作者:尹正杰
版权声明:原创作品,谢绝转载!否则将追究法律责任。
一.livenessProbe(需要做健康状态检查,即验证存活状态检测,当发现容器运行不正常会立即重启,若重启后容器依旧不正常运行会逐一累计间隔时间进行重启)
1>.定义yaml文件
[root@master200.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/k8s/manifests/pod/liveness-exec.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    test: liveness-exec
  name: liveness-exec
spec:
  containers:
  - name: liveness-demo
    # Untagged image reference resolves to the mutable "latest" tag; pin a
    # tag or, better, the sha256 digest (kubectl describe shows the resolved
    # Image ID) so pulls are reproducible and auditable.
    image: busybox
    # The container is "healthy" only while /tmp/healthy exists: it is
    # created at start, removed after 30s, and the process then sleeps for
    # 600s, so the probe below starts failing at ~30s and the kubelet kills
    # and restarts the container ("failed liveness probe, will be restarted"
    # in the events, Last State Terminated with exit code 137).
    args:
    - /bin/sh
    - -c
    - touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600
    # No timing fields are set, so kubelet defaults apply (kubectl describe
    # shows delay=0s timeout=1s period=10s #failure=3).
    # No securityContext is set either: UID, capabilities and root-fs
    # writability come from image metadata and runtime defaults
    # (see pods.spec.securityContext / pods.spec.containers.securityContext).
    livenessProbe:
      exec:
        command:
        - test
        - -e
        - /tmp/healthy
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/k8s/manifests/pod/liveness-exec.yaml
[root@master200.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/k8s/manifests/pod/liveness-http.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    test: liveness
  name: liveness-http
spec:
  containers:
  - name: liveness-demo
    # A version tag, not a digest: a tag can be re-pushed, so pin the sha256
    # digest (kubectl describe shows the resolved Image ID) if this manifest
    # is reused outside a demo.
    image: nginx:1.14-alpine
    ports:
    - name: http
      containerPort: 80
    # postStart writes the file the probe fetches. It lands in the public web
    # root, so /healthz is served to anyone who can reach port 80, not only
    # the kubelet. The body text ("Healty") does not matter: an httpGet
    # probe is judged on the HTTP status code, not on the content.
    lifecycle:
      postStart:
        exec:
          command:
          - /bin/sh
          - -c
          - 'echo Healty > /usr/share/nginx/html/healthz'
    # First probe at 3s, then every 2s; two consecutive misses trigger a
    # restart (describe: delay=3s timeout=1s period=2s #failure=2).
    # The port is referenced by name, so it follows containerPort above.
    livenessProbe:
      httpGet:
        path: /healthz
        port: http
        scheme: HTTP
      periodSeconds: 2
      failureThreshold: 2
      initialDelaySeconds: 3
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/k8s/manifests/pod/liveness-http.yaml
2>.应用yaml文件并查看pods信息
[root@master200.yinzhengjie.org.cn ~]# kubectl apply -f /yinzhengjie/data/k8s/manifests/pod/liveness-exec.yaml
pod/liveness-exec created
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl apply -f /yinzhengjie/data/k8s/manifests/pod/liveness-http.yaml
pod/liveness-http created
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl get pods
NAME READY STATUS RESTARTS AGE
liveness-exec 0/1 CrashLoopBackOff 7 19m
liveness-http 1/1 Running 0 10m
mynginx-677d85dbd5-t9xfz 1/1 Running 0 4h46m
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]#
3>.验证pod是否发生重启
[root@master200.yinzhengjie.org.cn ~]# kubectl get pods
NAME READY STATUS RESTARTS AGE
liveness-exec 0/1 CrashLoopBackOff 7 20m
liveness-http 1/1 Running 0 10m
mynginx-677d85dbd5-t9xfz 1/1 Running 0 4h46m
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl describe pods liveness-http
Name: liveness-http
Namespace: default
Priority: 0
Node: node201.yinzhengjie.org.cn/172.200.1.201
Start Time: Thu, 06 Feb 2020 13:15:43 +0800
Labels: test=liveness
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"labels":{"test":"liveness"},"name":"liveness-http","na
Status: Running
IP: 10.244.1.3
IPs:
IP: 10.244.1.3
Containers:
liveness-demo:
