Notes on k8s usage details

1. Using k8s with Harbor

Using a private registry
  • Create the Secret manually from the command line
[k8s@k8s-master ~]$ kubectl -n test-yapin create secret docker-registry  jinboharbor --docker-server=docker-hub.qhgctech.com  --docker-username=jinbo --docker-password=xxx --docker-email=1165773573@qq.com
[k8s@k8s-master ~]$ kubectl -n test-yapin  describe secrets jinboharbor 
Name:         jinboharbor
Namespace:    test-yapin
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/dockerconfigjson

Data
====
.dockerconfigjson:  145 bytes

Note: --docker-server must be given, otherwise the image cannot be pulled.
When you inspect the newly created Secret with kubectl describe you will see an entry .dockercfg (shown as .dockerconfigjson in the output above), which
corresponds to the .dockercfg file in the user's home directory. That file is normally created by Docker when you run docker login.

  • Reuse the credentials of a machine that has already logged in to the Harbor server
    Run cat ~/.docker/config.json and confirm it contains credentials for the Harbor server, then base64-encode that file:
$ cat ~/.docker/config.json | base64 -w 0
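Both methods above end up with the same object: a Secret of type kubernetes.io/dockerconfigjson whose data field holds a base64-encoded config.json. The script below, an added example that is not code from the original post, builds that Secret from the registry host and placeholder credentials (the host docker-hub.example.com, the user jinbo and the password REPLACE_ME are constructed values), shows the Pod field that makes the kubelet actually use it, and decodes an existing Secret to check which registry host it carries.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the same
# kubernetes.io/dockerconfigjson Secret that `kubectl create secret
# docker-registry` produces, from the registry host and placeholder
# credentials, and shows the Pod field that makes the kubelet use it.
# Every value passed below is a constructed placeholder.

# base64 of "user:password", the value Docker stores under "auth".
docker_auth() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# The JSON that `docker login` writes to ~/.docker/config.json. The key
# under "auths" is the registry host (the --docker-server value); if it
# does not match the host in the image name, the credentials are never
# sent and the pull fails, which is the note in the post.
dockerconfigjson() {
    server=$1; user=$2; pass=$3; email=$4
    printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
        "$server" "$user" "$pass" "$email" "$(docker_auth "$user" "$pass")"
}

# Declarative equivalent of the imperative kubectl command in the post.
# The data field holds the whole config.json, base64-encoded on one line
# (the same thing `base64 -w 0` does in the second method).
secret_manifest() {
    ns=$1; name=$2; server=$3; user=$4; pass=$5; email=$6
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(dockerconfigjson "$server" "$user" "$pass" "$email" | base64 | tr -d '\n')
EOF
}

# A Pod only uses the Secret when it is listed under imagePullSecrets
# (or attached to the Pod's ServiceAccount); creating the Secret alone
# changes nothing.
pod_manifest() {
    ns=$1; secret=$2; image=$3
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: private-image-test
  namespace: $ns
spec:
  imagePullSecrets:
    - name: $secret
  containers:
    - name: app
      image: $image
EOF
}

# Audit helper: print the first registry host stored in a base64-encoded
# .dockerconfigjson read from stdin, to confirm it matches the image host.
registry_in_secret() {
    base64 -d | grep -o '"auths":{"[^"]*"' | cut -d'"' -f4
}

# Demo with constructed values (namespace and Secret name as in the post):
secret_manifest test-yapin jinboharbor docker-hub.example.com jinbo 'REPLACE_ME' user@example.com
pod_manifest test-yapin jinboharbor docker-hub.example.com/test/app:1.0
```

To check an existing Secret against the image host, pipe the stored field through the helper: kubectl -n test-yapin get secret jinboharbor -o jsonpath='{.data.\.dockerconfigjson}' | registry_in_secret. A mismatch between that host and the host in the Pod's image reference is the most common reason a pull fails even though the credentials themselves are right.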

Image pull and push with Jenkins in k8s


2. Manually deleting a pod


3. Populating a volume with selected entries and mounting a selected entry of a volume

  • Expose only selected ConfigMap entries in the volume (volumes.configMap.items)

The items attribute of the volume specifies which entries are exposed as files in the configMap volume

      volumes:
        - name: config
          configMap:
            name: fortune-config
            items:
            - key: a.conf
              path: aa.conf

When selecting a single entry you must set both the entry's key name and the file name it is exposed under, here a.conf and aa.conf

Example (the configMap below contains two entries, a.conf and b.conf):

[k8s@k8s-master jinbo-test]$ cat a.conf 
aaaaaaaaaaaaa
aaaaaaaaaaaaa
[k8s@k8s-master jinbo-test]$ cat b.conf 
bbbbbbbbbb
bbbbbbbbbb
[k8s@k8s-master jinbo-test]$ cat test.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: busybox
  namespace: jinbo-test
  labels:
    app: busybox
spec:
  replicas: 1
  selector:
    matchLabels:
      app: busybox
  template:
    metadata:
      labels:
        app: busybox
    spec:
      containers:
        - name: busybox
          image: busybox:glibc
          imagePullPolicy: "IfNotPresent"
          command: ['sleep','infinity']
          volumeMounts:
            - name: config
              mountPath: /tmp
          resources:
            limits:
              cpu: 40m
              memory: 100Mi
            requests:
              cpu: 40m
              memory: 100Mi
      volumes:
        - name: config
          configMap:
            name: fortune-config
            items:
            - key: a.conf
              path: aa.conf
[k8s@k8s-master jinbo-test]$ kubectl -n jinbo-test exec busybox-7d76c9f58f-mfxmg ls /tmp/
aa.conf
[k8s@k8s-master jinbo-test]$ kubectl -n jinbo-test exec busybox-7d76c9f58f-mfxmg cat /tmp/aa.conf
aaaaaaaaaaaaa
aaaaaaaaaaaaa
[k8s@k8s-master jinbo-test]$ 

The /tmp directory contains only the aa.conf file


  • Mount an individual ConfigMap entry as a file without hiding the other files in the directory
    The additional subPath field of volumeMounts can be used to mount a single file or directory from the volume instead of the whole volume
    spec:
      containers:
        - image: some/image
          volumeMounts:
            - name: myvolume
              mountPath: /etc/someconfig.conf    # mount onto a file, not a directory
              subPath: myconfig.conf             # mount only the entry myconfig.conf, not the whole volume

Example:

[k8s@k8s-master jinbo-test]$ cat b.conf 
bbbbbbbbbb
bbbbbbbbbb
[k8s@k8s-master jinbo-test]$ 
[k8s@k8s-master jinbo-test]$ cat test.yaml 
apiVersion: apps/v1
kind: Deployment
metadata:
  name: busybox
  namespace: jinbo-test
  labels:
    app: busybox
spec:
  replicas: 1
  selector:
    matchLabels:
      app: busybox
  template:
    metadata:
      labels:
        app: busybox
    spec:
      containers:
        - name: busybox
          image: busybox:glibc
          imagePullPolicy: "IfNotPresent"
          command: ['sleep','infinity']
          volumeMounts:
            - name: myvolume
              mountPath: /lib/bb.conf
              subPath: b.conf
          resources:
            limits:
              cpu: 40m
              memory: 100Mi
            requests:
              cpu: 40m
              memory: 100Mi
      volumes:
        - name: myvolume
          configMap:
            name: fortune-config
[k8s@k8s-master jinbo-test]$ kubectl -n jinbo-test exec busybox-6bd9c59c47-ws4gw ls /lib
bb.conf
ld-linux-x86-64.so.2
libc.so.6
libm.so.6
libnsl.so.1
libnss_compat.so.2
libnss_dns.so.2
libnss_files.so.2
libnss_hesiod.so.2
libnss_nis.so.2
libnss_nisplus.so.2
libpthread.so.0
libresolv.so.2
[k8s@k8s-master jinbo-test]$ kubectl -n jinbo-test exec busybox-6bd9c59c47-ws4gw cat /lib/bb.conf
bbbbbbbbbb
bbbbbbbbbb
[k8s@k8s-master jinbo-test]$ 

Conclusion:
key (pod.spec.volumes[0].configMap.items[0].key) selects which entries of the configMap are made available for mounting
path (pod.spec.volumes[0].configMap.items[0].path) renames the key to the file name used in the volume

subPath (pod.spec.containers[0].volumeMounts[0].subPath) mounts a single directory or file from the volume instead of the whole volume
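The two examples above differ in what the mount does to the target directory. The script below is an added example, not code from the original post: it simulates the kubelet's projection with plain directories (a directory for the ConfigMap, one for the volume, one for the container root; all files are constructed) so the effect of items/key/path and of subPath can be seen without a cluster. It adds a third scenario the post avoids, a full-volume mount over /lib, to show why subPath was used there.

```shell
#!/bin/sh
# Added example, not code from the original post: a directory-based
# simulation of how the kubelet projects a ConfigMap volume, so the effect
# of items/key/path and of subPath can be checked without a cluster.
# Directories stand in for the ConfigMap, the volume and the container
# root filesystem; every file and value below is constructed.

# Project a ConfigMap (a directory with one file per key) into a volume
# directory. $3 is an optional space-separated list of "key:path" items:
# when given, only those keys are projected, under the renamed path.
project_configmap() {
    src=$1; vol=$2; items=$3
    mkdir -p "$vol"
    if [ -z "$items" ]; then
        cp "$src"/* "$vol"/               # no items: every key becomes a file
        return 0
    fi
    for it in $items; do
        key=${it%%:*}; path=${it#*:}
        cp "$src/$key" "$vol/$path"      # only the selected key, renamed
    done
}

# Mount the whole volume at mountPath. Like a real bind mount, it covers
# whatever the image already had in that directory.
mount_volume() {
    root=$1; vol=$2; mountpath=$3
    rm -rf "$root$mountpath"
    mkdir -p "$root$mountpath"
    cp "$vol"/* "$root$mountpath"/
}

# Mount one entry of the volume at mountPath (subPath). Only that file is
# placed; the rest of the target directory stays visible.
mount_subpath() {
    root=$1; vol=$2; mountpath=$3; subpath=$4
    mkdir -p "$(dirname "$root$mountpath")"
    cp "$vol/$subpath" "$root$mountpath"
}

# Constructed fixture: a ConfigMap with a.conf and b.conf, and a container
# root whose /lib holds a library the application needs.
setup_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/cm" "$base/root/lib"
    printf 'aaaaaaaaaaaaa\n' > "$base/cm/a.conf"
    printf 'bbbbbbbbbb\n' > "$base/cm/b.conf"
    printf 'placeholder, not a real library\n' > "$base/root/lib/libc.so.6"
    printf '%s' "$base"
}

# List a directory's entries on one line and remove the fixture.
list_and_cleanup() {
    out=$(ls "$1" | tr '\n' ' ')
    rm -rf "$2"
    printf '%s' "$out"
}

# Scenario 1 (first example in the post): items selects a.conf and renames
# it; /tmp ends up holding only aa.conf.
demo_items() {
    base=$(setup_fixture)
    project_configmap "$base/cm" "$base/vol" "a.conf:aa.conf"
    mount_volume "$base/root" "$base/vol" /tmp
    list_and_cleanup "$base/root/tmp" "$base"
}

# Scenario 2 (second example): subPath adds bb.conf to /lib and leaves
# libc.so.6 in place.
demo_subpath() {
    base=$(setup_fixture)
    project_configmap "$base/cm" "$base/vol"
    mount_subpath "$base/root" "$base/vol" /lib/bb.conf b.conf
    list_and_cleanup "$base/root/lib" "$base"
}

# Scenario 3 (what the post avoids): a full-volume mount at /lib hides
# libc.so.6, so in a real cluster the container would not even start.
demo_shadowing() {
    base=$(setup_fixture)
    project_configmap "$base/cm" "$base/vol"
    mount_volume "$base/root" "$base/vol" /lib
    list_and_cleanup "$base/root/lib" "$base"
}

printf 'items   -> /tmp: %s\n' "$(demo_items)"
printf 'subPath -> /lib: %s\n' "$(demo_subpath)"
printf 'full    -> /lib: %s\n' "$(demo_shadowing)"
```

One caveat the simulation cannot show: a container that mounts a ConfigMap entry through subPath does not receive later updates to that ConfigMap, while a full-volume mount is refreshed by the kubelet. If the file is expected to change at runtime, mount the whole volume at a dedicated directory instead.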


4. Adding and removing nodes in a k8s cluster

  • Adding a node
    By default the token used to join the cluster expires after 24 hours; after that, a new node can only join with a newly generated token, created as follows
# list existing tokens
$ kubeadm token list
# generate a new token
$ kubeadm token create

Besides the token, the join command also needs a sha256 value, computed as follows

openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'

Assemble the join command from the token and the sha256 value output above, or use kubeadm token create --print-join-command to get the complete command directly

  • Removing a node
[k8s@k8s-master ~]$ kubectl drain k8s-node2 --delete-local-data --force --ignore-daemonsets
node/k8s-node2 cordoned
WARNING: ignoring DaemonSet-managed Pods: kube-system/kube-flannel-ds-amd64-dzw84, kube-system/kube-proxy-86vsn
node/k8s-node2 drained
[k8s@k8s-master ~]$ kubectl delete nodes k8s-node2
node "k8s-node2" deleted

Options:
--delete-local-data=false: Continue even if there are pods using emptyDir (local data that will be deleted when the node is drained).
--dry-run=false: If true, only print the object that would be sent, without sending it.
--force=false: Continue even if there are pods not managed by a ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet.
--ignore-daemonsets=false: Ignore DaemonSet-managed pods.
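For the join step above, the following helpers are an added example and not code from the original post. ca_cert_hash wraps the openssl pipeline shown in the post; the other functions check the token and hash format and assemble the join command that --print-join-command would otherwise produce. The API server address 10.0.0.1:6443, the token abcdef.0123456789abcdef and the all-zero hash in the demo are constructed values.

```shell
#!/bin/sh
# Added example, not code from the original post: helpers for the
# node-join step. ca_cert_hash wraps the openssl pipeline from the post;
# the other functions check the token and hash format and assemble the
# join command that --print-join-command would otherwise produce. The
# API server address, token and hash used in the demo are constructed.

# sha256 of the DER-encoded CA public key, the value kubeadm expects after
# --discovery-token-ca-cert-hash sha256:. Needs openssl and read access to
# the CA certificate (kubeadm's default path is used when none is given).
ca_cert_hash() {
    cert=${1:-/etc/kubernetes/pki/ca.crt}
    openssl x509 -pubkey -in "$cert" \
      | openssl rsa -pubin -outform der 2>/dev/null \
      | openssl dgst -sha256 -hex | sed 's/^.* //'
}

# kubeadm bootstrap tokens have the form [a-z0-9]{6}.[a-z0-9]{16}.
is_valid_token() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# A hex-encoded sha256 is 64 lowercase hex characters.
is_valid_hash() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Assemble the join command, refusing to emit one with a malformed token
# or hash so that a copy-paste error is caught before it reaches the node.
build_join_command() {
    apiserver=$1; token=$2; cahash=$3
    is_valid_token "$token" || { echo "bad token format: $token" >&2; return 1; }
    is_valid_hash "$cahash" || { echo "bad CA cert hash: $cahash" >&2; return 1; }
    printf 'kubeadm join %s --token %s --discovery-token-ca-cert-hash sha256:%s\n' \
        "$apiserver" "$token" "$cahash"
}

# Demo with constructed values:
build_join_command 10.0.0.1:6443 abcdef.0123456789abcdef "$(printf '%064d' 0)"
```

The hash is what lets the joining node verify it is talking to this cluster's CA, and the token is what lets the cluster accept the node, so treat the token as a credential: any host that obtains it before expiry can join. kubeadm token create accepts a --ttl flag to shorten the default 24 hours, and kubeadm token delete removes a token once the node has joined. On the removal side, newer kubectl versions rename the --delete-local-data drain flag used above to --delete-emptydir-data.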


5. Adding custom DNS records to CoreDNS

Reference: https://blog.csdn.net/kunyus/article/details/88841159

[k8s@k8s-master ~]$ kubectl -n kube-system get configmaps coredns -o yaml
apiVersion: v1
data:
  Corefile: |
    .:53 {
        errors
        health
        kubernetes cluster.local in-addr.arpa ip6.arpa {
           pods insecure
           upstream
           fallthrough in-addr.arpa ip6.arpa
           ttl 30
        }
        hosts {
           1.1.1.1  docker-hub.abcd.com   # custom DNS record
           fallthrough                    # this line is essential
        }
        prometheus :9153
        forward . /etc/resolv.conf
        cache 30
        loop
        reload
        loadbalance
    }
kind: ConfigMap
...
[k8s@k8s-master ~]$ kubectl -n kube-system scale deployment coredns --replicas=0
[k8s@k8s-master ~]$ kubectl -n kube-system scale deployment coredns --replicas=2

fallthrough: if this directive is not configured, you will find that access to services works and the custom records resolve, but every other external name fails to resolve. My understanding is that with fallthrough configured, a name that is not found among the custom records is passed on and resolved through forward . /etc/resolv.conf.
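Because a hosts block without fallthrough silently breaks external resolution for every pod, it is worth checking the Corefile before applying it. The script below is an added example and not code from the original post: an awk check that every hosts block contains fallthrough, and a second function that lists the custom records a Corefile overrides. The two Corefiles are constructed for the check; the good one mirrors the configuration above.

```shell
#!/bin/sh
# Added example, not code from the original post: a small check that every
# hosts block in a CoreDNS Corefile contains `fallthrough`, the directive the
# post identifies as the cause of external names failing to resolve once
# custom records are added. The Corefiles below are constructed test data.

# Reads a Corefile on stdin. Exit 0 when every hosts block contains
# fallthrough, 1 when some hosts block lacks it, 2 when there is no hosts
# block at all.
hosts_blocks_fallthrough() {
    awk '
        /^[[:space:]]*hosts([[:space:]{]|$)/ { in_hosts = 1; seen = 1; ft = 0; next }
        in_hosts && /^[[:space:]]*fallthrough/ { ft = 1 }
        in_hosts && /^[[:space:]]*\}/ { if (!ft) missing = 1; in_hosts = 0 }
        END { if (!seen) exit 2; if (missing) exit 1; exit 0 }
    '
}

# Custom records present in a Corefile: lines inside hosts blocks that start
# with an IP address. Useful for auditing which names the cluster overrides,
# since every pod resolves them this way.
hosts_records() {
    awk '
        /^[[:space:]]*hosts([[:space:]{]|$)/ { in_hosts = 1; next }
        in_hosts && /^[[:space:]]*\}/ { in_hosts = 0 }
        in_hosts && /^[[:space:]]*[0-9a-fA-F.:]+[[:space:]]+[^[:space:]]/ { print $1, $2 }
    '
}

# Constructed Corefile matching the working configuration in the post.
COREFILE_OK='.:53 {
    errors
    health
    kubernetes cluster.local in-addr.arpa ip6.arpa {
       pods insecure
       fallthrough in-addr.arpa ip6.arpa
       ttl 30
    }
    hosts {
       1.1.1.1  docker-hub.abcd.com
       fallthrough
    }
    forward . /etc/resolv.conf
    cache 30
    reload
}'

# Constructed Corefile with the mistake the post describes.
COREFILE_BAD='.:53 {
    hosts {
       1.1.1.1  docker-hub.abcd.com
    }
    forward . /etc/resolv.conf
}'

check_ok()  { printf '%s\n' "$COREFILE_OK"  | hosts_blocks_fallthrough; }
check_bad() { printf '%s\n' "$COREFILE_BAD" | hosts_blocks_fallthrough; }

# Demo:
if check_ok;  then echo "good Corefile: hosts block falls through"; fi
if ! check_bad; then echo "bad Corefile: hosts block lacks fallthrough"; fi
printf '%s\n' "$COREFILE_OK" | hosts_records
```

Against a live cluster, feed the check the stored Corefile: kubectl -n kube-system get configmap coredns -o jsonpath='{.data.Corefile}' | hosts_blocks_fallthrough. Two points follow from the configuration above: the Corefile shown there includes the reload plugin, so CoreDNS picks up a changed ConfigMap on its own and scaling the deployment to 0 and back is only needed when reload is absent; and a hosts entry redirects that name for every pod in the cluster, so write access to the coredns ConfigMap should be as restricted as access to the rest of kube-system.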


6. Configuring nginx ingress to support older TLS versions

6.1 Problem description

As shown in the figure below, accessing the ingress controller with curl (from a server running Red Hat 6.5) or from a client program fails with a TLS handshake error
(figure: image.png, the curl TLS handshake failure; not reproduced here)
6.2 Solution

Without any nginx configuration, the k8s nginx ingress supports only TLS 1.2 by default, not TLS 1.0 or TLS 1.1

Create or modify nginx-configuration:

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
data:
  ssl-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
  ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2"

Update nginx-configuration and restart the pod

Verify that each version gets a normal response:

$ curl -v --tlsv1.0 https://test.com
$ curl -v --tlsv1.1 https://test.com
$ curl -v --tlsv1.2 https://test.com

Reference: https://www.cnblogs.com/lyc94620/p/11345124.html
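The ConfigMap above widens what the ingress accepts, so it helps to have a check that reports what the setting enables and what the endpoint actually negotiates. The script below is an added example, not code from the original post: deprecated_protocols and weak_ciphers are policy checks over the ssl-protocols and ssl-ciphers values (the sample values are taken from the ConfigMap above), and probe_tls_versions runs the three curl checks from the post in a loop, pinning each attempt to one version; the host in its usage is a placeholder and it needs network access, so it is not exercised here.

```shell
#!/bin/sh
# Added example, not code from the original post: a policy check over the
# ssl-protocols and ssl-ciphers values of the ingress-nginx ConfigMap, plus
# a curl loop that reports which versions an endpoint negotiates. Sample
# values come from the post's ConfigMap; the probed host is a placeholder.

# Protocol versions deprecated by RFC 8996 (TLS 1.0/1.1) or earlier (SSL).
# Prints each one found in an ssl-protocols value, one per line.
deprecated_protocols() {
    for p in $1; do
        case $p in
            TLSv1|TLSv1.1|SSLv3|SSLv2) printf '%s\n' "$p" ;;
        esac
    done
}

# True when the ssl-protocols value enables no deprecated version.
protocols_are_modern() {
    [ -z "$(deprecated_protocols "$1")" ]
}

# Enabled (not '!'-excluded) ciphers from an ssl-ciphers string that use
# 3DES, RC4 or MD5. DES-CBC3-SHA is in the post's list only because the
# old client may need it; this shows what that trade-off enables.
weak_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -v '^!' | grep -E 'DES-CBC3|RC4|MD5' || true
}

# Probe which TLS versions an endpoint accepts. Each curl is pinned to a
# single version (--tlsv1.x sets the minimum, --tls-max the maximum). curl
# exit code 35 is a failed handshake; anything else (e.g. 60, certificate
# not trusted) is reported separately so it is not mistaken for a refusal.
probe_tls_versions() {
    host=$1
    for v in 1.0 1.1 1.2 1.3; do
        curl -s -o /dev/null "--tlsv$v" --tls-max "$v" "https://$host" 2>/dev/null
        rc=$?
        case $rc in
            0)  printf 'TLS %s: accepted\n' "$v" ;;
            35) printf 'TLS %s: handshake refused\n' "$v" ;;
            *)  printf 'TLS %s: other error (curl exit %s)\n' "$v" "$rc" ;;
        esac
    done
}

# Demo over the values from the post's ConfigMap:
printf 'deprecated versions enabled: %s\n' "$(deprecated_protocols 'TLSv1 TLSv1.1 TLSv1.2' | tr '\n' ' ')"
printf 'weak ciphers enabled: %s\n' "$(weak_ciphers 'AES128-GCM-SHA256:DES-CBC3-SHA:!RC4:!MD5' | tr '\n' ' ')"
# probe_tls_versions test.com   # placeholder host from the post; needs network
```

To run the policy check against the live object: kubectl -n ingress-nginx get configmap nginx-configuration -o jsonpath='{.data.ssl-protocols}' | xargs -0 -I{} sh -c 'deprecated_protocols "{}"' (or simply paste the value). Since the setting applies to every host behind the ingress controller, the usual approach is to keep it only until the Red Hat 6.5 client is upgraded and to re-run the probe afterwards to confirm TLS 1.0 and 1.1 are refused again.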

最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時(shí)請(qǐng)結(jié)合常識(shí)與多方信息審慎甄別。
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀(guān)點(diǎn),簡(jiǎn)書(shū)系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容