前言:
etcd基本背景介绍:
etcd是kubernetes集群内的一个基础组件,同时也是比较多的其它集群的官方推荐组件,主要特点如下:
由coreos团队开发并开源的分布式键值存储系统,具备以下特点:
- 简单:提供定义明确且面向用户的API
- 安全:支持SSL证书验证
- 性能:基准压测支持1w+/sec写入
- 可靠:采用Raft协议保证分布式系统数据的可用性和一致性
这里要着重强调一哈 :开源@!!!!!!!!!!!!可靠!!!!
同类型的键值对存储系统还有zookeeper,console(go语言编写的,其实也适合kubernetes的,但没有进入官方推荐,重要提示:Consul 所在的 HashiCorp 公司宣布,不允许中国境内使用该公司旗下的产品和软件。 不过也幸好没进入过kubernetes官方推荐)等等。
一,
etcd数据库的环境变量配置:
为了简化etcd的增删改查操作,需要配置一哈环境变量,本例以配置了ssl的etcd集群为例。
etcd集群的配置文件:
可以看到,该etcd集群是三个节点的集群,这个是其中一个节点的配置文件,因此,其它节点name是etcd-2,etcd-3
[root@master ~]# cat /opt/etcd/cfg/etcd.conf #[Member] ETCD_NAME="etcd-1" ETCD_DATA_DIR="/var/lib/etcd/default.etcd" ETCD_LISTEN_PEER_URLS="https://192.168.217.16:2380" ETCD_LISTEN_CLIENT_URLS="https://192.168.217.16:2379" #[Clustering] ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.217.16:2380" ETCD_ADVERTISE_CLIENT_URLS="https://192.168.217.16:2379" ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.217.16:2380,etcd-2=https://192.168.217.17:2380,etcd-3=https://192.168.217.18:2380" ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster" ETCD_INITIAL_CLUSTER_STATE="new"
启动脚本:
主要是稍后会使用到证书存放路径
[root@master ~]# cat /usr/lib/systemd/system/etcd.service [Unit] Description=Etcd Server After=network.target After=network-online.target Wants=network-online.target [Service] Type=notify EnvironmentFile=/opt/etcd/cfg/etcd.conf ExecStart=/opt/etcd/bin/etcd \ --name=${ETCD_NAME} \ --data-dir=${ETCD_DATA_DIR} \ --listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \ --listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \ --advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \ --initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \ --initial-cluster=${ETCD_INITIAL_CLUSTER} \ --initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \ --initial-cluster-state=new \ --cert-file=/opt/etcd/ssl/server.pem \ --key-file=/opt/etcd/ssl/server-key.pem \ --peer-cert-file=/opt/etcd/ssl/server.pem \ --peer-key-file=/opt/etcd/ssl/server-key.pem \ --trusted-ca-file=/opt/etcd/ssl/ca.pem \ --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem Restart=on-failure LimitNOFILE=65536 [Install] WantedBy=multi-user.target
根据以上配置文件,写入如下变量到 /etc/profile 文件内
vim /etc/profile
做了一个别名命令,名字为etcd_search,将相关证书和etcd的客户端做了相关绑定
export ETCDCTL_API=3 alias etcd_search=/opt/etcd/bin/etcdctl --endpoints=192.168.217.16 \ --cert=/opt/etcd/ssl/server.pem \ --key=/opt/etcd/ssl/server-key.pem \ --cacert=/opt/etcd/ssl/ca.pem
激活变量:
source /etc/profile
二,
etcd状态查询
