How kubeadm works
Install master
When initializing the master, just execute the kubeadm init command:
kubeadm init --pod-network-cidr 10.244.0.0/16 --kubernetes-version stable
This command will automatically:
- Inspect the system status;
- Generate a bootstrap token;
- Generate a self-signed CA and client certificates;
- Generate a kubeconfig for the kubelet to connect to the API server;
- Generate static Pod manifests for the master components and put them in the /etc/kubernetes/manifests directory;
- Configure RBAC and set the Master node to run only control plane components;
- Create additional services such as kube-proxy and kube-dns;
Add Node
```bash
token=$(kubeadm token list | grep authentication,signing | awk '{print $1}')
kubeadm join --token $token ${master_ip}
```
This includes the following steps:
- Download the CA from the API server;
- Create a local certificate and ask the API server to sign it;
- Finally, configure the kubelet to connect to the API server;
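The join command above trusts whatever answers at ${master_ip}. The script below is an added example, not part of the original page: it picks a usable token from `kubeadm token list` (skipping expired or signing-only tokens) and pins the cluster CA with `--discovery-token-ca-cert-hash`, so a joining node only talks to the intended API server. It assumes /etc/kubernetes/pki/ca.crt on the master and openssl on PATH; the port 6443 in the usage comment is the kubeadm default.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): join a node with the CA pinned.
set -eu

# Pick a usable bootstrap token from `kubeadm token list` output read on stdin:
# it must carry both the authentication and signing usages and must not be expired.
select_join_token() {
  awk 'NR > 1 && $2 != "<invalid>" && $4 ~ /authentication/ && $4 ~ /signing/ { print $1; exit }'
}

# Hash of the cluster CA public key in the form kubeadm expects for
# --discovery-token-ca-cert-hash: sha256 over the DER-encoded SubjectPublicKeyInfo.
# Assumes the default kubeadm CA path and openssl on PATH.
ca_cert_hash() {
  local ca="${1:-/etc/kubernetes/pki/ca.crt}"
  printf 'sha256:%s\n' "$(openssl x509 -pubkey -in "$ca" \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 | sed 's/^.* //')"
}

# Build the join command with both the token and the CA hash. Without the hash,
# kubeadm either refuses the join or, if told to skip CA verification, accepts any server.
join_command() {
  local master="$1" token="$2" hash="$3"
  printf 'kubeadm join %s --token %s --discovery-token-ca-cert-hash %s\n' \
    "$master" "$token" "$hash"
}

# Usage on the master (prints the command to run on the new node):
#   token=$(kubeadm token list | select_join_token)
#   join_command "${master_ip}:6443" "$token" "$(ca_cert_hash)"
```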
Remove installation
kubeadm reset
kubectl
kubectl provides a large number of subcommands for performing operations on a Kubernetes cluster. The following shows how to get help for commands:
- kubectl -h: view the list of subcommands;
- kubectl options: view the global options;
- kubectl <command> --help: view the help of a subcommand;
- kubectl [command] [params] -o=<format>: set the output format;
- kubectl explain [RESOURCE]: view the resource definition;
Configuration
The first step in using kubectl is to configure the Kubernetes cluster and the authentication method, including:
- Cluster information: the Kubernetes server address;
- User information: user name, password and key;
- Context: the combination of cluster, user information and Namespace;
Common command formats
- Create: kubectl run <name> --image=<image> or kubectl create -f manifest.yaml
- Query: kubectl get <resource>
- Update: kubectl set or kubectl patch
- Delete: kubectl delete <resource> <name> or kubectl delete -f manifest.yaml
- Query a Pod IP: kubectl get pod <pod-name> -o jsonpath='{.status.podIP}'
- Execute a command in a container: kubectl exec -ti <pod-name> sh
- Container logs: kubectl logs [-f] <pod-name>
- Expose a service: kubectl expose deploy <name> --port=80
- Base64 decoding: kubectl get secret SECRET -o go-template='{{.data.key | base64decode}}'
kubectl run supports only Pod, ReplicationController, Deployment, Job, CronJob and a few other resources. The default is Deployment:
Resource type created | parameter |
---|---|
Pod | --restart=Never |
ReplicationController | --generator=run/v1 |
Deployment | --restart=Always |
Job | --restart=OnFailure |
CronJob | --schedule=<cron> |
Connect to a running container
kubectl attach connects to a running container, similar to the docker attach command.
Execute commands inside the container
kubectl exec executes a command in a running container.
Port forwarding
kubectl port-forward forwards a local port to the specified Pod.
```bash
# Listen on ports 5000 and 6000 locally, forwarding to ports 5000 and 6000 in the pod
kubectl port-forward mypod 5000 6000
# Listen on port 8888 locally, forwarding to 5000 in the pod
kubectl port-forward mypod 8888:5000
# Listen on a random port locally, forwarding to 5000 in the pod
kubectl port-forward mypod :5000
# Listen on a random port locally, forwarding to 5000 in the pod
kubectl port-forward mypod 0:5000
```
You can also forward local ports to services, replication controllers or deployments.
```bash
# Forward to a deployment
kubectl port-forward deployment/redis-master 6379:6379
# Forward to a ReplicaSet
kubectl port-forward rs/redis-master 6379:6379
# Forward to a service
kubectl port-forward svc/redis-master 6379:6379
```
API server proxy
The kubectl proxy command provides an HTTP proxy to the Kubernetes API server.
kubectl proxy --port=8080
You can then use the proxy address http://localhost:8080/api/ to access the Kubernetes API directly, for example to query the Pod list:
curl http://localhost:8080/api/v1/namespaces/default/pods
If a non-localhost address is specified with --address, accessing port 8080 returns an unauthorized error; set --accept-hosts to allow it. Note that the proxy sends every request with kubectl's own credentials, so binding it to a non-localhost address and accepting all hosts lets anyone who can reach that port use the API with those credentials.
kubectl proxy --address='0.0.0.0' --port=8080 --accept-hosts='^*$'
File copy
kubectl cp supports copying files from a container or copying files into a container.
```bash
# Copy the local directory /tmp/foo_dir to /tmp/bar_dir in a remote pod in the default namespace
kubectl cp /tmp/foo_dir <some-pod>:/tmp/bar_dir
# Copy the local file /tmp/foo to /tmp/bar in a specific container of a remote pod
kubectl cp /tmp/foo <some-pod>:/tmp/bar -c <specific-container>
# Copy the local file /tmp/foo to /tmp/bar in a remote pod in namespace <some-namespace>
kubectl cp /tmp/foo <some-namespace>/<some-pod>:/tmp/bar
# Copy /tmp/foo from a remote pod to /tmp/bar locally
kubectl cp <some-namespace>/<some-pod>:/tmp/foo /tmp/bar
```
Options:
- -c, --container='': container name. If omitted, the first container in the pod is chosen.
kubectl drain
kubectl drain NODE [Options]
- It evicts the Pods on the NODE that were created by a ReplicationController, ReplicaSet, DaemonSet, StatefulSet or Job;
- Mirror pods are not deleted, because mirror pods cannot be deleted through the API;
- If there are Pods of other kinds and the --force option is not given, the command fails immediately;
- If the --force option is given, Pods not created by a ReplicationController, Job or DaemonSet are deleted forcibly.
Sometimes you do not need to evict the Pods, only to mark the node as unschedulable; use the kubectl cordon command for that. To restore the node, run kubectl uncordon NODE to make it schedulable again.
Permission check
kubectl auth provides two subcommands for checking user permissions:
- kubectl auth can-i checks whether the user is allowed to perform an operation.
```bash
# Check whether I can create pods in any namespace
kubectl auth can-i create pods --all-namespaces
# Check whether I can list deployments in my current namespace
kubectl auth can-i list deployments.extensions
# Check whether I can do everything in my current namespace ("*" means all)
kubectl auth can-i '*' '*'
# Check whether I can get the job named "bar" in namespace "foo"
kubectl auth can-i list jobs.batch/bar -n foo
```
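The same subcommand also answers for another subject through `--as`, which makes it a cheap least-privilege review for service accounts. The script below is an added example, not from the original page: it asks `kubectl auth can-i` about a list of high-risk verb/resource pairs for a given subject and lists the ones that are granted. It assumes kubectl is configured against a cluster and that the caller is allowed to impersonate the subject; the list of checks is a constructed starting point, not an exhaustive one.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): audit risky permissions of a subject
# with `kubectl auth can-i --as`. Assumes a configured kubectl with impersonate rights.
set -eu

# Constructed list of "verb resource" pairs that usually mean full cluster compromise
# when granted (pod creation/exec, secret reading, RBAC escalation, impersonation).
RISKY_CHECKS="create pods
create pods/exec
get secrets
list secrets
create clusterrolebindings
escalate clusterroles
bind clusterroles
impersonate users"

# Print one "verb resource" line per risky permission the subject holds.
# Usage: audit_subject <subject> [extra kubectl flags, e.g. -n <namespace>]
#   e.g. audit_subject system:serviceaccount:default:default
audit_subject() {
  local subject="$1"; shift
  printf '%s\n' "$RISKY_CHECKS" | while read -r verb resource; do
    # kubectl prints "yes" or "no"; warnings about scope go to stderr and are ignored
    if [ "$(kubectl auth can-i "$verb" "$resource" --as="$subject" "$@" 2>/dev/null)" = "yes" ]; then
      printf '%s %s\n' "$verb" "$resource"
    fi
  done
}

# Number of risky permissions found, so a review step can fail when it is non-zero.
risky_count() {
  audit_subject "$@" | wc -l | tr -d ' '
}
```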
View events
```bash
# View all events
kubectl get events --all-namespaces
# View the events of the object named nginx
kubectl get events --field-selector involvedObject.name=nginx,involvedObject.namespace=default
# View the events of the service named nginx
kubectl get events --field-selector involvedObject.name=nginx,involvedObject.namespace=default,involvedObject.kind=Service
# View Pod events
kubectl get events --field-selector involvedObject.name=nginx-85cb5867f-bs7pn,involvedObject.kind=Pod
```