Kubernetes探索学习004--深入Kubernetes的Pod

深入研究学习Pod

首先需要认识到Pod才是Kubernetes项目中最小的编排单位原子单位，凡是涉及到调度，网络，存储层面的，基本上都是Pod级别的！官方是用这样的语言来描述的: A Pod is the basic building block of Kubernetes–the smallest and simplest unit in the Kubernetes object model that you create or deploy.

1.Pod API对象

1.1.Pod中的一些重要字段解释

NodeSelector：将Pod与Node绑定的字段，可以用来指定对象的调度节点
NodeName：该字段被赋值，调度器会认为这个Pod已经经过了调度
HostAliases：定义Pod的hosts文件内容
shareProcessNamespace：Pod中的容器共享 PID Namespace
hostNetwork：共享宿主机Network
hostIPC：共享宿主机IPC
hostPID：共享宿主机PID Namespace
ImagePullPolicy：定义镜像拉取的策略
Lifecycle：Container Lifecycle Hooks的作用，钩子

1.2.Pod生命周期中的几种状态

Pending 悬而未决，Pod中的容器可能因为某种原因不能被顺利创建，比如调度不成功
Running Pod已经调度成功
Succeeded Pod里面的容器正常运行完毕并已经退出
Failed Pod中至少有一个容器以不正常的状态退出，你要想办法查日志了分析具体原因！
UnKnown 异常状态

2.认识特殊的Volume-Projected Volume

这块儿需要先理解Projected Volume的含义，在Kubernetes中有几种特殊的Volume它们为容器提供预先定义好的数据，从Container的角度来看，这些Volume就好像是被Kubernetes Project(投射)进入Container中的。

2.1.Projected Volume分类

Secret 把Pod想要访问的加密数据放入Etcd中
ConfigMap 把Pod想要访问的非加密数据放入Etcd中
Downward API 让Pod容器能够直接获取这个Pod API对象的本身
ServiceAccountToken 一种特殊的secret保存授权信息和文件

2.2.关于这些卷的实践

1.Secret保存账号密码的例子

1.首先准备YAML文件
[root@kubernetes01 ~]# cat test-projected-volume.yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-projected-volume001
spec:
  containers:
  - name: test-secret-volume001
    image: busybox
    args:
    - sleep
    - "86400"
    volumeMounts:
    - name: mysql-cred
      mountPath: "/projected-volume"
      readOnly: true
  volumes:
  - name: mysql-cred
    projected:
      sources:
      - secret:
          name: user001
      - secret:
          name: pass001

2.存放账号密码
[root@kubernetes01 ~]# cat ./username.txt
Ym95YW5nMDAx
[root@kubernetes01 ~]# cat ./password.txt
Ym95YW5nMDAx
[root@kubernetes01 ~]# kubectl create secret generic user001 --from-file=./username.txt
[root@kubernetes01 ~]# kubectl create secret generic pass001 --from-file=./password.txt

3.查看Secret对象
[root@kubernetes01 ~]# kubectl get secrets
NAME                  TYPE                                  DATA   AGE
default-token-8j8dl   kubernetes.io/service-account-token   3      11d
pass                  Opaque                                1      7d
pass001               Opaque                                1      2d1h
user                  Opaque                                1      7d
user001               Opaque                                1      2d1h

4.创建Pod之后进入Pod进行查看
[root@kubernetes01 ~]# kubectl exec -it test-projected-volume001 -- /bin/sh
/ # ls /projected-volume/
password.txt  username.txt
/ # cat /projected-volume/username.txt
Ym95YW5nMDAx
/ # cat /projected-volume/password.txt
Ym95YW5nMDAx
需要注意一点，生产使用中密码的加密方式！

2.ConfigMap保存java配置文件的例子

1.首先准备一段java配置文件
[root@kubernetes01 ~]# cat ./application.properties
#actuator \u53EA\u5F00\u653Ehealth\u63A5\u53E3
endpoints.enabled=false
endpoints.health.enabled=true

# Server
server.port=15051
spring.application.name=loancenter-app-web
server.sessionTimeout=30
spring.profiles.active=dev
...

