使用 PodPreset 将信息注入 Pods
在 pod 创建时,用户可以使用 podpreset 对象将 secrets、卷挂载和环境变量等信息注入其中。 本文展示了一些 PodPreset 资源使用的示例。 用户可以从理解 Pod Presets 中了解 PodPresets 的整体情况。
创建 Pod Preset
简单的 Pod Spec 示例
这里是一个简单的示例,展示了如何通过 Pod Preset 修改 Pod spec 。
podpreset/preset.yaml  |
|---|
apiVersion: settings.k8s.io/v1alpha1kind: PodPresetmetadata: name: allow-databasespec: selector: matchLabels: role: frontend env: - name: DB_PORT value: “6379” volumeMounts: - mountPath: /cache name: cache-volume volumes: - name: cache-volume emptyDir: {}
|
创建 PodPreset:
kubectl apply -f https://k8s.io/examples/podpreset/preset.yaml
检查所创建的 PodPreset:
kubectl get podpreset
NAME AGEallow-database 1m
新的 PodPreset 会对所有具有标签 role: frontend 的 Pods 采取行动。
用户提交的 pod spec:
podpreset/pod.yaml |
|---|
apiVersion: v1kind: Podmetadata: name: website labels: app: website role: frontendspec: containers: - name: website image: nginx ports: - containerPort: 80
|
创建 Pod:
kubectl create -f https://k8s.io/examples/podpreset/pod.yaml
列举运行中的 Pods:
kubectl get pods
NAME READY STATUS RESTARTS AGEwebsite 1/1 Running 0 4m
通过准入控制器后的 Pod 规约:
podpreset/merged.yaml |
|---|
apiVersion: v1kind: Podmetadata: name: website labels: app: website role: frontend annotations: podpreset.admission.kubernetes.io/podpreset-allow-database: “resource version”spec: containers: - name: website image: nginx volumeMounts: - mountPath: /cache name: cache-volume ports: - containerPort: 80 env: - name: DB_PORT value: “6379” volumes: - name: cache-volume emptyDir: {}
|
要查看如上输出,运行下面的命令:
kubectl get pod website -o yaml
带有 ConfigMap 的 Pod Spec 示例
这里的示例展示了如何通过 PodPreset 修改 Pod 规约,PodPreset 中定义了 ConfigMap 作为环境变量取值来源。
用户提交的 pod spec:
podpreset/pod.yaml |
|---|
apiVersion: v1kind: Podmetadata: name: website labels: app: website role: frontendspec: containers: - name: website image: nginx ports: - containerPort: 80
|
用户提交的 ConfigMap:
podpreset/configmap.yaml |
|---|
apiVersion: v1kind: ConfigMapmetadata: name: etcd-env-configdata: number_of_members: “1” initial_cluster_state: new initial_cluster_token: DUMMY_ETCD_INITIAL_CLUSTER_TOKEN discovery_token: DUMMY_ETCD_DISCOVERY_TOKEN discovery_url: http://etcd_discovery:2379 etcdctl_peers: http://etcd:2379 duplicate_key: FROM_CONFIG_MAP REPLACE_ME: “a value”
|
PodPreset 示例:
podpreset/allow-db.yaml |
|---|
apiVersion: settings.k8s.io/v1alpha1kind: PodPresetmetadata: name: allow-databasespec: selector: matchLabels: role: frontend env: - name: DB_PORT value: “6379” - name: duplicate_key value: FROM_ENV - name: expansion value: $(REPLACE_ME) envFrom: - configMapRef: name: etcd-env-config volumeMounts: - mountPath: /cache name: cache-volume volumes: - name: cache-volume emptyDir: {}
|
通过准入控制器后的 Pod spec:
podpreset/allow-db-merged.yaml |
|---|
apiVersion: v1kind: Podmetadata: name: website labels: app: website role: frontend annotations: podpreset.admission.kubernetes.io/podpreset-allow-database: “resource version”spec: containers: - name: website image: nginx volumeMounts: - mountPath: /cache name: cache-volume ports: - containerPort: 80 env: - name: DB_PORT value: “6379” - name: duplicate_key value: FROM_ENV - name: expansion value: $(REPLACE_ME) envFrom: - configMapRef: name: etcd-env-config volumes: - name: cache-volume emptyDir: {}
|
带有 Pod Spec 的 ReplicaSet 示例
以下示例展示了(通过 ReplicaSet 创建 pod 后)只有 pod spec 会被 Pod Preset 所修改。
用户提交的 ReplicaSet:
podpreset/replicaset.yaml |
|---|
apiVersion: apps/v1kind: ReplicaSetmetadata: name: frontendspec: replicas: 3 selector: matchLabels: role: frontend matchExpressions: - {key: role, operator: In, values: [frontend]} template: metadata: labels: app: guestbook role: frontend spec: containers: - name: php-redis image: gcr.io/google_samples/gb-frontend:v3 resources: requests: cpu: 100m memory: 100Mi env: - name: GET_HOSTS_FROM value: dns ports: - containerPort: 80
