command: ['/bin/sh']
command: ["rm", "-fr", "/var/lib/dbs/lost+found"]
command:
- 'sh'
- '-c'
- 'pwd'
command: ["sh", "-c", "pwd; sleep 2; pwd;"]
command: ["sh"]
args: ["-c","pwd; sleep 2; pwd;"]If the script is very long and you want to write it into yaml file
command: ['sh']
args:
- "-c"
- |
set -ex
if [ "$a" -eq "$b" ];then
touch /tmp/test
else
echo "not eq"
fiThis model is mainly used for compilation, deployment, compilation and import
The init container can use git to download the code to emptydir, and then the main container builds it
apiVersion: batch/v1
kind: Job
metadata:
generateName: test-
namespace: default
spec:
backoffLimit: 6
completions: 1
parallelism: 1
template:
spec:
initContainers:
- name: init
image: ubuntu
imagePullPolicy: IfNotPresent
command: ["touch","/tmp/test.txt"]
volumeMounts:
- name: mytmp
mountPath: "/tmp"
containers:
- name: test
image: ubuntu
command: ["ls", "/tmp"]
volumeMounts:
- name: mytmp
mountPath: "/tmp"
imagePullPolicy: IfNotPresent
dnsPolicy: ClusterFirst
restartPolicy: Never
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
volumes:
- name: mytmp
emptyDir: {}For a job in the normal state, if you use apply or create, there will be the problem of unchanged or existing name
But in many cases, I have a yaml that needs to be executed manually occasionally (no cron is required)
apiVersion: batch/v1
kind: Job
metadata:
generateName: pi-with-ttl-
spec:
ttlSecondsAfterFinished: 10
template:
spec:
containers:
- name: pi
image: perl
command: ["perl", "-Mbignum=bpi", "-wle", "print bpi(2000)"]
restartPolicy: Never
It should be noted that job TTL is a new feature of 1.21. In the old version of kubernetes, you may need to use cronjob to clean up these executed jobs regularly
kubectl delete jobs `kubectl get jobs -o custom-columns=:.metadata.name -n lizhe` -n lizhe
However, the above solution also suffers from the fact that cronjobs may delete running jobs by mistake
Be careful
First make sure you have git installed
Then use the following command
(
set -x; cd "$(mktemp -d)" &&
OS="$(uname | tr '[:upper:]' '[:lower:]')" &&
ARCH="$(uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/')" &&
curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/krew.tar.gz" &&
tar zxvf krew.tar.gz &&
KREW=./krew-"${OS}_${ARCH}" &&
"$KREW" install krew
)
export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"
kubectl krew
Kubectl Krew update # update
Kubectl Krew search # displays all plug-ins
Kubectl Krew install view secret # installs a plug-in named view secret
Kubectl view secret # uses this plug-in
Kubectl Krew upgrade # upgrade installed plug-ins
Kubectl Krew remove view secret # uninstall plug-inKube linter is a static analysis tool
Installing using golang
GO111MODULE=on go get golang.stackrox.io/kube-linter/cmd/kube-linterOr use Linux brew
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
echo 'eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"' >> /home/lizhe/.profile
eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
brew install kube-linterUsing lint
kube-linter lint test.yaml
curl https://get.datree.io | /bin/bash
Let’s use datree to test the following yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx
lifecycle:
postStart:
exec:
command:
- sh
- -c
- date "+%Y-%m-%d %H:%M:%S" > /datetmp.txt && sleep 30
ports:
- containerPort: 80
livenessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 30
readinessProbe:
httpGet:
path: /
port: 80
scheme: HTTP
initialDelaySeconds: 30datree test demo.yaml
❌ Ensure Deployment has more than one replica configured [1 occurrences]
💡 Incorrect value for key `replicas` - running 2 or more replicas will increase the availability of the service
❌ Ensure each container image has a pinned (tag) version [1 occurrences]
💡 Incorrect value for key `image` - specify an image version to avoid unpleasant "version surprises" in the future
❌ Ensure each container has a configured CPU limit [1 occurrences]
💡 Missing property object `limits.cpu` - value should be within the accepted boundaries recommended by the organization
❌ Ensure each container has a configured CPU request [1 occurrences]
💡 Missing property object `requests.cpu` - value should be within the accepted boundaries recommended by the organization
❌ Ensure each container has a configured memory request [1 occurrences]
💡 Missing property object `requests.memory` - value should be within the accepted boundaries recommended by the organization
❌ Ensure each container has a configured memory limit [1 occurrences]
💡 Missing property object `limits.memory` - value should be within the accepted boundaries recommended by the organization
If you need to check multiple files at once, you can use folders directly
By default, it has only 21 (?) rule
Each CLI invocation is running a default policy that includes 21 built-in rules.