Container ID: docker://f9457bb20479d8e0c121c8c1fbe04146f767ee895522c5cc47a759e939993b07
Image: nginx:1.14-alpine
Image ID: docker-pullable://nginx@sha256:485b610fefec7ff6c463ced9623314a04ed67e3945b9c08d7e53a47f6d108dc7
Port: 80/TCP
Host Port: 0/TCP
State: Running
Started: Thu, 06 Feb 2020 13:15:44 +0800
Ready: True
Restart Count: 0
Liveness: http-get http://:http/healthz delay=3s timeout=1s period=2s #success=1 #failure=2
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from default-token-4jpjf (ro)
Conditions:
Type Status
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
default-token-4jpjf:
Type: Secret (a volume populated by a Secret)
SecretName: default-token-4jpjf
Optional: false
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s
node.kubernetes.io/unreachable:NoExecute for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 10m default-scheduler Successfully assigned default/liveness-http to node201.yinzhengjie.o
Normal Pulled 10m kubelet, node201.yinzhengjie.org.cn Container image "nginx:1.14-alpine" already present on machine
Normal Created 10m kubelet, node201.yinzhengjie.org.cn Created container liveness-demo
Normal Started 10m kubelet, node201.yinzhengjie.org.cn Started container liveness-demo
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl describe pods liveness-http
[root@master200.yinzhengjie.org.cn ~]# kubectl get pods
NAME READY STATUS RESTARTS AGE
liveness-exec 1/1 Running 8 21m
liveness-http 1/1 Running 0 11m
mynginx-677d85dbd5-t9xfz 1/1 Running 0 4h47m
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl describe pods liveness-exec
Name: liveness-exec
Namespace: default
Priority: 0
Node: node202.yinzhengjie.org.cn/172.200.1.202
Start Time: Thu, 06 Feb 2020 13:05:53 +0800
Labels: test=liveness-exec
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"labels":{"test":"liveness-exec"},"name":"liveness-exec","namespace":"default...
Status: Running
IP: 10.244.2.2
IPs:
IP: 10.244.2.2
Containers:
liveness-demo:
Container ID: docker://0e718e53f333af21d266b3ff0c1f69c76712675ec772da0f5b57eeb2cc9a0512
Image: busybox
Image ID: docker-pullable://busybox@sha256:6915be4043561d64e0ab0f8f098dc2ac48e077fe23f488ac24b665166898115a
Port: <none>
Host Port: <none>
Args:
/bin/sh
-c
touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600
State: Running
Started: Thu, 06 Feb 2020 13:26:44 +0800
Last State: Terminated
Reason: Error
Exit Code: 137
Started: Thu, 06 Feb 2020 13:20:10 +0800
Finished: Thu, 06 Feb 2020 13:21:30 +0800
Ready: True
Restart Count: 8
Liveness: exec [test -e /tmp/healthy] delay=0s timeout=1s period=10s #success=1 #failure=3
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from default-token-4jpjf (ro)
Conditions:
Type Status
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
default-token-4jpjf:
Type: Secret (a volume populated by a Secret)
SecretName: default-token-4jpjf
Optional: false
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s
node.kubernetes.io/unreachable:NoExecute for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 21m default-scheduler Successfully assigned default/liveness-exec to node202.yinzhengjie.org.cn
Normal Created 18m (x3 over 21m) kubelet, node202.yinzhengjie.org.cn Created container liveness-demo
Normal Started 18m (x3 over 21m) kubelet, node202.yinzhengjie.org.cn Started container liveness-demo
Normal Pulling 16m (x4 over 21m) kubelet, node202.yinzhengjie.org.cn Pulling image "busybox"
Normal Pulled 16m (x4 over 21m) kubelet, node202.yinzhengjie.org.cn Successfully pulled image "busybox"
Warning Unhealthy 11m (x19 over 20m) kubelet, node202.yinzhengjie.org.cn Liveness probe failed:
Normal Killing 6m28s (x8 over 20m) kubelet, node202.yinzhengjie.org.cn Container liveness-demo failed liveness probe, will be restarted
Warning BackOff 84s (x38 over 10m) kubelet, node202.yinzhengjie.org.cn Back-off restarting failed container
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl describe pods liveness-exec
二.readinessProbe(就绪状态检测,即验证服务是否正常运行,如果就绪的话就作为service的后端,如果一直处于未就绪状态就会将该容器从service的后端移除掉;需要注意的是就绪检测不会重启容器,这就是它和健康检查的重要区别)
1>.定义yaml文件
[root@master200.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/k8s/manifests/pod/readiness-exec.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    test: readiness-exec
  name: readiness-exec
spec:
  containers:
