1. Configuration of the k8s components
In a Kubernetes cluster installed with kubeadm, etcd, kube-apiserver, kube-controller-manager, kube-scheduler and the other control plane components run as static Pods, and their configuration files are located under /etc/kubernetes/manifests:
ls -l /etc/kubernetes/manifests/
-rw------- 1 root root 2603 12月 1 19:12 etcd.yaml
-rw------- 1 root root 3633 12月 1 19:12 kube-apiserver.yaml
-rw------- 1 root root 3139 12月 1 19:12 kube-controller-manager.yaml
-rw------- 1 root root 1499 12月 1 19:12 kube-scheduler.yaml
The kubelet service on a Node is usually configured as a Linux service managed by systemd, which starts it automatically. The kubelet's default configuration files usually live under /var/lib/kubelet, where config.yaml is the kubelet's main configuration file.
In a Kubernetes cluster installed from binaries, etcd, kube-apiserver, kube-controller-manager and kube-scheduler are usually also configured as Linux services managed by systemd. If you are not sure where the configuration files are, you can use ps to look up their startup arguments and configuration file paths:
ps -efwww | grep kube-
2. Using the kubectl configuration file
The kubectl command is a client that connects to the API Server; by default it reads the config file under $HOME/.kube for its configuration. After initializing the control plane, you can add the configuration file for the corresponding user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
For configuration files stored in other directories, you can point kubectl at them with the KUBECONFIG environment variable or the --kubeconfig flag. For example, if the kubeconfig file is stored at /etc/kubernetes/admin.conf, once the KUBECONFIG environment variable is set kubectl can connect to the API Server correctly.
# Set the environment variable
export KUBECONFIG=/etc/kubernetes/admin.conf
# Or pass the flag
kubectl --kubeconfig /etc/kubernetes/admin.conf get pod
3. kubelet configuration
After the cluster is installed, administrators need to maintain the kubelet process on each Node, and the kubelet parameters differ from Node to Node. These parameters mostly concern resource management and are closely tied to the Node they run on. For example, a high-spec Node can run more Pods than a low-spec one, so the relevant parameters should be set higher when planning its resources; likewise, if some critical non-containerized services run on a Node, the resources they will consume need to be reserved appropriately. Since many kubelet parameters fall back to defaults when not configured, and those defaults may change between versions, the administrator needs to know the values of all parameters of the kubelet process on the current Node in order to decide how to adjust them and to confirm that the settings take effect.
The following command retrieves the full kubelet configuration and formats it as JSON:
kubectl get --raw /api/v1/nodes/k8s-node-08-u-218/proxy/configz | python3 -m json.tool
{
    "kubeletconfig": {
        "enableServer": true,
        "staticPodPath": "/etc/kubernetes/manifests",
        "podLogsDir": "/var/log/pods",
        "syncFrequency": "1m0s",
        "fileCheckFrequency": "20s",
        "httpCheckFrequency": "20s",
        "address": "0.0.0.0",
        "port": 10250,
        "tlsCertFile": "/var/lib/kubelet/pki/kubelet.crt",
        "tlsPrivateKeyFile": "/var/lib/kubelet/pki/kubelet.key",
        "rotateCertificates": true,
        "authentication": {
            "x509": {
                "clientCAFile": "/etc/kubernetes/pki/ca.crt"
            },
            "webhook": {
                "enabled": true,
                "cacheTTL": "2m0s"
            },
            "anonymous": {
                "enabled": false
            }
        },
        "authorization": {
            "mode": "Webhook",
            "webhook": {
                "cacheAuthorizedTTL": "5m0s",
                "cacheUnauthorizedTTL": "30s"
            }
        },
        "registryPullQPS": 5,
        "registryBurst": 10,
        "eventRecordQPS": 50,
        "eventBurst": 100,
        "enableDebuggingHandlers": true,
        "healthzPort": 10248,
        "healthzBindAddress": "127.0.0.1",
        "oomScoreAdj": -999,
        "clusterDomain": "cluster.local",
        "clusterDNS": [
            "10.96.0.10"
        ],
        "streamingConnectionIdleTimeout": "4h0m0s",
        "nodeStatusUpdateFrequency": "10s",
        "nodeStatusReportFrequency": "5m0s",
        "nodeLeaseDurationSeconds": 40,
        "imageMinimumGCAge": "2m0s",
        "imageMaximumGCAge": "0s",
        "imageGCHighThresholdPercent": 85,
        "imageGCLowThresholdPercent": 80,
        "volumeStatsAggPeriod": "1m0s",
        "cgroupsPerQOS": true,
        "cgroupDriver": "systemd",
        "cpuManagerPolicy": "none",
        "cpuManagerReconcilePeriod": "10s",
        "memoryManagerPolicy": "None",
        "topologyManagerPolicy": "none",
        "topologyManagerScope": "container",
        "runtimeRequestTimeout": "2m0s",
        "hairpinMode": "promiscuous-bridge",
        "maxPods": 110,
        "podPidsLimit": -1,
        "resolvConf": "/run/systemd/resolve/resolv.conf",
        "cpuCFSQuota": true,
        "cpuCFSQuotaPeriod": "100ms",
        "nodeStatusMaxImages": 50,
        "maxOpenFiles": 1000000,
        "contentType": "application/vnd.kubernetes.protobuf",
        "kubeAPIQPS": 50,
        "kubeAPIBurst": 100,
        "serializeImagePulls": true,
        "evictionHard": {
            "imagefs.available": "15%",
            "imagefs.inodesFree": "5%",
            "memory.available": "100Mi",
            "nodefs.available": "10%",
            "nodefs.inodesFree": "5%"
        },
        "evictionPressureTransitionPeriod": "5m0s",
        "enableControllerAttachDetach": true,
        "makeIPTablesUtilChains": true,
        "iptablesMasqueradeBit": 14,
        "iptablesDropBit": 15,
        "failSwapOn": true,
        "memorySwap": {},
        "containerLogMaxSize": "10Mi",
        "containerLogMaxFiles": 5,
        "containerLogMaxWorkers": 1,
        "containerLogMonitorInterval": "10s",
        "configMapAndSecretChangeDetectionStrategy": "Watch",
        "enforceNodeAllocatable": [
            "pods"
        ],
        "volumePluginDir": "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/",
        "logging": {
            "format": "text",
            "flushFrequency": "5s",
            "verbosity": 0,
            "options": {
                "text": {
                    "infoBufferSize": "0"
                },
                "json": {
                    "infoBufferSize": "0"
                }
            }
        },
        "enableSystemLogHandler": true,
        "enableSystemLogQuery": false,
        "shutdownGracePeriod": "0s",
        "shutdownGracePeriodCriticalPods": "0s",
        "enableProfilingHandler": true,
        "enableDebugFlagsHandler": true,
        "seccompDefault": false,
        "memoryThrottlingFactor": 0.9,
        "registerNode": true,
        "localStorageCapacityIsolation": true,
        "containerRuntimeEndpoint": "unix:///var/run/containerd/containerd.sock",
        "failCgroupV1": false
    }
}
Modify the kubelet configuration through its YAML file:
cd /var/lib/kubelet/
sudo cp config.yaml config.yaml.bak
sudo vim config.yaml
# When changing a parameter, keep the original setting in a comment so you can roll back quickly
# Restart the kubelet after editing
sudo systemctl restart kubelet.service
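As an added example, not code from the original page, the following Python script reads the kubelet configuration through the same /api/v1/nodes/NODE/proxy/configz path shown above and flags the settings a hardening review checks first. The function names, the constructed sample dict (a subset of the output above) and the node name are assumptions; readOnlyPort is a real kubelet field that is omitted from configz when it is 0, as in the output above.

```python
import json
import subprocess

# Constructed sample: a subset of the configz output shown above, with the page's own values.
SAMPLE_CONFIGZ = {
    "kubeletconfig": {
        "rotateCertificates": True,
        "authentication": {
            "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"},
            "webhook": {"enabled": True, "cacheTTL": "2m0s"},
            "anonymous": {"enabled": False},
        },
        "authorization": {"mode": "Webhook"},
        "enableProfilingHandler": True,
        "seccompDefault": False,
        "podPidsLimit": -1,
    }
}


def fetch_configz(node: str) -> dict:
    """Pull one node's live kubelet config via the API server proxy (needs kubectl and cluster access)."""
    raw = subprocess.check_output(["kubectl", "get", "--raw", f"/api/v1/nodes/{node}/proxy/configz"])
    return json.loads(raw)


def audit_kubelet_config(configz: dict) -> list:
    """Return one finding per hardening-relevant setting that deviates from a safe value.
    Keys that configz omits are treated as their zero value (0, false, empty)."""
    cfg = configz["kubeletconfig"]
    auth = cfg.get("authentication", {})
    findings = []
    if auth.get("anonymous", {}).get("enabled", False):
        findings.append("authentication.anonymous.enabled is true: unauthenticated requests reach the kubelet API")
    if not auth.get("x509", {}).get("clientCAFile") and not auth.get("webhook", {}).get("enabled", False):
        findings.append("no x509 client CA and no webhook authentication configured")
    mode = cfg.get("authorization", {}).get("mode", "")
    if mode != "Webhook":
        findings.append(f"authorization.mode is {mode!r}, expected Webhook (AlwaysAllow authorizes every request)")
    if cfg.get("readOnlyPort", 0) != 0:
        findings.append(f"readOnlyPort {cfg['readOnlyPort']} is open: unauthenticated read access to pod data")
    if not cfg.get("rotateCertificates", False):
        findings.append("rotateCertificates is false: the kubelet client certificate will not be renewed")
    if not cfg.get("seccompDefault", False):
        findings.append("seccompDefault is false: pods without a seccompProfile run unconfined")
    if cfg.get("podPidsLimit", -1) == -1:
        findings.append("podPidsLimit is -1: no per-pod PID limit, a runaway fork loop can exhaust the node")
    if cfg.get("enableProfilingHandler", False):
        findings.append("enableProfilingHandler is true: the kubelet serves /debug/pprof")
    return findings
```

Run it against every node with `for n in $(kubectl get nodes -o name | cut -d/ -f2); do ...; done` and feed `fetch_configz(n)` into `audit_kubelet_config`; on the configuration shown above it reports seccompDefault, podPidsLimit and the profiling handler.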
4. Querying k8s resource objects
List all resource object types supported by k8s:
kubectl api-resources
NAME                     SHORTNAMES   APIVERSION   NAMESPACED   KIND
bindings                              v1           true         Binding
componentstatuses        cs           v1           false        ComponentStatus
configmaps               cm           v1           true         ConfigMap
endpoints                ep           v1           true         Endpoints
events                   ev           v1           true         Event
limitranges              limits       v1           true         LimitRange
namespaces               ns           v1           false        Namespace
nodes                    no           v1           false        Node
persistentvolumeclaims   pvc          v1           true         PersistentVolumeClaim
persistentvolumes        pv           v1           false        PersistentVolume
pods                     po           v1           true         Pod
...
List the custom resource definitions (CRDs):
kubectl get crd
List the CR instances of a given CRD:
kubectl get <CRD type name> --all-namespaces
5. Viewing the data in a Secret
Kubernetes Secret objects are often used to store confidential data (Base64-encoded). Base64 is an encoding, not encryption, so anyone allowed to read the Secret can recover the plaintext.
List all Secret objects:
kubectl get secret --all-namespaces
View the contents of a Secret object:
# elastic-auth is the name of the Secret
kubectl -n logging get secrets elastic-auth -o yaml
apiVersion: v1
data:
  password: cGluZ2sxMjM0NTY=
  username: ZWxhc3RpYw==
kind: Secret
metadata:
  creationTimestamp: "2024-12-17T04:45:29Z"
  name: elastic-auth
  namespace: logging
  resourceVersion: "2979495"
  uid: e16a2611-d2e6-4b3c-b79e-b68a6e1706b9
type: Opaque
The following command Base64-decodes the data stored in a Secret to obtain the plaintext:
kubectl -n logging get secret elastic-auth -o jsonpath="{.data['username']}" | base64 --decode
6. Adding, deleting, viewing and modifying Labels
Add a label:
kubectl label pods frontend app=php
View a label:
kubectl get pods frontend -L app
NAME       READY   STATUS    RESTARTS   AGE   APP
frontend   1/1     Running   0          9h    php
View all labels:
kubectl get pod frontend -o=jsonpath='{.metadata.labels}'
{"app":"php","name":"frontend"}
Modify a label:
kubectl label pods frontend app=php-fpm --overwrite
kubectl get pod frontend -o=jsonpath='{.metadata.labels}'
{"app":"php-fpm","name":"frontend"}
Delete a label:
# Give the label key followed by a minus sign
kubectl label pods frontend app-
kubectl get pod frontend -o=jsonpath='{.metadata.labels}'
{"name":"frontend"}