2.创建ConfigMap
kubectl create configmap loancenter-app-web-config --from-file=./application.properties

3.查看
[root@kubernetes01 ~]# kubectl get configmaps loancenter-app-web-config -o yaml
apiVersion: v1
data:
  application.properties: |
    #actuator \u53EA\u5F00\u653Ehealth\u63A5\u53E3
    endpoints.enabled=false
    endpoints.health.enabled=true

    # Server
    server.port=15051
    spring.application.name=loancenter-app-web
    server.sessionTimeout=30
    spring.profiles.active=dev
...

3.Downward API容器获取信息的例子

1.准备YAML文件
[root@kubernetes01 ~]# cat test-downwardapi-volume.yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-downwardapi-volume
  labels:
    zone: cn-beijing-coast
    cluster: cluster001
    rack: rack-007
spec:
  containers:
    - name: client-container
      image: busybox
      command: ["sh", "-c"]
      args:
      - while true; do
          if [[ -e /etc/podinfo/labels ]]; then
            echo -en '\n\n'; cat /etc/podinfo/labels; fi;
          sleep 5;
        done;
      volumeMounts:
        - name: podinfo
          mountPath: /etc/podinfo
          readOnly: false
  volumes:
    - name: podinfo
      projected:
        sources:
        - downwardAPI:
            items:
              - path: "labels"
                fieldRef:
                  fieldPath: metadata.labels

2.创建Pod
[root@kubernetes01 ~]# kubectl apply -f test-downwardapi-volume.yaml

3.查看日志输出
[root@kubernetes01 ~]# kubectl logs test-downwardapi-volume | tail -n 10
cluster="cluster001"
rack="rack-007"
zone="cn-beijing-coast"

cluster="cluster001"
rack="rack-007"
zone="cn-beijing-coast"

cluster="cluster001"
rack="rack-007"
可以看到Volume声明暴露的metadata.labels信息被Container打印出来了！

4.ServiceAccountToken

Service Account对象的作用，就是Kubernetes系统内置的一种“服务账户”。
这块需要我们记住的是Kubernetes API编程最佳授权方式是default Service Account自动授权

3.Pod中的容器健康检查和恢复机制

我们可以在Pod中定义Probe(探针)，这是用来保证应用是否健康的重要手段！Pod还具有恢复机制restartPolicy！注意恢复永远只发生当前节点，如果同一个Pod出现在多个Node节点上就需要用控制器来管理，还要学会Pod中web应用的健康检查方法。

3.1.Pod中定义Probe

通过命令来充当探针的例子

1.准备YAML文件
[root@kubernetes01 ~]# cat test-liveness-exec.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    test: liveness
  name: test-liveness-exec
spec:
  containers:
  - name: liveness
    image: busybox
    args:
    - /bin/sh
    - -c
    - touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 60
    livenessProbe:
      exec:
        command:
        - cat
        - /tmp/healthy
      initialDelaySeconds: 5
      periodSeconds: 5

2.创建Pod之后，观察效果
[root@kubernetes01 ~]# kubectl get pods | grep "test-liveness"
test-liveness-exec                       0/1     CrashLoopBackOff   317        20h

[root@kubernetes01 ~]# kubectl describe pods test-liveness-exec | tail -n 10
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type     Reason     Age                   From                   Message
  ----     ------     ----                  ----                   -------
  Normal   Pulling    60m (x303 over 20h)   kubelet, kubernetes05  pulling image "busybox"
  Normal   Killing    20m (x313 over 20h)   kubelet, kubernetes05  Killing container with id docker://liveness:Container failed liveness probe.. Container will be killed and recreated.
  Warning  Unhealthy  6m2s (x951 over 20h)  kubelet, kubernetes05  Liveness probe failed: cat: can't open '/tmp/healthy': No such file or directory
  Warning  BackOff    61s (x3881 over 19h)  kubelet, kubernetes05  Back-off restarting failed container
这块儿因为探针检测到的Unhealthy状态，再加上默认的restartPolicy Pod具有的恢复机制，所以20小时内重启了317次。

