k8s Deployment-41: Getting to Know Pods Again (Part 2)

Reader submission, 2022-11-04



1 Pod states

1. Pending (waiting)
2. ContainerCreating (being created)
3. Running (running)
4. Succeeded (completed successfully)
5. Failed (failed)
6. Ready (ready)
7. CrashLoopBackOff (repeatedly failing)
8. Unknown (unknown)

2 ProjectedVolume

Purpose: place the contents of specified files into a container. The three common sources are:

1. Secret
2. ConfigMap
3. Downward API

3 Secret

Secrets hold sensitive values in base64-encoded form. Let's first look at what the default one looks like:

```
[root@node1 ~]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-77rbc   kubernetes.io/service-account-token   3      29d
[root@node1 ~]# kubectl get secret default-token-77rbc -o yaml
apiVersion: v1
data:
  ca.crt: <base64-encoded CA certificate omitted>
  namespace: ZGVmYXVsdA==
  token: <base64-encoded service account token omitted>
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: default
    kubernetes.io/service-account.uid: 844ea8bf-f38e-4b6c-b09e-a9d960d30b85
  creationTimestamp: "2022-03-19T13:35:06Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:ca.crt: {}
        f:namespace: {}
        f:token: {}
      f:metadata:
        f:annotations:
          .: {}
          f:kubernetes.io/service-account.name: {}
          f:kubernetes.io/service-account.uid: {}
      f:type: {}
    manager: kube-controller-manager
    operation: Update
    time: "2022-03-19T13:35:06Z"
  name: default-token-77rbc
  namespace: default
  resourceVersion: "313"
  uid: fd3f793e-6406-4c3c-abab-072459322d92
type: kubernetes.io/service-account-token
[root@node1 ~]#
```

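As shown above, every value is base64-encoded (base64 is an encoding, not encryption), and the secret is named default-token-77rbc. We can simply decode whichever value we want to read. Next, let's look at the service we deployed earlier: when nothing is specified, does it use this secret?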

```
[root@node1 ~]# kubectl get pod -o wide
NAME             READY   STATUS    RESTARTS   AGE   IP              NODE    NOMINATED NODE   READINESS GATES
nginx-ds-q2pjt   1/1     Running   30         22d   10.200.135.16   node3
nginx-ds-zc5qt   1/1     Running   35         29d   10.200.104.56   node2
[root@node1 ~]# 
[root@node1 ~]# kubectl get pod nginx-ds-q2pjt -o yaml
---part of the output omitted---
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-77rbc
      readOnly: true
  volumes:
  - name: default-token-77rbc
    secret:
      defaultMode: 420
      secretName: default-token-77rbc
---part of the output omitted---
[root@node1 ~]#
```

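From the output above we can see that even if you specify nothing, k8s adds this volume by default, and the secretName matches. Next, let's log in to the container and see exactly what was mounted: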

```
[root@node3 ~]# crictl ps
CONTAINER           IMAGE               CREATED             STATE               NAME                      ATTEMPT             POD ID
78ca6e18974ff       c0c6672a66a59       28 minutes ago      Running             calico-kube-controllers   43                  33c0a0b75241f
273ba708edd9b       67da37a9a360e       28 minutes ago      Running             coredns                   34                  a34ca428cc614
8fcc0c4531411       b5af743e59849       28 minutes ago      Running             default-http-backend      5                   982ff71d6c2e1
73c804f73c93a       b5af743e59849       28 minutes ago      Running             default-http-backend      2                   2e89678bba973
8a14f1f4ef1a1       f2f70adc5d89a       28 minutes ago      Running             my-nginx                  30                  70fd05dbd43ec
821a24040dfbd       7a71aca7b60fc       28 minutes ago      Running             calico-node               34                  8ca1b324e528a
d5cce8aa38d0a       90f9d984ec9a3       29 minutes ago      Running             node-cache                34                  1d0b674530896
5f6ecb863500d       f2f70adc5d89a       29 minutes ago      Running             nginx-proxy               35                  7335063a5e517
[root@node3 ~]# 
[root@node3 ~]# crictl ps | grep q2pjt
[root@node3 ~]# crictl exec -it 8a14f1f4ef1a1 /bin/bash
root@nginx-ds-q2pjt:/# cd /var/run/secrets/kubernetes.io/serviceaccount/
root@nginx-ds-q2pjt:/var/run/secrets/kubernetes.io/serviceaccount# ls
ca.crt  namespace  token
root@nginx-ds-q2pjt:/var/run/secrets/kubernetes.io/serviceaccount# ls -l
total 0
lrwxrwxrwx 1 root root 13 Apr 18 13:02 ca.crt -> ..data/ca.crt
lrwxrwxrwx 1 root root 16 Apr 18 13:02 namespace -> ..data/namespace
lrwxrwxrwx 1 root root 12 Apr 18 13:02 token -> ..data/token
root@nginx-ds-q2pjt:/var/run/secrets/kubernetes.io/serviceaccount# cat namespace 
default
root@nginx-ds-q2pjt:/var/run/secrets/kubernetes.io/serviceaccount# 
root@nginx-ds-q2pjt:/var/run/secrets/kubernetes.io/serviceaccount# exit
exit
[root@node3 ~]#
```

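Having seen these files, have you wondered what they are for? They are what the pod uses to interact with the kube-apiserver: they are the credentials it authenticates with.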

Of course, we can also create a secret ourselves, as follows:

```
[root@node1 ~]# cd namespace/
[root@node1 namespace]# mkdir projectedvalume
[root@node1 namespace]# cd projectedvalume/
[root@node1 projectedvalume]# vim secret.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: dbpass
type: Opaque
data:
  username: eXVud2VpamlhCg==
  passwd: eXVud2VpamlhMTIzCg==
[root@node1 projectedvalume]# 
[root@node1 projectedvalume]# kubectl create -f secret.yaml 
secret/dbpass created
[root@node1 projectedvalume]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
dbpass                Opaque                                2      13s
default-token-77rbc   kubernetes.io/service-account-token   3      30d
[root@node1 projectedvalume]#
```

Then we put this secret into a pod, as follows:

```
[root@node1 projectedvalume]# vim pod-secret.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: pod-secret
spec:
  containers:
  - name: springboot-web
    image: registry.cn-beijing.aliyuncs.com/yunweijia0909/springboot-web:v1
    ports:
    - containerPort: 8080
    volumeMounts:
    - name: db-secret
      mountPath: /db-secret
      readOnly: true
  volumes:
  - name: db-secret
    projected:
      sources:
      - secret:
          name: dbpass
[root@node1 projectedvalume]# kubectl apply -f pod-secret.yaml 
pod/pod-secret created
[root@node1 projectedvalume]# kubectl get pod -o wide | grep secret
pod-secret       1/1     Running   0          13s   10.200.135.27   node3
[root@node1 projectedvalume]#
```

The pod is running on node3, so let's log in to node3 and take a look:

```
[root@node3 ~]# crictl ps | grep springboot-web
2fc5df27f1877       8ad32427177e4       2 minutes ago       Running             springboot-web            0                   494e73cde04da
[root@node3 ~]# 
[root@node3 ~]# crictl exec -it 2fc5df27f1877 /bin/bash
root@pod-secret:/# cd db-secret/
root@pod-secret:/db-secret# ls -l
total 0
lrwxrwxrwx 1 root root 13 Apr 18 14:02 passwd -> ..data/passwd
lrwxrwxrwx 1 root root 15 Apr 18 14:02 username -> ..data/username
root@pod-secret:/db-secret# cat passwd 
yunweijia123
root@pod-secret:/db-secret# cat username 
yunweijia
root@pod-secret:/db-secret# exit
exit
[root@node3 ~]#
```
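The values in secret.yaml above are plain base64, so anyone who can read the Secret object can recover them, and both values decode to a string that ends in a newline, which is then written byte for byte into the mounted files. The following check is an added example, not part of the original article; the function names are hypothetical and the three base64 strings are copied from the manifests shown on this page.

```shell
#!/bin/sh
# Values copied from the page: the Opaque secret "dbpass" and the
# "namespace" key of the service-account token secret.
USERNAME_B64='eXVud2VpamlhCg=='
PASSWD_B64='eXVud2VpamlhMTIzCg=='
NAMESPACE_B64='ZGVmYXVsdA=='

# Hex of the last decoded byte. $(...) strips trailing newlines, so the
# check has to inspect raw bytes rather than a captured string.
last_byte_hex() {
    printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n'
}

# Prints "newline" when the decoded value ends in LF, otherwise "clean".
trailing_newline_status() {
    if [ "$(last_byte_hex "$1")" = "0a" ]; then
        echo newline
    else
        echo clean
    fi
}

# Decoded length in bytes, including any trailing newline.
decoded_length() {
    printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# Encode a value without the newline that `echo value | base64` would add.
encode_value() {
    printf '%s' "$1" | base64
}

# Report every key: decoded size and whether a stray newline is stored.
for pair in "username:$USERNAME_B64" "passwd:$PASSWD_B64" "namespace:$NAMESPACE_B64"; do
    key=${pair%%:*}
    val=${pair#*:}
    printf '%-10s %2s bytes  %s\n' "$key" "$(decoded_length "$val")" "$(trailing_newline_status "$val")"
done
```

An application that reads /db-secret/passwd without trimming will send the newline as part of the password; encoding with `printf '%s'` (or `echo -n`) avoids storing it.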

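One more point: after you have created many pods, if you want to change a secret's value, you can change it directly. Some readers will ask: can my pod still interact with the kube-apiserver afterwards? Yes, it can. Once the secret is changed, the secret-related values inside the pod change along with it. You can try this yourself; it is not demonstrated here.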

4 ConfigMap

What is a ConfigMap for? It places unencrypted files into a container. Let's take a look. Suppose we have a configuration file that we want to put into a pod.

```
[root@node1 projectedvalume]# vim ceshi.properties 
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
secret.code.lives=30
[root@node1 projectedvalume]#
```

Then we load this configuration into the cluster:

```
[root@node1 projectedvalume]# kubectl create configmap web-ceshi --from-file ceshi.properties 
configmap/web-ceshi created
[root@node1 projectedvalume]# kubectl get cm web-ceshi -o yaml
apiVersion: v1
data:
  ceshi.properties: |
    enemies=aliens
    lives=3
    enemies.cheat=true
    enemies.cheat.level=noGoodRotten
    secret.code.passphrase=UUDDLRLRBABAS
    secret.code.allowed=true
    secret.code.lives=30
kind: ConfigMap
metadata:
  creationTimestamp: "2022-04-18T14:13:44Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:ceshi.properties: {}
    manager: kubectl-create
    operation: Update
    time: "2022-04-18T14:13:44Z"
  name: web-ceshi
  namespace: default
  resourceVersion: "535574"
  uid: cbad79b1-b35d-4924-b1f9-43bab1f79953
[root@node1 projectedvalume]#
```

Next, let's see how to use it in a pod:

```
[root@node1 projectedvalume]# vim pod-ceshi.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: pod-ceshi
spec:
  containers:
  - name: web
    image: registry.cn-beijing.aliyuncs.com/yunweijia0909/springboot-web:v1
    ports:
    - containerPort: 8080
    volumeMounts:
    - name: ceshi
      mountPath: /etc/config/ceshi
      readOnly: true
  volumes:
  - name: ceshi
    configMap:
      name: web-ceshi
[root@node1 projectedvalume]# kubectl apply -f pod-ceshi.yaml 
pod/pod-ceshi created
[root@node1 projectedvalume]#
[root@node1 projectedvalume]# kubectl get pod -o wide | grep ceshi
pod-ceshi        1/1     Running   0          34s   10.200.135.24   node3
[root@node1 projectedvalume]#
```

It is running on node3, so let's go and look:

```
[root@node3 ~]# crictl ps | grep web
96e31e6be73c4       8ad32427177e4       About a minute ago   Running             web                       0                   1f4ef2c594229
[root@node3 ~]# crictl exec -it 96e31e6be73c4 /bin/bash
root@pod-ceshi:/# cd etc/config/ceshi
root@pod-ceshi:/etc/config/ceshi# ls
ceshi.properties
root@pod-ceshi:/etc/config/ceshi# cat ceshi.properties 
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
secret.code.lives=30
root@pod-ceshi:/etc/config/ceshi# exit
exit
[root@node3 ~]#
```

In the same way, we can modify this ConfigMap. Let's change it and see:

```
[root@node1 projectedvalume]# kubectl edit cm web-ceshi
# Change only the following parameter, then save and exit
enemies.cheat=false
configmap/web-ceshi edited
[root@node1 projectedvalume]# 
# Log in to the container and check
[root@node3 ~]# crictl exec -it 96e31e6be73c4 /bin/bash
root@pod-ceshi:/# cd etc/config/ceshi/
root@pod-ceshi:/etc/config/ceshi# cat ceshi.properties 
enemies=aliens
lives=3
enemies.cheat=false
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
secret.code.lives=30
root@pod-ceshi:/etc/config/ceshi# exit
exit
[root@node3 ~]#
```

Now let's look at the second way to use a ConfigMap: exposing it as environment variables.

```
[root@node1 projectedvalume]# vim configmap.yaml 
apiVersion: v1
kind: ConfigMap
metadata:
  name: configs
data:
  JAVA_OPTS: -Xms1024m
  LOG_LEVEL: DEBUG
[root@node1 projectedvalume]# kubectl apply -f configmap.yaml 
configmap/configs created
[root@node1 projectedvalume]#
```

Then let's see how to use it:

```
[root@node1 projectedvalume]# vim pod-env.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: pod-env
spec:
  containers:
  - name: web
    image: registry.cn-beijing.aliyuncs.com/yunweijia0909/springboot-web:v1
    ports:
    - containerPort: 8080
    env:
    - name: LOG_LEVEL_CONFIG
      valueFrom:
        configMapKeyRef:
          name: configs
          key: LOG_LEVEL
[root@node1 projectedvalume]# kubectl apply -f pod-env.yaml 
pod/pod-env created
[root@node1 projectedvalume]# kubectl get pod -o wide | grep pod-env
pod-env          1/1     Running   0          18s   10.200.135.28   node3
[root@node1 projectedvalume]#
```

It is running on node3, so let's log in and look:

```
[root@node3 ~]# crictl ps | grep web
4680fc83b5a81       8ad32427177e4       2 minutes ago       Running             web                       0                   98cf0870dad8e
[root@node3 ~]# 
[root@node3 ~]# crictl exec -it 4680fc83b5a81 /bin/bash
root@pod-env:/# env | grep LOG_LEVEL_CONFIG
LOG_LEVEL_CONFIG=DEBUG
root@pod-env:/# exit
exit
[root@node3 ~]#
```

The third way is to pass the configuration as an argument to the startup command:

```
[root@node1 projectedvalume]# cat pod-cmd.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: pod-cmd
spec:
  containers:
  - name: web
    image: registry.cn-beijing.aliyuncs.com/yunweijia0909/springboot-web:v1
    command: ["/bin/sh", "-c", "java -jar /springboot-web.jar -DJAVA_OPTS=$(JAVA_OPTS)"]
    ports:
    - containerPort: 8080
    env:
    - name: JAVA_OPTS
      valueFrom:
        configMapKeyRef:
          name: configs
          key: JAVA_OPTS
[root@node1 projectedvalume]#
```

5 Downward API

This method mainly lets us obtain some parameters of the current pod itself. It is used as follows:

```
[root@node1 projectedvalume]# vim pod-downwardapi.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: pod-downwardapi
  labels:
    app: downwardapi
    type: webapp
spec:
  containers:
  - name: web
    image: registry.cn-beijing.aliyuncs.com/yunweijia0909/springboot-web:v1
    ports:
    - containerPort: 8080
    volumeMounts:
    - name: podinfo
      mountPath: /etc/podinfo
  volumes:
  - name: podinfo
    projected:
      sources:
      - downwardAPI:
          items:
          - path: "labels"
            fieldRef:
              fieldPath: metadata.labels
          - path: "name"
            fieldRef:
              fieldPath: metadata.name
          - path: "namespace"
            fieldRef:
              fieldPath: metadata.namespace
          - path: "mem-request"
            resourceFieldRef:
              containerName: web
              resource: limits.memory
[root@node1 projectedvalume]# 
[root@node1 projectedvalume]# kubectl apply -f pod-downwardapi.yaml 
pod/pod-downwardapi created
[root@node1 projectedvalume]# 
[root@node1 projectedvalume]# kubectl get pod -o wide | grep down
pod-downwardapi  1/1     Running   0          10s   10.200.135.34   node3
[root@node1 projectedvalume]#
```

It is running on node3, so let's log in and look:

```
[root@node3 ~]# crictl ps | grep web
3509d741bc1bf       8ad32427177e4       About a minute ago   Running             web                       0                   56694986935b4
[root@node3 ~]# crictl exec -it 3509d741bc1bf /bin/bash
root@pod-downwardapi:/# cd /etc/podinfo/
root@pod-downwardapi:/etc/podinfo# ls
labels  mem-request  name  namespace
root@pod-downwardapi:/etc/podinfo# cat -n namespace 
     1	default
root@pod-downwardapi:/etc/podinfo# 
root@pod-downwardapi:/etc/podinfo# cat -n labels 
     1	app="downwardapi"
     2	type="webapp"
root@pod-downwardapi:/etc/podinfo# 
root@pod-downwardapi:/etc/podinfo# exit
exit
[root@node3 ~]#
```

That concludes this article.