  - name: readiness-demo
    # Untagged image reference resolves to the mutable "latest" tag; pin a
    # tag or sha256 digest for reproducible pulls.
    image: busybox
    # Flaps /tmp/ready forever: absent for 30s, present for 300s. A failing
    # readiness probe only takes the pod out of Service endpoints (Ready:
    # False in describe while Restart Count stays 0); it never restarts the
    # container.
    args: ["/bin/sh", "-c", "while true; do rm -f /tmp/ready; sleep 30; touch /tmp/ready; sleep 300; done"]
    # First probe at 5s, then every 5s. Anyone with `kubectl exec` rights on
    # the pod can flip readiness by creating or removing the file, as the
    # transcript does.
    readinessProbe:
      exec:
        command: ["test", "-e", "/tmp/ready"]
      initialDelaySeconds: 5
      periodSeconds: 5
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/k8s/manifests/pod/readiness-exec.yaml
2>.应用yaml文件并查看pods信息
[root@master200.yinzhengjie.org.cn ~]# kubectl apply -f /yinzhengjie/data/k8s/manifests/pod/readiness-exec.yaml
pod/readiness-exec created
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl get pods #虽然状态是"Running",但并没有READY
NAME READY STATUS RESTARTS AGE
liveness-exec 0/1 CrashLoopBackOff 11 37m
liveness-http 1/1 Running 0 27m
mynginx-677d85dbd5-t9xfz 1/1 Running 0 5h3m
readiness-exec 0/1 Running 0 7s
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl get pods #由于我们设置了延迟检测,因此需要等一会pod的容器才会被认为是正常运行的
NAME READY STATUS RESTARTS AGE
liveness-exec 1/1 Running 12 37m
liveness-http 1/1 Running 0 27m
mynginx-677d85dbd5-t9xfz 1/1 Running 0 5h4m
readiness-exec 1/1 Running 0 45s
[root@master200.yinzhengjie.org.cn ~]#
3>.验证pod是否发生重启
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl exec readiness-exec -- touch /tmp/ready
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl get pods
NAME READY STATUS RESTARTS AGE
liveness-exec 0/1 CrashLoopBackOff 13 45m
liveness-http 1/1 Running 0 35m
mynginx-677d85dbd5-t9xfz 1/1 Running 0 5h11m
readiness-exec 1/1 Running 0 8m28s
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl describe pods readiness-exec
Name: readiness-exec
Namespace: default
Priority: 0
Node: node202.yinzhengjie.org.cn/172.200.1.202
Start Time: Thu, 06 Feb 2020 13:42:51 +0800
Labels: test=readiness-exec
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"labels":{"test":"readiness-exec"},"name":"readiness-exec","namespace":"defau...