3.2.Pod中web应用的健康检查

通过http请求tomcat服务充当探针的例子

1.编写YAML文件
[root@kubernetes01 ~]# cat java-web-health.yaml
apiVersion: v1
kind: Pod
metadata:
  name: java-web-healthtest
spec:
  initContainers:
  - image: registry:5000/jenkins:v2
    name: war
    command: ["cp","/jenkins.war","/app"]
    volumeMounts:
    - name: java-web-health-volume
      mountPath: "/app"
  containers:
  - image: tomcat:latest
    name: tomcat
    volumeMounts:
    - name: java-web-health-volume
      mountPath: "/usr/local/tomcat/webapps"
    ports:
    - containerPort: 8080
      name: tomcatwebsite
      hostPort: 8004
      protocol: TCP
    livenessProbe:
      httpGet:
        path: /jenkins/
        port: 8080
        scheme: HTTP
      initialDelaySeconds: 30
      timeoutSeconds: 5
      periodSeconds: 5
  volumes:
  - name: java-web-health-volume
    emptyDir: {}
解释下这三个字段的意思
initialDelaySeconds: 容器启动后第一次探测需要等久，单位秒，因为是tomcat所以可以设置的长一点
timeoutSeconds: 探测的超时时间，单位秒
periodSeconds: 执行探测的频率，单位秒

2.创建Pod后查看
[root@kubernetes01 ~]# curl -I 10.44.0.10:8080/jenkins/
HTTP/1.1 403
Cache-Control: private
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Content-Type-Options: nosniff
Set-Cookie: JSESSIONID=C4379308E14D00BEAFFDA51E2E38A2F3; Path=/jenkins; HttpOnly
X-Hudson: 1.395
X-Jenkins: 2.132
X-Jenkins-Session: d5a26f97
X-You-Are-Authenticated-As: anonymous
X-You-Are-In-Group-Disabled: JENKINS-39402: use -Dhudson.security.AccessDeniedException2.REPORT_GROUP_HEADERS=true or use /whoAmI to diagnose
X-Required-Permission: hudson.model.Hudson.Administer
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 20 Mar 2019 08:29:41 GMT
这块可以看到返回的是403！

[root@kubernetes01 ~]# kubectl describe pods java-web-health | tail -n 15
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type     Reason     Age                  From                   Message
  ----     ------     ----                 ----                   -------
  Normal   Scheduled  2m30s                default-scheduler      Successfully assigned default/java-web-healthtest to kubernetes02
  Normal   Pulled     2m30s                kubelet, kubernetes02  Container image "registry:5000/jenkins:v2" already present on machine
  Normal   Created    2m30s                kubelet, kubernetes02  Created container
  Normal   Started    2m29s                kubelet, kubernetes02  Started container
  Normal   Pulling    59s (x3 over 2m29s)  kubelet, kubernetes02  pulling image "tomcat:latest"
  Normal   Killing    59s (x2 over 104s)   kubelet, kubernetes02  Killing container with id docker://tomcat:Container failed liveness probe.. Container will be killed and recreated.
  Normal   Pulled     55s (x3 over 2m25s)  kubelet, kubernetes02  Successfully pulled image "tomcat:latest"
  Normal   Created    55s (x3 over 2m25s)  kubelet, kubernetes02  Created container
  Normal   Started    55s (x3 over 2m25s)  kubelet, kubernetes02  Started container
  Warning  Unhealthy  20s (x8 over 115s)   kubelet, kubernetes02  Liveness probe failed: HTTP probe failed with statuscode: 403
通过查看Events输出我们可以看到探针工作和恢复机制工作的过程

4.总结

自我感觉Pod对象相关的知识比较多但是很重要，在运行大规模集群包含各种各样任务的时候，会存在各种各样的关系，关系的妥善处理维护才是编排和系统管理最困难的地方。使用传统虚拟机的粒度控制的相对较粗，没有通过Kubernetes编排Pod这种方式粒度控制的细，最后Kubernetes声明式的API具有超强的编排能力。

PS:文中服务器使用的是国内某☁️的机器

欢迎大家留言讨论哦，欢迎大家和我一起研究学习Kubernetes～～～