16、Deployment编排运行wordpress、jpress
要求:把nginx或wordpress都做成多实例,测试滚动更新过程,验证更新过程中,服务是否中断;并写出验证报告
#基于上边部署的wordpress资源修改为deployment资源:
[root@k8s-master01 ~]#vim deploy-wordpress.yaml
# WordPress as a Deployment (converted from the earlier Pod resource):
# one replica, DB connection settings taken from the mysql-secret Secret,
# document root on the NFS-backed PVC so content survives Pod replacement.
apiVersion: apps/v1
kind: Deployment
metadata:
  # no-op on create: the API server assigns the real creationTimestamp
  creationTimestamp: null
  labels:
    app: wordpress
  name: deploy-wordpress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wordpress          # must equal template.metadata.labels below
  template:
    metadata:
      labels:
        app: wordpress
    spec:
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/gtsre/wordpress:6.0.2
        name: wordpress
        env:
        # only the host name is inline; user/db/password are read from the
        # Secret so they never appear in this manifest
        - name: WORDPRESS_DB_HOST
          value: mysql-external   # presumably the Service fronting MySQL from an earlier step — verify
        - name: WORDPRESS_DB_NAME
          valueFrom:
            secretKeyRef:
              name: mysql-secret
              key: db.name
        - name: WORDPRESS_DB_USER
          valueFrom:
            secretKeyRef:
              name: mysql-secret
              key: db.user.name
        - name: WORDPRESS_DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysql-secret
              key: db.user.passwd
        volumeMounts:
        - name: wordpress-nfs
          mountPath: /var/www/html   # WordPress document root
        ports:
        - containerPort: 80
      volumes:
      - name: wordpress-nfs
        persistentVolumeClaim:
          claimName: nfs-csi-wordpress-pvc   # PVC created in an earlier step (not shown here)
#更新:
[root@k8s-master01 ~]#vim deploy-wordpress.yaml
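# Updated WordPress Deployment: 3 replicas, new image, explicit rolling-update
# budget. Apply with `kubectl apply -f` and watch the rollout with
# `kubectl get pod -w` / `kubectl rollout status deployment/deploy-wordpress`.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    # recorded as CHANGE-CAUSE in `kubectl rollout history` (was <none>)
    kubernetes.io/change-cause: "wordpress 6.0.2 -> 6.1.0-php7.4-apache, replicas 1 -> 3"
  creationTimestamp: null
  labels:
    app: wordpress
  name: deploy-wordpress
spec:
  replicas: 3
  selector:
    matchLabels:
      app: wordpress          # must equal template.metadata.labels below
  strategy:
    type: RollingUpdate       # the default, stated explicitly
    rollingUpdate:
      maxSurge: 1             # at most 1 Pod above `replicas` while rolling
      maxUnavailable: 1       # at most 1 Pod below `replicas` while rolling
  template:
    metadata:
      labels:
        app: wordpress
    spec:
      containers:
      - image: registry.cn-zhangjiakou.aliyuncs.com/dy-dockerfile/wordpress:6.1.0-php7.4-apache
        # - image: registry.cn-hangzhou.aliyuncs.com/gtsre/wordpress:6.0.2   # previous image; re-apply with it to roll back
        name: wordpress
        env:
        # only the host name is inline; user/db/password are read from the
        # Secret so they never appear in this manifest
        - name: WORDPRESS_DB_HOST
          value: mysql-external
        - name: WORDPRESS_DB_NAME
          valueFrom:
            secretKeyRef:
              name: mysql-secret
              key: db.name
        - name: WORDPRESS_DB_USER
          valueFrom:
            secretKeyRef:
              name: mysql-secret
              key: db.user.name
        - name: WORDPRESS_DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysql-secret
              key: db.user.passwd
        volumeMounts:
        - name: wordpress-nfs
          mountPath: /var/www/html   # WordPress document root
        ports:
        - containerPort: 80
        # Without a readiness probe a new Pod counts as Ready as soon as its
        # container process starts, so the Service routes requests to it
        # before Apache is listening and the rollout counts it as available
        # immediately — that is exactly how a "rolling" update still drops
        # requests. With the probe, a Pod only receives traffic (and only
        # lets the rollout proceed) once it answers HTTP on port 80; a Pod
        # that cannot reach the DB fails the probe and stays out of rotation.
        readinessProbe:
          httpGet:
            path: /
            port: 80
          initialDelaySeconds: 5
          periodSeconds: 5
      volumes:
      - name: wordpress-nfs
        persistentVolumeClaim:
          claimName: nfs-csi-wordpress-pvc   # PVC created in an earlier step (not shown here)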
[root@k8s-master01 ~]#kubectl apply -f deploy-wordpress.yaml
[root@k8s-master01 ~]#kubectl get pod -w
NAME READY STATUS RESTARTS AGE
deploy-wordpress-649756b96d-wjt5l 1/1 Running 0 109m
deploy-wordpress-68bd846ccb-5nmkd 0/1 ContainerCreating 0 15s
deploy-wordpress-68bd846ccb-ppc6w 1/1 Running 0 20s
deploy-wordpress-68bd846ccb-vnnwb 0/1 ContainerCreating 0 20s
jpress 1/1 Running 0 3h13m
nginx-jpress 1/1 Running 0 174m
deploy-wordpress-68bd846ccb-5nmkd 1/1 Running 0 51s
deploy-wordpress-68bd846ccb-vnnwb 1/1 Running 0 56s
deploy-wordpress-649756b96d-wjt5l 1/1 Terminating 0 109m
deploy-wordpress-649756b96d-wjt5l 1/1 Terminating 0 109m
deploy-wordpress-649756b96d-wjt5l 0/1 Terminating 0 109m
deploy-wordpress-649756b96d-wjt5l 0/1 Terminating 0 109m
deploy-wordpress-649756b96d-wjt5l 0/1 Terminating 0 109m
#回滚:
[root@k8s-master01 ~]#kubectl rollout history deployment
deployment.apps/deploy-wordpress
REVISION CHANGE-CAUSE
1 <none>
2 <none>
#方法1:修改yaml文件为原来的镜像,应用yaml
[root@k8s-master01 ~]#kubectl apply -f deploy-wordpress.yaml
deployment.apps/deploy-wordpress configured
[root@k8s-master01 ~]#kubectl get pod -w
NAME READY STATUS RESTARTS AGE
deploy-wordpress-649756b96d-fks4f 1/1 Running 0 6s
deploy-wordpress-649756b96d-hl6vz 1/1 Running 0 6s
deploy-wordpress-649756b96d-jtdwk 0/1 ContainerCreating 0 3s
deploy-wordpress-68bd846ccb-zc578 1/1 Terminating 0 2m3s
jpress 1/1 Running 0 3h23m
nginx-jpress 1/1 Running 0 3h4m
deploy-wordpress-649756b96d-jtdwk 1/1 Running 0 4s
deploy-wordpress-68bd846ccb-zc578 0/1 Terminating 0 2m4s
deploy-wordpress-68bd846ccb-zc578 0/1 Terminating 0 2m4s
deploy-wordpress-68bd846ccb-zc578 0/1 Terminating 0 2m4s
#方法2:通过更新历史回滚:
[root@k8s-master01 ~]#kubectl rollout history deployment
deployment.apps/deploy-wordpress
REVISION CHANGE-CAUSE
1 <none>
2 <none>
[root@k8s-master01 ~]#kubectl rollout undo deployment deploy-wordpress --to-revision=0
deployment.apps/deploy-wordpress rolled back
#总结:
deployment滚动更新的默认策略是:可以多出1个副本(或25%),允许1个pod不在线(25%),先多出一个副本,再减少两个副本,业务不会中断,不影响客户访问
17、修改mysql为基于statefulset编排单实例运行的MySQL
#创建sc资源:
[root@k8s-master01 ~]#vim mydb-sc.yaml
# StorageClass for the MySQL StatefulSet: dynamically provisioned NFS
# volumes through the NFS CSI driver.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: nfs-csi-mydb
provisioner: nfs.csi.k8s.io
parameters:
  server: 192.168.100.207    # NFS server; the export below must exist and be reachable from every node
  share: /data/mydb
reclaimPolicy: Retain         # deleting a PVC keeps the PV and the data on the share (manual cleanup)
volumeBindingMode: Immediate  # provision as soon as the PVC is created, not at first Pod scheduling
mountOptions:
- hard
- nfsvers=4.1
#创建secret资源:
[root@k8s-master01 ~]#vim mydb-secret.yaml
# Credentials consumed by the MySQL StatefulSet via secretKeyRef.
# `data` values are base64-encoded, not encrypted: anyone allowed to read
# Secrets in this namespace can decode them, so keep RBAC on secrets tight
# and do not commit this file to a repository as-is.
apiVersion: v1
data:
  db.name: d29yZHByZXNz
  db.root.pass: MTIzNDU2
  db.user: d29yZHByZXNz
  db.user.pass: MTIzNDU2
kind: Secret
metadata:
  creationTimestamp: null     # no-op on create; the API server sets the real value
  name: mydb-secret           # name referenced by the StatefulSet's secretKeyRef entries
#创建statefulset资源:
[root@k8s-master01 ~]#vim mydb-statefulset.yaml
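# Headless Service for the StatefulSet: gives each Pod a stable DNS name
# (<pod>.mysql-statefulset.default.svc) instead of a load-balanced VIP.
apiVersion: v1
kind: Service
metadata:
  name: mysql-statefulset
  namespace: default
spec:
  clusterIP: None
  ports:
  - port: 3306
    name: mysql
  selector:
    # Fix: the original selector was `app: statefulset-mysql`, which does
    # not match the Pod label `app: mysql-statefulset` below — the Service
    # therefore had no endpoints and the per-Pod DNS names did not resolve.
    app: mysql-statefulset
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: statefulset-mysql
spec:
  serviceName: mysql-statefulset   # must be the headless Service above
  # NOTE(review): the task asks for a single instance; 2 yields two
  # independent MySQL servers (no replication is configured here), each
  # with its own PVC.
  replicas: 2
  selector:
    matchLabels:
      app: mysql-statefulset       # must equal template.metadata.labels below
  template:
    metadata:
      labels:
        app: mysql-statefulset
    spec:
      containers:
      - name: mydb-state
        image: mysql:8.0
        imagePullPolicy: IfNotPresent
        env:
        # every credential is read from mydb-secret (keys created in the
        # previous step); nothing sensitive is inlined in this manifest
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mydb-secret
              key: db.root.pass
        - name: MYSQL_DATABASE
          valueFrom:
            secretKeyRef:
              name: mydb-secret
              key: db.name
        - name: MYSQL_USER
          valueFrom:
            secretKeyRef:
              name: mydb-secret
              key: db.user
        - name: MYSQL_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mydb-secret
              key: db.user.pass
        ports:
        - containerPort: 3306
          name: mysql
        volumeMounts:
        - name: mysql-data
          mountPath: /var/lib/mysql
  # One PVC per Pod (mysql-data-statefulset-mysql-0, -1), provisioned from
  # the nfs-csi-mydb StorageClass. PVCs are not deleted with the StatefulSet,
  # so data persists across re-creation.
  volumeClaimTemplates:
  - metadata:
      name: mysql-data
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "nfs-csi-mydb"
      resources:
        requests:
          storage: 2Gi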
[root@k8s-master01 ~]#kubectl get pod
NAME READY STATUS RESTARTS AGE
statefulset-mysql-0 1/1 Running 0 18m
statefulset-mysql-1 1/1 Running 0 18m
18、基于Strimzi Operator部署一个Kafka集群,并测试消息的收发
#创建kafka名称空间
[root@k8s-master01 ~]# kubectl create namespace kafka
namespace/kafka created
#安装strimzi相关资源(此处直接应用 strimzi.io 的 latest 安装清单,未固定版本;生产环境应固定版本并先审阅所应用的清单)
[root@k8s-master01 ~]#kubectl create -f 'https://strimzi.io/install/latest?namespace=kafka' -n kafka
[root@k8s-master01 ~]#kubectl api-resources --api-group=kafka.strimzi.io
NAME SHORTNAMES APIVERSION NAMESPACED KIND
kafkabridges kb kafka.strimzi.io/v1beta2 true KafkaBridge
kafkaconnectors kctr kafka.strimzi.io/v1beta2 true KafkaConnector
kafkaconnects kc kafka.strimzi.io/v1beta2 true KafkaConnect
kafkamirrormaker2s kmm2 kafka.strimzi.io/v1beta2 true KafkaMirrorMaker2
kafkamirrormakers kmm kafka.strimzi.io/v1beta2 true KafkaMirrorMaker
kafkarebalances kr kafka.strimzi.io/v1beta2 true KafkaRebalance
kafkas k kafka.strimzi.io/v1beta2 true Kafka
kafkatopics kt kafka.strimzi.io/v1beta2 true KafkaTopic
kafkausers ku kafka.strimzi.io/v1beta2 true KafkaUser
#配置kafka集群(kafka和zookeeper各一个集群)
[root@k8s-master01 ~]#kubectl apply -f https://strimzi.io/examples/latest/kafka/kafka-ephemeral.yaml -n kafka
[root@k8s-master01 ~]#kubectl get pods -n kafka
NAME READY STATUS RESTARTS AGE
my-cluster-kafka-0 1/1 Running 0 34s
my-cluster-kafka-1 1/1 Running 0 33s
my-cluster-kafka-2 1/1 Running 0 33s
my-cluster-zookeeper-0 1/1 Running 0 2m31s
my-cluster-zookeeper-1 1/1 Running 0 2m31s
my-cluster-zookeeper-2 1/1 Running 0 2m31s
strimzi-cluster-operator-56d64c8584-d9qq6 1/1 Running 0 16m
#测试发送消息:
[root@k8s-master01 ~]#kubectl -n kafka run kafka-producer -ti --image=quay.io/strimzi/kafka:0.32.0-kafka-3.3.1 --rm=true --restart=Never -- bin/kafka-console-producer.sh --bootstrap-server my-cluster-kafka-bootstrap:9092 --topic my-topic
If you don't see a command prompt, try pressing enter.
>
>>>>>>>
>hahaha
>whatareyoudoing
>iamproducer
>
#再开一个终端,测试接收消息:
[root@k8s-master01 ~]#kubectl -n kafka run kafka-consumer -ti --image=quay.io/strimzi/kafka:0.32.0-kafka-3.3.1 --rm=true --restart=Never -- bin/kafka-console-consumer.sh --bootstrap-server my-cluster-kafka-bootstrap:9092 --topic my-topic --from-beginning
If you don't see a command prompt, try pressing enter.
hahaha
whatareyoudoing
iamproducer
19、(未完成)结合搜索引擎,尝试使用statefulset编排一个读写分离的MySQL集群
20、(未完成)结合搜索引擎,尝试使用Operator部署一个MySQL Cluster; 并将Wordpress的数据存储于该Cluster之上
#创建CRD自定义资源
[root@k8s-master01 ~]# kubectl apply -f https://raw.githubusercontent.com/mysql/mysql-operator/trunk/deploy/deploy-crds.yaml
#部署MySQL Operator(CRD 与 Operator 清单均取自 GitHub 仓库的 trunk 分支,未固定版本):
[root@k8s-master01 ~]# kubectl apply -f https://raw.githubusercontent.com/mysql/mysql-operator/trunk/deploy/deploy-operator.yaml
[root@k8s-master01 ~]#kubectl get deploy -n mysql-operator mysql-operator
NAME READY UP-TO-DATE AVAILABLE AGE
mysql-operator 0/1 1 0 27s
#创建集群根用户管理密钥
[root@k8s-master01 ~]#kubectl create secret generic mypwds \
--from-literal=rootUser=root \
--from-literal=rootHost=% \
--from-literal=rootPassword="123456"
[root@k8s-master01 ~]#kubectl get secrets
NAME TYPE DATA AGE
mypwds Opaque 3 69s
#创建引用密钥资源
[root@k8s-master01 ~]#vim mycluster.yaml
# MySQL InnoDB Cluster managed by the MySQL Operator (group-replicated
# MySQL servers fronted by MySQL Router).
apiVersion: mysql.oracle.com/v2
kind: InnoDBCluster
metadata:
  name: mycluster
spec:
  secretName: mypwds          # Secret with rootUser / rootHost / rootPassword created above
  tlsUseSelfSigned: true      # operator generates self-signed certs: fine for a lab, clients cannot verify the server identity
  instances: 3                # MySQL server Pods mycluster-0..2
  router:
    instances: 1
  # NOTE(review): the Pods stay Pending in the output below — presumably a
  # PVC/StorageClass or scheduling problem; check `kubectl describe pod mycluster-0`
[root@k8s-master01 ~]#kubectl apply -f mycluster.yaml
innodbcluster.mysql.oracle.com/mycluster created
[root@k8s-master01 ~]#kubectl get innodbclusters
NAME STATUS ONLINE INSTANCES ROUTERS AGE
mycluster PENDING 0 3 1 8m38s
[root@k8s-master01 ~]#kubectl get pod
NAME READY STATUS RESTARTS AGE
mycluster-0 0/2 Pending 0 7m47s
mycluster-1 0/2 Pending 0 7m47s
mycluster-2 0/2 Pending 0 7m47s
21、基于静态令牌认证,添加三个用户; 并验证能成功完成认证
#生成token
[root@k8s-master01 ~]#echo "$(openssl rand -hex 3).$(openssl rand -hex 8)"
bba408.e310e46deacc44c3
[root@k8s-master01 ~]#echo "$(openssl rand -hex 3).$(openssl rand -hex 8)"
a04c07.ebeb268325db8923
[root@k8s-master01 ~]#echo "$(openssl rand -hex 3).$(openssl rand -hex 8)"
39cc3f.5427d0c515b685ab
#生成static token文件
[root@k8s-master01 ~]#cd /etc/kubernetes/
[root@k8s-master01 kubernetes]#mkdir auth
[root@k8s-master01 kubernetes]#cd auth/
[root@k8s-master01 auth]#vim token.csv
bba408.e310e46deacc44c3,dayu,0001,kuberadmin
a04c07.ebeb268325db8923,eryou,0002,kuberuser
39cc3f.5427d0c515b685ab,youzi,0003,kuberuser
#配置kube-apiserver加载该静态令牌文件以启用相应的认证功能(静态令牌文件中令牌为明文且长期有效;令牌列表变更后需重启 kube-apiserver 才生效)
[root@k8s-master01 ~]#vim /etc/kubernetes/manifests/kube-apiserver.yaml
......
- --token-auth-file=/etc/kubernetes/auth/token.csv
......
- mountPath: /etc/kubernetes/auth
name: static-auth-token
readOnly: true
......
- hostPath:
path: /etc/kubernetes/auth
type: DirectoryOrCreate
name: static-auth-token
......
[root@DY-kuber-011 ~]#curl -k -H "Authorization: Bearer 39cc3f.5427d0c515b685ab" https://192.168.100.03:6443/api/v1/namespaces/default/pods
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "pods is forbidden: User \"youzi\" cannot list resource \"pods\" in API group \"\" in the namespace \"default\"",
"reason": "Forbidden",
"details": {
"kind": "pods"
},
"code": 403
[root@k8s-node01 ~]#kubectl -s https://192.168.100.203:6443 --token="bba408.e310e46deacc44c3" --insecure-skip-tls-verify=true get pods -n default
Error from server (Forbidden): pods is forbidden: User "dayu" cannot list resource "pods" in API group "" in the namespace "default"
22、基于数字证书认证,添加一个用户,并验证能成功完成认证
[root@k8s-master01 pki]#(umask 077; openssl genrsa -out mason.key 4096)
[root@k8s-master01 pki]#openssl req -new -key ./mason.key -out ./mason.csr -subj '/CN=mason/O=kubeadmin'
[root@k8s-master01 pki]#openssl x509 -req -days 3650 -CAkey ./ca.key -CA ./ca.crt -CAcreateserial -in ./mason.csr -out ./mason.crt
Signature ok
subject=CN = mason, O = kubeadmin
Getting CA Private Key
[root@k8s-master01 pki]#scp -p mason* 10.0.0.105:
[root@k8s-master01 pki]#scp ca.crt 10.0.0.105:
#验证:其中只有第一条命令用 --insecure-skip-tls-verify 跳过了对 apiserver 证书的校验(客户端无法识别伪造的 apiserver,仅限实验环境),后两条分别用 --certificate-authority / --cacert 校验 apiserver 证书;各命令返回 Forbidden(403)说明认证已通过、服务端已识别出用户 mason,只是尚未通过 RBAC 授权:
[root@k8s-node02 ~]#kubectl -s https://10.0.0.101:6443 --client-certificate=./mason.crt --client-key=./mason.key --insecure-skip-tls-verify=true get pods
Error from server (Forbidden): pods is forbidden: User "mason" cannot list resource "pods" in API group "" in the namespace "default"
[root@k8s-node02 ~]#kubectl -s https://10.0.0.101:6443 --client-certificate=./mason.crt --client-key=./mason.key --certificate-authority=./ca.crt get pods
Error from server (Forbidden): pods is forbidden: User "mason" cannot list resource "pods" in API group "" in the namespace "default"
[root@k8s-node02 ~]#curl --cert ./mason.crt --key ./mason.key --cacert ./ca.crt https://10.0.0.101:6443/api/v1/namespaces/default/pods
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "pods is forbidden: User \"mason\" cannot list resource \"pods\" in API group \"\" in the namespace \"default\"",
"reason": "Forbidden",
"details": {
"kind": "pods"
},
"code": 403
}
23、将创建的用户账号,并入到一个kubeconfig文件中
# 将静态令牌认证信息保存为kubeconfig文件
[root@k8s-master01 pki]#kubectl config set-cluster mykube --embed-certs=true --certificate-authority=./ca.crt --server="https://10.0.0.101:6443" --kubeconfig=$HOME/.kube/mykube.conf
Cluster "mykube" set.
[root@k8s-master01 pki]#kubectl config set-credentials dayu --token="f38222.b51461b2a92e578f" --kubeconfig=$HOME/.kube/mykube.conf
User "dayu" set.
[root@k8s-master01 pki]#kubectl config view --kubeconfig=$HOME/.kube/mykube.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://10.0.0.101:6443
name: mykube
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: dayu
user:
token: REDACTED
[root@k8s-master01 pki]#kubectl config set-context dayu@mykube --cluster=mykube --user=dayu --kubeconfig=$HOME/.kube/mykube.conf
Context "dayu@mykube" created.
[root@k8s-master01 pki]#kubectl config view --kubeconfig=$HOME/.kube/mykube.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://10.0.0.101:6443
name: mykube
contexts:
- context:
cluster: mykube
user: dayu
name: dayu@mykube
current-context: ""
kind: Config
preferences: {}
users:
- name: dayu
user:
token: REDACTED
[root@k8s-master01 pki]#kubectl get pods -n default --kubeconfig=$HOME/.kube/mykube.conf
Error from server (Forbidden): pods is forbidden: User "dayu" cannot list resource "pods" in API group "" in the namespace "default"
# 将数字证书认证的信息保存为kubeconfig文件,以下过程中没有新增集群,只添加用户和context
[root@k8s-master01 pki]#kubectl config set-credentials mason --embed-certs=true --client-certificate=./mason.crt --client-key=./mason.key --kubeconfig=$HOME/.kube/mykube.conf
User "mason" set.
[root@k8s-master01 pki]#kubectl config view --kubeconfig=$HOME/.kube/mykube.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://10.0.0.101:6443
name: mykube
contexts:
- context:
cluster: mykube
user: dayu
name: dayu@mykube
current-context: dayu@mykube
kind: Config
preferences: {}
users:
- name: dayu
user:
token: REDACTED
- name: mason
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
[root@k8s-master01 pki]#kubectl config set-context mason@mykube --cluster=mykube --user=mason --kubeconfig=$HOME/.kube/mykube.conf
Context "mason@mykube" created.
[root@k8s-master01 pki]#kubectl config view --kubeconfig=$HOME/.kube/mykube.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://10.0.0.101:6443
name: mykube
contexts:
- context:
cluster: mykube
user: dayu
name: dayu@mykube
- context:
cluster: mykube
user: mason
name: mason@mykube
current-context: dayu@mykube
kind: Config
preferences: {}
users:
- name: dayu
user:
token: REDACTED
- name: mason
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
[root@k8s-master01 pki]#kubectl get pods
No resources found in default namespace
[root@k8s-master01 pki]#kubectl --context='mason@mykube' get pods
Error in configuration: context was not found for specified context: mason@mykube
[root@k8s-master01 pki]#kubectl config use-context mason@mykube --kubeconfig =$HOME/.kube/mykube.conf
error: no context exists with the name: "mason@mykube"
[root@k8s-master01 pki]#kubectl get pods --kubeconfig=$HOME/.kube/mykube.conf
Error from server (Forbidden): pods is forbidden: User "dayu" cannot list resource "pods" in API group "" in the namespace "default"
# 上面两条命令失败的原因:前一条未指定 --kubeconfig,读取的是默认的 ~/.kube/config,其中没有 mason@mykube;后一条在 --kubeconfig 与 = 之间多了一个空格,kubectl 未能读取到 mykube.conf。KUBECONFIG环境变量合并kubeconfig文件的方法:
[root@k8s-master01 pki]#echo $KUBECONFIG
[root@k8s-master01 pki]#export KUBECONFIG="/root/.kube/mykube.conf:/etc/kubernetes/admin.conf"
[root@k8s-master01 pki]#kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://kubeapi.wang.org:6443
name: kubernetes
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://10.0.0.101:6443
name: mykube
contexts:
- context:
cluster: mykube
user: dayu
name: dayu@mykube
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
- context:
cluster: mykube
user: mason
name: mason@mykube
current-context: mason@mykube
kind: Config
preferences: {}
users:
- name: dayu
user:
token: REDACTED
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: mason
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
# 验证
[root@k8s-master01 pki]#kubectl --context="mason@mykube" get pods
Error from server (Forbidden): pods is forbidden: User "mason" cannot list resource "pods" in API group "" in the namespace "default"
[root@k8s-master01 pki]#kubectl --context="dayu@mykube" get pods
Error from server (Forbidden): pods is forbidden: User "dayu" cannot list resource "pods" in API group "" in the namespace "default"
[root@k8s-master01 pki]#kubectl --context="kubernetes-admin@kubernetes" get pods
No resources found in default namespace.