[root@master ~]# etcd_search member list -w table +------------------+---------+--------+-----------------------------+-----------------------------+ | ID | STATUS | NAME | PEER ADDRS | CLIENT ADDRS | +------------------+---------+--------+-----------------------------+-----------------------------+ | 1a58a86408898c44 | started | etcd-1 | https://192.168.217.16:2380 | https://192.168.217.16:2379 | | 67146ac2958941d0 | started | etcd-2 | https://192.168.217.17:2380 | https://192.168.217.17:2379 | | e078026890aff6e3 | started | etcd-3 | https://192.168.217.18:2380 | https://192.168.217.18:2379 | +------------------+---------+--------+-----------------------------+-----------------------------+
etcd健康查询(其实有上面那一个就可以了,都是started状态了嘛):
[root@master ~]# etcd_search endpoint health -w table 127.0.0.1:2379 is healthy: successfully committed proposal: took = 2.981431ms
kubernetes集群有哪几个节点查询(简略信息):
[root@master ~]# etcd_search get /registry/minions/ --prefix --keys-only /registry/minions/k8s-master /registry/minions/k8s-node1 /registry/minions/k8s-node2
kubernetes集群状态查询(详细信息):
看到这些不要慌,都是使用base64加密过的信息,解一哈密就可以了,例如:
[root@master ~]# echo "L3JlZ2lzdHJ5L21pbmlvbnMvazhzLW1hc3Rlcg==" |base64 -d /registry/minions/k8s-master
查询规则:
查询某个key的值,–keys-only=false表示要给出value,该参数默认值即为false,,如果要查询不包括values, –keys-only=true即可,所以该参数可以不出现,-w=json表示输出json格式。 python -m json.tool 表示使用python的内置模块json.tool 处理一哈数据
[root@master ~]# etcd_search get /registry/minions/ --prefix --keys-only -w json | python -m json.tool { "count": 3, "header": { "cluster_id": 16483616014024957692, "member_id": 1898452390530092100, "raft_term": 12, "revision": 719002 }, "kvs": [ { "create_revision": 13103, "key": "L3JlZ2lzdHJ5L21pbmlvbnMvazhzLW1hc3Rlcg==", "mod_revision": 718962, "version": 4016 }, { "create_revision": 48118, "key": "L3JlZ2lzdHJ5L21pbmlvbnMvazhzLW5vZGUx", "mod_revision": 718963, "version": 1077 }, { "create_revision": 48351, "key": "L3JlZ2lzdHJ5L21pbmlvbnMvazhzLW5vZGUy", "mod_revision": 718961, "version": 1083 } ] }
查询kubernetes的default 命名空间:
查询一哈default这个命名空间内的详情
[root@master ~]# etcd_search get /registry/namespaces/default --prefix --keys-only=false -w=json | python -m json.tool { "count": 1, "header": { "cluster_id": 16483616014024957692, "member_id": 1898452390530092100, "raft_term": 12, "revision": 718975 }, "kvs": [ { "create_revision": 148, "key": "L3JlZ2lzdHJ5L25hbWVzcGFjZXMvZGVmYXVsdA==", "mod_revision": 148, "value": "azhzAAoPCgJ2MRIJTmFtZXNwYWNlErIBCpcBCgdkZWZhdWx0EgAaACIAKiQ1ODlhYWQ1My00YTM4LTQ4OWMtODE0NS04ODA1ODc4MDhjZDIyADgAQggI7+OlmAYQAHoAigFPCg5rdWJlLWFwaXNlcnZlchIGVXBkYXRlGgJ2MSIICO/jpZgGEAAyCEZpZWxkc1YxOh0KG3siZjpzdGF0dXMiOnsiZjpwaGFzZSI6e319fRIMCgprdWJlcm5ldGVzGggKBkFjdGl2ZRoAIgA=", "version": 1 } ] }
解一哈密:
[root@master ~]# echo "azhzAAoPCgJ2MRIJTmFtZXNwYWNlErIBCpcBCgdkZWZhdWx0EgAaACIAKiQ1ODlhYWQ1My00YTM4LTQ4OWMtODE0NS04ODA1ODc4MDhjZDIyADgAQggI7+OlmAYQAHoAigFPCg5rdWJlLWFwaXNlcnZlchIGVXBkYXRlGgJ2MSIICO/jpZgGEAAyCEZpZWxkc1YxOh0KG3siZjpzdGF0dXMiOnsiZjpwaGFzZSI6e319fRIMCgprdWJlcm5ldGVzGggKBkFjdGl2ZRoAIgA=" |base64 -d k8s v1 Namespace² default"*$589aad53-4a38-489c-8145-880587808cd22ࣥzO kube-apiserverUpdatevࣥFieldsV1: "f:status":{"f:phase":{}}} kubernetes
