是资源所处的组别和版本,默认为V1,既最核心的一级且版本为V1,组名省略。kind是资源类别。metadata是资源的元数据信息。spec是这个资源的希望拥有规格或者说是特性。status是该资源当前的状态,k8s会将status无限向spec靠拢,我们一般不对status做操作。大部分的资源均由这五个基础一级配置以及一级配置下的必备资源配置所构成。其中包含的详细配置后面会说道,大家这里只需要知道构成配置的大架子有那几块就行。
上面的用例中获取的是yaml格式的文件,但是资源的创建并不是全部依靠yaml格式的配置文件。比如apiVersion仅支持json格式,只是我们配置的时候k8s会把相关配置无损转换为yaml而已。我们可以查询当前集群支持那些组。
[root@hdp1 ~] kubectl api-versions
admissionregistration.k8s.io/v1
admissionregistration.k8s.io/v1beta1
apiextensions.k8s.io/v1
apiextensions.k8s.io/v1beta1
apiregistration.k8s.io/v1
apiregistration.k8s.io/v1beta1
apps/v1
authentication.k8s.io/v1
authentication.k8s.io/v1beta1
authorization.k8s.io/v1
authorization.k8s.io/v1beta1
autoscaling/v1
autoscaling/v2beta1
autoscaling/v2beta2
batch/v1
batch/v1beta1
certificates.k8s.io/v1beta1
coordination.k8s.io/v1
coordination.k8s.io/v1beta1
discovery.k8s.io/v1beta1
events.k8s.io/v1beta1
extensions/v1beta1
networking.k8s.io/v1
networking.k8s.io/v1beta1
node.k8s.io/v1beta1
policy/v1beta1
rbac.authorization.k8s.io/v1
rbac.authorization.k8s.io/v1beta1
scheduling.k8s.io/v1
scheduling.k8s.io/v1beta1
storage.k8s.io/v1
storage.k8s.io/v1beta1
v1
分组的好处是方便操作多个资源,但是尽量不要使用beta版本,这类组别非稳定版,常常会导致不同版本的组别允许的配置可能不一样。而稳定版会一致存在且不再做大的变动。
当然,对于整个k8s体系中资源应该有那些配置,也为我们提供了查询的文档
[root@hdp1 ~] kubectl explain pod
KIND: Pod
VERSION: v1DESCRIPTION:Pod is a collection of containers that can run on a host. This resource iscreated by clients and scheduled onto hosts.FIELDS:apiVersion <string>APIVersion defines the versioned schema of this representation of anobject. Servers should convert recognized schemas to the latest internalvalue, and may reject unrecognized values. More info:https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resourceskind <string>Kind is a string value representing the REST resource this objectrepresents. Servers may infer this from the endpoint the client submitsrequests to. Cannot be updated. In CamelCase. More info:https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsmetadata <Object>Standard object's metadata. More info:https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataspec <Object>Specification of the desired behavior of the pod. More info:https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusstatus <Object>Most recently observed status of the pod. This data may not be up to date.Populated by the system. Read-only. More info:https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status[root@hdp1 ~] kubectl explain pod.metadata
KIND: Pod
VERSION: v1RESOURCE: metadata <Object>DESCRIPTION:Standard object's metadata. More info:https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataObjectMeta is metadata that all persisted resources must have, whichincludes all objects users must create.FIELDS:annotations <map[string]string>Annotations is an unstructured key value map stored with a resource thatmay be set by external tools to store and retrieve arbitrary metadata. Theyare not queryable and should be preserved when modifying objects. Moreinfo: http://kubernetes.io/docs/user-guide/annotationsclusterName <string>The name of the cluster which the object belongs to. This is used todistinguish resources with same name and namespace in different clusters.This field is not set anywhere right now and apiserver is going to ignoreit if set in create or update request.creationTimestamp <string>CreationTimestamp is a timestamp representing the server time when thisobject was created. It is not guaranteed to be set in happens-before orderacross separate operations. Clients may not set this value. It isrepresented in RFC3339 form and is in UTC. Populated by the system.Read-only. Null for lists. More