You can reconfigure it by logging in with cliid
Reference official
https://kubernetes.io/zh/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/
This example is the simplest HelloWorld example. It does not involve coding content, but can be used to understand how CRD works
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
# The name must match the spec field below, and the format is' < plural form of name >< Group name > '
name: crontabs.stable.example.com
spec:
# Group name for rest API: / APIs / < group > / < version >
group: stable.example.com
# List the supported versions of this customresourcedefinition
versions:
- name: v1
# Each version can be enabled or disabled independently through the served flag
served: true
# One and only one version must be marked as a stored version
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
cronSpec:
type: string
image:
type: string
replicas:
type: integer
# It can be named or cluster
scope: Namespaced
names:
# Plural of name for URL: / APIs / < group > / < version > / < plural of name >
plural: crontabs
# The singular form of the name as an alias when used on the command line and when displayed
singular: crontab
# Kind is usually a singular form of camel cased. Your resource list will use this form.
kind: CronTab
# Shortnames allows you to match resources with shorter strings on the command line
shortNames:
- ct
After the above steps, we will get a new service endpoint in
/apis/stable.example.com/v1/namespaces/*/crontabs/...Create crontab custom object
my-crontab.yaml
apiVersion: "stable.example.com/v1"
kind: CronTab
metadata:
name: my-new-cron-object
spec:
cronSpec: "*/60 * * * *"
image: my-awesome-cron-image
Rancher can run a security scan to check whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark.
The Internet Security Center (CIS) is a non-profit organization that develops its own configuration strategy benchmark (i.e. CIS benchmark) so that the organization can improve its security and compliance plans and posture.
In addition to operating systems and databases, the organization also launched benchmark benchmarks applicable to kubernetes and dockers.
refer
https://docs.microsoft.com/zh-cn/azure/aks/certificate-rotation
kubectl config view --raw -o jsonpath="{.clusters[?(@.name == 'cluster_name')].cluster.certificate-authority-data}" | base64 -d | openssl x509 -text | grep -A2 Validity
Using AZ aks rotate certs to rotate certificates may cause the AKS cluster to shut down for up to 30 minutes.
az aks rotate-certs -g $RESOURCE_GROUP_NAME -n $CLUSTER_NAMEThe core function of kubelet is to create a pod on the host and start the containers it defines.
In the kubernetes community, both kubelet and cri belong to sig node.
Kubernetes has two irreplaceable components: Kube apiserver and kubelet.
Kubelet itself works according to the controller mode. The core of the work is a control loop syncloop
There are four events that drive the operation of the control cycle
Kubelet will monitor the changes of pod objects related to him through the watch mechanism. Of course, the filter condition of this watch is that the nodeName field of the pod is the same as its own. Kubelet will cache the information of these pods in its own memory.
It should be noted here that the execution process of kubelet calling the lower container runtime does not directly call the docker API, but is indirectly executed through a set of grpc interfaces called CRI. Kubernetes before version 1.6 directly called the docker API to create and manage containers
The core of CRI mechanism is that each container project can now implement a CRI shim to process CRI requests by itself. In this way, kubernetes has a unified container abstraction layer.
In addition to dockershim, CRI shim of other container runtime needs to be additionally deployed on the host.
The containerd project in CNCF can provide a typical CRI shim capability, convert the CRI request sent by kubernetes into a call to containerd, and then create a runc container. The runc project is the component responsible for basic operations such as setting container namespace, cgroups and chroot.
There is also a set of interfaces called runpodsandbox in CRI. It does not correspond to the pod API object in kubernetes, but only extracts some fields related to the container runtime in pod, such as hostname, dnsconfig, cgroupparent, etc.
As a specific container project, you need to decide how to use these fields to implement a pod model expected by kubernetes.
After kubectl run is executed and a pod containing containers a and B is created, the information of this pod finally comes to kubelet.
Then kubelet will create a and B containers according to the following steps
RunPodSandbox(foo)
In the specific CRI shim, the implementation of these interfaces can be completely different
If it is a docker project, dockershim will create an infra container named foo (pause container) to hold the network namespace of the whole pod.
If it is a container based on virtualization technology, such as Kata containers project, its CRI implementation will directly create a lightweight virtual machine to act as a pod
In the implementation of runpodsandbox interface, you also need to call networkplugin Setuppod (…) to set up the network for this sandbox. This setuppod (…) is to execute the add (…) method in the CNI plug-in.
So finally, on the host, dockershim will leave three containers, while Kata containers will leave a lightweight virtual machine.
If kubectl exec is called for a container, the request will be handed over to the API server first, and then the API server will call kubelet’s exec API. In this way, kubelet will call CRI’s exec interface, and cri shim is responsible for responding to this interface.
CRI shim will return the address and port URL of the streaming server of this cri shim to kubelet. After kubelet gets the URL, it will return it to API server in the way of redirect. API server will initiate a real exec request to the streaming server through redirection and establish a long connection with it.