• 创建账号
• 创建角色
• 创建role-binding
• 获取账号secrets
• 新建.kube/config
• 配置ssh
• k8s-configmap
• k8s-consul-client
• k8s deploy 检测

---

创建账号

kubectl create sa app

创建角色

# app-role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: default
  name: app
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get","describe","list"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]

创建role-binding

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: app-role-binding
  namespace: default
subjects:
- kind: User
  name: system:serviceaccount:default:app
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: app
  apiGroup: rbac.authorization.k8s.io

获取账号secrets

• 获取CA证书
  通过kubectl get secret app-token-d9bl8 -o json,获取ca.crt粘贴到文件ca.crt.source,然后执行命令cat ca.crt.source |base64 -d > ca.crt
• 获取token
  通过kubectl get secret app-token-d9bl8 -o json,获取token粘贴到文件token.source,然后执行命令cat token.source |base64 -d > ./token

新建.kube/config

apiVersion: v1
clusters:
- cluster:
    certificate-authority: ca.crt
    server: https://cls-oxauarbt.ccs.tencent-cloud.com
  name: test-cluster
contexts:
- context:
    cluster: test-cluster
    user: app
  name: test-context
current-context: test-context
kind: Config
preferences: {}
users:
- name: app
  user:
    token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFwcC10b2tlbi13bThnNyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhcHAiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI5YzE0NzVmZi1mMTYwLTExZTgtYmNhMC01MjU0MDA3NmZiMjEiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDphcHAifQ.oItcDPfyJ-Fb42qdGtydeLgO_2SFbsE-aYTpo8ZeBIxRsAHOMVS3xxB18qpsqVBYPhx9DCKdviOKQBs76FNYVEBqhOgNdYPFehCZb5_Qay26e94vHXlD3T7-MUPJbKoNwLuF5gZljr36dea3gWFfbb-rTlnnzXloxBCLadYCCkH2L_h7RkSAvJa_wvZAAYbOo9OEuBWmr7wiCqzp5HBPsZPCqjf0AcC9Jdoe26vIsgCsiv08m88lOYW_AvK-dt0RomXjX4cH8AE1_oFLPQC87_8FWWvqzCz39CnJZuZNPh92_UnbTxChnNdsXYIa1TiIFPGFV1rxOzXb-dGrjJxv2w

配置ssh

• 生成ssh key

ssh-keygen -t rsa -C "your_email@example.com"

• 配置authorized_keys权限为700
• 配置本地ssh

k8s-configmap

apiVersion: v1
data:
  application.conf: |-
    play.crypto.secret="xxxche"
    http.port = 8080
    mongo-async-driver {
    akka {
    loggers = ["akka.event.slf4j.Slf4jLogger"]
    loglevel = INFO
    }}
    mongodb.uri = "mongodb://user:config#pwd@10.x.1.21/db?authSource=admin&authMode=scram-sha1"
    play.http.filters = "filters.Filters"
    exposedHeaders += ["X-Total-Count"]
    play.filters.hosts {allowed = ["localhost:8080", "localhost:9000", "*"]}
    play.modules.enabled += "play.modules.reactivemongo.ReactiveMongoModule"
    redis.uri="redis://redisid:pwd@public.redis.test.xx.xx:6379"
    redis.database = 12
    redis.pool.maxTotal=200
    redis.pool.maxIdle=50
    redis.pool.minIdle=5
    redis.pool.maxWaitMillis=3000
    include "authorities.json"
    organization-authority-url = "http://other-service:8080/authorities_roles"
    consul {
      host: "10.xxx.1.38"
      port: 8500
      config {
        prefix = "config"
        data-key = "data"
      }
    }
    common.consul {
      cluster = [
        {
          host: "10.xxx.1.38"
          port: 8500
        }
      ],
      config {
        prefix = "config"
        data-key = "data"
      }
    }
kind: ConfigMap
metadata:
  name: service-config-cm
  namespace: default

consul-client

* deployment ``` apiVersion: apps/v1beta1 kind: Deployment metadata: name: consul-client namespace: default spec: replicas: 2 selector: matchLabels: qcloud-app: consul-client template: metadata: labels: qcloud-app: consul-client spec: containers: - args: - agent - -ui - -client=0.0.0.0 - -join=10.6.1.38 env: - name: APPLICATION_NAME value: consul-client - name: TAG value: test image: consul:1.3.0 imagePullPolicy: Always name: consul-client resources: limits: cpu: "2" memory: 2Gi requests: cpu: 200m memory: 512Mi securityContext: privileged: false restartPolicy: Always ``` * service ``` apiVersion: v1 kind: Service metadata: name: consul-client namespace: default spec: ports: - name: tcp-8500-8500 port: 8500 protocol: TCP targetPort: 8500 - name: tcp-8300-8300 port: 8300 protocol: TCP targetPort: 8300 - name: udp-8301-8301 port: 8301 protocol: UDP targetPort: 8301 - name: udp-8302-8302 port: 8302 protocol: UDP targetPort: 8302 - name: tcp-8600-8600 port: 8600 protocol: TCP targetPort: 8600 selector: qcloud-app: consul-client type: ClusterIP

<h1 id="k8s-probe">k8s deploy 检测</h1>

* http

livenessProbe:
failureThreshold: 3
httpGet:
path: /geocode?location=30.646261%2C104.226177
port: 8080
scheme: HTTP
initialDelaySeconds: 100
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5

* tcp

readinessProbe:
  failureThreshold: 1
  initialDelaySeconds: 30
  periodSeconds: 30
  successThreshold: 1
  tcpSocket:
    port: 8080
  timeoutSeconds: 5