k8s踏坑记 第一篇

开始还欠下的Kubernetes的债

首先是照着书敲《Kubernetes权威指南》，国人写的，写这篇文章时候看到了第一章第四节，不想吐槽了，专注记录坑

搭建单机版kubernetes集群

关防火墙

实在是偷懒的做法，纯测试用

# 关闭
systemctl stop firewalld
# 取消自启动
systemctl disable firewalld	

装etcd和k8s

yum install -y etcd kubernetes

按顺序起服务

systemctl start etcd
systemctl start docker
systemctl start kube-apiserver
systemctl start kube-controller-manager
systemctl start kube-scheduler
systemctl start kubelet
systemctl start kube-proxy

启mysql服务

创建pod

创建mysql-rc.yaml，内容：

apiVersion: v1  				#指定api版本，此值必须在kubectl apiversion中
kind: ReplicationController   	#指定创建资源的类型或者角色，这里是副本控制器 RC
metadata:       				#资源的元数据/属性
  name: mysql
spec:           				#specification of the resource content
  replicas: 1   				#Pod副本期待数量
  selector:
    app: mysql  				#通过这个标签找到生产的Pod
  template:  　 					#根据此模版创建Pod的副本(实例)
    metadata:
      labels:   				#设定资源的标签     
        app: mysql  	#Pod副本拥有的标签，对应RC的selector中app: mysql
    spec:
      containers:   			#Pod内容器的定义部分
      - name: mysql   			#容器的名称
        image: mysql  			#容器对应的Docker Image
        ports:
        - containerPort: 3306 	#容器应用监听的端口号
        env:                 	#注入容器内的环境变量
        - name: MYSQL_ROOT_PASSWORD
          value: "123456"

发布到k8s集群，在master节点执行

kubectl create -f mysql-rc.yaml

replicationcontroller "mysql" created创建完成
查看RC：

kubectl get rc

NAME      DESIRED   CURRENT   READY     AGE
mysql     1         1         0         1m

查看pod

kubectl get pods

坑一

查看pod，显示No resources found.，搜了一圈，要修改个文件

vim /etc/kubernetes/apiserver

KUBE_ADMISSION_CONTROL项，去掉SecurityContextDeny,ServiceAccount，修改完成： KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,ResourceQuota"
重启kube-apiserver：systemctl restart kube-apiserver

重新创建RC，查看pod：

kubectl get pods

NAME          READY     STATUS              RESTARTS   AGE
mysql-gjg9h   0/1       ContainerCreating   0          1m

坑二

查看pod状态，发现永远是ContainerCreating状态，查看日志：

kubectl logs mysql-gjg9h

Error from server (BadRequest): container "mysql" in pod "mysql-gjg9h" is waiting to start: ContainerCreating

就这一句话。用kubectl describe pod xxx查看

kubectl describe pod mysql-gjg9h

... ...
Events:
  FirstSeen	LastSeen	Count	From			SubObjectPath	Type		Reason		Message
  ---------	--------	-----	----			-------------	--------	------		-------
  7m		7m		1	{default-scheduler }			Normal		Scheduled	Successfully assigned mysql-gjg9h to 127.0.0.1
  7m		1m		6	{kubelet 127.0.0.1}			Warning		FailedSync	Error syncing pod, skipping: failed to "StartContainer" for "POD" with ErrImagePull: "image pull failed for registry.access.redhat.com/rhel7/pod-infrastructure:latest, this may be because there are no credentials on this request.  details: (open /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt: no such file or directory)"

  6m	0s	26	{kubelet 127.0.0.1}		Warning	FailedSync	Error syncing pod, skipping: failed to "StartContainer" for "POD" with ImagePullBackOff: "Back-off pulling image \"registry.access.redhat.com/rhel7/pod-infrastructure:latest\""

看到这个报错，首先尝试拉docker pull registry.access.redhat.com/rhel7/pod-infrastructure:latest

Trying to pull repository registry.access.redhat.com/rhel7/pod-infrastructure ... 
open /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt: no such file or directory

报了个这个。。

进去报没有文件的这个路径查看这个文件：

[root@QA ~]# cd /etc/docker/certs.d/registry.access.redhat.com
[root@QA registry.access.redhat.com]# ll
总用量 0
lrwxrwxrwx. 1 root root 27 2月   2 10:10 redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem

发现是个软链接，安装对应的：yum install *rhsm*
安装完成，重新尝试拉镜像：docker pull registry.access.redhat.com/rhel7/pod-infrastructure:latest

发现还是报失败

重新找了个办法：

openssl s_client -showcerts -servername registry.access.redhat.com -connect registry.access.redhat.com:443 </dev/null 2>/dev/null | openssl x509 -text > /etc/rhsm/ca/redhat-uep.pem

上面命令执行完之后再拉镜像:

[root@QA registry.access.redhat.com]# docker pull registry.access.redhat.com/rhel7/pod-infrastructure:latest
Trying to pull repository registry.access.redhat.com/rhel7/pod-infrastructure ... 
latest: Pulling from registry.access.redhat.com/rhel7/pod-infrastructure
26e5ed6899db: Pull complete 
66dbe984a319: Pull complete 
9138e7863e08: Pull complete 
Digest: sha256:92d43c37297da3ab187fc2b9e9ebfb243c1110d446c783ae1b989088495db931
Status: Image is up to date for registry.access.redhat.com/rhel7/pod-infrastructure:latest

成功。
删除RC，删除pod，重新发布：

kubectl delete -f mysql-rc.yaml
# 验证
kubectl get rc
kubectl get pod 

因为压根没有部署pod成功，所以删除pod时候，只需要

kubectl delete pod mysql-xxxx

就行了，如果是部署成功的，还需要查出deployment再删除

kubectl get deployment
kubectl delete deployment xxx

发布到kubernetes集群里：kubectl create -f mysql-rc.yaml

这次发现还是没成功创建pod，继续describe：Error syncing pod, skipping: failed to "StartContainer" for "mysql" with ErrImagePull: "net/http: request canceled"
看这样子，是拉镜像时候网络超时了，配置新的镜像加速器vim /etc/docker/daemon.json：

{
  "registry-mirrors": ["http://hub-mirror.c.163.com"]
}

重启docker： systemctl restart docker

继续删除rc，删除pod，重新发布
视本地网络因素（拉镜像），等n久之后查看pod

[root@QA myweb]# kubectl get pods

NAME          READY     STATUS    RESTARTS   AGE
mysql-4cvj5   1/1       Running   0          13s

终于成功了。。。

创建kubernetes service

上述完成之后，创建一个和这个pod关联的kubernetes service
创建mysql-svc.yaml文件，内容：

apiVersion: v1
kind: Service
metadata:
  name: mysql
spec:
  ports:
    - port: 3306
  selector:
    app: mysql

创建service：kubectl create -f musql-svc.yaml
查看：

[root@QA myweb]# kubectl get svc

NAME         CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
kubernetes   10.254.0.1      <none>        443/TCP    2h
mysql        10.254.151.22   <none>        3306/TCP   11s

其中CLUSTER-IP 是一个虚拟的IP地址，由于Service（一个Service通常有多个相关的服务进程组成，kubernetes使用一组虚拟的IP和端口让用户连接到指定的service上）一旦创建就不会变化，所以不管后台有多少服务进程，也不管某个服务进程是否会由于发生故障或者部署到其他机器，都不需要因为业务服务进程的变更而去变更其他系统配置。

以上就是使用kubernetes启动一个服务（rc，service）需要的操作。