1.污点策略
尽量不调度:PreferNoSchedule 不被调度:NoSchedule 驱逐节点上不容忍该污点的 Pod:NoExecute
# 设置污点标签
[root@master ~]# kubectl taint node node-0001 k=v:NoSchedule
node/node-0001 tainted
# 查看污点标签
[root@master ~]# kubectl describe nodes node-0001
Taints: k=v:NoSchedule
# 删除污点标签
[root@master ~]# kubectl taint node node-0001 k=v:NoSchedule-
node/node-0001 untainted
# 查看污点标签
[root@master ~]# kubectl describe nodes node-0001
Taints: <none>
# 查看所有节点污点标签
[root@master ~]# kubectl describe nodes |grep Taints
Taints: node-role.kubernetes.io/control-plane:NoSchedule
Taints: <none>
Taints: <none>
Taints: <none>
Taints: <none>
Taints: <none>
创建几个 Pod 测试:新建的 Pod 不会被调度到带有 NoSchedule 污点的节点(已经运行在该节点上的 Pod 不受影响,对比下面的 NoExecute).
-----------------------
# NoExecute 会删除节点上的 Pod
[root@master ~]# kubectl taint node node-0001 k=v:NoExecute
[root@master ~]# kubectl get pods
-------------------------
[root@master ~]# kubectl taint node node-0001 k-
2.容忍策略
[root@master ~]# vim myphp.yaml
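---
# myphp.yaml: Pod that tolerates the taint k=v:NoSchedule set on node-0001
# above, so the scheduler may place it there while the taint is present.
kind: Pod
apiVersion: v1
metadata:
  name: myphp
spec:
  tolerations:
  # Exists matches any taint with this key regardless of its value.
  # For an exact match use `operator: Equal` and add `value: v`.
  - operator: Exists
    key: k                # taint key to tolerate
    effect: NoSchedule    # only this effect is tolerated; NoExecute would still evict
  containers:
  - name: php
    image: myos:php-fpm
    resources:
      requests:
        cpu: 1200m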
3.设置优先级(默认为0,数字越大优先级越高)
# 低优先级 Pod
[root@master ~]# vim php2.yaml
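---
# php2.yaml: low-priority Pod pinned to node-0002, the victim candidate in the
# preemption test below (php3.yaml is the high-priority counterpart).
kind: Pod
apiVersion: v1
metadata:
  name: php2
spec:
  nodeSelector:
    kubernetes.io/hostname: node-0002  # pin to one node so both test Pods compete for it
  priorityClassName: low-non           # PriorityClass from mypriority.yaml (value 500, preemptionPolicy Never)
  containers:
  - name: php
    image: myos:php-fpm
    resources:
      requests:
        cpu: "1200m"  # presumably sized so node-0002 cannot fit both test Pods — confirm node capacity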
# 高优先级 Pod
[root@master ~]# vim php3.yaml
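---
# php3.yaml: high-priority Pod pinned to the same node as php2.yaml.
# With priorityClassName high-non (preemptionPolicy Never) it is only queued
# ahead of php2; switch to `high` to see it preempt php2.
kind: Pod
apiVersion: v1
metadata:
  name: php3
spec:
  nodeSelector:
    kubernetes.io/hostname: node-0002  # same node as php2 so the two Pods compete for it
  priorityClassName: high-non          # PriorityClass from mypriority.yaml (value 1000, preemptionPolicy Never)
  containers:
  - name: php
    image: myos:php-fpm
    resources:
      requests:
        cpu: "1200m"  # presumably sized so node-0002 cannot fit both test Pods — confirm node capacity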
4.抢占策略
preemptionPolicy: Never(非抢占优先级)/PreemptLowerPriority(抢占优先级)
[root@master ~]# vim mypriority.yaml
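---
# mypriority.yaml: four PriorityClasses. Two values (1000 and 500) are
# defined twice, once with preemptionPolicy Never (queue ordering only) and
# once with PreemptLowerPriority (may evict lower-priority Pods to fit).
# globalDefault is left unset, so none of them applies to Pods without a
# priorityClassName (GLOBAL-DEFAULT shows false in the listing below).
kind: PriorityClass
apiVersion: scheduling.k8s.io/v1
metadata:
  name: high-non
preemptionPolicy: Never   # higher priority in the queue, but never evicts running Pods
value: 1000
---
kind: PriorityClass
apiVersion: scheduling.k8s.io/v1
metadata:
  name: low-non
preemptionPolicy: Never
value: 500
---
kind: PriorityClass
apiVersion: scheduling.k8s.io/v1
metadata:
  name: high
preemptionPolicy: PreemptLowerPriority  # may evict lower-priority Pods to make room
value: 1000
---
kind: PriorityClass
apiVersion: scheduling.k8s.io/v1
metadata:
  name: low
preemptionPolicy: PreemptLowerPriority
value: 500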
[root@master ~]# kubectl apply -f mypriority.yaml
[root@master ~]# kubectl get priorityclasses.scheduling.k8s.io
NAME VALUE GLOBAL-DEFAULT AGE
high 1000 false 4s
high-non 1000 false 2h
low 500 false 4s
low-non 500 false 2h
system-cluster-critical 2000000000 false 21d
system-node-critical 2000001000 false 21d
5.特权容器(Pod安全)
设置主机名和修改 hosts 文件
[root@master ~]# vim root.yaml
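---
# root.yaml (step 1): set the Pod's hostname and add entries to its
# /etc/hosts. These settings change only the Pod's own view, not the node's.
kind: Pod
apiVersion: v1
metadata:
  name: root
spec:
  hostname: myhost        # hostname seen inside the Pod
  hostAliases:            # extra lines written to the Pod's /etc/hosts
  - ip: 192.168.1.30      # address the names below resolve to
    hostnames:            # one or more names for that address
    - harbor
  containers:
  - name: apache
    image: myos:httpd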
系统进程特权 / 网络特权 / root 用户特权(以下三项都会突破容器隔离,只应在确有必要时使用)
[root@master ~]# vim root.yaml
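---
# root.yaml (step 2): a Pod that opts out of the node's isolation boundaries.
# Each flag below is a host-level privilege; a Pod like this is effectively
# root on the node, so it should be confined to trusted namespaces and is
# rejected by the baseline/restricted Pod Security Standards.
kind: Pod
apiVersion: v1
metadata:
  name: root
spec:
  hostPID: true       # share the node's PID namespace (host processes visible to the container)
  hostNetwork: true   # share the node's network namespace (host interfaces and ports)
  containers:
  - name: apache
    image: myos:httpd
    securityContext:    # per-container security settings
      privileged: true  # run with host root privileges; most container isolation is disabled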
6.Pod安全策略
在 Pod 中声明安全策略(securityContext),只有被认为是安全的 Pod 才允许创建
[root@master ~]# vim nonroot.yaml
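---
# nonroot.yaml: a hardened Pod. The container-level securityContext below
# is the set of settings a restricted policy expects: non-root, no privilege
# escalation, default seccomp profile, and no Linux capabilities.
kind: Pod
apiVersion: v1
metadata:
  name: nonroot
spec:
  containers:
  - name: php
    image: myos:php-fpm
    securityContext:                   # declared security settings for this container
      allowPrivilegeEscalation: false  # process cannot gain more privileges than its parent (no_new_privs)
      runAsNonRoot: true               # kubelet refuses to start the container as UID 0
      runAsUser: 65534                 # UID for the container process (65534 is conventionally "nobody"; confirm the image supports it)
      seccompProfile:                  # use the container runtime's default syscall filter
        type: "RuntimeDefault"
      capabilities:                    # drop every Linux capability
        drop: ["ALL"]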