Status: Running
IP: 10.244.2.3
IPs:
IP: 10.244.2.3
Containers:
readiness-demo:
Container ID: docker://a603c504e38d91d420c9aaa8d062d2b595323b0f91ab789bedafc26035e95eb6
Image: busybox
Image ID: docker-pullable://busybox@sha256:6915be4043561d64e0ab0f8f098dc2ac48e077fe23f488ac24b665166898115a
Port: <none>
Host Port: <none>
Args:
/bin/sh
-c
while true; do rm -f /tmp/ready; sleep 30; touch /tmp/ready; sleep 300; done
State: Running
Started: Thu, 06 Feb 2020 13:42:57 +0800
Ready: True
Restart Count: 0
Readiness: exec [test -e /tmp/ready] delay=5s timeout=1s period=5s #success=1 #failure=3
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from default-token-4jpjf (ro)
Conditions:
Type Status
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
default-token-4jpjf:
Type: Secret (a volume populated by a Secret)
SecretName: default-token-4jpjf
Optional: false
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s
node.kubernetes.io/unreachable:NoExecute for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 10m default-scheduler Successfully assigned default/readiness-exec to node202.yinzhengjie.org.cn
Normal Pulling 10m kubelet, node202.yinzhengjie.org.cn Pulling image "busybox"
Normal Pulled 10m kubelet, node202.yinzhengjie.org.cn Successfully pulled image "busybox"
Normal Created 10m kubelet, node202.yinzhengjie.org.cn Created container readiness-demo
Normal Started 10m kubelet, node202.yinzhengjie.org.cn Started container readiness-demo
Warning Unhealthy 5m22s (x39 over 10m) kubelet, node202.yinzhengjie.org.cn Readiness probe failed:
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl exec readiness-exec -- touch /tmp/ready
[root@master200.yinzhengjie.org.cn ~]# kubectl get pods
NAME READY STATUS RESTARTS AGE
liveness-exec 1/1 Running 14 47m
liveness-http 1/1 Running 0 37m
mynginx-677d85dbd5-t9xfz 1/1 Running 0 5h13m
readiness-exec 1/1 Running 0 10m
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl exec readiness-exec -- rm -f /tmp/ready
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl get pods
NAME READY STATUS RESTARTS AGE
liveness-exec 1/1 Running 15 48m
liveness-http 1/1 Running 0 38m
mynginx-677d85dbd5-t9xfz 1/1 Running 0 5h14m
readiness-exec 0/1 Running 0 11m
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl get pods
NAME READY STATUS RESTARTS AGE
liveness-exec 0/1 CrashLoopBackOff 15 49m
liveness-http 1/1 Running 0 39m
mynginx-677d85dbd5-t9xfz 1/1 Running 0 5h15m
readiness-exec 0/1 Running 0 12m
[root@master200.yinzhengjie.org.cn ~]# kubectl describe pods readiness-exec
Name: readiness-exec
Namespace: default
Priority: 0
Node: node202.yinzhengjie.org.cn/172.200.1.202
Start Time: Thu, 06 Feb 2020 13:42:51 +0800
Labels: test=readiness-exec
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"labels":{"test":"readiness-exec"},"name":"readiness-exec","namespace":"defau...
Status: Running
IP: 10.244.2.3
IPs:
IP: 10.244.2.3
Containers:
readiness-demo:
Container ID: docker://a603c504e38d91d420c9aaa8d062d2b595323b0f91ab789bedafc26035e95eb6
Image: busybox
Image ID: docker-pullable://busybox@sha256:6915be4043561d64e0ab0f8f098dc2ac48e077fe23f488ac24b665166898115a
Port: <none>
Host Port: <none>
Args:
/bin/sh
-c
while true; do rm -f /tmp/ready; sleep 30; touch /tmp/ready; sleep 300; done
State: Running
Started: Thu, 06 Feb 2020 13:42:57 +0800