查询一哈kube-system这个命名空间内有哪些使用deployment方式部署的pod:
[root@master ~]# etcd_search get /registry/deployments/kube-system --prefix --keys-only /registry/deployments/kube-system/calico-kube-controllers /registry/deployments/kube-system/coredns
查询一哈kube-system这个命名空间内有哪些pods(总共有五个):
[root@master ~]# etcd_search get /registry/pods/kube-system --prefix --keys-only /registry/pods/kube-system/calico-kube-controllers-57546b46d6-6jwqp /registry/pods/kube-system/calico-node-88pxp /registry/pods/kube-system/calico-node-m5vnd /registry/pods/kube-system/calico-node-wlmk5 /registry/pods/kube-system/coredns-76648cbfc9-87fc7
以上的key和values都以base64编码了,如果想查看key的值可以执行如下命令。有些value的值包含二进制,不易解开。
插个题外话:
总的来说,etcd这么做也是为了一定的安全哈,虽然并没什么卵用。so,如果有人破解了你的kubernetes集群,进入了系统,通过etcd会非常快的搞定你的kubernetes集群,为什么呢?多少个节点,节点什么情况,有哪些pod,然后hacker可以把自己想安装的pod交由etcd注册然后就可以提权运行等等操作啦。
查询apiserver的详情,包括服务建立时间,服务状态等信息(很明显,我的kubernetes是8月27建立的,目前kube-apiserver 是正常的):
[root@master ~]# etcd_search get /registry/apiregistration.k8s.io/apiservices/v1.apiextensions.k8s.io /registry/apiregistration.k8s.io/apiservices/v1.apiextensions.k8s.io {"kind":"APIService","apiVersion":"apiregistration.k8s.io/v1beta1","metadata":{"name":"v1.apiextensions.k8s.io","uid":"2efbefbf-ee03-4512-bea5-382d365ac03e","creationTimestamp":"2022-08-27T01:22:53Z","labels":{"kube-aggregator.kubernetes.io/automanaged":"onstart"}},"spec":{"group":"apiextensions.k8s.io","version":"v1","groupPriorityMinimum":16700,"versionPriority":15},"status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2022-08-27T01:22:53Z","reason":"Local","message":"Local APIServices are always available"}]}}
OK,以上是查询,下面来个增删改。
二,
etcd数据库增加:
[root@master ~]# etcd_search put wo "zsk_json" OK [root@master ~]# etcd_search get wo wo zsk_json [root@master ~]# etcd_search put web1 dev1 OK [root@master ~]# etcd_search put web2 dev2 OK [root@master ~]# etcd_search put web3 dev3 OK [root@master ~]# etcd_search get web --prefix web1 dev1 web2 dev2 web3 dev3
三,
删除以上刚建立的哈(删除后,再次查询没有了哈):
[root@master ~]# etcd_search del web --prefix 3 [root@master ~]# etcd_search get web --prefix [root@master ~]# etcd_search del wo 1 [root@master ~]# etcd_search get wo
删除kubernetes集群的节点:
[root@master ~]# k get no NAME STATUS ROLES AGE VERSION k8s-master Ready <none> 32d v1.18.3 k8s-node1 Ready <none> 32d v1.18.3 k8s-node2 Ready <none> 32d v1.18.3 [root@master ~]# etcd_search del /registry/minions/k8s-node2 1 [root@master ~]# k get no NAME STATUS ROLES AGE VERSION k8s-master Ready <none> 32d v1.18.3 k8s-node1 Ready <none> 32d v1.18.3
按照我上一篇的博客恢复哈etcd集群就好啦。
