创建账号

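# Create the ServiceAccount in "default" explicitly — the namespace the Role and
# RoleBinding below are bound to. Without -n it lands in the current context's
# namespace, and the binding then points at an account that does not exist.
kubectl create sa app -n default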

创建角色

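# app-role.yaml
# Namespaced Role for the "app" ServiceAccount: read pods and their logs, and
# open exec sessions. It is granted by the RoleBinding that follows.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1  # v1beta1 was removed in Kubernetes 1.22; v1 has the same schema
metadata:
  namespace: default
  name: app
rules:
- apiGroups: [""]
  resources: ["pods"]
  # "describe" is a kubectl subcommand, not an API verb; kubectl describe pod
  # works with get (events are fetched separately and are optional).
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get"]
# create on pods/exec lets the holder run commands inside any pod of this
# namespace, i.e. it reaches everything those pods can reach. Grant it only
# to accounts that genuinely need interactive access.
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]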

创建role-binding

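# Grants the "app" Role to the "app" ServiceAccount in the default namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1  # v1beta1 was removed in Kubernetes 1.22; v1 has the same schema
metadata:
  name: app-role-binding
  namespace: default
subjects:
# Bind the ServiceAccount object directly instead of its
# "system:serviceaccount:default:app" username as kind: User; a ServiceAccount
# subject is identified by name + namespace and takes no apiGroup.
- kind: ServiceAccount
  name: app
  namespace: default
roleRef:
  kind: Role
  name: app
  apiGroup: rbac.authorization.k8s.io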

获取账号secrets

  • 获取CA证书
    通过 kubectl get secret app-token-d9bl8 -o json 获取 ca.crt 字段，粘贴到文件 ca.crt.source，然后执行 cat ca.crt.source | base64 -d > ca.crt
  • 获取token
    通过 kubectl get secret app-token-d9bl8 -o json 获取 token 字段，粘贴到文件 token.source，然后执行 cat token.source | base64 -d > ./token

新建.kube/config

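# ~/.kube/config for the "app" ServiceAccount. Relative paths in a kubeconfig
# (certificate-authority, tokenFile) are resolved against the directory that
# holds this file, so the ca.crt and token files produced by the steps above
# must be placed next to it.
apiVersion: v1
clusters:
- cluster:
    certificate-authority: ca.crt
    server: https://cls-oxauarbt.ccs.tencent-cloud.com
  name: test-cluster
contexts:
- context:
    cluster: test-cluster
    user: app
  name: test-context
current-context: test-context
kind: Config
preferences: {}
users:
- name: app
  user:
    # Read the bearer token from the file written by `base64 -d > ./token`
    # above instead of pasting the JWT inline, so the credential is not
    # embedded in this file (and cannot be copied along with it).
    tokenFile: token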

配置ssh

  • 生成ssh key
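# -b 4096 pins the RSA key size; without it the size depends on the OpenSSH
# version (older releases default to 2048).
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"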
  • 配置权限：~/.ssh 目录为 700，authorized_keys 文件本身为 600（文件对组或其他用户可写时 sshd 默认会忽略它）
  • 配置本地ssh

k8s-configmap

# ConfigMap carrying the Play application.conf (HOCON) for service-config-cm.
# The |- block scalar is the literal file content: every line inside it is
# data, not YAML, so annotations belong here at YAML level.
apiVersion: v1
data:
  # NOTE(review): play.crypto.secret and the credentials embedded in
  # mongodb.uri / redis.uri are secrets, but a ConfigMap is readable by anyone
  # with get on configmaps in this namespace; move them to a Secret (or to env
  # vars sourced from one) and keep only non-sensitive settings here.
  # NOTE(review): in a URI "#" starts the fragment, so a password such as
  # "config#pwd" in mongodb.uri must be percent-encoded ("config%23pwd") for
  # the driver to see it — confirm against the real value.
  # NOTE(review): play.filters.hosts allowed contains "*", which appears to
  # accept any Host header and so disables the filter's check — drop it or list
  # the real hostnames.
  # The 10.xxx.1.38 consul hosts are placeholders to be filled per environment.
  application.conf: |-
    play.crypto.secret="xxxche"
    http.port = 8080
    mongo-async-driver {
    akka {
    loggers = ["akka.event.slf4j.Slf4jLogger"]
    loglevel = INFO
    }}
    mongodb.uri = "mongodb://user:config#pwd@10.x.1.21/db?authSource=admin&authMode=scram-sha1"
    play.http.filters = "filters.Filters"
    exposedHeaders += ["X-Total-Count"]
    play.filters.hosts {allowed = ["localhost:8080", "localhost:9000", "*"]}
    play.modules.enabled += "play.modules.reactivemongo.ReactiveMongoModule"
    redis.uri="redis://redisid:pwd@public.redis.test.xx.xx:6379"
    redis.database = 12
    redis.pool.maxTotal=200
    redis.pool.maxIdle=50
    redis.pool.minIdle=5
    redis.pool.maxWaitMillis=3000
    include "authorities.json"
    organization-authority-url = "http://other-service:8080/authorities_roles"
    consul {
      host: "10.xxx.1.38"
      port: 8500
      config {
        prefix = "config"
        data-key = "data"
      }
    }
    common.consul {
      cluster = [
        {
          host: "10.xxx.1.38"
          port: 8500
        }
      ],
      config {
        prefix = "config"
        data-key = "data"
      }
    }
kind: ConfigMap
metadata:
  name: service-config-cm
  namespace: default

consul-client

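* deployment

```yaml
# Two Consul client agents joining the server at 10.6.1.38.
apiVersion: apps/v1  # apps/v1beta1 was removed in Kubernetes 1.16; spec.selector is already set, as apps/v1 requires
kind: Deployment
metadata:
  name: consul-client
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      qcloud-app: consul-client
  template:
    metadata:
      labels:
        qcloud-app: consul-client
    spec:
      containers:
      - args:
        - agent
        - -ui
        # -client=0.0.0.0 binds the HTTP API and UI to every pod interface; via the
        # ClusterIP Service below any workload in the cluster can reach them, so
        # enable Consul ACLs if the KV data or service catalog is sensitive.
        - -client=0.0.0.0
        - -join=10.6.1.38
        env:
        - name: APPLICATION_NAME
          value: consul-client
        - name: TAG
          value: test
        image: consul:1.3.0
        imagePullPolicy: Always
        name: consul-client
        resources:
          limits:
            cpu: "2"
            memory: 2Gi
          requests:
            cpu: 200m
            memory: 512Mi
        securityContext:
          privileged: false
      restartPolicy: Always
```

* service

```yaml
# Cluster-internal endpoint for the agents: HTTP API/UI (8500), server RPC
# (8300), Serf gossip (8301/8302) and DNS (8600).
# NOTE(review): Serf gossip on 8301/8302 normally uses TCP as well as UDP; only
# UDP is exposed here — confirm no in-cluster peer needs the TCP side.
apiVersion: v1
kind: Service
metadata:
  name: consul-client
  namespace: default
spec:
  ports:
  - name: tcp-8500-8500
    port: 8500
    protocol: TCP
    targetPort: 8500
  - name: tcp-8300-8300
    port: 8300
    protocol: TCP
    targetPort: 8300
  - name: udp-8301-8301
    port: 8301
    protocol: UDP
    targetPort: 8301
  - name: udp-8302-8302
    port: 8302
    protocol: UDP
    targetPort: 8302
  - name: tcp-8600-8600
    port: 8600
    protocol: TCP
    targetPort: 8600
  selector:
    qcloud-app: consul-client
  type: ClusterIP
```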


<h1 id="k8s-probe">k8s deploy 检测</h1>

* http

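# HTTP liveness probe on the container port. The keys must be nested under
# livenessProbe (and path/port/scheme under httpGet); flattened to column 0 they
# parse as a null livenessProbe followed by unrelated top-level keys.
livenessProbe:
  failureThreshold: 3
  httpGet:
    # NOTE(review): this probe issues a real geocode request; if /geocode
    # depends on a downstream service, an outage there makes kubelet restart
    # every replica. A dedicated health path that checks only the process is
    # the usual choice — confirm what /geocode needs to answer.
    path: /geocode?location=30.646261%2C104.226177
    port: 8080
    scheme: HTTP
  initialDelaySeconds: 100
  periodSeconds: 30
  successThreshold: 1
  timeoutSeconds: 5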

* tcp
# TCP readiness probe: the pod is marked Ready once port 8080 accepts a connection.
readinessProbe:
  # A single failed check (failureThreshold: 1) removes the pod from Service
  # endpoints until a probe succeeds again; raise it if brief stalls are expected.
  failureThreshold: 1
  initialDelaySeconds: 30
  periodSeconds: 30
  successThreshold: 1
  # Only verifies that the port accepts a TCP connection, not that the
  # application is actually serving requests.
  tcpSocket:
    port: 8080
  timeoutSeconds: 5