Ready: False
Restart Count: 0
Readiness: exec [test -e /tmp/ready] delay=5s timeout=1s period=5s #success=1 #failure=3
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from default-token-4jpjf (ro)
Conditions:
Type Status
Initialized True
Ready False
ContainersReady False
PodScheduled True
Volumes:
default-token-4jpjf:
Type: Secret (a volume populated by a Secret)
SecretName: default-token-4jpjf
Optional: false
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s
node.kubernetes.io/unreachable:NoExecute for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 12m default-scheduler Successfully assigned default/readiness-exec to node202.yinzhengjie.org.cn
Normal Pulling 12m kubelet, node202.yinzhengjie.org.cn Pulling image "busybox"
Normal Pulled 12m kubelet, node202.yinzhengjie.org.cn Successfully pulled image "busybox"
Normal Created 12m kubelet, node202.yinzhengjie.org.cn Created container readiness-demo
Normal Started 12m kubelet, node202.yinzhengjie.org.cn Started container readiness-demo
Warning Unhealthy 93s (x66 over 11m) kubelet, node202.yinzhengjie.org.cn Readiness probe failed:
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl exec readiness-exec -- rm -f /tmp/ready
三.pod对象的相位(phase)
Pod对象总是应该处于其生命进程周期中以下几个相位(phase)之一:
Pending:
API Server创建了Pod资源对象并已存入etcd中,但它尚未被调度完成(一般是资源需求紧缺导致,比如内存不足),或仍处于从仓库中下载镜像的过程中。
Running:
Pod已经被调度至某节点,并且所有容器都已经被kubelet创建完成。
Succeeded:
Pod中的所有容器都已经成功终止并且不会被重启。
Failed:
所有容器都已经终止,但至少有一个容器终止失败,即容器返回了非0值的退出状态码或已经被系统终止。
Unknown:
API Server无法正常获取到Pod对象的状态信息,通常是由于其无法与Pod所在工作节点的kubelet通信所致。
四.Pod对象的创建过程
(1)用户提交创建Pod请求给K8S API Server;
(2)API Server将用户的请求中未提交的参数使用默认参数补齐(即准入控制)后写入etcd中;
(3)Scheduler通过监测(watch)事件发现需要创建新的pod,于是根据自己的默认算法选出一个最佳的K8S node,并将该节点回馈给API Server;
(4)API Server更新etcd中的数据(即"nodeName"字段),与此同时会通知相应的K8S node主机的kubelet进程;
(5)kubelet进程接收到API Server的消息后,向API Server发送请求获取需要创建的pod的元数据信息属性,通过这些属性调用本地的Docker引擎去创建相应的容器,Docker引擎创建完毕后由kubelet返回给API Server状态;
(6)API Server接收到Kubelet的数据后,将pod信息再一次更新到etcd中(比如更新容器的相位(phase)的状态由Pending变为Running);
五.容器的重启策略
Pod对象因容器程序崩溃或容器申请超出限制的资源等原因都可能导致其被终止,此时是否应该重建它取决于其重启策略(restartPolicy)属性的定义。
Always:
但凡Pod对象终止就将其重启,此为默认设定。
OnFailure:
仅在Pod对象出现错误时方才将其重启。
Never:
从不重启。
六.Pod的终止过程
(1)用户提交删除Pod请求给K8S API Server(在用户提交删除请求后,该Pod会被标记为"terminating");
(2)API Server将用户的请求中未提交的参数使用默认参数补齐(即准入控制)后写入etcd中,并设置宽限策略(set grace period,比如30s时间,这也是为什么我们删除Pod时会等待一段时间),即并不会立即删除Pod;
(3)所有的K8S node主机kubelet进程通过API Server的监测(watch)事件得知需要终止的Pod,于是会向本地的Docker引擎发送终止信号,于是Docker引擎开始运行"pre Stop hook"相关指令;
(4)API Server将pod标记为终止中(terminating)状态并告知端点控制器(Endpoint controller),端点控制器开始移除相应的service;
(5)如果kubelet在超出了指定宽限策略(我们假设宽限策略是30s,而我们使用了31s)还没有移除Pod的所有service那么就会发送SIGKILL(比如发送"kill -9")信号,此时Pod会被立即删除;
(6)移除成功后,此时API Server将etcd中的数据移除。
七.POD安全配置接口(需要的小伙伴可根据官方文档自行调研)
[root@master200.yinzhengjie.org.cn ~]# kubectl explain pods.spec.securityContext
KIND: Pod
VERSION: v1
RESOURCE: securityContext <Object>
DESCRIPTION:
SecurityContext holds pod-level security attributes and common container
settings. Optional: Defaults to empty. See type description for default
values of each field.
PodSecurityContext holds pod-level security attributes and common container
settings. Some fields are also present in container.securityContext. Field
values of container.securityContext take precedence over field values of
PodSecurityContext.
