kubernetes之镜像拉取策略；

1. 各工作节点负责运行Pod对象，而Pod的核心功能用于运行容器，因此工作节点上必须配置容器引擎，如Dokcer、Containerd等，启动容器时，容器引擎将首先于本地查找指定的镜像文件，不存在的镜像则需要从指定的镜像仓库(Registry)下载至本地；

2. kubernetes支持用户自定义镜像文件的获取方式策略，例如在网络资源紧张的时候可以禁止从仓库中获取文件镜像等，容器的ImagePullPolicy字段用于为其指定镜像获取策略，可用值包括:

   • IfNotPresent: 本地有镜像则使用本地镜像，本地不存在则拉取镜像；(默认值)
   • Always: 每次都尝试拉取镜像；
   • Never: 永不拉取，禁止从仓库下载镜像，如果本地镜像已经存在，kubelet会尝试启动容器，否则，启动失败；

3. 官方文档: https://kubernetes.io/zh-cn/docs/concepts/containers/images/

4. 我们可以通过explain来查看它的属性
   imgaepullpolicy是容器级别的；

root@ks-master01-10:~# kubectl explain pod.spec.containers.imagePullPolicy
KIND:     Pod
VERSION:  v1

FIELD:    imagePullPolicy <string>

DESCRIPTION:
     Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always
     if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated.
     More info:
     https://kubernetes.io/docs/concepts/containers/images#updating-images

4. 示例说明；

root@ks-master01-10:~#  cat tomcat-test.yaml 

apiVersion: v1
kind: Pod
metadata:
  name: tomcat-test
  namespace: default
spec:
  containers:
  - name: tomcat
    image: tomcat:latest
    imagePullPolicy: Always

root@ks-master01-10:~# kubectl apply -f tomcat-test.yaml 
pod/tomcat-test created

5. 现在Pod是正常状态；

root@ks-master01-10:~# kubectl get pods
NAME                          READY   STATUS    RESTARTS      AGE
tomcat-test                   1/1     Running   0             87s

6. 我们来看看详细描述；
   定义了使用tomcat:latest镜像，其获取策略为Always，这就意味每次启动容器时，它都会从镜像仓库获取最新版本的镜像文件；

root@ks-master01-10:~# kubectl describe pods tomcat-test
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  82s   default-scheduler  Successfully assigned default/mysql-test to ks-node24-24
  Normal  Pulling    81s   kubelet            Pulling image "tomcat:latest"
  Normal  Pulled     45s   kubelet            Successfully pulled image "tomcat:latest" in 36.41152006s
  Normal  Created    45s   kubelet            Created container tomcat
  Normal  Started    45s   kubelet            Started container tomcat

7. IfNotPresent
   对于其他标签的镜像，其默认策略为IfNotPresent，需要注意的是，使用私有仓库中的镜像时通常需要由Registry服务器完成认证才能进行，认证过程要么需要在相关节点上交互执行docker login命令进行，要么就是将认证信息定义为secret资源，通过ImagePullSecrets字段来完成认证信息；

• 示例

root@ks-master01-10:~# cat httpdpod-test.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: httpd-testpod
  namespace: default
spec:
  containers:
  - name: httpd
    image: registry.cn-hangzhou.aliyuncs.com/lengyuye/httpd:alpine3.14
    imagePullPolicy: IfNotPresent

root@ks-master01-10:~# kubectl apply -f httpdpod-test.yaml 
pod/httpd-testpod created

来查看下详情；
为什么能拉取私有仓库的镜像，因为docker login认证过。没有认证的话拉取镜像的时候会Error；

root@ks-master01-10:~# kubectl describe pods httpd-testpod
Events:
  Type    Reason     Age    From               Message
  ----    ------     ----   ----               -------
  Normal  Scheduled  4m28s  default-scheduler  Successfully assigned default/httpd-testpod to ks-node24-24
  Normal  Pulling    4m27s  kubelet            Pulling image "registry.cn-hangzhou.aliyuncs.com/lengyuye/httpd:alpine3.14"
  Normal  Pulled     4m24s  kubelet            Successfully pulled image "registry.cn-hangzhou.aliyuncs.com/lengyuye/httpd:alpine3.14" in 3.56652979s
  Normal  Created    4m23s  kubelet            Created container httpd
  Normal  Started    4m23s  kubelet            Started container httpd

Pod运行正常；

root@ks-master01-10:~# kubectl get pods
NAME                          READY   STATUS    RESTARTS     AGE
httpd-testpod                 1/1     Running   0            3m26s