Skills recommended to learn and master from the official documentation:
Getting started:
https://kubernetes.io/zh/docs/tutorials/
Security:
- apparmor (Many Linux distributions (e.g. Debian, Ubuntu, OpenSUSE) ship with AppArmor.) If the nodes run another Linux family that does not ship AppArmor, there is no need to care about this SELinux-like security module. Note that a node without AppArmor rejects pods that request an AppArmor profile, so check every node, not just one.
# 1. Make sure the Kubernetes version is 1.4 or later; earlier kubelets do not support this feature
kubectl get nodes -o=jsonpath=$'{range .items[*]}{@.metadata.name}: {@.status.nodeInfo.kubeletVersion}\n{end}'
# 2. Confirm the AppArmor kernel module is enabled (expect Y)
cat /sys/module/apparmor/parameters/enabled
Y
# 3. The mainstream container runtimes (Docker, containerd, CRI-O) all support AppArmor
# 4. List the profiles currently loaded into the kernel; a pod can only reference a profile that appears here on the node it is scheduled to
sudo cat /sys/kernel/security/apparmor/profiles | sort
- seccomp
# Kubelet flags that make RuntimeDefault the default seccomp profile for every pod
# (this is the alpha form from Kubernetes 1.22; later releases set seccompDefault: true in the
# KubeletConfiguration file, and the SeccompDefault gate is on by default from 1.25 and GA in 1.27)
--feature-gates=SeccompDefault=true --seccomp-default
# Create the seccomp profile files under the kubelet's seccomp root
cd /var/lib/kubelet/seccomp
mkdir ./profiles
curl -L -o profiles/audit.json https://k8s.io/examples/pods/security/seccomp/profiles/audit.json
curl -L -o profiles/violation.json https://k8s.io/examples/pods/security/seccomp/profiles/violation.json
curl -L -o profiles/fine-grained.json https://k8s.io/examples/pods/security/seccomp/profiles/fine-grained.json
ls profiles
# Create the pod (its securityContext.seccompProfile is type Localhost and points at profiles/audit.json) and expose it
kubectl apply -f https://k8s.io/examples/pods/security/seccomp/ga/audit-pod.yaml
kubectl expose pod audit-pod --type NodePort --port 5678
root@us-test00:~# kubectl get svc
NAME        TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
audit-pod   NodePort   172.18.51.138   <none>        5678:30784/TCP   15m
# Hit the service through the node IP and NodePort
root@us-test00:~# curl 172.17.0.1:30784
just made some syscalls!
# The audit profile only logs (defaultAction SCMP_ACT_LOG); nothing is blocked. Look for the log lines:
grep 'http-echo' /var/log/syslog | tail   # on non-Ubuntu systems check /var/log/messages instead
Mar 9 09:48:24 us-test02 kernel: [76705.078649] audit: type=1326 audit(1646819304.186:1393): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1543 comm="http-echo" exe="/http-echo" sig=0 arch=c000003e syscall=202 compat=0 ip=0x455e53 code=0x7ffc0000
# type=1326 is AUDIT_SECCOMP; arch=c000003e is x86_64, where syscall=202 is futex
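The point of running under the audit profile is to learn which syscalls a workload actually makes and then lock it down to exactly those. The script below is an added example, not part of the Kubernetes docs or the page's own commands: it reads SECCOMP audit lines like the one above (the sample lines are constructed to match that format), keeps only the ones for the given comm on x86_64, and emits a seccomp profile that allows just the observed syscalls and returns EPERM for everything else. The syscall-number table is deliberately tiny and any number it does not know aborts the build rather than being allowed silently.

```shell
#!/bin/sh
# Added example: build an allow-list seccomp profile from the audit lines that the
# "audit" profile (defaultAction SCMP_ACT_LOG) writes to syslog. Not from the k8s docs.
# SAMPLE_LOG is constructed to look like the real kernel audit lines; the last line is a
# different process (curl) to show that filtering by comm works.
SAMPLE_LOG='Mar  9 09:48:24 us-test02 kernel: [76705.078649] audit: type=1326 audit(1646819304.186:1393): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1543 comm="http-echo" exe="/http-echo" sig=0 arch=c000003e syscall=202 compat=0 ip=0x455e53 code=0x7ffc0000
Mar  9 09:48:24 us-test02 kernel: [76705.078702] audit: type=1326 audit(1646819304.186:1394): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1543 comm="http-echo" exe="/http-echo" sig=0 arch=c000003e syscall=288 compat=0 ip=0x455e53 code=0x7ffc0000
Mar  9 09:48:24 us-test02 kernel: [76705.078755] audit: type=1326 audit(1646819304.186:1395): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1543 comm="http-echo" exe="/http-echo" sig=0 arch=c000003e syscall=0 compat=0 ip=0x455e53 code=0x7ffc0000
Mar  9 09:48:24 us-test02 kernel: [76705.078801] audit: type=1326 audit(1646819304.186:1396): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1543 comm="http-echo" exe="/http-echo" sig=0 arch=c000003e syscall=1 compat=0 ip=0x455e53 code=0x7ffc0000
Mar  9 09:48:24 us-test02 kernel: [76705.078850] audit: type=1326 audit(1646819304.186:1397): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1543 comm="http-echo" exe="/http-echo" sig=0 arch=c000003e syscall=41 compat=0 ip=0x455e53 code=0x7ffc0000
Mar  9 09:48:24 us-test02 kernel: [76705.078899] audit: type=1326 audit(1646819304.186:1398): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1543 comm="http-echo" exe="/http-echo" sig=0 arch=c000003e syscall=231 compat=0 ip=0x455e53 code=0x7ffc0000
Mar  9 09:48:30 us-test02 kernel: [76711.000001] audit: type=1326 audit(1646819310.000:1399): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1601 comm="curl" exe="/usr/bin/curl" sig=0 arch=c000003e syscall=59 compat=0 ip=0x455e53 code=0x7ffc0000'

# Print the sorted, de-duplicated syscall numbers that process $1 (comm=...) hit.
# Only type=1326 (AUDIT_SECCOMP) lines for x86_64 are considered. Reads audit lines on stdin.
audited_syscalls() {
    comm="$1"
    grep 'type=1326' \
        | grep 'arch=c000003e' \
        | grep "comm=\"$comm\"" \
        | sed -n 's/.*syscall=\([0-9][0-9]*\).*/\1/p' \
        | sort -n -u
}

# Map an x86_64 syscall number to its name. Only the numbers this example needs are
# listed; anything else is reported as unknown and the function fails, so an
# unrecognised syscall can never end up on the allow list by accident.
syscall_name() {
    case "$1" in
        0)   echo read ;;
        1)   echo write ;;
        41)  echo socket ;;
        202) echo futex ;;
        231) echo exit_group ;;
        288) echo accept4 ;;
        *)   echo "unknown_$1"; return 1 ;;
    esac
}

# Emit a seccomp profile for process $1 that allows exactly the observed syscalls and
# returns EPERM (SCMP_ACT_ERRNO) for everything else. Fails if any number is unresolved.
build_profile() {
    comm="$1"
    names=""
    for n in $(audited_syscalls "$comm"); do
        if name=$(syscall_name "$n"); then
            names="$names${names:+, }\"$name\""
        else
            echo "unresolved syscall number $n for $comm; add it to syscall_name first" >&2
            return 1
        fi
    done
    cat <<EOF
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {
      "names": [$names],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}
EOF
}

# Stand-alone run: build the profile for http-echo from the constructed sample.
# With a real node: grep 'http-echo' /var/log/syslog | build_profile http-echo > /var/lib/kubelet/seccomp/profiles/http-echo.json
printf '%s\n' "$SAMPLE_LOG" | build_profile http-echo
```

Drop the generated file under /var/lib/kubelet/seccomp/profiles/ on every node and reference it from the pod's securityContext.seccompProfile with type Localhost, the same way the audit pod references profiles/audit.json. Run the workload through its full test suite while still on the audit profile first; a syscall that only occurs on an error path and never shows up in the log will be denied in production.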
Creating a stateful application (the official WordPress + MySQL example uses Deployments with PersistentVolumeClaims rather than a StatefulSet)
- wordpress
# Declarative Kubernetes definition, assembled with kustomize.
# Everything is created inside the statefuleset directory so that `kubectl apply -k` finds it.
mkdir statefuleset
cd statefuleset
cat <<EOF >./kustomization.yaml
secretGenerator:
- name: mysql-pass
  literals:
  - password=YOUR_PASSWORD
resources:
- mysql-deployment.yaml
- wordpress-deployment.yaml
- wordpress-ingress.yaml
EOF
# The literal above leaves the database password in plaintext in kustomization.yaml; do not commit it as-is
curl -LO https://k8s.io/examples/application/wordpress/mysql-deployment.yaml
curl -LO https://k8s.io/examples/application/wordpress/wordpress-deployment.yaml
cat <<EOF >./wordpress-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wordpress
  annotations:
    # deprecated annotation; newer clusters select the controller with spec.ingressClassName instead
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: wordpress.song.test
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: wordpress
            port:
              number: 80
EOF
cd ..
kubectl apply -k ./statefuleset
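The kustomization above works, but the `literals:` entry puts the MySQL password into a file that naturally ends up in version control. The script below is an added example, not from the Kubernetes docs or the page's commands: it stages the same kustomize directory with the password supplied once on the command line and written only to a mode-600 env file that kustomize's secretGenerator reads via `envs:`, adds that file to .gitignore, and provides a check that fails if a kustomization.yaml still contains a password literal. The directory and file names are assumptions for the example; the two deployment manifests and `kubectl apply -k` are unchanged from the steps above.

```shell
#!/bin/sh
# Added example: keep the MySQL password out of kustomization.yaml (and out of git).
# Not from the Kubernetes docs; names are assumptions for this example.

# $1 = target directory, $2 = password (passed once, never written to the manifest)
stage_wordpress_kustomization() {
    dir="$1"
    password="$2"
    mkdir -p "$dir"
    # umask 077 inside a subshell so the env file is created mode 600 from the start
    # and the caller's umask is left untouched
    ( umask 077 && printf 'password=%s\n' "$password" > "$dir/mysql-pass.env" )
    printf 'mysql-pass.env\n' > "$dir/.gitignore"
    # secretGenerator reads KEY=VALUE pairs from the env file instead of an inline literal
    cat > "$dir/kustomization.yaml" <<'EOF'
secretGenerator:
- name: mysql-pass
  envs:
  - mysql-pass.env
resources:
- mysql-deployment.yaml
- wordpress-deployment.yaml
- wordpress-ingress.yaml
EOF
}

# Returns 0 only when kustomization.yaml in $1 embeds no password literal;
# suitable as a pre-commit hook.
check_no_inline_password() {
    ! grep -q 'password=' "$1/kustomization.yaml"
}

# Stand-alone usage: MYSQL_PASSWORD=... sh stage.sh
# Afterwards download the two deployment manifests into ./statefuleset, write the
# ingress, and run kubectl apply -k ./statefuleset exactly as in the steps above.
if [ -n "${MYSQL_PASSWORD:-}" ]; then
    stage_wordpress_kustomization ./statefuleset "$MYSQL_PASSWORD"
    check_no_inline_password ./statefuleset && echo "staged ./statefuleset; password is only in mysql-pass.env (mode 600, git-ignored)"
fi
```

The generated Secret is identical to the one the `literals:` form produces (key `password`), so mysql-deployment.yaml and wordpress-deployment.yaml need no change. In a shared cluster, pair this with RBAC that keeps `get` on Secrets away from developers, since `kubectl get secret -o yaml` would still reveal the value once applied.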
Going further:
https://kubernetes.io/zh/docs/tasks/