FIELDS:
fsGroup <integer>
A special supplemental group that applies to all containers in a pod. Some
volume types allow the Kubelet to change the ownership of that volume to be
owned by the pod: 1. The owning GID will be the FSGroup 2. The setgid bit
is set (new files created in the volume will be owned by FSGroup) 3. The
permission bits are OR'd with rw-rw---- If unset, the Kubelet will not
modify the ownership and permissions of any volume.
runAsGroup <integer>
The GID to run the entrypoint of the container process. Uses runtime
default if unset. May also be set in SecurityContext. If set in both
SecurityContext and PodSecurityContext, the value specified in
SecurityContext takes precedence for that container.
runAsNonRoot <boolean>
Indicates that the container must run as a non-root user. If true, the
Kubelet will validate the image at runtime to ensure that it does not run
as UID 0 (root) and fail to start the container if it does. If unset or
false, no such validation will be performed. May also be set in
SecurityContext. If set in both SecurityContext and PodSecurityContext, the
value specified in SecurityContext takes precedence.
runAsUser <integer>
The UID to run the entrypoint of the container process. Defaults to user
specified in image metadata if unspecified. May also be set in
SecurityContext. If set in both SecurityContext and PodSecurityContext, the
value specified in SecurityContext takes precedence for that container.
seLinuxOptions <Object>
The SELinux context to be applied to all containers. If unspecified, the
container runtime will allocate a random SELinux context for each
container. May also be set in SecurityContext. If set in both
SecurityContext and PodSecurityContext, the value specified in
SecurityContext takes precedence for that container.
supplementalGroups <[]integer>
A list of groups applied to the first process run in each container, in
addition to the container's primary GID. If unspecified, no groups will be
added to any container.
sysctls <[]Object>
Sysctls hold a list of namespaced sysctls used for the pod. Pods with
unsupported sysctls (by the container runtime) might fail to launch.
windowsOptions <Object>
The Windows specific settings applied to all containers. If unspecified,
the options within a container's SecurityContext will be used. If set in
both SecurityContext and PodSecurityContext, the value specified in
SecurityContext takes precedence.
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl explain pods.spec.securityContext
[root@master200.yinzhengjie.org.cn ~]# kubectl explain pods.spec.containers.securityContext
KIND: Pod
VERSION: v1
RESOURCE: securityContext <Object>
DESCRIPTION:
Security options the pod should run with. More info:
https://kubernetes.io/docs/concepts/policy/security-context/ More info:
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
SecurityContext holds security configuration that will be applied to a
container. Some fields are present in both SecurityContext and
PodSecurityContext. When both are set, the values in SecurityContext take
precedence.
FIELDS:
allowPrivilegeEscalation <boolean>
AllowPrivilegeEscalation controls whether a process can gain more
privileges than its parent process. This bool directly controls if the
no_new_privs flag will be set on the container process.
AllowPrivilegeEscalation is true always when the container is: 1) run as
Privileged 2) has CAP_SYS_ADMIN
capabilities <Object>
The capabilities to add/drop when running containers. Defaults to the
default set of capabilities granted by the container runtime.
privileged <boolean>
Run container in privileged mode. Processes in privileged containers are
essentially equivalent to root on the host. Defaults to false.
procMount <string>
procMount denotes the type of proc mount to use for the containers. The
default is DefaultProcMount which uses the container runtime defaults for
readonly paths and masked paths. This requires the ProcMountType feature
flag to be enabled.
readOnlyRootFilesystem <boolean>
Whether this container has a read-only root filesystem. Default is false.
runAsGroup <integer>
The GID to run the entrypoint of the container process. Uses runtime
default if unset. May also be set in PodSecurityContext. If set in both
SecurityContext and PodSecurityContext, the value specified in
SecurityContext takes precedence.
runAsNonRoot <boolean>
Indicates that the container must run as a non-root user. If true, the
Kubelet will validate the image at runtime to ensure that it does not run
as UID 0 (root) and fail to start the container if it does. If unset or
false, no such validation will be performed. May also be set in
PodSecurityContext. If set in both SecurityContext and PodSecurityContext,
the value specified in SecurityContext takes precedence.
runAsUser <integer>
The UID to run the entrypoint of the container process. Defaults to user
specified in image metadata if unspecified. May also be set in
PodSecurityContext. If set in both SecurityContext and PodSecurityContext,
the value specified in SecurityContext takes precedence.
seLinuxOptions <Object>
The SELinux context to be applied to the container. If unspecified, the
container runtime will allocate a random SELinux context for each
container. May also be set in PodSecurityContext. If set in both
SecurityContext and PodSecurityContext, the value specified in
SecurityContext takes precedence.
windowsOptions <Object>
The Windows specific settings applied to all containers. If unspecified,
the options from the PodSecurityContext will be used. If set in both
SecurityContext and PodSecurityContext, the value specified in
SecurityContext takes precedence.