info:https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadatadeletionGracePeriodSeconds <integer>Number of seconds allowed for this object to gracefully terminate before itwill be removed from the system. Only set when deletionTimestamp is alsoset. May only be shortened. Read-only.deletionTimestamp <string>DeletionTimestamp is RFC 3339 date and time at which this resource will bedeleted. This field is set by the server when a graceful deletion isrequested by the user, and is not directly settable by a client. Theresource is expected to be deleted (no longer visible from resource lists,and not reachable by name) after the time in this field, once thefinalizers list is empty. As long as the finalizers list contains items,deletion is blocked. Once the deletionTimestamp is set, this value may notbe unset or be set further into the future, although it may be shortened orthe resource may be deleted prior to this time. For example, a user mayrequest that a pod is deleted in 30 seconds. The Kubelet will react bysending a graceful termination signal to the containers in the pod. Afterthat 30 seconds, the Kubelet will send a hard termination signal (SIGKILL)to the container and after cleanup, remove the pod from the API. In thepresence of network partitions, this object may still exist after thistimestamp, until an administrator or automated process can determine theresource is fully terminated. If not set, graceful deletion of the objecthas not been requested. Populated by the system when a graceful deletion isrequested. Read-only. More info:https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadatafinalizers <[]string>Must be empty before the object is deleted from the registry. Each entry isan identifier for the responsible component that will remove the entry fromthe list. If the deletionTimestamp of the object is non-nil, entries inthis list can only be removed. Finalizers may be processed and removed inany order. Order is NOT enforced because it introduces significant risk ofstuck finalizers. finalizers is a shared field, any actor with permissioncan reorder it. If the finalizer list is processed in order, then this canlead to a situation in which the component responsible for the firstfinalizer in the list is waiting for a signal (field value, externalsystem, or other) produced by a component responsible for a finalizer laterin the list, resulting in a deadlock. Without enforced ordering finalizersare free to order amongst themselves and are not vulnerable to orderingchanges in the list.generateName <string>GenerateName is an optional prefix, used by the server, to generate aunique name ONLY IF the Name field has not been provided. If this field isused, the name returned to the client will be different than the namepassed. This value will also be combined with a unique suffix. The providedvalue has the same validation rules as the Name field, and may be truncatedby the length of the suffix required to make the value unique on theserver. If this field is specified and the generated name exists, theserver will NOT return a 409 - instead, it will either return 201 Createdor 500 with Reason ServerTimeout indicating a unique name could not befound in the time allotted, and the client should retry (optionally afterthe time indicated in the Retry-After header). Applied only if Name is notspecified. More info:https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotencygeneration <integer>A sequence number representing a specific generation of the desired state.Populated by the system. Read-only.labels <map[string]string>Map of string keys and values that can be used to organize and categorize(scope