Using PodPreset
PodPreset: an API resource used to inject additional runtime settings into a pod while it is being created. A label selector associates pods with PodPreset resources. It is mainly used to add a common set of configuration to a group of pod templates.
My understanding: PodPreset abstracts part of the pod definition away, so that pod configuration can be plugged in and out in a plugin-like fashion.
How it works
Kubernetes provides a PodPreset admission controller. When it is enabled, the system goes through the following steps while a pod is being created:
- Retrieve all available PodPresets.
- Check each PodPreset's label selector against the pod being created.
- Merge the settings defined by the matching PodPresets into the pod.
- If an error occurs, create the pod without the PodPreset settings and emit an event describing the error.
- Record the outcome as an annotation on the pod: podpreset.admission.kubernetes.io/podpreset-<PodPreset name>: "<resource version>"
Notes:
- Each pod can have zero or more PodPresets applied to it.
- A PodPreset modifies fields under .spec.containers, such as Env, EnvFrom and VolumeMounts.
- initContainers can also be modified from version 1.14 onward.
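To make those steps concrete, here is an added example of my own (it is not code from the original post and not the Kubernetes plugin itself) that simulates the admission flow in plain Python: match presets by label selector, merge env/volumeMounts/volumes, fall back to the untouched pod plus an event on a conflict, and record the resourceVersion annotation. The presets and pods are constructed sample data modelled on the files used later in this post (the mount variant is renamed allow-tz-file here to avoid the name clash); the merge rules and the event reason string are this example's simplification, not the plugin's exact code.

```python
# Added example (not from the original post): stand-alone simulation of the
# PodPreset admission flow. Sample data is constructed; merge rules and the
# event reason are this example's simplification of the real plugin.
import copy

ANNOTATION_PREFIX = "podpreset.admission.kubernetes.io/podpreset-"
# Real opt-out annotation honoured by the PodPreset admission plugin.
EXCLUDE_ANNOTATION = "podpreset.admission.kubernetes.io/exclude"


def selector_matches(selector, labels):
    """matchLabels semantics: every selector key must be present on the pod with
    the same value; an empty or absent selector matches every pod."""
    match_labels = (selector or {}).get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in match_labels.items())


def merge_named(existing, injected, key, what):
    """Merge items (env, volumes, volumeMounts) identified by `key`: new items are
    appended, identical duplicates skipped, and the same key with different
    content is a conflict (this example's simplification of the plugin)."""
    merged = list(existing)
    by_key = {item[key]: item for item in merged}
    for item in injected:
        current = by_key.get(item[key])
        if current is None:
            merged.append(item)
            by_key[item[key]] = item
        elif current != item:
            raise ValueError(f"{what} conflict on {item[key]!r}: {current} vs {item}")
    return merged


def admit(pod, presets):
    """Simulate the admission controller for one pod. Returns (pod, events).
    On a merge conflict the original pod object is returned untouched and one
    warning event is recorded, mirroring the behaviour described in the post."""
    events = []
    meta = pod["metadata"]
    if meta.get("annotations", {}).get(EXCLUDE_ANNOTATION) == "true":
        return pod, events
    matching = [
        p for p in presets
        if p["metadata"]["namespace"] == meta["namespace"]
        and selector_matches(p["spec"].get("selector"), meta.get("labels", {}))
    ]
    if not matching:
        return pod, events
    candidate = copy.deepcopy(pod)  # never mutate the admitted object on failure
    try:
        for preset in matching:
            spec = preset["spec"]
            candidate["spec"]["volumes"] = merge_named(
                candidate["spec"].get("volumes", []), spec.get("volumes", []), "name", "volume")
            for container in candidate["spec"]["containers"]:
                container["env"] = merge_named(
                    container.get("env", []), spec.get("env", []), "name", "env")
                container["volumeMounts"] = merge_named(
                    container.get("volumeMounts", []), spec.get("volumeMounts", []),
                    "mountPath", "volumeMount")
    except ValueError as err:
        # Constructed event shape; the real plugin records a Warning event on the pod.
        events.append({"type": "Warning", "reason": "PodPresetMergeConflict", "message": str(err)})
        return pod, events
    annotations = candidate["metadata"].setdefault("annotations", {})
    for preset in matching:
        annotations[ANNOTATION_PREFIX + preset["metadata"]["name"]] = preset["metadata"]["resourceVersion"]
    return candidate, events


# Constructed sample presets: env variant with an empty selector, mount variant
# selecting app=centos (renamed allow-tz-file here to avoid the post's name clash).
PRESETS = [
    {"metadata": {"name": "allow-tz-env", "namespace": "default", "resourceVersion": "1308"},
     "spec": {"selector": {"matchLabels": {}},
              "env": [{"name": "TZ", "value": "Asia/Shanghai"}]}},
    {"metadata": {"name": "allow-tz-file", "namespace": "default", "resourceVersion": "1310"},
     "spec": {"selector": {"matchLabels": {"app": "centos"}},
              "volumeMounts": [{"name": "tz-config", "mountPath": "/etc/localtime", "readOnly": True}],
              "volumes": [{"name": "tz-config", "hostPath": {"path": "/etc/localtime"}}]}},
]

# Constructed sample pod, shaped like the post's test deployment.
POD = {"metadata": {"name": "test-deployment-9c498b79c-7jcv4", "namespace": "default",
                    "labels": {"app": "centos"}},
       "spec": {"containers": [{"name": "centos", "image": "centos:test-1",
                                "command": ["bash", "-c", "sleep 6000"]}]}}

# Same pod but already carrying TZ=UTC, which conflicts with the env preset.
CONFLICTING_POD = copy.deepcopy(POD)
CONFLICTING_POD["spec"]["containers"][0]["env"] = [{"name": "TZ", "value": "UTC"}]

if __name__ == "__main__":
    admitted, events = admit(POD, PRESETS)
    print(admitted["metadata"]["annotations"])
    print(admitted["spec"]["containers"][0]["env"], admitted["spec"]["containers"][0]["volumeMounts"])
    unchanged, events = admit(CONFLICTING_POD, PRESETS)
    print(unchanged is CONFLICTING_POD, events)
```

The conflict case is the one worth watching in a real cluster: the pod still gets created, only without the preset, so a missing annotation plus a Warning event on the pod is the signal that the preset did not land.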
Configuration
Check whether PodPreset is supported (no output means it is not enabled yet):
[root@k8s-master-01.novalocal 12:12 ~]
# kubectl api-resources | grep -i podpreset
Modify the apiserver (this cluster was installed with kubeadm):
[root@k8s-master-01.novalocal 12:12 ~]
# cat /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.0.3.20
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction,PodPreset
    - --enable-bootstrap-token-auth=true
    - --etcd-servers=http://10.0.3.40:2379,http://10.0.3.41:2379,http://10.0.3.42:2379
    - --insecure-port=0
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-cluster-ip-range=172.96.0.0/16
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    - --runtime-config=settings.k8s.io/v1alpha1=true
...
1. Add PodPreset to the admission controllers (--enable-admission-plugins).
2. Add the runtime-config entry (--runtime-config=settings.k8s.io/v1alpha1=true).
Then wait for the apiserver to restart automatically. If there are several master nodes, make the change on every one of them.
[root@k8s-master-01.novalocal 12:12 ~]
# kubectl api-resources | grep -i podpreset
podpresets   settings.k8s.io   true   PodPreset
Test
Goal: use a PodPreset to set the time zone of pods after they are created.
Create the PodPreset configuration, a time-zone environment variable:
[root@k8s-master-01.novalocal 12:16 ~/k8s/PodPreset]
# cat tz-config.yaml
apiVersion: settings.k8s.io/v1alpha1
kind: PodPreset
metadata:
  name: allow-tz-env
spec:
  selector:
    matchLabels:
  env:
  - name: TZ
    value: Asia/Shanghai
Mount-based variant (optional):
[root@k8s-master-01.novalocal 12:16 ~/k8s/PodPreset]
# cat tz-config-file.yaml
apiVersion: settings.k8s.io/v1alpha1
kind: PodPreset
metadata:
  name: allow-tz-env
spec:
  selector:
    matchLabels:
  volumeMounts:
  - name: tz-config
    mountPath: /etc/localtime
    readOnly: true
  volumes:
  - name: tz-config
    hostPath:
      path: /etc/localtime
Check the configuration:
[root@k8s-master-01.novalocal 12:17 ~/k8s/PodPreset]
# kubectl get podpreset
NAME           CREATED AT
allow-tz-env   2019-07-16T02:44:06Z
Create a pod, then inspect it:
[root@liran-test-1.novalocal 12:15 ~/k8s/PodPreset]
# kubectl get pod test-deployment-9c498b79c-7jcv4 -o yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    cni.projectcalico.org/podIP: 172.200.174.129/32
    podpreset.admission.kubernetes.io/podpreset-allow-tz-env: "1308"
  creationTimestamp: "2019-07-16T03:23:22Z"
  generateName: test-deployment-9c498b79c-
  labels:
    app: centos
    pod-template-hash: 9c498b79c
  name: test-deployment-9c498b79c-7jcv4
  namespace: default
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: test-deployment-9c498b79c
    uid: 3cde5495-a56b-4710-99f1-888976b4ca8b
  resourceVersion: "5031"
  selfLink: /api/v1/namespaces/default/pods/test-deployment-9c498b79c-7jcv4
  uid: 26932c58-9ee7-4aa8-96b5-71a82da558a7
spec:
  containers:
  - command:
    - bash
    - -c
    - sleep 6000
    image: centos:test-1
    imagePullPolicy: IfNotPresent
    name: centos
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /etc/localtime
      name: tz-config
      readOnly: true
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-p6z2z
      readOnly: true
In the output above, a podpreset annotation has been added to the pod, and the container's volumeMounts now include the localtime entry, so the goal has been met.
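Checking one pod by hand is fine for a test, but the annotation above is also what you would use to audit a whole cluster: it records which PodPreset was applied and at which resourceVersion, so pods admitted before a preset was edited can be told apart from current ones, and any hostPath volume a preset injected (the mount variant above uses one) can be listed together with whether it is read-only. The following is an added example of my own, not code from the original post: it reads the shape that kubectl get pods -o json and kubectl get podpresets -o json print, using two constructed JSON documents embedded inline (the old-pod entry with a writable mount is made up to exercise the check), and the function names are this example's own.

```python
# Added example (not from the original post): audit PodPreset annotations and
# hostPath mounts across pods. Both JSON documents are constructed samples in
# the shape kubectl prints with -o json.
import json

ANNOTATION_PREFIX = "podpreset.admission.kubernetes.io/podpreset-"

PODS_JSON = """{"items": [
 {"metadata": {"namespace": "default", "name": "test-deployment-9c498b79c-7jcv4",
   "annotations": {"podpreset.admission.kubernetes.io/podpreset-allow-tz-env": "1308"}},
  "spec": {"volumes": [{"name": "tz-config", "hostPath": {"path": "/etc/localtime"}}],
   "containers": [{"name": "centos", "volumeMounts": [
     {"name": "tz-config", "mountPath": "/etc/localtime", "readOnly": true}]}]}},
 {"metadata": {"namespace": "default", "name": "old-pod",
   "annotations": {"podpreset.admission.kubernetes.io/podpreset-allow-tz-env": "1200"}},
  "spec": {"volumes": [{"name": "tz-config", "hostPath": {"path": "/etc/localtime"}}],
   "containers": [{"name": "app", "volumeMounts": [
     {"name": "tz-config", "mountPath": "/etc/localtime"}]}]}},
 {"metadata": {"namespace": "kube-system", "name": "no-preset"},
  "spec": {"volumes": [], "containers": [{"name": "x"}]}}
]}"""

PRESETS_JSON = """{"items": [
 {"metadata": {"namespace": "default", "name": "allow-tz-env", "resourceVersion": "1308"}}
]}"""


def applied_presets(pod):
    """Return {preset name: resourceVersion recorded at admission} from the annotations."""
    annotations = pod["metadata"].get("annotations") or {}
    return {k[len(ANNOTATION_PREFIX):]: v
            for k, v in annotations.items() if k.startswith(ANNOTATION_PREFIX)}


def host_path_mounts(pod):
    """List (container, mountPath, hostPath, readOnly) for every mounted hostPath volume."""
    host_volumes = {v["name"]: v["hostPath"]["path"]
                    for v in pod["spec"].get("volumes") or [] if "hostPath" in v}
    found = []
    for container in pod["spec"]["containers"]:
        for mount in container.get("volumeMounts") or []:
            if mount["name"] in host_volumes:
                found.append((container["name"], mount["mountPath"],
                              host_volumes[mount["name"]], bool(mount.get("readOnly", False))))
    return found


def audit(pods, presets):
    """One record per pod: applied presets, presets whose recorded resourceVersion
    no longer matches the live object (pod predates an edit), presets that no
    longer exist, and hostPath mounts split out by read-only / writable."""
    current = {(p["metadata"]["namespace"], p["metadata"]["name"]): p["metadata"]["resourceVersion"]
               for p in presets["items"]}
    records = []
    for pod in pods["items"]:
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        applied = applied_presets(pod)
        mounts = host_path_mounts(pod)
        records.append({
            "pod": f"{ns}/{name}",
            "presets": applied,
            "stale": sorted(n for n, rv in applied.items() if current.get((ns, n)) not in (None, rv)),
            "deleted": sorted(n for n in applied if (ns, n) not in current),
            "hostPath": mounts,
            "writable_hostPath": [m for m in mounts if not m[3]],
        })
    return records


def run_audit():
    """Parse the embedded kubectl-style documents and return the audit records."""
    return audit(json.loads(PODS_JSON), json.loads(PRESETS_JSON))


if __name__ == "__main__":
    for record in run_audit():
        print(json.dumps(record))
```

With real cluster data you would feed this the output of kubectl get pods -A -o json and kubectl get podpresets -A -o json; a pod listed as stale keeps running with the older injected settings until it is recreated, and a writable hostPath mount that arrived via a preset deserves the same scrutiny as one written directly into the pod spec.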