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl explain pods.spec.containers.securityContext
[root@master200.yinzhengjie.org.cn ~]# kubectl explain pods.spec.containers.securityContext.capabilities
KIND: Pod
VERSION: v1
RESOURCE: capabilities <Object>
DESCRIPTION:
The capabilities to add/drop when running containers. Defaults to the
default set of capabilities granted by the container runtime.
Adds and removes POSIX capabilities from running containers.
FIELDS:
add <[]string>
Added capabilities
drop <[]string>
Removed capabilities
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl explain pods.spec.containers.securityContext.capabilities
八.资源需求及资源限制(容器的计算资源配额)
CPU属于可压缩性资源,即资源额度可按需收缩,而内存(当前)则是不可压缩性资源,对其执行收缩操作可能会导致某种程度的问题。
CPU资源的计算方式:
一个核心相当于1000个微核心,即1=1000m,0.5=500m。
内存资源的计算方式:
默认单位为字节,也可以使用E,P,T,G,M和K后缀单位,或Ei,Pi,Ti,Gi,Mi,Ki形式的单位后缀。
温馨提示:
下面有两个我从互联网上找到两个pod的yaml文件,感兴趣的小伙伴可以测试一下,测试方式如下:
[root@master200.yinzhengjie.org.cn ~]# kubectl apply -f /yinzhengjie/data/k8s/manifests/pod/memleak-pod.yaml
[root@master200.yinzhengjie.org.cn ~]# kubectl describe pods memleak-pod
[root@master200.yinzhengjie.org.cn ~]# kubectl explain pods.spec.containers.resources
KIND: Pod
VERSION: v1
RESOURCE: resources <Object>
DESCRIPTION:
Compute Resources required by this container. Cannot be updated. More info:
https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
ResourceRequirements describes the compute resource requirements.
FIELDS:
limits <map[string]string>
Limits describes the maximum amount of compute resources allowed. More
info:
https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
requests <map[string]string>
Requests describes the minimum amount of compute resources required. If
Requests is omitted for a container, it defaults to Limits if that is
explicitly specified, otherwise to an implementation-defined value. More
info:
https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl explain pods.spec.containers.resources
[root@master200.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/k8s/manifests/pod/memleak-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: memleak-pod
spec:
  containers:
  - name: simmemleak
    # Third-party Docker Hub image with neither tag nor digest; pin the
    # sha256 digest (shown as Image ID in kubectl describe) before reuse.
    image: saadali/simmemleak
    # requests == limits for both cpu and memory -> QoS class Guaranteed.
    # Memory is not compressible: once the leak exceeds the 64Mi limit the
    # container is OOMKilled (exit code 137) and the pod enters
    # CrashLoopBackOff, which is the point of the demo.
    resources:
      requests:
        memory: "64Mi"
        cpu: "1"
      limits:
        memory: "64Mi"
        cpu: "1"
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/k8s/manifests/pod/memleak-pod.yaml
[root@master200.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/k8s/manifests/pod/stress-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: stress-pod
spec:
  containers:
  - name: stress
    # Third-party image with neither tag nor digest; pin before reuse.
    image: ikubernetes/stress-ng
    # NOTE(review): "-c 1" and "-m 1" are each passed as ONE argv element
    # (flag and value joined by a space); whether stress-ng accepts that
    # form is not shown here — split into "-c", "1" / "-m", "1" if it does not.
    command: ["/usr/bin/stress-ng", "-c 1", "-m 1", "--metrics-brief"]