and select) objects. May match selectors of replication controllersand services. More info: http://kubernetes.io/docs/user-guide/labelsmanagedFields <[]Object>ManagedFields maps workflow-id and version to the set of fields that aremanaged by that workflow. This is mostly for internal housekeeping, andusers typically shouldn't need to set or understand this field. A workflowcan be the user's name, a controller's name, or the name of a specificapply path like "ci-cd". The set of fields is always in the version thatthe workflow used when modifying the object.name <string>Name must be unique within a namespace. Is required when creatingresources, although some resources may allow a client to request thegeneration of an appropriate name automatically. Name is primarily intendedfor creation idempotence and configuration definition. Cannot be updated.More info: http://kubernetes.io/docs/user-guide/identifiers#namesnamespace <string>Namespace defines the space within each name must be unique. An emptynamespace is equivalent to the "default" namespace, but "default" is thecanonical representation. Not all objects are required to be scoped to anamespace - the value of this field for those objects will be empty. Mustbe a DNS_LABEL. Cannot be updated. More info:http://kubernetes.io/docs/user-guide/namespacesownerReferences <[]Object>List of objects depended by this object. If ALL objects in the list havebeen deleted, this object will be garbage collected. If this object ismanaged by a controller, then an entry in this list will point to thiscontroller, with the controller field set to true. There cannot be morethan one managing controller.resourceVersion <string>An opaque value that represents the internal version of this object thatcan be used by clients to determine when objects have changed. May be usedfor optimistic concurrency, change detection, and the watch operation on aresource or set of resources. Clients must treat these values as opaque andpassed unmodified back to the server. They may only be valid for aparticular resource or set of resources. Populated by the system.Read-only. Value must be treated as opaque by clients and . More info:https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistencyselfLink <string>SelfLink is a URL representing this object. Populated by the system.Read-only. DEPRECATED Kubernetes will stop propagating this field in 1.20release and the field is planned to be removed in 1.21 release.uid <string>UID is the unique in time and space value for this object. It is typicallygenerated by the server on successful creation of a resource and is notallowed to change on PUT operations. Populated by the system. Read-only.More info: http://kubernetes.io/docs/user-guide/identifiers#uids
当然要说明的是,用配置文件操作资源的时候不是每一项配置你都要写,只需要指定你需要的和必备的即可。比如我们创建一个pod你需要指定他必备的容器配置以及资源类别等
apiVersion: v1
kind: Pod
metadata:name: pod-demonamespace: defaultlabels:app: myapp-test
spec:containers:- name: myapp01image: nginx:1.14-alpine- name: myapp02image: busyboxcommand:- "/bin/sh"- "-c"- "echo $date >> /usr/share/nginx/html/index.html; sleep 5"
使用配置文件创建资源使用create命令
[root@hdp1 ~] kubectl create -f myapp.yaml
pod/pod-demo created
[root@hdp1 ~] kubectl get pod
NAME READY STATUS RESTARTS AGE
myapp-99f9c686c-npxtb 1/1 Running 1 17h
pod-demo 0/2 ContainerCreating 0 17s
[root@hdp1 ~] kubectl get pod
NAME READY STATUS RESTARTS AGE
myapp-99f9c686c-npxtb 1/1 Running 1 17h
pod-demo 1/2 ImagePullBackOff 0 4m4s
[root@hdp1 ~] kubectl get pod
NAME READY STATUS RESTARTS AGE
myapp-99f9c686c-npxtb 1/1 Running 1 17h
pod-demo 2/2 Running 0 4m5s
这样我们就创建了一个拥有两个容器的Pod,并且我们可以查询它的当前配置
[root@hdp1 ~] kubectl describe pods pod-demo
