第1题: 基于角色的访问控制-RBAC
创建一个名为deployment-clusterrole的clusterrole,该clusterrole只允许创建Deployment、Daemonset、Statefulset的create操作
在名字为app-team1的namespace下创建一个名为cicd-token的serviceAccount,并且将上一步创建clusterrole的权限绑定到该serviceAccount
kubectl create clusterrole deployment-clusterrole --verb=create --resource=deployments,ds,sts
kubectl create serviceaccount cicd-token
kubectl create rolebinding NAME --clusterrole=NAME|--role=NAME [--user=username] [--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none]
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: secret-reader
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
apiVersion: v1
kind: ServiceAccount
metadata:
name: cicd-token
第2题 节点维护-指定node节点不可用
将k8s-node-1节点设置为不可用,然后重新调度该节点上的所有Pod
[root@node-21-243 ~]# kubectl drain k8s-node-1 --force=true
第3题 K8s版本升级
现有的 Kubernetes 集权正在运行的版本是 1.21.0,仅将主节点上的所有 kubernetes 控制面板和组件升级到版本 1.22.0 另外,在主节点上升级 kubelet 和 kubectl
#设置为维护状态
$ kubectl config use-context mk8s
$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master Ready control-plane,master 11d v1.21.0
k8s-node01 Ready <none> 8d v1.21.0
k8s-node02 Ready <none> 11d v1.21.0
$ kubectl cordon k8s-master
# 驱逐Pod
$ kubectl drain k8s-master --delete-emptydir-data --ignore-daemonsets –force
#按照题目提示ssh到一个master节点
$ ssh k8s-master
$ apt update
$ apt-cache policy kubeadm | grep 1.22.0 #查看支持哪个版本
$ apt-get install kubeadm=1.22.0-00
#验证升级计划
$ kubeadm upgrade plan
# 看到如下信息,可升级到指定版本
You can now apply the upgrade by executing the following command:
kubeadm upgrade apply v1.22.0
# 开始升级Master节点
$ kubeadm upgrade apply v1.22.0 --etcd-upgrade=false
[upgrade/successful] SUCCESS! Your cluster was upgraded to "v1.22.0". Enjoy!
[upgrade/kubelet] Now that your control plane is upgraded, please proceed with upgrading your kubelets if you haven't already done so.
# 升级kubectl和kubelet
$ apt-get install -y kubelet=1.22.0-00 kubectl=1.22.0-00
$ systemctl daemon-reload
$ systemctl restart kubelet
$ kubectl uncordon k8s-master
node/k8s-master uncordoned
$ kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-master Ready control-plane,master 11d v1.22.0
k8s-node01 Ready <none> 8d v1.21.0
k8s-node02 Ready <none> 11d v1.21.0
第4题 Etcd数据库备份恢复
针对etcd实例https://127.0.0.1:2379创建一个快照,保存到/srv/data/etcd-snapshot.db。在创建快照的过程中,如果卡住了,就键入ctrl+c终止,然后重试。
然后恢复一个已经存在的快照: /var/lib/backup/etcd-snapshot-previous.db
执行etcdctl命令的证书存放在:
ca证书:/opt/KUIN00601/ca.crt
客户端证书:/opt/KUIN00601/etcd-client.crt
客户端密钥:/opt/KUIN00601/etcd-client.key
ETCDCTL_API=3 etcdctl --endpoints 10.2.0.9:2379 \
--cert=/etc/kubernetes/pki/etcd/server.crt \
--key=/etc/kubernetes/pki/etcd/server.key \
--cacert=/etc/kubernetes/pki/etcd/ca.crt \
snapshot save /srv/data/etcd-snapshot.db
ETCDCTL_API=3 etcdctl --endpoints 10.2.0.9:2379 snapshot restore /var/lib/backup/etcd-snapshot-previous.db
第5题 网络策略NetworkPolicy
创建一个名字为all-port-from-namespace的NetworkPolicy,这个NetworkPolicy允许internal命名空间下的Pod访问该命名空间下的9000端口。
并且不允许不是internal命令空间的下的Pod访问
不允许访问没有监听9000端口的Pod。
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: default
spec:
podSelector:
matchLabels:
role: db
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
user: alice
ports:
- protocol: TCP
port: 6379
第6题 四层负载均衡service
重新配置一个已经存在的deployment front-end,在名字为nginx的容器里面添加一个端口配置,名字为http,暴露端口号为80,然后创建一个service,名字为front-end-svc,暴露该deployment的http端口,并且service的类型为NodePort。
kubectl edit deployment front-end
spec:
containers:
ports:
- name: http