    # requests below limits -> QoS class Burstable. CPU is compressible
    # (usage above 400m is throttled); memory is not (usage above 512Mi
    # gets the container OOM-killed).
    resources:
      requests:
        memory: "128Mi"
        cpu: "200m"
      limits:
        memory: "512Mi"
        cpu: "400m"
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/k8s/manifests/pod/stress-pod.yaml
九.Pod服务质量类别
根据Pod对象的requests和limits属性,kubernetes把Pod对象归类到BestEffort,Burstable和Guaranteed三个服务质量类别(Quality of Service,简称QoS)。
Guaranteed:
每个容器都为CPU资源设置了具有相同值的requests和limits属性,以及每个容器都为内存资源设置了具有相同值的requests和limits属性的pod资源会自动归属此类别,它们具有最高优先级。
Burstable:
至少有一个容器设置了CPU和内存资源的requests属性,但不满足Guaranteed类别要求的pod资源自动归属此类别,它们具有中等优先级。
BestEffort:
未为任何一个容器设置requests或limits属性的pod资源自动归属此类别,它们的优先级为最低级别。
[root@master200.yinzhengjie.org.cn ~]# kubectl explain pods.spec.priorityClassName
KIND: Pod
VERSION: v1
FIELD: priorityClassName <string>
DESCRIPTION:
If specified, indicates the pod's priority. "system-node-critical" and
"system-cluster-critical" are two special keywords which indicate the
highest priorities with the former being the highest priority. Any other
name must be defined by creating a PriorityClass object with that name. If
not specified, the pod priority will be default or zero if there is no
default.
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl explain pods.spec.priorityClassName
[root@master200.yinzhengjie.org.cn ~]# kubectl describe pods memleak-pod
Name: memleak-pod
Namespace: default
Priority: 0
Node: node201.yinzhengjie.org.cn/172.200.1.201
Start Time: Thu, 06 Feb 2020 15:30:42 +0800
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"name":"memleak-pod","namespace":"default"},"spec":{"containers":[{"image":"s...
Status: Running
IP: 10.244.1.12
IPs:
IP: 10.244.1.12
Containers:
simmemleak:
Container ID: docker://58d3a4bb976bf247510d05ae66fdaa4096a3d96cd67a19eb8041cf41f20285ad
Image: saadali/simmemleak
Image ID: docker-pullable://saadali/simmemleak@sha256:5cf58299a7698b0c9779acfed15c8e488314fcb80944550eab5992cdf3193054
Port: <none>
Host Port: <none>
State: Waiting
Reason: CrashLoopBackOff
Last State: Terminated
Reason: OOMKilled
Exit Code: 137
Started: Thu, 06 Feb 2020 15:42:13 +0800
Finished: Thu, 06 Feb 2020 15:42:13 +0800
Ready: False
Restart Count: 7
Limits:
cpu: 1
memory: 64Mi
Requests:
cpu: 1
memory: 64Mi
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from default-token-4jpjf (ro)
Conditions:
Type Status
Initialized True
Ready False
ContainersReady False
PodScheduled True
Volumes:
default-token-4jpjf:
Type: Secret (a volume populated by a Secret)
SecretName: default-token-4jpjf
Optional: false
QoS Class: Guaranteed
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s
node.kubernetes.io/unreachable:NoExecute for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 11m default-scheduler Successfully assigned default/memleak-pod to node201.yinzhengjie.org.cn
Normal Started 11m (x3 over 11m) kubelet, node201.yinzhengjie.org.cn Started container simmemleak
Normal SandboxChanged 11m (x3 over 11m) kubelet, node201.yinzhengjie.org.cn Pod sandbox changed, it will be killed and re-created.
Normal Pulling 10m (x4 over 11m) kubelet, node201.yinzhengjie.org.cn Pulling image "saadali/simmemleak"
Normal Pulled 10m (x4 over 11m) kubelet, node201.yinzhengjie.org.cn Successfully pulled image "saadali/simmemleak"
Normal Created 10m (x4 over 11m) kubelet, node201.yinzhengjie.org.cn Created container simmemleak
Warning BackOff 107s (x56 over 11m) kubelet, node201.yinzhengjie.org.cn Back-off restarting failed container
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl describe pods memleak-pod | grep QoS
QoS Class: Guaranteed
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl describe pods memleak-pod | grep QoS