CKAD Practice Exercises 6

For the real CKAD exam questions, see:

https://blog.csdn.net/vic_qxz/article/details/123360925

Services and Networking (13%)

Create a pod named nginx using the nginx image and expose its port 80

kubectl run nginx --image=nginx --restart=Never --port=80 --expose
# observe that a pod as well as a service are created

Confirm that a ClusterIP has been created. Also check the endpoints

kubectl get svc nginx # services
kubectl get ep # endpoints

Get the service's ClusterIP, create a temporary busybox pod and use wget to access that IP

kubectl get svc nginx # get the IP (something like 10.108.93.130)
kubectl run busybox --rm --image=busybox -it --restart=Never -- sh
wget -O- IP:80
exit

or

IP=$(kubectl get svc nginx --template={{.spec.clusterIP}}) # get the IP (something like 10.108.93.130)
kubectl run busybox --rm --image=busybox -it --restart=Never --env="IP=$IP" -- wget -O- $IP:80 --timeout 2
# Tip: --timeout is optional, but it helps to get answer more quickly when connection fails (in seconds vs minutes)

Convert the ClusterIP to a NodePort for the same service and find the NodePort port. Hit the service using the node's IP. Delete the service and the pod at the end.

kubectl edit svc nginx
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: 2018-06-25T07:55:16Z
  name: nginx
  namespace: default
  resourceVersion: "93442"
  selfLink: /api/v1/namespaces/default/services/nginx
  uid: 191e3dac-784d-11e8-86b1-00155d9f663c
spec:
  clusterIP: 10.97.242.220
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: nginx
  sessionAffinity: None
  type: NodePort # change cluster IP to nodeport
status:
  loadBalancer: {}

or

kubectl patch svc nginx -p '{"spec":{"type":"NodePort"}}' 
kubectl get svc
# result:
NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE
kubernetes   ClusterIP   10.96.0.1        <none>        443/TCP        1d
nginx        NodePort    10.107.253.138   <none>        80:31931/TCP   3m
wget -O- NODE_IP:31931 # if you're using Kubernetes with Docker for Windows/Mac, try 127.0.0.1
#if you're using minikube, try minikube ip, then get the node ip such as 192.168.99.117
kubectl delete svc nginx # Deletes the service
kubectl delete pod nginx # Deletes the pod
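Reading the NodePort off the `kubectl get svc` table by eye works in the exam, but a script should resolve it. The following is an added example and not part of the original exercise: it pulls the NodePort and a node InternalIP with jsonpath, and keeps the PORT(S)-column parser free of kubectl so it can be checked on the table output shown above (the sample value is constructed from that output). It assumes the nginx service of type NodePort created above still exists.

```shell
#!/bin/sh
# Added example, not from the original post: resolve the NodePort and a node IP,
# then probe the service from outside the cluster.
# Assumes the nginx service of type NodePort from the exercise above exists.

# Pure helper: extract the NodePort(s) from a PORT(S) column value such as
# "80:31931/TCP" (prints 31931) or "443/TCP" (prints nothing: no NodePort).
# Each comma-separated entry is PORT[:NODEPORT]/PROTO; keep only the NODEPORT part.
nodeports_from_ports() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's#^[0-9]*:\([0-9]*\)/.*#\1#p'
}

# Cluster-backed helpers (need kubectl and a reachable cluster).
nodeport_of() {
  kubectl get svc "$1" -o jsonpath='{.spec.ports[0].nodePort}'
}

# InternalIP of the first node. On minikube use 'minikube ip', on Docker Desktop 127.0.0.1.
first_node_ip() {
  kubectl get nodes -o jsonpath='{.items[0].status.addresses[?(@.type=="InternalIP")].address}'
}

# Constructed sample taken from the table output shown in the exercise.
sample_ports='80:31931/TCP'

if [ "$1" = "--probe" ]; then
  ip=$(first_node_ip); port=$(nodeport_of nginx)
  echo "probing http://$ip:$port/"
  # Note: a NodePort is reachable on the IP of every node, not only this one.
  wget -qO- "http://$ip:$port/" --timeout 2 | head -n 3
else
  echo "NodePort parsed from '$sample_ports': $(nodeports_from_ports "$sample_ports")"
fi
```

Run it with `--probe` against a live cluster; without arguments it only exercises the parser on the constructed sample.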

Create a deployment named foo using the image "dgkanatsios/simpleapp" (a simple server that returns its hostname) with 3 replicas. Label it "app=foo". Declare that the containers in these pods accept traffic on port 8080 (do not create a service yet)

kubectl create deploy foo --image=dgkanatsios/simpleapp --port=8080 --replicas=3
kubectl label deployment foo --overwrite app=foo

Get the pod IPs. Create a temporary busybox pod and try to reach them on port 8080

kubectl get pods -l app=foo -o wide # 'wide' will show pod IPs
kubectl run busybox --image=busybox --restart=Never -it --rm -- sh
wget -O- POD_IP:8080 # do not try with pod name, will not work
# try hitting all IPs to confirm that hostname is different
exit
# or
kubectl get po -o wide -l app=foo | awk '{print $6}' | grep -v IP | xargs -L1 -I '{}' kubectl run --rm -ti tmp --restart=Never --image=busybox -- wget -O- http://\{\}:8080

Create a service that exposes the deployment on port 6262. Verify that it exists and check the endpoints

kubectl expose deploy foo --port=6262 --target-port=8080
kubectl get service foo # you will see ClusterIP as well as port 6262
kubectl get endpoints foo # you will see the IPs of the three replica pods, listening on port 8080

Create a temporary busybox pod and connect to the foo service via wget. Verify that a different hostname is returned each time. Finally, delete the deployment and the service to clean up the cluster

kubectl get svc # get the foo service ClusterIP
kubectl run busybox --image=busybox -it --rm --restart=Never -- sh
wget -O- foo:6262 # DNS works! run it many times, you'll see different pods responding
wget -O- SERVICE_CLUSTER_IP:6262 # ClusterIP works as well
# you can also kubectl logs on deployment pods to see the container logs
kubectl delete svc foo
kubectl delete deploy foo

Create a deployment named nginx with 2 replicas and expose it through a ClusterIP service on port 80. Create a NetworkPolicy so that only pods with the label "access: granted" can reach the deployment, and apply it

kubernetes.io > Documentation > Concepts > Services, Load Balancing, and Networking > Network Policies

Note that, depending on your Kubernetes implementation, network policies may not be enforced by default. For example, Azure AKS does not enforce policies by default, so support must be enabled explicitly when the cluster is created: Secure pod traffic with network policy - Azure Kubernetes Service | Microsoft Docs

kubectl create deployment nginx --image=nginx --replicas=2
kubectl expose deployment nginx --port=80

kubectl describe svc nginx # see the 'app=nginx' selector for the pods
# or
kubectl get svc nginx -o yaml

vi policy.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: access-nginx # pick a name
spec:
  podSelector:
    matchLabels:
      app: nginx # selector for the pods
  ingress: # allow ingress traffic
  - from:
    - podSelector: # from pods
        matchLabels: # with this label
          access: granted
# Create the NetworkPolicy
kubectl create -f policy.yaml

# Check if the Network Policy has been created correctly
# make sure that your cluster's network provider supports Network Policy (https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/#before-you-begin)
# This should not work. --timeout is optional here, but it helps to get the answer more quickly (in seconds vs minutes)
kubectl run busybox --image=busybox --rm -it --restart=Never -- wget -O- http://nginx:80 --timeout 2
# This should be fine
kubectl run busybox --image=busybox --rm -it --restart=Never --labels=access=granted -- wget -O- http://nginx:80 --timeout 2
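The two probes above are read by eye. The script below is an added example, not part of the original exercise: it turns them into a pass/fail check and also applies the two policies a practitioner would want beside the exercise's one, because the `access-nginx` policy only governs pods labelled `app=nginx` and every other pod in the namespace stays open to ingress. It therefore adds a namespace-wide default-deny for ingress and narrows the allow rule to TCP/80, the only port the service exposes. The probe pod name `netpol-probe-*` and the `apply|verify` subcommands are choices made here; the script assumes the nginx deployment and service live in the `default` namespace and that the cluster's network plugin enforces NetworkPolicy (see the docs link above).

```shell
#!/bin/sh
# Added example, not from the original post: harden and verify the access-nginx policy.
# Assumes the nginx deployment/service from the exercise exist in the 'default'
# namespace and that the cluster's network plugin enforces NetworkPolicy.

# Pure helper: map the exit status of a 'wget ... --timeout 2' probe to PASS/FAIL
# against the expected outcome ('allowed' or 'blocked'). Returns 0 on PASS.
probe_result() {
  status=$1; expected=$2
  if [ "$status" -eq 0 ]; then actual=allowed; else actual=blocked; fi
  if [ "$actual" = "$expected" ]; then
    echo "PASS: $actual (expected $expected)"; return 0
  fi
  echo "FAIL: $actual (expected $expected)"; return 1
}

# Namespace-wide default-deny for ingress plus the exercise's allow rule narrowed to TCP/80.
apply_policies() {
  kubectl apply -f - <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: default
spec:
  podSelector: {}            # empty selector: applies to every pod in the namespace
  policyTypes: ["Ingress"]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: nginx
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: granted    # same-namespace pods only; add a namespaceSelector to widen
    ports:
    - protocol: TCP
      port: 80
EOF
}

# Run one probe pod (name chosen here) and print the exit status of wget inside it.
# $1 = label set for the probe pod, may be empty. 124 means no result within the deadline.
probe() {
  name="netpol-probe-$$"
  if [ -n "$1" ]; then
    kubectl run "$name" --image=busybox --restart=Never --labels="$1" \
      -- wget -O- http://nginx:80 --timeout 2 >/dev/null
  else
    kubectl run "$name" --image=busybox --restart=Never \
      -- wget -O- http://nginx:80 --timeout 2 >/dev/null
  fi
  i=0; code=""
  while [ $i -lt 30 ]; do
    code=$(kubectl get pod "$name" -o jsonpath='{.status.containerStatuses[0].state.terminated.exitCode}' 2>/dev/null)
    [ -n "$code" ] && break
    sleep 2; i=$((i+1))
  done
  kubectl delete pod "$name" --wait=false >/dev/null 2>&1
  echo "${code:-124}"
}

# Unlabelled pod must be blocked, access=granted pod must get through.
verify() {
  rc=0
  probe_result "$(probe '')" blocked || rc=1
  probe_result "$(probe 'access=granted')" allowed || rc=1
  return $rc
}

case "$1" in
  apply)  apply_policies ;;
  verify) verify ;;
  *)      echo "usage: $0 apply|verify" ;;
esac
```

Run `apply` once, then `verify`; a non-zero exit from `verify` means either the plugin is not enforcing policy or the selectors do not match the pods, which is exactly what the "before you begin" note in the docs link warns about.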
