kubernetes笔记（七）

一、service管理

1.clusterIP

1）创建服务

# 资源对象模板
[root@master ~]# kubectl create service clusterip mysvc --tcp=80:80 --dry-run=client -o yaml
[root@master ~]# vim mysvc.yaml
---
kind: Service
apiVersion: v1
metadata:name: mysvc
spec:type: ClusterIPselector:app: webports:- protocol: TCPport: 80targetPort: 80[root@master ~]# kubectl apply -f mysvc.yaml [root@master ~]# kubectl get service

2）解析域名

# 安装工具软件包
[root@master ~]# dnf install -y bind-utils# 查看 DNS 服务地址
[root@master ~]# kubectl -n kube-system get service kube-dns
可以获取CLUSTER-IP的值# 域名解析测试
[root@master ~]# host mysvc.default.svc.cluster.local <CLUSTER-IP字段的值>

3）创建后端应用

[root@master ~]# vim myweb.yaml 
---
kind: Pod
apiVersion: v1
metadata:name: web1labels:app: web   # 服务靠标签寻找后端
spec:containers:- name: apacheimage: myos:httpd[root@master ~]# kubectl apply -f myweb.yaml[root@master ~]# curl http://<host命令解析域名后获取的ip地址>

4）负载均衡

[root@master ~]# sed 's,web1,web2,' myweb.yaml |kubectl apply -f -[root@master ~]# sed 's,web1,web3,' myweb.yaml |kubectl apply -f -[root@master ~]# curl -s http://<host命令解析域名后获取的ip地址>/info.php |grep php_host
php_host:       web1
[root@master ~]# curl -s http://<host命令解析域名后获取的ip地址>/info.php |grep php_host
php_host:       web2
[root@master ~]# curl -s http://<host命令解析域名后获取的ip地址>/info.php |grep php_host
php_host:       web3

5）固定IP服务

[root@master ~]# vim mysvc.yaml 
---
kind: Service
apiVersion: v1
metadata:name: mysvc
spec:type: ClusterIPclusterIP: 10.245.1.80    # 可以设置 ClusterIPselector:app: webports:- protocol: TCPport: 80targetPort: 80[root@master ~]# kubectl delete service mysvc[root@master ~]# kubectl apply -f mysvc.yaml [root@master ~]# kubectl get service

6）端口别名

[root@master ~]# kubectl delete pod --all
pod "web1" deleted
pod "web2" deleted
pod "web3" deleted
[root@master ~]# vim mysvc.yaml 
---
kind: Service
apiVersion: v1
metadata:name: mysvc
spec:type: ClusterIPclusterIP: 10.245.1.80selector:app: webports:- protocol: TCPport: 80targetPort: myhttp    # 使用别名查找后端服务端口[root@master ~]# kubectl apply -f mysvc.yaml [root@master ~]# vim myweb.yaml 
---
kind: Pod
apiVersion: v1
metadata:name: web1labels:app: web
spec:containers:- name: apacheimage: myos:httpdports:               # 配置端口规范- name: myhttp       # 端口别名protocol: TCP      # 协议containerPort: 80  # 端口号[root@master ~]# kubectl apply -f myweb.yaml[root@master ~]# curl http://10.245.1.80

2.nodePort

kind ->Service

spec->type: NodePort

使用kubectl create service nodeport --help查看帮助

1）对外发布服务

[root@master ~]# cp -a mysvc.yaml mysvc1.yaml
[root@master ~]# vim mysvc1.yaml
---
kind: Service
apiVersion: v1
metadata:name: mysvc1
spec:type: NodePort            # 服务类型selector:app: webports:- protocol: TCPport: 80nodePort: 30080         # 映射端口号targetPort: myhttp[root@master ~]# kubectl apply -f mysvc1.yaml 
service/mysvc configured
[root@master ~]# kubectl get service
NAME         TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)
kubernetes   ClusterIP   10.245.0.1    <none>        443/TCP
mysvc        ClusterIP   10.245.1.80   <none>        80/TCP
mysvc1       NodePort    10.245.1.88   <none>        80:30080/TCP[root@master ~]# curl http://node-0001:30080[root@master ~]# curl http://node-0002:30080[root@master ~]# curl http://node-0003:30080[root@master ~]# curl http://node-0004:30080[root@master ~]# curl http://node-0005:30080

3.Ingress

1）安装控制器

[root@master ~]# cd plugins/ingress
[root@master ingress]# docker load -i ingress.tar.xz
[root@master ingress]# docker images|while read i t _;do[[ "${t}" == "TAG" ]] && continue[[ "${i}" =~ ^"harbor:443/".+ ]] && continuedocker tag ${i}:${t} harbor:443/plugins/${i##*/}:${t}docker push harbor:443/plugins/${i##*/}:${t}docker rmi ${i}:${t} harbor:443/plugins/${i##*/}:${t}
done
[root@master ingress]# sed -ri 's,^(\s*image: )(.*/)?(.+)@.*,\1harbor:443/plugins/\3,' deploy.yaml[root@master ingress]# kubectl apply -f deploy.yaml
# 通过标签指定在那台机器上发布应用
[root@master ingress]# kubectl label nodes node-0001 ingress-ready="true"[root@master ingress]# kubectl -n ingress-nginx get pods

2）验证后端服务

[[root@master ~]# kubectl get pods,services [root@master ~]# curl http://<CLUSTER-IP字段的ip地址>

