  • 练习calico的网络policy

    1.安装docker,kubelet kubeadm kubectl 

    # Host preparation. This listing is shell history: the leading number on
    # each line is the history index, not part of the command.
    # Create an SSH key pair, look at the authorized and public keys, then log
    # in to the node by address.
    1 ssh-keygen
    2 cat .ssh/authorized_keys
    3 cat .ssh/id_rsa.pub
    4 ssh 47.254.84.60
    # Turn swap off for the running system (kubeadm's preflight checks expect
    # this). `swapoff -a` does not survive a reboot; the manual fstab edit is
    # presumably where the swap entry gets commented out, confirm.
    5 swapoff -a
    6 vi /etc/fstab
    # NOTE(review): this stops the host firewall outright instead of opening
    # only the ports the cluster needs. If the node is reachable from untrusted
    # networks, the API server, kubelet and etcd ports are then filtered only by
    # whatever sits upstream (e.g. a cloud security group). `stop` is not
    # `disable`: firewalld comes back on the next boot if it is enabled.
    7 systemctl stop firewalld
    # Register the Kubernetes yum repository. gpgcheck=1 and repo_gpgcheck=1
    # keep signature verification on for both packages and repository metadata,
    # using the two keys listed in gpgkey. exclude=kube* stops routine
    # `yum update` runs from moving the kube packages, which is why the install
    # in step 11 passes --disableexcludes=kubernetes.
    # NOTE(review): this packages.cloud.google.com repository is the legacy
    # location; newer install guides use pkgs.k8s.io. Confirm against current docs.
    8 cat <<EOF > /etc/yum.repos.d/kubernetes.repo
    [kubernetes]
    name=Kubernetes
    baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
    enabled=1
    gpgcheck=1
    repo_gpgcheck=1
    gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
    exclude=kube*
    EOF

    # Switch SELinux to permissive for the running system (setenforce 0) and
    # make that persistent by rewriting /etc/selinux/config.
    # NOTE(review): permissive mode logs policy violations but no longer blocks
    # them, so the node loses a containment layer for container escapes. Treat
    # this as a lab setting, not a production baseline.
    9 setenforce 0
    10 sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
    # Install the node components (no version pinned, so the newest packages in
    # the repo are taken) and start kubelet now and on every boot.
    11 yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes
    12 systemctl enable --now kubelet
    # Send bridged (pod-to-pod) traffic through iptables/ip6tables, so that
    # iptables-based rules on the node also see traffic crossing a Linux bridge.
    13 cat <<EOF > /etc/sysctl.d/k8s.conf
    net.bridge.bridge-nf-call-ip6tables = 1
    net.bridge.bridge-nf-call-iptables = 1
    EOF

    # Reload all sysctl configuration, then check for, load and re-check the
    # br_netfilter module.
    # NOTE(review): the net.bridge.* keys only exist once br_netfilter is
    # loaded, and here `sysctl --system` (step 14) runs before `modprobe`
    # (step 16), so the two settings may not have been applied. Re-run
    # `sysctl --system` after loading the module and verify the values.
    # modprobe alone also does not persist across reboots.
    14 sysctl --system
    15 lsmod | grep br_netfilter
    16 modprobe br_netfilter
    17 lsmod | grep br_netfilter
    # Install Docker CE from Docker's own yum repository.
    # Step 20 only lists the available docker-ce versions; step 21 installs
    # without naming one, so the newest build is taken. Without -y, yum prompts
    # before installing.
    # NOTE(review): for a reproducible node, pin a docker-ce version that the
    # chosen Kubernetes release is validated against.
    18 yum install -y yum-utils device-mapper-persistent-data lvm2
    19 yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
    20 yum list docker-ce --showduplicates | sort -r
    21 yum install docker-ce
    # Start Docker now and on boot, then start kubelet and check its state.
    22 sudo systemctl start docker
    23 systemctl enable docker
    24 systemctl start kubelet
    25 systemctl status kubelet
    # Bootstrap the control plane. 192.168.0.0/16 is the pod CIDR passed to
    # kubeadm; presumably chosen to match the default pool in the Calico
    # manifest applied below. Verify it does not overlap the host network.
    26 kubeadm init --pod-network-cidr=192.168.0.0/16
    # Copy the admin kubeconfig into the current user's home and take ownership.
    # NOTE(review): admin.conf carries cluster-admin credentials; keep the copy
    # readable by its owner only and do not distribute it as a general-purpose
    # kubeconfig.
    27 mkdir -p $HOME/.kube
    28 sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
    29 sudo chown $(id -u):$(id -g) $HOME/.kube/config
    # Check node and pod state. Step 31 mistypes the flag; step 32 is the
    # corrected command (--all-namespaces).
    30 kubectl get no
    31 kubectl get pod --all-namespace
    32 kubectl get pod --all-namespaces
    33 kubectl get no
    # Install Calico v3.5 in its etcd-backed "hosted" variant: first the etcd
    # manifest, then Calico itself.
    # NOTE(review): both manifests are applied straight from a URL with
    # cluster-admin rights, so whatever that URL serves at that moment is what
    # gets installed. Download the files, review them (they create
    # cluster-level RBAC and node-level components), keep them in version
    # control and apply the local copies.
    34 kubectl apply -f https://docs.projectcalico.org/v3.5/getting-started/kubernetes/installation/hosted/etcd.yaml
    35 kubectl apply -f https://docs.projectcalico.org/v3.5/getting-started/kubernetes/installation/hosted/calico.yaml
    36 kubectl get pods --all-namespaces
    37 kubectl get no
    # Remove the master taint from every node so ordinary pods can schedule on
    # the control-plane node. That is needed on a single-node lab cluster, but
    # it also places application workloads next to control-plane components.
    38 kubectl taint nodes --all node-role.kubernetes.io/master-
    39 kubectl get pods --all-namespaces

    2.calico pod策略

    # Build the demo: a dedicated namespace, an nginx deployment with two
    # replicas, and a Service on port 80 in front of it.
    # `kubectl run` labels what it creates with run=<name>; the NetworkPolicies
    # later in this listing select on those labels (run: nginx, run: access).
    # NOTE(review): --replicas on `kubectl run` belongs to older kubectl
    # releases; newer ones use `kubectl create deployment`. Confirm for your version.
    40 kubectl create ns policy-demo
    41 kubectl run --namespace=policy-demo nginx --replicas=2 --image=nginx
    42 kubectl expose --namespace=policy-demo deployment nginx --port=80
    # Baseline check before any policy exists: an interactive busybox pod named
    # "access" (removed on exit because of --rm) from which nginx can be probed.
    43 kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
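    # Default-deny for the namespace: the empty matchLabels selector matches
    # every pod in policy-demo, and with no ingress rules listed nothing is
    # allowed in. No policyTypes/egress section is given, so this isolates
    # ingress only; outbound traffic from these pods stays unrestricted.
    # The YAML nesting is restored here; flattened to one column, the manifest
    # has no metadata.name and no spec.podSelector and cannot express the policy.
    44 kubectl create -f - <<EOF
    kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: default-deny
      namespace: policy-demo
    spec:
      podSelector:
        matchLabels: {}
    EOF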

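    # Re-run the probe pod after the default-deny policy from step 44:
    # connections from "access" to nginx are now expected to fail.
    45 kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
    # Allow ingress to the nginx pods (run: nginx) only from pods labelled
    # run: access. The podSelector under "from" has no namespaceSelector, so it
    # matches pods in policy-demo only; no ports are listed, so every port on
    # the nginx pods is opened to those peers.
    # The YAML nesting is restored here; flattened to one column, the selectors
    # and the ingress rule are not attached to spec.
    46 kubectl create -f - <<EOF
    kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: access-nginx
      namespace: policy-demo
    spec:
      podSelector:
        matchLabels:
          run: nginx
      ingress:
        - from:
          - podSelector:
              matchLabels:
                run: access
    EOF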

    # Verify both sides of the access-nginx policy: the pod named "access"
    # (label run=access) is expected to reach nginx, while "cant-access"
    # (label run=cant-access) is expected to be blocked. Testing the denied
    # case as well as the allowed one is what shows the policy is enforced.
    47 kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
    48 kubectl run --namespace=policy-demo cant-access --rm -ti --image busybox /bin/sh
    # Step 49 has no --namespace, so it lists the current (default) namespace
    # rather than policy-demo; step 50 lists pods across all namespaces.
    49 kubectl get pod
    50 kubectl get pod --all-namespaces

  • 原文地址:https://www.cnblogs.com/Jt00/p/10718345.html