Name: pod-demo
Namespace: default
Priority: 0
Node: hdp3/192.168.88.188
Start Time: Sat, 18 Mar 2023 15:38:34 +0800
Labels: app=myapp-test
Annotations: <none>
Status: Running
IP: 10.244.2.20
IPs:IP: 10.244.2.20
Containers:myapp01:Container ID: docker://33821fb4d81fdf1f95d7ff4e92381f6b2b19d866e1035deaeac84f7f0c64c339Image: nginx:1.14-alpineImage ID: docker-pullable://nginx@sha256:485b610fefec7ff6c463ced9623314a04ed67e3945b9c08d7e53a47f6d108dc7Port: <none>Host Port: <none>State: RunningStarted: Sat, 18 Mar 2023 15:38:34 +0800Ready: TrueRestart Count: 0Environment: <none>Mounts:/var/run/secrets/kubernetes.io/serviceaccount from default-token-q6zw8 (ro)myapp02:Container ID: docker://3e95096049b216435d64a1ca268cccd5b207c6be164db64f24d08dbd52c33368Image: busyboxImage ID: docker-pullable://busybox@sha256:5acba83a746c7608ed544dc1533b87c737a0b0fb730301639a0179f9344b1678Port: <none>Host Port: <none>Command:/bin/sh-cecho $date >> /usr/share/nginx/html/index.html; sleep 5State: WaitingReason: CrashLoopBackOffLast State: TerminatedReason: CompletedExit Code: 0Started: Sat, 18 Mar 2023 15:47:16 +0800Finished: Sat, 18 Mar 2023 15:47:21 +0800Ready: FalseRestart Count: 5Environment: <none>Mounts:/var/run/secrets/kubernetes.io/serviceaccount from default-token-q6zw8 (ro)
Conditions:Type StatusInitialized True Ready False ContainersReady False PodScheduled True
Volumes:default-token-q6zw8:Type: Secret (a volume populated by a Secret)SecretName: default-token-q6zw8Optional: false
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300snode.kubernetes.io/unreachable:NoExecute for 300s
Events:Type Reason Age From Message---- ------ ---- ---- -------Normal Scheduled 10m default-scheduler Successfully assigned default/pod-demo to hdp3Normal Pulled 10m kubelet, hdp3 Container image "nginx:1.14-alpine" already present on machineNormal Created 10m kubelet, hdp3 Created container myapp01Normal Started 10m kubelet, hdp3 Started container myapp01Warning Failed 6m58s (x3 over 9m15s) kubelet, hdp3 Failed to pull image "busybox": rpc error: code = Unknown desc = Error response from daemon: Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)Warning Failed 6m58s (x3 over 9m15s) kubelet, hdp3 Error: ErrImagePullNormal BackOff 6m18s (x5 over 9m15s) kubelet, hdp3 Back-off pulling image "busybox"Warning Failed 6m18s (x5 over 9m15s) kubelet, hdp3 Error: ImagePullBackOffNormal Pulling 6m3s (x4 over 10m) kubelet, hdp3 Pulling image "busybox"Normal Created 6m2s kubelet, hdp3 Created container myapp02Normal Pulled 5m4s (x3 over 6m2s) kubelet, hdp3 Successfully pulled image "busybox"[root@hdp1 ~] curl 10.244.2.20:80
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>body {width: 35em;margin: 0 auto;font-family: Tahoma, Verdana, Arial, sans-serif;}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p><p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p><p><em>Thank you for using nginx.</em></p>
</body>
</html>
上面的例子中第二个容器会报错,我们需要查看它的日志,使用前面提到的losgs命令,不过这里重点是想说明,你想在外部操作Pod下的容器时需要-c参数才可表示某个容器
[root@hdp1 ~] kubectl logs pod-demo -c myapp02
/bin/sh: can't create /usr/share/nginx/html/index.html: nonexistent directory
当你想要进入k8s的某个容器时不止要使用-c,还要使用exec进入并且需要--
[root@hdp1 ~]# kubectl exec -it pod-demo -c myapp01 -- /bin/sh
/ #
同时删除某个资源的时候,也不再需要像之前命令行那样delete后面根资源名,你可以通过指定配置文件,将对应由此配置文件生成的资源删掉,这样的好处就在于可以复用配置,不需要每次需要一个新的Pod时候都从头到尾的写一个run。并且当你删除Pod的时候不会被容灾,因为配置清单定义出的泡的资源,如果没有添加控制器相关配置时它是一个自主式pod,没有对应的控制器,所以k8s不会去管pod的死活。
[root@hdp1 ~] kubectl delete -f myapp.yaml
到此本篇知识点就结束了,虽然只以Pod资源为例,说明资源清单的定义,但希望大家明白其他的资源定义也是大同小异的。同时k8s整体上来说操作有三种方式,第一种是知识点15的纯命令行方式,第二种是本篇的命令式配置清单方式,第三种叫声明式配置清单方式。声明式的变动相当灵活,后面的知识点会讲到。这三种方式操作的时候,实际应用场景哪个方便用哪个即可。