3）对外发布服务

[root@master ~]# kubectl get ingressclasses.networking.k8s.io # 资源对象模板
[root@master ~]# kubectl create ingress mying --class=nginx --rule=ns.test.cn/*=mysvc:80 --dry-run=client -o yaml[root@master ~]# vim mying.yaml
---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:name: mying
spec:ingressClassName: nginxrules:- host:ns.test.cnhttp:paths:- path: /pathType: Prefixbackend:service:name: mysvcport:number: 80[root@master ~]# kubectl apply -f mying.yaml [root@master ~]# kubectl get ingress[root@master ~]# curl -H "Host: ns.test.cn" http://<ADDRESS字段的ip地址>

二、web管理插件

1.安装Dashboard

[root@master ~]# cd plugins/dashboard
[root@master dashboard]# docker load -i dashboard.tar.xz
[root@master dashboard]# docker images|while read i t _;do[[ "${t}" == "TAG" ]] && continue[[ "${i}" =~ ^"harbor:443/".+ ]] && continuedocker tag ${i}:${t} harbor:443/plugins/${i##*/}:${t}docker push harbor:443/plugins/${i##*/}:${t}docker rmi ${i}:${t} harbor:443/plugins/${i##*/}:${t}
done
[root@master dashboard]# sed -ri 's,^(\s*image: )(.*/)?(.+),\1harbor:443/plugins/\3,' recommended.yaml[root@master dashboard]# kubectl apply -f recommended.yaml
[root@master dashboard]# kubectl -n kubernetes-dashboard get pods

2.发布服务

# 查看服务状态
[root@master dashboard]# kubectl -n kubernetes-dashboard get service# 获取服务资源对象文件
[root@master dashboard]# sed -n '30,45p' recommended.yaml >dashboard-svc.yaml
[root@master dashboard]# vim dashboard-svc.yaml
---
kind: Service
apiVersion: v1
metadata:labels:k8s-app: kubernetes-dashboardname: kubernetes-dashboardnamespace: kubernetes-dashboard
spec:type: NodePortports:- port: 443nodePort: 30443targetPort: 8443selector:k8s-app: kubernetes-dashboard[root@master dashboard]# kubectl apply -f dashboard-svc.yaml [root@master dashboard]# kubectl -n kubernetes-dashboard get service

三、服务账号与权限

1.创建服务账号

查看yaml对象文件

kubectl -n namespece1 create serviceaccount user1 --dry-run=client -o yaml

验证：kubectl -n namespce1 get serviceaccounts

# 资源对象模板
[root@master ~]# kubectl -n kubernetes-dashboard create serviceaccount kube-admin --dry-run=client -o yaml[root@master ~]# vim admin-user.yaml
---
kind: ServiceAccount
apiVersion: v1
metadata:name: kube-adminnamespace: kubernetes-dashboard[root@master ~]# kubectl apply -f admin-user.yaml [root@master ~]# kubectl -n kubernetes-dashboard get serviceaccounts

2.获取用户token

[root@master ~]# kubectl -n kubernetes-dashboard create token kube-admin

3.角色与鉴权

资源对象	描述	作用域
ServiceAccount	服务账号，为 Pod 中运行的进程提供了一个身份	单一名称空间
Role	角色，包含一组代表相关权限的规则	单一名称空间
ClusterRole	角色，包含一组代表相关权限的规则	全集群
RoleBinding	将权限赋予用户，Role、ClusterRole 均可使用	单一名称空间
ClusterRoleBinding	将权限赋予用户，只可以使用 ClusterRole	全集群

资源对象权限

create	delete	deletecollection	get	list	patch	update	watch
创建	删除	删除集合	获取属性	获取列表	补丁	更新	监控

1）普通角色

查看帮助：

kubectl create role --help

kubectl create rolebinding --help

[root@master ~]# kubectl cluster-info dump |grep authorization-mode# 资源对象模板
[root@master ~]# kubectl -n default create role myrole --resource=pods --verb=get,list --dry-run=client -o yaml[root@master ~]# kubectl -n default create rolebinding kube-admin-role --role=myrole --serviceaccount=kubernetes-dashboard:kube-admin --dry-run=client -o yaml[root@master ~]# vim myrole.yaml 
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:name: myrolenamespace: default
rules:
- apiGroups:- ""resources:- podsverbs:- get- list---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:name: kube-admin-rolenamespace: default
roleRef:apiGroup: rbac.authorization.k8s.iokind: Rolename: myrole
subjects:
- kind: ServiceAccountname: kube-adminnamespace: kubernetes-dashboard[root@master ~]# kubectl apply -f myrole.yaml [root@master ~]# kubectl delete -f myrole.yaml

2）集群管理员

kubectl create clusterrolebinding --help

Usage:
kubectl create clusterrolebinding NAME --clusterrole=NAME [--user=username] [--group=groupname]
[--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none] [options]

[root@master ~]# kubectl get clusterrole# 资源对象模板
[root@master ~]# kubectl create clusterrolebinding kube-admin-role --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:kube-admin --dry-run=client -o yaml[root@master ~]# vim admin-user.yaml 
---
kind: ServiceAccount
apiVersion: v1
metadata:name: kube-adminnamespace: kubernetes-dashboard---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:name: kube-admin-role
roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: cluster-admin
subjects:
- kind: ServiceAccountname: kube-adminnamespace: kubernetes-dashboard[root@master ~]# kubectl apply -f admin-user.yaml