containerPort: 80
apiVersion: v1
kind: Service
metadata:
name: front-end-svc
spec:
type: NodePort
selector:
app: MyApp
ports:
- port: 80
targetPort: 80
nodePort: 30007
第7题 七层负载均衡Ingress
在ing-internal 命名空间下创建一个ingress,名字为pong,代理的service hi,端口为5678,配置路径/hi。
验证:访问curl -kL <INTERNAL_IP>/hi会返回hi
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: pong
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- http:
paths:
- path: /hi
pathType: Prefix
backend:
service:
name: hi
port:
number: 5678
第8题 Deployment管理pod扩缩容
扩容名字为loadbalancer的deployment的副本数为6
kubectl scale --replicas=6 deployment/loadbalancer
第9题 pod指定节点部署
创建一个Pod,名字为nginx-kusc00401,镜像地址是nginx,调度到具有disk=spinning标签的节点上
apiVersion: v1
kind: Pod
metadata:
name: nginx-kusc00401
labels:
env: test
spec:
containers:
- name: nginx
image: nginx
imagePullPolicy: IfNotPresent
nodeSelector:
disk: spinning
第10题 检查Node节点的健康状态
检查集群中有多少节点为Ready状态,并且去除包含NoSchedule污点的节点。之后将数字写到/opt/KUSC00402/kusc00402.txt
kubectl get node | awk '{print $2}' | grep -w Ready | wc -l
第11题 一个Pod封装多个容器
创建一个Pod,名字为kucc1,这个Pod可能包含1-4容器,该题为四个:nginx+redis+memcached+consul
apiVersion: v1
kind: Pod
metadata:
name: kucc1
spec:
containers:
- name: nginx
image: nginx
- name: redis
image: redis
- name: memcached
image: memcached
- name: consul
image: consul
第12题 持久化存储卷Persistent、Volume
创建一个pv,名字为app-config,大小为2Gi,访问权限为ReadWriteMany。Volume的类型为hostPath,路径为/srv/app-config
apiVersion: v1
kind: PersistentVolume
metadata:
name: example-pv
spec:
capacity:
storage: 100Gi
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Delete
storageClassName: local-storage
local:
path: /mnt/disks/ssd1
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- example-node
第13题 PersistentVolumeClaim
创建一个名字为pv-volume的pvc,指定storageClass为csi-hostpath-sc,大小为10Mi
然后创建一个Pod,名字为web-server,镜像为nginx,并且挂载该PVC至/usr/share/nginx/html,挂载的权限为ReadWriteOnce。之后通过kubectl edit或者kubectl path将pvc改成70Mi,并且记录修改记录。
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: myclaim
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 8Gi
storageClassName: slow
selector:
matchLabels:
release: "stable"
matchExpressions:
- {key: environment, operator: In, values: [dev]}
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: myfrontend
image: nginx
volumeMounts:
- mountPath: "/var/www/html"
name: mypd
volumes:
- name: mypd
persistentVolumeClaim:
claimName: myclaim
kubectl edit pvc pv-volume
第14题 监控Pod日志
监控名为foobar的Pod的日志,并过滤出具有unable-access-website 信息的行,然后将写入到 /opt/KUTR00101/foobar
kubectl logs -f foobar | grep unable-access-website >> /opt/KUTR00101/foobar
第15题 Sidecar代理
添加一个名为busybox且镜像为busybox的sidecar到一个已经存在的名为legacy-app的Pod上,这个sidecar的启动命令为/bin/sh, -c, 'tail -n+1 -f /var/log/legacy-app.log'。
并且这个sidecar和原有的镜像挂载一个名为logs的volume,挂载的目录为/var/log/
apiVersion: v1
kind: Pod
metadata:
name: counter
spec:
containers:
- name: count
image: busybox
args:
- /bin/sh
- -c
- >
i=0;
while true;
do
echo "$i: $(date)" >> /var/log/1.log;
echo "$(date) INFO $i" >> /var/log/2.log;
i=$((i+1));
sleep 1;
done
volumeMounts:
- name: varlog
mountPath: /var/log
volumes:
- name: varlog
emptyDir: {}
第16题 监控Pod度量指标
找出具有name=cpu-user的Pod,并过滤出使用CPU最高的Pod,然后把它的名字写在已经存在的/opt/KUTR00401/KUTR00401.txt文件里(注意他没有说指定namespace。所以需要使用-A指定所以namespace)
kubectl top pod --selector='name=cpu-user' --sort-by='cpu' -A
第17题 集群故障排查 – kubelet故障
一个名为wk8s-node-0的节点状态为NotReady,让其他恢复至正常状态,并确认所有的更改开机自动完成
kubectl describe node node-21-243