1. Deploying and running a container application
1.1. Log in to the TKC cluster
jianhua@napp:~/tkc$ kubectl vsphere login --server=192.168.203.194 \
--tanzu-kubernetes-cluster-name tkc-dev-cluster \
--tanzu-kubernetes-cluster-namespace tkc-01 \
--vsphere-username [email protected] \
--insecure-skip-tls-verify
KUBECTL_VSPHERE_PASSWORD environment variable is not set. Please enter the password below
Password:
Logged in successfully.
You have access to the following contexts:
192.168.203.194
tkc-01
tkc-dev-cluster
If the context you wish to use is not in this list, you may need to try
logging in again later, or contact your cluster administrator.
To change context, use `kubectl config use-context <workload name>`
jianhua@napp:~/tkc$
jianhua@napp:~/tkc$ kubectl config use-context tkc-dev-cluster
Switched to context "tkc-dev-cluster".
jianhua@napp:~/tkc$
1.2. Configuration required before running containers
Without the configuration below, running a container fails with the following error (the restricted Pod Security profile rejects the pod):
jianhua@napp:~/tkc$ kubectl run nginx --image=nginx:latest
Error from server (Forbidden): pods "nginx" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
jianhua@napp:~/tkc$
1.2.1. Pod Security configuration
jianhua@napp:~/tkc$ kubectl label --overwrite ns default pod-security.kubernetes.io/enforce=privileged
namespace/default labeled
jianhua@napp:~/tkc$
1.2.2. RoleBinding configuration
jianhua@napp:~/tkc$ cat rolebindings-default-namespace.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rolebinding-default-privileged-sa-ns_default
  namespace: default
roleRef:
  kind: ClusterRole
  name: psp:vmware-system-privileged
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts
jianhua@napp:~/tkc$
- Applying the configuration
jianhua@napp:~/tkc$ kubectl apply -f rolebindings-default-namespace.yaml
rolebinding.rbac.authorization.k8s.io/rolebinding-default-privileged-sa-ns_default created
jianhua@napp:~/tkc$ kubectl get rolebindings
NAME ROLE AGE
rolebinding-default-privileged-sa-ns_default ClusterRole/psp:vmware-system-privileged 7s
jianhua@napp:~/tkc$
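The admission error in 1.2 spells out exactly what the restricted profile requires: allowPrivilegeEscalation=false, capabilities.drop=["ALL"], runAsNonRoot=true and a seccompProfile of RuntimeDefault or Localhost. Relabeling the namespace as privileged (1.2.1) and binding psp:vmware-system-privileged to every service account in it (1.2.2) removes those checks for all pods in the namespace. The alternative, when the image can run as non-root, is to write a pod that satisfies the four fields. The following Python script is an added example, not part of the original notes: it re-implements those four checks from the error message over a pod manifest, and builds a compliant manifest as JSON, which kubectl apply -f accepts. The image name, UID 1000 and the script file name are assumptions.

```python
import json
import sys
from typing import Any, Dict, List

# The four rules the "restricted" profile enforced in the error message of 1.2.
SECCOMP_ALLOWED = {"RuntimeDefault", "Localhost"}


def _containers(pod: Dict[str, Any]) -> List[Dict[str, Any]]:
    """All containers of a pod, init containers included (they are checked too)."""
    spec = pod.get("spec", {})
    return list(spec.get("containers", [])) + list(spec.get("initContainers", []))


def restricted_violations(pod: Dict[str, Any]) -> List[str]:
    """Return human-readable violations of the restricted profile, empty if compliant.

    runAsNonRoot and seccompProfile may be set at pod level ("pod or container"
    in the admission message); a container-level value overrides the pod value.
    """
    pod_sc = pod.get("spec", {}).get("securityContext") or {}
    problems: List[str] = []
    for c in _containers(pod):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f'container "{name}" must set securityContext.allowPrivilegeEscalation=false')
        drop = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in drop:
            problems.append(f'container "{name}" must set securityContext.capabilities.drop=["ALL"]')
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f'pod or container "{name}" must set securityContext.runAsNonRoot=true')
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if seccomp.get("type") not in SECCOMP_ALLOWED:
            problems.append(f'pod or container "{name}" must set securityContext.seccompProfile.type '
                            'to "RuntimeDefault" or "Localhost"')
    return problems


def restricted_pod(name: str, image: str, uid: int = 1000) -> Dict[str, Any]:
    """Build a minimal pod manifest that passes the four checks above.

    The image itself must be able to run as non-root; the official nginx image
    defaults to root, so a rootless image like the one used in 1.3 is assumed.
    """
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name, "labels": {"run": name}},
        "spec": {
            "securityContext": {
                "runAsNonRoot": True,
                "runAsUser": uid,  # assumed UID; must match a non-root user in the image
                "seccompProfile": {"type": "RuntimeDefault"},
            },
            "containers": [{
                "name": name,
                "image": image,
                "securityContext": {
                    "allowPrivilegeEscalation": False,
                    "capabilities": {"drop": ["ALL"]},
                },
            }],
        },
    }


# What `kubectl run nginx --image=nginx:latest` submits: no securityContext at all.
BARE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx"},
            "spec": {"containers": [{"name": "nginx", "image": "nginx:latest"}]}}

if __name__ == "__main__":
    # Violations go to stderr so stdout stays a clean manifest:
    #   python3 restricted_pod.py > nginx.json && kubectl apply -f nginx.json
    for problem in restricted_violations(BARE_POD):
        print("violation:", problem, file=sys.stderr)
    print(json.dumps(restricted_pod("nginx", "quay.io/jitesoft/nginx"), indent=2))
```

Running restricted_violations over the bare pod reproduces the four complaints from the admission error; running it over the manifest from restricted_pod returns none, so that manifest can be applied in a namespace that keeps pod-security.kubernetes.io/enforce=restricted instead of the privileged label set in 1.2.1.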
1.3. Running a container
- Run the container
jianhua@napp:~/tkc$ kubectl run nginx --image=quay.io/jitesoft/nginx
pod/nginx created
jianhua@napp:~/tkc$ kubectl get pod
NAME READY STATUS RESTARTS AGE
nginx 0/1 ContainerCreating 0 1s
jianhua@napp:~/tkc$
jianhua@napp:~/tkc$ kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx 1/1 Running 0 62s 172.20.18.2 tkc-dev-cluster-tck-dev-worker-zt5ls-779c467dd4xwbb9p-kl9tx <none> <none>
jianhua@napp:~/tkc$
- Expose the port externally
jianhua@napp:~$ kubectl expose pod nginx --port=80 --target-port=80 --type=LoadBalancer --name=nginx-svc
service/nginx-svc exposed
jianhua@napp:~$ kubectl get svc -o wide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
kubernetes ClusterIP 172.20.0.1 <none> 443/TCP 19h <none>
nginx-svc LoadBalancer 172.20.10.50 <pending> 80:32720/TCP 2s run=nginx
supervisor ClusterIP None <none> 6443/TCP 19h <none>
jianhua@napp:~$ kubectl get svc -o wide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
kubernetes ClusterIP 172.20.0.1 <none> 443/TCP 19h <none>
nginx-svc LoadBalancer 172.20.10.50 192.168.203.196 80:32720/TCP 8s run=nginx
supervisor ClusterIP None <none> 6443/TCP 19h <none>
jianhua@napp:~$