|
PodPreset 示例:
podpreset/preset.yaml |
|---|
apiVersion: settings.k8s.io/v1alpha1kind: PodPresetmetadata: name: allow-databasespec: selector: matchLabels: role: frontend env: - name: DB_PORT value: “6379” volumeMounts: - mountPath: /cache name: cache-volume volumes: - name: cache-volume emptyDir: {}
|
通过准入控制器后的 Pod spec:
注意 ReplicaSet spec 没有改变,用户必须检查单独的 pod 来验证 PodPreset 已被应用。
podpreset/replicaset-merged.yaml |
|---|
apiVersion: v1kind: Podmetadata: name: frontend labels: app: guestbook role: frontend annotations: podpreset.admission.kubernetes.io/podpreset-allow-database: “resource version”spec: containers: - name: php-redis image: gcr.io/google_samples/gb-frontend:v3 resources: requests: cpu: 100m memory: 100Mi volumeMounts: - mountPath: /cache name: cache-volume env: - name: GET_HOSTS_FROM value: dns - name: DB_PORT value: “6379” ports: - containerPort: 80 volumes: - name: cache-volume emptyDir: {}
|
多 PodPreset 示例
这里的示例展示了如何通过多个 Pod 注入策略修改 Pod spec。
用户提交的 Pod 规约:
podpreset/pod.yaml |
|---|
apiVersion: v1kind: Podmetadata: name: website labels: app: website role: frontendspec: containers: - name: website image: nginx ports: - containerPort: 80
|
PodPreset 示例:
podpreset/preset.yaml |
|---|
apiVersion: settings.k8s.io/v1alpha1kind: PodPresetmetadata: name: allow-databasespec: selector: matchLabels: role: frontend env: - name: DB_PORT value: “6379” volumeMounts: - mountPath: /cache name: cache-volume volumes: - name: cache-volume emptyDir: {}
|
另一个 Pod Preset 示例:
podpreset/proxy.yaml |
|---|
apiVersion: settings.k8s.io/v1alpha1kind: PodPresetmetadata: name: proxyspec: selector: matchLabels: role: frontend volumeMounts: - mountPath: /etc/proxy/configs name: proxy-volume volumes: - name: proxy-volume emptyDir: {}
|
通过准入控制器后的 Pod 规约:
podpreset/multi-merged.yaml |
|---|
apiVersion: v1kind: Podmetadata: name: website labels: app: website role: frontend annotations: podpreset.admission.kubernetes.io/podpreset-allow-database: “resource version” podpreset.admission.kubernetes.io/podpreset-proxy: “resource version”spec: containers: - name: website image: nginx volumeMounts: - mountPath: /cache name: cache-volume - mountPath: /etc/proxy/configs name: proxy-volume ports: - containerPort: 80 env: - name: DB_PORT value: “6379” volumes: - name: cache-volume emptyDir: {} - name: proxy-volume emptyDir: {}
|
冲突示例
这里的示例展示了 PodPreset 与原 Pod 存在冲突时,Pod spec 不会被修改。
用户提交的 Pod 规约:
podpreset/conflict-pod.yaml |
|---|
apiVersion: v1kind: Podmetadata: name: website labels: app: website role: frontendspec: containers: - name: website image: nginx volumeMounts: - mountPath: /cache name: cache-volume ports: - containerPort: 80 volumes: - name: cache-volume emptyDir: {}
|
PodPreset 示例:
podpreset/conflict-preset.yaml |
|---|
apiVersion: settings.k8s.io/v1alpha1kind: PodPresetmetadata: name: allow-databasespec: selector: matchLabels: role: frontend env: - name: DB_PORT value: “6379” volumeMounts: - mountPath: /cache name: other-volume volumes: - name: other-volume emptyDir: {}
|
因存在冲突,通过准入控制器后的 Pod spec 不会改变:
podpreset/conflict-pod.yaml |
|---|
apiVersion: v1kind: Podmetadata: name: website labels: app: website role: frontendspec: containers: - name: website image: nginx volumeMounts: - mountPath: /cache name: cache-volume ports: - containerPort: 80 volumes: - name: cache-volume emptyDir: {}
|
如果运行 kubectl describe... 用户会看到以下事件:
$ kubectl describe .......Events: FirstSeen LastSeen Count From SubobjectPath Reason Message Tue, 07 Feb 2017 16:56:12 -0700 Tue, 07 Feb 2017 16:56:12 -0700 1 {podpreset.admission.kubernetes.io/podpreset-allow-database } conflict Conflict on pod preset. Duplicate mountPath /cache.
删除 Pod Preset
一旦用户不再需要 pod preset,可以使用 kubectl 进行删除:
kubectl delete podpreset allow-database
podpreset "allow-database" deleted
我的书签
添加书签
移除书签
